diff --git a/etc/systemd/resolved.conf.d/quad9-ecs-compat.conf b/etc/systemd/resolved.conf.d/quad9-ecs-compat.conf
new file mode 100644
index 00000000..07912f5b
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/quad9-ecs-compat.conf
@@ -0,0 +1,7 @@
+# Quad9 with client subnet / systemd-resolved. For non-tech people? See README.md
+[Resolve]
+DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
+Domains=~.
+DNSSEC=allow-downgrade
+DNSOverTLS=opportunistic
+Cache=true
diff --git a/etc/systemd/resolved.conf.d/quad9-ecs-strict.conf b/etc/systemd/resolved.conf.d/quad9-ecs-strict.conf
new file mode 100644
index 00000000..cc3993e2
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/quad9-ecs-strict.conf
@@ -0,0 +1,8 @@
+# Quad9 with client subnet / systemd-resolved. For people who don't panic when DNSSEC or
+# DoT doesn't work and captive portals attack? See README.md
+[Resolve]
+DNS=2620:fe::11#dns11.quad9.net 149.112.112.11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net 9.9.9.11#dns11.quad9.net
+Domains=~.
+DNSSEC=true
+DNSOverTLS=true
+Cache=true
diff --git a/etc/unbound/unbound.conf.d/dot-quad9-ecs.conf b/etc/unbound/unbound.conf.d/dot-quad9-ecs.conf
new file mode 100644
index 00000000..1b3557d4
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/dot-quad9-ecs.conf
@@ -0,0 +1,13 @@
+server:
+ # Debian ca-certificates location
+ tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ # ctrl.blog says this is the Fedora location
+ #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
+ forward-addr: 9.9.9.11@853#dns11.quad9.net
+ forward-addr: 2620:fe::11@853#dns11.quad9.net
+ forward-addr: 149.112.112.11@853#dns11.quad9.net
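Review bot: The header comment of quad9-ecs-compat.conf does not say what "compat" costs: `DNSOverTLS=opportunistic` lets an on-path party that blocks or answers port 853 push resolved back to plaintext DNS, and `DNSSEC=allow-downgrade` likewise turns validation off when the upstream path looks non-DNSSEC-capable, so the `#dns11.quad9.net` name on each server only authenticates the TLS session when one is actually established. A reader told "for non-tech people" will not infer that from the option names. Suggest extending the comment, e.g. `# Falls back to plaintext DNS and unvalidated answers when TLS/DNSSEC fail; use quad9-ecs-strict.conf if you need a hard guarantee`.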
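Review bot: Both drop-ins land in the same etc/systemd/resolved.conf.d/ directory and set the same `[Resolve]` keys; systemd reads drop-ins in lexical order with later files overriding earlier ones, so if a user copies the whole directory quad9-ecs-strict.conf silently wins over quad9-ecs-compat.conf and the "compat" choice never takes effect. The file header should say they are alternatives, e.g. `# Install either this file or quad9-ecs-compat.conf, not both; if both are present this one overrides`. Whether README.md already covers this is not visible from the diff.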
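Review bot: The `tls-cert-bundle:` line hard-codes the Debian CA path and leaves the Fedora one as a commented alternative, so on any other layout `forward-tls-upstream: yes` has no trust store and upstream certificate authentication cannot succeed, which surfaces as resolution failures rather than an obvious config error. unbound supports `tls-system-cert: yes` to use the platform's default store, which would replace both path lines and make the file distro-independent; if the explicit path is kept, a comment such as `# If this path does not exist for your distro, TLS authentication of Quad9 fails and lookups SERVFAIL` would help the reader diagnose it. The `name: "."` forward-zone also relies on DNSSEC validation being configured elsewhere (the main unbound.conf is not in this diff), which is worth stating in the header comment.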