diff --git a/playbooks/roles/software/files/systemd-resolved.conf b/playbooks/roles/software/files/systemd-resolved.conf
new file mode 100644
index 0000000..6f48c7f
--- /dev/null
+++ b/playbooks/roles/software/files/systemd-resolved.conf
@@ -0,0 +1,3 @@
+[Resolve]
+DNSOverTLS=opportunistic
+DNSStubListenerExtra=172.17.0.1
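Review bot: `DNSOverTLS=opportunistic` on the new line 2 encrypts only when the upstream resolver happens to offer TLS and silently falls back to plaintext otherwise, and in this mode resolved does not validate the server certificate, so it protects against passive observation only — an on-path attacker can still downgrade or impersonate the resolver. Downgrade protection needs `DNSOverTLS=strict`, which in turn needs a `DNS=` entry naming a DoT-capable resolver (with a `#hostname` suffix if the certificate should be checked); this file sets no `DNS=`, so it would rely on whatever servers DHCP hands out, which usually do not speak DoT. Worth a comment in the file so the limitation is not mistaken for full transport protection: `# opportunistic = encrypt if the upstream offers it, else plaintext; no downgrade or certificate check — use 'strict' plus a DoT-capable DNS= for that`. `DNSStubListenerExtra=172.17.0.1` looks like the Docker bridge address, presumably so containers can use the host stub resolver; a comment stating that intent would spare the next reader the guess.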
diff --git a/playbooks/roles/software/tasks/systemd-resolved.yml b/playbooks/roles/software/tasks/systemd-resolved.yml
index eb4fcca..0c94efe 100644
--- a/playbooks/roles/software/tasks/systemd-resolved.yml
+++ b/playbooks/roles/software/tasks/systemd-resolved.yml
@@ -6,10 +6,20 @@
     update_cache: true
   become: true
 
-- name: Enable systemd-resolved
+- name: Copy systemd config
+  ansible.builtin.copy:
+    src: systemd-resolved.conf
+    dest: /etc/systemd/resolved.conf
+    mode: "0644"
+    owner: "root"
+    group: "root"
+  become: true
+  register: systemd_resolved_config
+
+- name: Enable systemd-resolved and (re)start
   ansible.builtin.systemd_service:
     name: systemd-resolved.service
-    state: started
+    state: "{{ 'restarted' if systemd_resolved_config.changed else 'started' }}"
     enabled: true
     daemon_reload: true
   become: true
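Review bot: The new copy task writes `/etc/systemd/resolved.conf` wholesale, replacing the distribution's file (and its commented defaults) with a three-line file, so every systemd package upgrade will see a locally modified conffile and either prompt or leave a `.dpkg-dist`/`.rpmnew` sibling, and any other setting an administrator puts in that file is lost on the next run. systemd reads drop-ins from `/etc/systemd/resolved.conf.d/*.conf`, which is the supported way to override individual keys; the rewrite below installs the file there and creates the directory first, since `ansible.builtin.copy` does not create parent directories. The Jinja `state:` expression on the systemd task works, but the idiomatic form is `notify: Restart systemd-resolved` on the copy task with a matching handler, which also restarts only once if several tasks touch the config. The enclosing task list starts before the hunk.
```yaml
- name: Create systemd-resolved drop-in directory
  ansible.builtin.file:
    path: /etc/systemd/resolved.conf.d
    state: directory
    mode: "0755"
    owner: "root"
    group: "root"
  become: true

- name: Copy systemd-resolved drop-in
  ansible.builtin.copy:
    src: systemd-resolved.conf
    dest: /etc/systemd/resolved.conf.d/10-ansible.conf  # constructed drop-in name; any *.conf works
    mode: "0644"
    owner: "root"
    group: "root"
  become: true
  register: systemd_resolved_config

# … unchanged: "Enable systemd-resolved and (re)start" task …
```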