diff --git a/etc/systemd/resolved.conf.d/adguard-dot.conf b/etc/systemd/resolved.conf.d/adguard-dot.conf
new file mode 100644
index 00000000..919cd4a0
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/adguard-dot.conf
@@ -0,0 +1,12 @@
+# AdGuard / systemd-resolved. For people who don't panic when DoT doesn't
+# work and captive portals attack? See README.md. Also requires not
+# panicking if tbe user needs something AdGuard is blocking.
+[Resolve]
+DNS=2a00:5a60::ad2:ff#dns.adguard.com 176.103.130.131#dns.adguard.com 2a00:5a60::ad1:ff#dns.adguard.com 176.103.130.130#dns.adguard.com
+Domains=~.
+# non-tech friendliness in case system down for ages. Also DNSSEC ensures
+# the DNS server isn't lying which is a task of adblocking DNS server...
+DNSSEC=allow-downgrade
+# There is no point of disabling this with adblocking DNS
+DNSOverTLS=true
+Cache=true
diff --git a/etc/systemd/resolved.conf.d/adguard-strict.conf b/etc/systemd/resolved.conf.d/adguard-strict.conf
deleted file mode 100644
index bd09358c..00000000
--- a/etc/systemd/resolved.conf.d/adguard-strict.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-# AdGuard / systemd-resolved. For people who don't panic when DNSSEC or
-# DoT doesn't work and captive portals attack? See README.md
-# Also requires not panicking if you need something AdGuard is blocking.
-[Resolve]
-DNS=2a00:5a60::ad2:ff#dns.adguard.com 176.103.130.131#dns.adguard.com 2a00:5a60::ad1:ff#dns.adguard.com 176.103.130.130#dns.adguard.com
-Domains=~.
-# In case of adblocking DNS it makes no sense to start disabling these,
-# especially DNSOverTLS, so there won't be non-strict version.
-DNSSEC=true
-DNSOverTLS=true
-Cache=true
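Review bot: The comment above `DNSSEC=allow-downgrade` in adguard-dot.conf says DNSSEC ensures the server isn't lying, but this mode does not guarantee that: systemd-resolved switches validation off when it decides the upstream does not support DNSSEC, and resolved.conf(5) describes the mode as open to downgrade attacks. The removed adguard-strict.conf used `DNSSEC=true`, so the new file is a weakening that should be stated where the setting lives. Because `DNSOverTLS=true` authenticates the path to dns.adguard.com, the remaining exposure is probably limited to the resolver itself, though that is inferred rather than shown in this diff. I would reword the comment along the lines of `# allow-downgrade: validate when the resolver supports DNSSEC, skip validation otherwise; use DNSSEC=true for a hard guarantee`.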