diff --git a/modules/system/meta/ports.nix b/modules/system/meta/ports.nix
index 68e3a0b..739161c 100644
--- a/modules/system/meta/ports.nix
+++ b/modules/system/meta/ports.nix
@@ -61,18 +61,5 @@ in
 message = mkErrorMessage duplicateUdpPorts;
 }
 ];
-
- meta.ports =
- let
- resolvedPorts = lib.mkIf config.services.resolved.enable [
- 53
- 5353
- 5355
- ];
- in
- {
- tcp.list = resolvedPorts;
- udp.list = resolvedPorts;
- };
 };
 }
diff --git a/modules/system/services/resolved.nix b/modules/system/services/resolved.nix
new file mode 100644
index 0000000..37fdb73
--- /dev/null
+++ b/modules/system/services/resolved.nix
@@ -0,0 +1,26 @@
+{ config, lib, ... }:
+let
+ ports = [
+ 53
+ 5353
+ 5355
+ ];
+in
+{
+ options.custom.services.resolved.enable = lib.mkEnableOption "" // {
+ default = config.systemd.network.enable;
+ };
+
+ config = lib.mkIf config.custom.services.resolved.enable {
+ meta.ports = {
+ tcp.list = ports;
+ udp.list = ports;
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "allow-downgrade";
+ dnsovertls = "opportunistic";
+ };
+ };
+}
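Review bot: In the `services.resolved` block of the new module, `dnssec = "allow-downgrade"` and `dnsovertls = "opportunistic"` are both fallback modes. Validation and encryption are dropped whenever the upstream appears not to support them, so an on-path party that can forge that signal gets plain unauthenticated DNS. If the upstream resolvers for these hosts support both (not visible in this diff), prefer `dnssec = "true";` and `dnsovertls = "true";`. Otherwise record the trade-off next to the settings, e.g. `# fallback modes: compatible with non-validating resolvers, but no protection against an active downgrade`. The module also reserves 5353 and 5355, which suggests mDNS and LLMNR stay at resolved's defaults. If multicast name resolution is not needed, set `llmnr = "false";` to remove a common local-network spoofing surface. Separately, `lib.mkEnableOption ""` leaves the option undocumented, and a short description such as `"systemd-resolved with the shared port reservations"` would help.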