diff --git a/config/common/common-scripts.yml b/config/common/common-scripts.yml
index 50bfc97..e68fe70 100644
--- a/config/common/common-scripts.yml
+++ b/config/common/common-scripts.yml
@@ -2,6 +2,5 @@ type: script
 scripts:
 - authselect.sh
 - setfilepermissions.sh
- - securedns.sh
 # this sets up the proper policy & signing files for signed images to work
 - signing.sh
\ No newline at end of file
diff --git a/config/files/usr/etc/systemd/resolved.conf.d/securedns.conf b/config/files/usr/etc/systemd/resolved.conf.d/securedns.conf
new file mode 100644
index 0000000..51cb74e
--- /dev/null
+++ b/config/files/usr/etc/systemd/resolved.conf.d/securedns.conf
@@ -0,0 +1,2 @@
+DNSSEC=allow-downgrade
+DNSOverTLS=opportunistic
diff --git a/config/scripts/securedns.sh b/config/scripts/securedns.sh
deleted file mode 100644
index 80c1a1b..0000000
--- a/config/scripts/securedns.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/usr/bin/env bash
-
-# Tell build process to exit if there are any errors.
-set -oue pipefail
-
-# https://wiki.archlinux.org/title/systemd-resolved#DNSSEC
-sed -i 's/#DNSSEC=no/DNSSEC=allow-downgrade/' /usr/etc/systemd/resolved.conf
-
-# https://wiki.archlinux.org/title/systemd-resolved#DNS_over_TLS
-sed -i 's/#DNSOverTLS=no/DNSOverTLS=opportunistic/' /usr/etc/systemd/resolved.conf
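Review bot: The new drop-in `resolved.conf.d/securedns.conf` has no `[Resolve]` section header, so systemd's config parser will treat both assignments as outside any section and ignore them, leaving DNSSEC and DNS-over-TLS at the distribution defaults without any build-time error. The removed sed script rewrote keys inside the stock resolved.conf, where they presumably already sat under `[Resolve]`, so it did not need a header of its own. Add `[Resolve]` as the first line of the file and confirm the effective settings in a built image with `resolvectl status`. Both values are also the downgradeable modes, so an on-path party that strips DNSSEC records or blocks the TLS port still gets plaintext, unvalidated DNS; a short comment such as `# compatibility-first: downgradeable by design, not a guarantee` would record that this is deliberate.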