diff --git a/etc/opt/chromium/policies/managed/.editorconfig b/etc/opt/chromium/policies/managed/.editorconfig
new file mode 100644
index 00000000..fdf565d5
--- /dev/null
+++ b/etc/opt/chromium/policies/managed/.editorconfig
@@ -0,0 +1,5 @@
+root = false
+
+[*.badidea]
+indent_style = space
+indent_size = 2
diff --git a/etc/opt/chromium/policies/managed/.gitattributes b/etc/opt/chromium/policies/managed/.gitattributes
new file mode 100644
index 00000000..d81350cf
--- /dev/null
+++ b/etc/opt/chromium/policies/managed/.gitattributes
@@ -0,0 +1 @@
+dns-over-https.json.badidea	linguist-language=json
diff --git a/etc/opt/chromium/policies/managed/dns-over-https.json.badidea b/etc/opt/chromium/policies/managed/dns-over-https.json.badidea
new file mode 100644
index 00000000..2931dbf5
--- /dev/null
+++ b/etc/opt/chromium/policies/managed/dns-over-https.json.badidea
@@ -0,0 +1,9 @@
+{
+  "comment": "This is a bad idea, because I don't know other DNS servers that
+  perform DNSSEC in addition to DNS-over-HTTPS, I just know these two do and
+  Quad9 doesn't. This would otherwise be the unbound.conf.d/dns-over-tls.conf
+  equivalent.",
+  "DnsOverHttpsMode": "automatic",
+  "DnsOverHttpsTemplates": "https://open.dns0.eu/
+  https://doh.applied-privacy.net/query"
+}