diff --git a/etc/systemd/resolved.conf.d/11-family-compat.conf b/etc/systemd/resolved.conf.d/11-family-compat.conf
new file mode 100644
index 00000000..260cca9d
--- /dev/null
+++ b/etc/systemd/resolved.conf.d/11-family-compat.conf
@@ -0,0 +1,22 @@
+# DNS0 and Quad9 should be a good combination for family that just works
+# regardless of restrictive networks, thus opportunistic DoT. DNSSEC is a
+# risk in systemd-resolved. https://github.com/systemd/systemd/issues/10579 &
+# https://github.com/systemd/systemd/issues/9867
+[Resolve]
+DNS=
+DNS=::1
+DNS=127.0.0.1
+DNS=2a0f:fc80::#dns0.eu 2a0f:fc81::#dns0.eu
+DNS=193.110.81.0#dns0.eu 185.253.5.0#dns0.eu
+DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
+DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
+FallbackDNS=
+FallbackDNS=::1
+FallbackDNS=127.0.0.1
+Domains=~.
+#DNSSEC=allow-downgrade
+#DNSSEC=true
+#DNSSEC=false
+DNSOverTLS=opportunistic
+Cache=true
+# vim: filetype=systemd