diff --git a/playbooks/resolvconf.yml b/playbooks/resolvconf.yml
index 2bc4e85..03d4ce3 100644
--- a/playbooks/resolvconf.yml
+++ b/playbooks/resolvconf.yml
@@ -8,44 +8,28 @@ name: - systemd-resolved state: present + - name: Ensure system CA certificates are up to date + ansible.builtin.package: + name: ca-certificates + state: latest - name: Make small file register: systemd_resolved_conf copy: dest: "/etc/systemd/resolved.conf" - content: | - # This file is part of systemd. - # - # systemd is free software; you can redistribute it and/or modify it under the - # terms of the GNU Lesser General Public License as published by the Free - # Software Foundation; either version 2.1 of the License, or (at your option) - # any later version. - # - # Entries in this file show the compile time defaults. Local configuration - # should be created by either modifying this file, or by creating "drop-ins" in - # the resolved.conf.d/ subdirectory. The latter is generally recommended. - # Defaults can be restored by simply deleting this file and all drop-ins. - # - # Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config. - # See resolved.conf(5) for details. - + content: | [Resolve] - # Some examples of DNS servers which may be used for DNS= and FallbackDNS=: - # Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com - # Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google - # Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net - DNS=192.168.0.88 - FallbackDNS=192.168.0.1 + # Направляем основной трафик на VIP keepalived и привязываем к домену серта + DNS=192.168.0.88#buenos-dias.guaranteedstruggle.host + + # В фолбэки шлём прямые IP нод ns1 и ns2 на случай, если сам keepalived моргнёт + FallbackDNS=192.168.0.86#buenos-dias.guaranteedstruggle.host 192.168.0.87#buenos-dias.guaranteedstruggle.host 1.1.1.1#cloudflare-dns.com 8.8.8.8#dns.google + + # Ваши локальные домены (БЕЗ ЗАПЯТЫХ! 
Строго через пробел) Domains=guaranteedstruggle.host just-for-me.internal - #DNSSEC=no - #DNSOverTLS=no - #MulticastDNS=yes - #LLMNR=yes - #Cache=yes - #CacheFromLocalhost=no + + # Включаем DoT в строгом (strict) режиме для защиты от утечек + DNSOverTLS=strict DNSStubListener=yes - #DNSStubListenerExtra= - #ReadEtcHosts=yes - #ResolveUnicastSingleLabel=no - name: Make fix for resolv-conf rewriting
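Review bot: The new `FallbackDNS=` line mixes the internal ns1/ns2 nodes with 1.1.1.1 and 8.8.8.8 while `Domains=guaranteedstruggle.host just-for-me.internal` keeps those zones as search domains, so if the keepalived VIP and both nodes are unreachable, lookups for names under `just-for-me.internal` (and single-label names expanded with the search list) are forwarded to the public resolvers, which discloses internal hostnames and yields NXDOMAIN instead of a clear failure. If the public resolvers are only meant as a last resort for Internet names, consider dropping them from the line (`FallbackDNS=192.168.0.86#buenos-dias.guaranteedstruggle.host 192.168.0.87#buenos-dias.guaranteedstruggle.host`) or stating the accepted leak in the comment above it. Separately, `DNSOverTLS=strict` only works if the certificate presented under `buenos-dias.guaranteedstruggle.host` chains to a trust anchor in the system store; the new `ca-certificates` task covers a publicly issued certificate, but a private CA would have to be installed by this playbook as well, which is worth noting in the task name or a comment. `state: latest` on that task also triggers ansible-lint's package-latest rule and turns every run into a potential upgrade; if that is deliberate, a comment such as `# latest on purpose: the DoT upstream must verify against a current trust store` makes it explicit.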