diff --git a/host_vars/matrix.archlinux.org/misc b/host_vars/matrix.archlinux.org/misc
index 3c34f78d5a8a0622e85ed8e74f599ace39d41a42..e001c817a1a606beadd8b872b6520a7980ee86dc 100644
--- a/host_vars/matrix.archlinux.org/misc
+++ b/host_vars/matrix.archlinux.org/misc
@@ -1,4 +1,5 @@
 ---
 filesystem: btrfs
+static_dns: true
 wireguard_address: 10.0.0.15
 wireguard_public_key: QWkTL58mJd0+Lz5AvGVmbdSSk29y/W60WUdhTgyGLCk=
diff --git a/roles/networking/files/dns.conf b/roles/networking/files/dns.conf
new file mode 100644
index 0000000000000000000000000000000000000000..e2f8b9b21dac0549961b7d163de8510f4b350881
--- /dev/null
+++ b/roles/networking/files/dns.conf
@@ -0,0 +1,15 @@
+[DHCPv4]
+UseDNS=false
+
+[DHCPv6]
+UseDNS=false
+
+[IPv6AcceptRA]
+UseDNS=false
+
+[Network]
+DNS=2606:4700:4700::1111#1dot1dot1dot1.cloudflare-dns.com
+DNS=2606:4700:4700::1001#1dot1dot1dot1.cloudflare-dns.com
+DNS=1.1.1.1#1dot1dot1dot1.cloudflare-dns.com
+DNS=1.0.0.1#1dot1dot1dot1.cloudflare-dns.com
+DNSOverTLS=true
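Review bot: `DNSOverTLS=true` in the [Network] section is strict mode with no plaintext fallback, so if outbound 853/tcp to the four Cloudflare addresses is filtered, resolution on this link fails outright, and the file does not say that this is intended. A header comment would record it, e.g. `# Strict DNS-over-TLS to Cloudflare; resolvers offered via DHCP/RA are ignored on purpose. Needs outbound 853/tcp.` The setting is per-link, so it is worth confirming that no global `DNS=`/`FallbackDNS=` in resolved.conf can still answer over plaintext. `DNSSEC=` is not set here, so the `#1dot1dot1dot1.cloudflare-dns.com` name authenticates the transport to the resolver but local validation of answers presumably stays at the resolved default.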
diff --git a/roles/networking/tasks/main.yml b/roles/networking/tasks/main.yml
index 843f1a8cfcd5808eb58b1b9dad6ccf3309ca2efe..3c38f1c45b91e7e959656ba70f8fe85bbc901b2f 100644
--- a/roles/networking/tasks/main.yml
+++ b/roles/networking/tasks/main.yml
@@ -1,14 +1,36 @@
 ---
 - name: configure network (static)
-  template: src=10-static-ethernet.network.j2 dest={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network owner=root group=root mode=0644
-  notify:
-    - restart networkd
+  block:
+    - name: install 10-static-ethernet.network
+      template: src=10-static-ethernet.network.j2 dest={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network owner=root group=root mode=0644
+      notify:
+        - restart networkd
+
+    - name: create drop-in directory for 10-static-ethernet.network
+      file: path=/etc/systemd/network/10-static-ethernet.network.d state=directory owner=root group=root mode=0755
+
+    - name: configure static dns (static)
+      copy: src=dns.conf dest={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network.d/dns.conf owner=root group=root mode=0644
+      notify:
+        - restart networkd
+      when: static_dns|default(false)
   when: not dhcp|default(false)
 
 - name: configure network (dhcp)
-  template: src=10-dhcp-ethernet.network.j2 dest={{ chroot_path }}/etc/systemd/network/10-dhcp-ethernet.network owner=root group=root mode=0644
-  notify:
-    - restart networkd
+  block:
+    - name: install 10-dhcp-ethernet.network
+      template: src=10-dhcp-ethernet.network.j2 dest={{ chroot_path }}/etc/systemd/network/10-dhcp-ethernet.network owner=root group=root mode=0644
+      notify:
+        - restart networkd
+
+    - name: create drop-in directory for 10-dhcp-ethernet.network
+      file: path=/etc/systemd/network/10-dhcp-ethernet.network.d state=directory owner=root group=root mode=0755
+
+    - name: configure static dns (dhcp)
+      copy: src=dns.conf dest={{ chroot_path }}/etc/systemd/network/10-dhcp-ethernet.network.d/dns.conf owner=root group=root mode=0644
+      notify:
+        - restart networkd
+      when: static_dns|default(false)
   when: dhcp|default(false)
 
 - name: create symlink to resolv.conf
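Review bot: The two "create drop-in directory" tasks use `path=/etc/systemd/network/...network.d` without the `{{ chroot_path }}` prefix that every neighbouring `template`/`copy` destination carries. When `chroot_path` is non-empty, the directory is created on the running system rather than in the target tree, and the following `copy` of dns.conf will likely fail because its parent directory is missing. Both should read like `file: path={{ chroot_path }}/etc/systemd/network/10-static-ethernet.network.d state=directory owner=root group=root mode=0755` (and the same for `10-dhcp-ethernet.network.d`). Separately, nothing removes dns.conf when `static_dns` is later turned off, so a host would silently keep the strict-DoT resolvers; a `state=absent` task under `when: not static_dns|default(false)` would make the flag reversible. The last task in the hunk ("create symlink to resolv.conf") continues outside it.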