diff --git a/etc/systemd/resolved.conf.d/98-dot-eu-gdpr.conf b/etc/systemd/resolved.conf.d/98-dot-eu-gdpr.conf
new file mode 100644
index 00000000..f50beabc
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/98-dot-eu-gdpr.conf
@@ -0,0 +1,14 @@
+# Brownie points for no data transmitted outside of the EU and thus
+# GDPR-compatible
+[Resolve]
+DNS=
+DNS=2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu
+DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu
+DNS=2a13:1001::86:54:11:1#protective.joindns4.eu
+DNS=86.54.11.1#protective.joindns4.eu
+FallbackDNS=
+Domains=~.
+DNSSEC=true
+DNSOverTLS=true
+Cache=true
+# vim: filetype=systemd
diff --git a/etc/systemd/resolved.conf.d/99-working-dns.conf b/etc/systemd/resolved.conf.d/99-working-dns.conf
index e416a219..174a04d2 100644
--- a/etc/systemd/resolved.conf.d/99-working-dns.conf
+++ b/etc/systemd/resolved.conf.d/99-working-dns.conf
@@ -5,8 +5,10 @@ DNS=::1
 DNS=127.0.0.1
 DNS=2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu
 DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu
-DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
-DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
+DNS=2620:fe::fe:853#dns.quad9.net 2620:fe::9:853#dns.quad9.net 2620:fe::fe:8853#dns.quad9.net 2620:fe::9:8853#dns.quad9.net
+DNS=9.9.9.9:853 149#dns.quad9.net.112.112.112:853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net 149.112.112.112:8853#dns.quad9.net
+DNS=2a13:1001::86:54:11:1#protective.joindns4.eu
+DNS=86.54.11.1#protective.joindns4.eu
 FallbackDNS=
 FallbackDNS=::1
 FallbackDNS=127.0.0.1
diff --git a/etc/systemd/resolved.conf.d/README.md b/etc/systemd/resolved.conf.d/README.md
index f3484ef5..70b03858 100644
--- a/etc/systemd/resolved.conf.d/README.md
+++ b/etc/systemd/resolved.conf.d/README.md
@@ -1,5 +1,3 @@
-
-
 # systemd-resolved additional config files
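Review bot: The empty `FallbackDNS=` in the new 98-dot-eu-gdpr.conf is load-bearing for the file's stated goal but carries no comment, so a later reader may "fix" it by adding servers. An empty assignment clears resolved's compiled-in fallback list, which would otherwise be consulted whenever no other DNS server is known and would send queries to resolvers outside the set chosen here. Suggest `# Empty on purpose: clears the compiled-in fallback resolvers` directly above that line. Note also that 99-working-dns.conf in the same directory assigns its own `DNS=` and `FallbackDNS=` entries; if both drop-ins are installed together the later file's assignments are applied after this one's, so the header could state which file is meant to be active.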
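Review bot: The two added Quad9 `DNS=` lines in 99-working-dns.conf are mangled: the IPv6 entries such as `2620:fe::fe:853` append the port as one more hextet and therefore name a different address instead of `[2620:fe::fe]:853`, and on the next line `9.9.9.9:853` has lost its `#dns.quad9.net` server name while `149#dns.quad9.net.112.112.112:853#dns.quad9.net` is not a parseable address at all (the removed lines used the bracketed `[addr]:port` form correctly). Dropping the `#name` suffix also drops the server name resolved uses for SNI and certificate validation under strict `DNSOverTLS`. The lines should read `DNS=[2620:fe::fe]:853#dns.quad9.net [2620:fe::9]:853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net` and `DNS=9.9.9.9:853#dns.quad9.net 149.112.112.112:853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net 149.112.112.112:8853#dns.quad9.net`. The enclosing [Resolve] section starts before this hunk.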
diff --git a/etc/unbound/unbound.conf.d/dot-dns0-dns4eu-quad9.conf b/etc/unbound/unbound.conf.d/dot-dns0-dns4eu-quad9.conf
new file mode 100644
index 00000000..faa77646
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/dot-dns0-dns4eu-quad9.conf
@@ -0,0 +1,36 @@
+# Three non-commercial malicious domain blocking DNS servers. At least one
+# will likely work, even if three choices means three different filters and
+# things might get past something.
+
+server:
+ # Debian ca-certificates location
+ #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ # Fedora
+ #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ # Use system certificates no matter where they are
+ tls-system-cert: yes
+ # Quad9 says pointless performance impact on forwarders.
+ # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+ qname-minimisation: no
+
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 2a0f:fc80::@853#dns0.eu
+ forward-addr: 193.110.81.0@853#dns0.eu
+ forward-addr: 2a0f:fc81::@853#dns0.eu
+ forward-addr: 185.253.5.0@853#dns0.eu
+ ## Quad9 Secure
+ forward-addr: 2620:fe::fe@8853#dns.quad9.net
+ forward-addr: 2620:fe::9@8853#dns.quad9.net
+ forward-addr: 9.9.9.9@8853#dns.quad9.net
+ forward-addr: 149.112.112.112@8853#dns.quad9.net
+ forward-addr: 2620:fe::fe@853#dns.quad9.net
+ forward-addr: 2620:fe::9@853#dns.quad9.net
+ forward-addr: 9.9.9.9@853#dns.quad9.net
+ forward-addr: 149.112.112.112@853#dns.quad9.net
+ # DNS4EU Protective
+ forward-addr: 2a13:1001::86:54:11:1@853#protective.joindns4.eu
+ forward-addr: 86.54.11.1@853#protective.joindns4.eu
+
+# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf b/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
deleted file mode 100644
index c75560f2..00000000
--- a/etc/unbound/unbound.conf.d/dot-dns0-quad9.conf
+++ /dev/null
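Review bot: The `## Quad9 Secure` block in the new dot-dns0-dns4eu-quad9.conf lists every Quad9 address twice, once on 8853 and once on 853, without saying why; the deleted dot-dns0-quad9.conf explained the non-standard port in its header and that rationale is lost here. Suggest widening the comment to `## Quad9 Secure: same service on the standard 853 and the alternative 8853 port` so the duplication is not mistaken for a copy error. The same block is repeated verbatim in dot-eu-gdpr.conf in this commit.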
@@ -1,43 +0,0 @@
-# For those who really cannot choose between DNS0.eu and Quad9. At least the
-# latter has a nice non-standard port. Climate and distance take priority,
-# thus ECS, but with any luck DNS0 gets preferred and no attacker fingerprints
-# DNS resolvers used.
-
-server:
- # Debian ca-certificates location
- #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
- # Fedora
- #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
- # Use system certificates no matter where they are
- tls-system-cert: yes
- # Quad9 says pointless performance impact on forwarders.
- # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
- qname-minimisation: no
-
-forward-zone:
- name: "."
- forward-tls-upstream: yes
- forward-addr: 2a0f:fc80::@853#dns0.eu
- forward-addr: 193.110.81.0@853#dns0.eu
- forward-addr: 2a0f:fc81::@853#dns0.eu
- forward-addr: 185.253.5.0@853#dns0.eu
- ## Quad9 Secure
- #forward-addr: 2620:fe::fe@8853#dns.quad9.net
- #forward-addr: 2620:fe::9@8853#dns.quad9.net
- #forward-addr: 9.9.9.9@8853#dns.quad9.net
- #forward-addr: 149.112.112.112@8853#dns.quad9.net
- #forward-addr: 2620:fe::fe@853#dns.quad9.net
- #forward-addr: 2620:fe::9@853#dns.quad9.net
- #forward-addr: 9.9.9.9@853#dns.quad9.net
- #forward-addr: 149.112.112.112@853#dns.quad9.net
- ## Quad9 Secure + ECS
- forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
- forward-addr: 9.9.9.11@8853#dns11.quad9.net
- forward-addr: 2620:fe::11@8853#dns11.quad9.net
- forward-addr: 149.112.112.11@853#dns11.quad9.net
- forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
- forward-addr: 9.9.9.11@853#dns11.quad9.net
- forward-addr: 2620:fe::11@853#dns11.quad9.net
- forward-addr: 149.112.112.11@853#dns11.quad9.net
-
-# vim: filetype=unbound.conf
diff --git a/etc/unbound/unbound.conf.d/dot-eu-gdpr.conf b/etc/unbound/unbound.conf.d/dot-eu-gdpr.conf
new file mode 100644
index 00000000..3902a286
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/dot-eu-gdpr.conf
@@ -0,0 +1,35 @@
+# Brownie points for no data transmitted outside of the EU and thus
+# GDPR-compatible
+
+server:
+ # Debian ca-certificates location
+ #tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ # Fedora
+ #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+ # Use system certificates no matter where they are
+ tls-system-cert: yes
+ # Quad9 says pointless performance impact on forwarders.
+ # https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+ qname-minimisation: no
+
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 2a0f:fc80::@853#dns0.eu
+ forward-addr: 193.110.81.0@853#dns0.eu
+ forward-addr: 2a0f:fc81::@853#dns0.eu
+ forward-addr: 185.253.5.0@853#dns0.eu
+ ## Quad9 Secure
+ forward-addr: 2620:fe::fe@8853#dns.quad9.net
+ forward-addr: 2620:fe::9@8853#dns.quad9.net
+ forward-addr: 9.9.9.9@8853#dns.quad9.net
+ forward-addr: 149.112.112.112@8853#dns.quad9.net
+ forward-addr: 2620:fe::fe@853#dns.quad9.net
+ forward-addr: 2620:fe::9@853#dns.quad9.net
+ forward-addr: 9.9.9.9@853#dns.quad9.net
+ forward-addr: 149.112.112.112@853#dns.quad9.net
+ # DNS4EU Protective
+ forward-addr: 2a13:1001::86:54:11:1@853#protective.joindns4.eu
+ forward-addr: 86.54.11.1@853#protective.joindns4.eu
+
+# vim: filetype=unbound.conf
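Review bot: The forward-addr list in the new dot-eu-gdpr.conf contradicts its own header: the `## Quad9 Secure` block forwards to `dns.quad9.net`, a service operated from Switzerland rather than the EU, while the header promises "no data transmitted outside of the EU". The systemd counterpart added in this same commit, 98-dot-eu-gdpr.conf, lists only dns0.eu and protective.joindns4.eu, and apart from the header this file is identical to dot-dns0-dns4eu-quad9.conf, which suggests the Quad9 lines were carried over by copy. Either remove or comment out the eight Quad9 `forward-addr` lines (as the deleted dot-dns0-quad9.conf did) so the file matches its sibling and its header, or reword the header so it no longer claims EU-only transmission.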