diff --git a/basics.yml b/basics.yml
index f65aa81..b77f28c 100644
--- a/basics.yml
+++ b/basics.yml
@@ -165,6 +165,21 @@
 state: present
 notify: localectl
 
+ - name: DigitalCourage encrypted DNS (DoT) via TLS systemd-resolved without censorship
+ blockinfile:
+ path: /etc/systemd/resolved.conf.d/digitalcourage-dot.conf
+ mode: "0444"
+ owner: root
+ group: root
+ create: yes
+ insertbefore: BOF # Beginning of the file
+ marker: "# {mark} ANSIBLE MANAGED BLOCK"
+ block: |
+ [Resolve]
+ DNS=5.9.164.112#dns3.digitalcourage.de 2a01:4f8:251:554::2#dns3.digitalcourage.de
+ DNSOverTLS=opportunistic
+ backup: yes
+
 - name: SSHD hardening
 blockinfile:
 path: /etc/ssh/sshd_config.d/hardening.conf
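Review bot: `DNSOverTLS=opportunistic` in the `block:` does not deliver the encryption the task name promises. In that mode systemd-resolved falls back to plaintext DNS whenever the TLS connection on port 853 fails, so anyone on the path who blocks that port receives unencrypted queries, and the `#dns3.digitalcourage.de` name is not used to authenticate the server. Use `DNSOverTLS=yes` so the certificate is checked against that name and failures are hard rather than silent; the trade-off is that resolution stops on networks that block port 853. The task also has no `notify:`, so unless a handler outside this hunk restarts systemd-resolved, the drop-in only takes effect at the next service restart; something like `notify: <restart-systemd-resolved handler>` (placeholder name) would close that. Per-link DNS servers handed out by DHCP may still be consulted alongside this global entry, so consider adding `Domains=~.` to the block if all lookups are meant to go to this resolver.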