diff --git a/etc/resolv.conf-generate.bash b/etc/resolv.conf-generate.bash
index 346fd317..2b504c16 100755
--- a/etc/resolv.conf-generate.bash
+++ b/etc/resolv.conf-generate.bash
@@ -17,7 +17,7 @@ rm -v /etc/resolv.conf
 # Actual resolv.conf creation. OK, this could read resolv.conf in this
 # directory, but I like this being self-contained.
 # tee -p = operate in a more appropriate MODE with pipes.
-printf 'nameserver ::1\nnameserver 127.0.0.1\nnameserver 127.0.0.53\nsearch .\noptions timeout:1 attempts:5 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
+printf 'nameserver 127.0.0.53\nnameserver 127.0.0.1\nnameserver ::1\nsearch .\noptions timeout:1 attempts:5 rotate edns0 trust-ad\n' | tee -p /etc/resolv.conf
 
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf
diff --git a/etc/traditional-resolv.conf-generate.bash b/etc/traditional-resolv.conf-generate.bash
index 202df570..1808cf7c 100755
--- a/etc/traditional-resolv.conf-generate.bash
+++ b/etc/traditional-resolv.conf-generate.bash
@@ -20,10 +20,9 @@ chmod -v +w /etc/resolv.conf
 # Or it's a symlink to e.g. /run/systemd/resolve/stub-resolv.conf
 rm -v /etc/resolv.conf
 
-# No trust-ad here as chances are these resolvers are unencrypted and the
-# path to them isn't trusted.
+# trust-ad is here, because are you really going to use untrusted remote resolvers?
 # tee -p = operate in a more appropriate MODE with pipes.
-printf "nameserver %b\nnameserver %b\nnameserver %b\nsearch .\noptions timeout:1 attempts:5 rotate edns0\n" "$1" "$2" "$3" | tee -p /etc/resolv.conf
+printf "nameserver %b\nnameserver %b\nnameserver %b\nsearch .\noptions timeout:1 attempts:5 rotate edns0 trust-ad\n" "$1" "$2" "$3" | tee -p /etc/resolv.conf
 
 # Remove all other permissions than everyone reading resolv.conf
 chmod -v a=r /etc/resolv.conf
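Review bot: The reordered `nameserver` lines in the new `printf` do not establish a preference for 127.0.0.53, because the same line keeps `options rotate`, which makes the resolver round-robin across all three listed servers. If the intent is to try the systemd-resolved stub first (an inference; the commit does not say), either drop `rotate` here or have the comment above the `printf` say that the order is only a starting point. Since `trust-ad` applies to every listed server, the assumption behind it is worth a comment as well, e.g. `# trust-ad: all three listeners are local, DNSSEC-validating resolvers`. The script begins outside this hunk.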
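Review bot: Adding `trust-ad` to the `printf` that writes caller-supplied resolvers (`$1`..`$3`) makes glibc hand the AD bit from their answers to applications, and that bit is not authenticated on a plain DNS path, so the removed comment's concern about the path still holds even when the resolver operator is trusted. Software that acts on AD (SSHFP or TLSA checks, for example) would then rely on a flag that anything between this host and the resolver can set. I would leave `trust-ad` out of the default in this script and make it opt-in, or at minimum have the comment state the precondition: `# trust-ad: only valid if the resolvers validate DNSSEC and the path to them is authenticated (loopback, VPN, ...)`. The script starts outside the hunk, so whether the arguments are checked before this line is not visible here.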