diff --git a/roles/os_config/handlers/main.yml b/roles/os_config/handlers/main.yml
index 29ed091..34e382d 100644
--- a/roles/os_config/handlers/main.yml
+++ b/roles/os_config/handlers/main.yml
@@ -1,5 +1,10 @@
 # vim: ft=yaml.ansible
 ---
+- name: Restart systemd-resolved
+ ansible.builtin.service:
+ name: systemd-resolved
+ state: restarted
+
 - name: Create .env for apt-update-push
 ansible.builtin.template:
 src: env.j2
@@ -35,4 +40,3 @@
 ansible.builtin.service:
 name: sshd
 state: restarted
- listen: sshd
diff --git a/roles/os_config/tasks/base.yml b/roles/os_config/tasks/base.yml
index 2c92f2f..d9cee31 100644
--- a/roles/os_config/tasks/base.yml
+++ b/roles/os_config/tasks/base.yml
@@ -8,6 +8,22 @@
 community.general.timezone:
 name: "{{ timezone }}"

+- name: Set /etc/resolv.conf symlink
+ ansible.builtin.file:
+ path: /etc/resolv.conf
+ src: /run/systemd/resolve/resolv.conf
+ owner: root
+ force: true
+ state: link
+
+- name: Disable systemd-resolved stub resolver
+ ansible.builtin.lineinfile:
+ path: /etc/systemd/resolved.conf
+ regexp: '^#?DNSStubListener='
+ line: 'DNSStubListener=no'
+ state: present
+ notify: Restart systemd-resolved
+
 - name: Upgrade system packages
 ansible.builtin.apt:
 update_cache: true
diff --git a/roles/os_config/tasks/main.yml b/roles/os_config/tasks/main.yml
index e1bab68..d38b58a 100644
--- a/roles/os_config/tasks/main.yml
+++ b/roles/os_config/tasks/main.yml
@@ -27,3 +27,6 @@
 ansible.builtin.import_tasks: disks.yml
 tags:
 - reboot
+
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers
diff --git a/roles/os_config/tasks/ssh.yml b/roles/os_config/tasks/ssh.yml
index 236d04a..31e54db 100644
--- a/roles/os_config/tasks/ssh.yml
+++ b/roles/os_config/tasks/ssh.yml
@@ -6,7 +6,7 @@
 regexp: '^#?PubkeyAuthentication '
 line: PubkeyAuthentication yes
 state: present
- notify: sshd
+ notify: Restart sshd

 - name: Disallow SSH login with password
 ansible.builtin.lineinfile:
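Review bot: In `Disable systemd-resolved stub resolver` (tasks/base.yml), a resolved.conf with no `DNSStubListener=` line gets the setting appended at end of file, which may land outside the `[Resolve]` section; adding `insertafter: '^\[Resolve\]'` keeps it where systemd-resolved reads it. In `Set /etc/resolv.conf symlink`, `force: true` replaces an existing regular file and creates the link even if `/run/systemd/resolve/resolv.conf` does not exist, so a host where systemd-resolved is not running would reach `Upgrade system packages` with a dangling resolv.conf; ensuring the service is started before the link is set would close that gap. The link also makes programs that read `/etc/resolv.conf` query the upstream servers directly rather than through systemd-resolved, so any `DNSSEC=` or `DNSOverTLS=` setting in resolved.conf would presumably no longer cover them. A comment above the task such as `# resolv.conf lists upstream servers directly; resolved's DNSSEC/DoT settings do not apply to these clients` would record that this is intended.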
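Review bot: The `Flush handlers` task at the end of tasks/main.yml runs every handler pending in the play, not only `Restart systemd-resolved`, so `Restart sshd` now also fires at this point instead of at the end of the play; a comment such as `# apply resolved and sshd changes before later roles run` should say what the flush is for. If the aim is to have systemd-resolved reconfigured before `Upgrade system packages`, the flush would need to sit directly after the `Disable systemd-resolved stub resolver` task in base.yml. As placed, the restart happens only after the `disks.yml` import shown in the context lines, and presumably after base.yml as well, though that import is outside the hunk.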
@@ -14,7 +14,7 @@
 regexp: '^#?PasswordAuthentication '
 line: PasswordAuthentication no
 state: present
- notify: sshd
+ notify: Restart sshd

 - name: Disallow root login over SSH
 ansible.builtin.lineinfile:
@@ -22,4 +22,4 @@
 regexp: '^#?PermitRootLogin '
 line: PermitRootLogin no
 state: present
- notify: sshd
+ notify: Restart sshd