diff --git a/etc/systemd/resolved.conf.d/nextdns-compat.conf b/etc/systemd/resolved.conf.d/nextdns-compat.conf
new file mode 100644
index 00000000..d964db1a
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/nextdns-compat.conf
@@ -0,0 +1,7 @@
+# NextDNS / systemd-resolved. For non-tech people? See README.md
+[Resolve]
+2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
+Domains=~.
+DNSSEC=allow-downgrade
+DNSOverTLS=opportunistic
+Cache=true
diff --git a/etc/systemd/resolved.conf.d/nextdns-strict.conf b/etc/systemd/resolved.conf.d/nextdns-strict.conf
new file mode 100644
index 00000000..3ac91881
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/nextdns-strict.conf
@@ -0,0 +1,8 @@
+# NextDNS / systemd-resolved. For people who don't panic when DNSSEC or
+# DoT doesn't work and captive portals attack? See README.md
+[Resolve]
+2a07:a8c0::#dns.nextdns.io 2a07:a8c1::#dns.nextdns.io 45.90.28.0#dns.nextdns.io 45.90.30.0#dns.nextdns.io
+Domains=~.
+DNSSEC=true
+DNSOverTLS=true
+Cache=true