feat: support DNS over TLS for upstream resolvers

Add DNS over TLS (RFC 7858) support to the host DNS forwarder. A new optional `tlsServerName` field on `nameservers[]` in `ResolverConfig` enables DoT for an individual upstream; when set, queries to that nameserver use TCP+TLS on port 853 with the given name as both SNI and certificate validation name (TLS 1.2+). Signed-off-by: Erwan Leboucher <erwanleboucher@gmail.com> Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
2026-05-09 22:36:16 +02:00 · 2026-05-02 17:41:38 +02:00 · 2026-05-02 17:41:38 +02:00 · 6eec1c2293
commit 6eec1c2293
parent dee139aef0
90 changed files with 2252 additions and 659 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2026-05-07T05:09:26Z by kres 1762ab2.
+# Generated on 2026-05-07T16:29:03Z by kres 1762ab2.

 concurrency:
  group: ${{ github.head_ref || github.run_id }}
@ -3303,6 +3303,8 @@ jobs:
            withConfigPatch: '@hack/test/patches/node-address-v2.yaml'
          - test: e2e-tpm1_2
            withTpm12: "true"
+          - test: e2e-dns-over-tls
+            withConfigPatch: '@hack/test/patches/dns-over-tls.yaml'
      fail-fast: false
      max-parallel: 2
    needs:
--- a/.github/workflows/integration-misc-2-triggered.yaml
+++ b/.github/workflows/integration-misc-2-triggered.yaml
@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2026-04-27T17:59:00Z by kres e4dc583.
+# Generated on 2026-05-07T16:29:03Z by kres 1762ab2.

 concurrency:
  group: ${{ github.head_ref || github.run_id }}
@ -46,6 +46,8 @@ jobs:
            withConfigPatch: '@hack/test/patches/node-address-v2.yaml'
          - test: e2e-tpm1_2
            withTpm12: "true"
+          - test: e2e-dns-over-tls
+            withConfigPatch: '@hack/test/patches/dns-over-tls.yaml'
      fail-fast: false
      max-parallel: 2
    steps:
--- a/.kres.yaml
+++ b/.kres.yaml
@ -1066,6 +1066,8 @@ spec:
            withConfigPatch: "@hack/test/patches/node-address-v2.yaml"
          - test: e2e-tpm1_2
            withTpm12: "true"
+          - test: e2e-dns-over-tls
+            withConfigPatch: "@hack/test/patches/dns-over-tls.yaml"
      steps:
        - name: download-artifacts
          artifactStep:
--- a/api/resource/definitions/enums/enums.proto
+++ b/api/resource/definitions/enums/enums.proto
@ -143,6 +143,12 @@ enum NethelpersConntrackState {
  CONNTRACK_STATE_INVALID = 1;
 }

+// NethelpersDNSProtocol is a kind of DNS protocol.
+enum NethelpersDNSProtocol {
+  DNS_PROTOCOL_DEFAULT = 0;
+  DNS_PROTOCOL_DNS_OVER_TLS = 1;
+}
+
 // NethelpersDuplex wraps ethtool.Duplex for YAML marshaling.
 enum NethelpersDuplex {
  HALF = 0;
--- a/api/resource/definitions/network/network.proto
+++ b/api/resource/definitions/network/network.proto
@ -362,6 +362,13 @@ message LinkStatusSpec {
  VRFMasterSpec vrf_master = 33;
 }

+// NameServerSpec describes a single DNS nameserver with additional configuration.
+message NameServerSpec {
+  common.NetIP addr = 1;
+  talos.resource.definitions.enums.NethelpersDNSProtocol protocol = 2;
+  string tls_server_name = 3;
+}
+
 // NfTablesAddressMatch describes the match on the IP address.
 message NfTablesAddressMatch {
  repeated common.NetIPPrefix include_subnets = 1;
@ -529,15 +536,25 @@ message ProbeStatusSpec {

 // ResolverSpecSpec describes DNS resolvers.
 message ResolverSpecSpec {
+  // DNSServers is a flat list of DNS server IP addresses.
+  //
+  // Deprecated: This field is deprecated in favor of NameServers which contain more information.
  repeated common.NetIP dns_servers = 1;
  talos.resource.definitions.enums.NetworkConfigLayer config_layer = 2;
  repeated string search_domains = 3;
+  // NameServers is a list of DNS servers with additional configuration.
+  repeated NameServerSpec name_servers = 4;
 }

 // ResolverStatusSpec describes DNS resolvers.
 message ResolverStatusSpec {
+  // DNSServers is a flat list of DNS server IP addresses.
+  //
+  // Deprecated: This field is deprecated in favor of NameServers which contain more information.
  repeated common.NetIP dns_servers = 1;
  repeated string search_domains = 2;
+  // NameServers is a list of DNS servers with additional configuration.
+  repeated NameServerSpec name_servers = 4;
 }

 // RouteSpecSpec describes the route.
--- a/hack/release.toml
+++ b/hack/release.toml
@ -99,6 +99,14 @@ mount:
 > NOTE: Setting `secure: false` will also disable `nosuid` and `nodev`, which may have security implications. Use with caution.

 Upgrade note: apply this `VolumeConfig` patch *before* upgrading, otherwise affected workloads will fail after the next reboot. Longhorn v2 (SPDK data engine) runs the data plane inside the instance manager process and is not affected.
+"""
+
+    [notes.DoT]
+        title = "DNS over TLS (DoT) Support"
+        description = """\
+Talos now supports DNS over TLS (DoT) for secure DNS resolution.
+This feature allows Talos to encrypt DNS queries and responses, enhancing privacy and security for DNS traffic.
+The DNS protocol can be configured on a per-name server basis in the `ResolverConfig` document, allowing for flexible configuration of DNS resolution.
 """

 [make_deps]
--- a/hack/test/patches/dns-over-tls.yaml
+++ b/hack/test/patches/dns-over-tls.yaml
@ -0,0 +1,9 @@
+apiVersion: v1alpha1
+kind: ResolverConfig
+nameservers:
+    - address: 1.1.1.1
+      protocol: DoT
+      tlsServerName: cloudflare-dns.com
+    - address: 8.8.8.8
+      protocol: DoT
+      tlsServerName: dns.google
--- a/internal/app/machined/pkg/controllers/network/dns_resolve_cache_test.go
+++ b/internal/app/machined/pkg/controllers/network/dns_resolve_cache_test.go
@ -27,6 +27,7 @@ import (
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
 	netctrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/network"
 	"github.com/siderolabs/talos/pkg/machinery/config/machine"
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/cluster"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 )
@ -43,8 +44,29 @@ func expectedDNSRunners(port string) []resource.ID {
 	}
 }

-func (suite *DNSServer) TestResolving() {
-	dnsSlice := []string{"8.8.8.8", "1.1.1.1"}
+func (suite *DNSServer) TestResolvingDo53() {
+	suite.testResolving([]network.NameServerSpec{
+		{Addr: netip.MustParseAddr("8.8.8.8")},
+		{Addr: netip.MustParseAddr("1.1.1.1")},
+	})
+}
+
+func (suite *DNSServer) TestResolvingDoT() {
+	suite.testResolving([]network.NameServerSpec{
+		{
+			Addr:          netip.MustParseAddr("8.8.8.8"),
+			Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+			TLSServerName: "dns.google",
+		},
+		{
+			Addr:          netip.MustParseAddr("1.1.1.1"),
+			Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+			TLSServerName: "cloudflare-dns.com",
+		},
+	})
+}
+
+func (suite *DNSServer) testResolving(nameservers []network.NameServerSpec) {
 	port := getDynamicPort(suite.T())

 	cfg := network.NewHostDNSConfig(network.HostDNSConfigID)
@ -54,7 +76,7 @@ func (suite *DNSServer) TestResolving() {
 	suite.Require().NoError(suite.State().Create(suite.Ctx(), cfg))

 	resolverSpec := network.NewResolverStatus(network.NamespaceName, network.ResolverID)
-	resolverSpec.TypedSpec().DNSServers = xslices.Map(dnsSlice, netip.MustParseAddr)
+	resolverSpec.TypedSpec().NameServers = nameservers

 	suite.Require().NoError(suite.State().Create(suite.Ctx(), resolverSpec))

@ -66,7 +88,7 @@ func (suite *DNSServer) TestResolving() {
 		},
 	)

-	rtestutils.AssertLength[*network.DNSUpstream](suite.Ctx(), suite.T(), suite.State(), len(dnsSlice))
+	rtestutils.AssertLength[*network.DNSUpstream](suite.Ctx(), suite.T(), suite.State(), len(nameservers))

 	msg := &dns.Msg{
 		MsgHdr: dns.MsgHdr{
@ -107,7 +129,9 @@ func (suite *DNSServer) TestSetupStartStop() {
 	port := getDynamicPort(suite.T())

 	resolverSpec := network.NewResolverStatus(network.NamespaceName, network.ResolverID)
-	resolverSpec.TypedSpec().DNSServers = xslices.Map(dnsSlice, netip.MustParseAddr)
+	resolverSpec.TypedSpec().NameServers = xslices.Map(dnsSlice, func(addr string) network.NameServerSpec {
+		return network.NameServerSpec{Addr: netip.MustParseAddr(addr)}
+	})

 	suite.Require().NoError(suite.State().Create(suite.Ctx(), resolverSpec))

@ -311,7 +335,9 @@ func (suite *DNSUpstreams) TestOrder() {
 		{"192.168.0.1"},
 	} {
 		if !suite.Run(strings.Join(addrs, ","), func() {
-			resolverSpec.TypedSpec().DNSServers = xslices.Map(addrs, netip.MustParseAddr)
+			resolverSpec.TypedSpec().NameServers = xslices.Map(addrs, func(addr string) network.NameServerSpec {
+				return network.NameServerSpec{Addr: netip.MustParseAddr(addr)}
+			})

 			switch i {
 			case 0:
--- a/internal/app/machined/pkg/controllers/network/dns_upstream.go
+++ b/internal/app/machined/pkg/controllers/network/dns_upstream.go
@ -6,10 +6,12 @@ package network

 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net"

 	"github.com/coredns/coredns/plugin/pkg/proxy"
+	"github.com/coredns/coredns/plugin/pkg/transport"
 	"github.com/cosi-project/runtime/pkg/controller"
 	"github.com/cosi-project/runtime/pkg/resource"
 	"github.com/cosi-project/runtime/pkg/safe"
@ -17,6 +19,7 @@ import (
 	"github.com/siderolabs/gen/optional"
 	"go.uber.org/zap"

+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 )

@ -108,17 +111,15 @@ func (ctrl *DNSUpstreamController) run(ctx context.Context, r controller.Runtime
 		return err
 	}

-	for i, srv := range rs.TypedSpec().DNSServers {
-		remoteHost := srv.String()
-
+	for i, srv := range rs.TypedSpec().NameServers {
 		if err = safe.WriterModify[*network.DNSUpstream](
 			ctx,
 			r,
-			network.NewDNSUpstream(fmt.Sprintf("#%03d %s", i, remoteHost)),
+			network.NewDNSUpstream(fmt.Sprintf("#%03d %s %s", i, srv.Protocol, srv.Addr)),
 			func(u *network.DNSUpstream) error {
 				touchedIDs[u.Metadata().ID()] = struct{}{}

-				initConn(&u.TypedSpec().Value, remoteHost, l)
+				initConn(&u.TypedSpec().Value, srv.Protocol, srv.Addr.String(), srv.TLSServerName, l)

 				return nil
 			},
@ -130,7 +131,7 @@ func (ctrl *DNSUpstreamController) run(ctx context.Context, r controller.Runtime
 	return nil
 }

-func existingConnections(ctx context.Context, r controller.Runtime) (func(*network.DNSUpstreamSpecSpec, string, *zap.Logger), error) {
+func existingConnections(ctx context.Context, r controller.Runtime) (func(*network.DNSUpstreamSpecSpec, nethelpers.DNSProtocol, string, string, *zap.Logger), error) {
 	upstream, err := safe.ReaderListAll[*network.DNSUpstream](ctx, r)
 	if err != nil {
 		return nil, err
@ -142,8 +143,23 @@ func existingConnections(ctx context.Context, r controller.Runtime) (func(*netwo
 		existingConn[u.TypedSpec().Value.Conn.Addr()] = u.TypedSpec().Value.Conn
 	}

-	return func(spec *network.DNSUpstreamSpecSpec, remoteHost string, l *zap.Logger) {
-		remoteAddr := net.JoinHostPort(remoteHost, "53")
+	return func(spec *network.DNSUpstreamSpecSpec, protocol nethelpers.DNSProtocol, remoteHost, tlsServerName string, l *zap.Logger) {
+		var port string
+
+		switch protocol {
+		case nethelpers.DNSProtocolDefault:
+			port = transport.Port
+		case nethelpers.DNSProtocolDNSOverTLS:
+			port = transport.TLSPort
+		default:
+			panic(fmt.Sprintf("unsupported DNS protocol: %s", protocol))
+		}
+
+		if tlsServerName != "" {
+			port = transport.TLSPort
+		}
+
+		remoteAddr := net.JoinHostPort(remoteHost, port)
 		if spec.Conn != nil && spec.Conn.Addr() == remoteAddr {
 			l.Debug("reusing existing upstream spec", zap.String("addr", remoteAddr))

@ -164,14 +180,36 @@ func existingConnections(ctx context.Context, r controller.Runtime) (func(*netwo
 			return
 		}

-		spec.Conn = network.NewDNSConn(proxy.NewProxy(remoteHost, remoteAddr, "dns"))
+		spec.Conn = network.NewDNSConn(newUpstreamProxy(protocol, remoteHost, remoteAddr, tlsServerName))

-		l.Debug("created new upstream connection", zap.String("addr", remoteAddr))
+		l.Debug(
+			"created new upstream connection",
+			zap.String("addr", remoteAddr),
+			zap.Stringer("protocol", protocol),
+			zap.String("tls_server_name", tlsServerName),
+		)

 		existingConn[remoteAddr] = spec.Conn
 	}, nil
 }

+func newUpstreamProxy(protocol nethelpers.DNSProtocol, remoteHost, remoteAddr, tlsServerName string) *proxy.Proxy {
+	switch protocol {
+	case nethelpers.DNSProtocolDefault:
+		return proxy.NewProxy(remoteHost, remoteAddr, transport.DNS)
+	case nethelpers.DNSProtocolDNSOverTLS:
+		p := proxy.NewProxy(remoteHost, remoteAddr, transport.TLS)
+		p.SetTLSConfig(&tls.Config{
+			ServerName: tlsServerName,
+			MinVersion: tls.VersionTLS13,
+		})
+
+		return p
+	default:
+		panic(fmt.Sprintf("unsupported DNS protocol: %s", protocol))
+	}
+}
+
 func cleanupUpstream(ctx context.Context, r controller.Runtime, touchedIDs map[resource.ID]struct{}, l *zap.Logger) {
 	list, err := safe.ReaderListAll[*network.DNSUpstream](ctx, r)
 	if err != nil {
--- a/internal/app/machined/pkg/controllers/network/etcfile.go
+++ b/internal/app/machined/pkg/controllers/network/etcfile.go
@ -30,6 +30,7 @@ import (
 	"github.com/siderolabs/talos/internal/pkg/mount/v3"
 	talosconfig "github.com/siderolabs/talos/pkg/machinery/config"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/files"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
@ -170,7 +171,16 @@ func (ctrl *EtcFileController) Run(ctx context.Context, r controller.Runtime, lo
 			)

 			if len(dnsServers) == 0 {
-				dnsServers = resolverStatus.TypedSpec().DNSServers
+				dnsServers = xslices.Map(
+					xslices.Filter(
+						resolverStatus.TypedSpec().NameServers,
+						func(ns network.NameServerSpec) bool {
+							// without HostDNS support only plain DNS protocol
+							return ns.Protocol == nethelpers.DNSProtocolDefault
+						},
+					),
+					func(ns network.NameServerSpec) netip.Addr { return ns.Addr },
+				)
 			}

 			src := "resolv.conf"
@ -216,7 +226,19 @@ func pickNameservers(hostDNSCfg *network.HostDNSConfig, resolverStatus *network.
 		return localDNS
 	}

-	return slices.All(resolverStatus.TypedSpec().DNSServers)
+	return slices.All(
+		xslices.Map(
+			xslices.Filter(
+				resolverStatus.TypedSpec().NameServers,
+				func(ns network.NameServerSpec) bool {
+					return ns.Protocol == nethelpers.DNSProtocolDefault
+				},
+			),
+			func(ns network.NameServerSpec) netip.Addr {
+				return ns.Addr
+			},
+		),
+	)
 }

 func renderResolvConf(nameservers iter.Seq2[int, netip.Addr], searchDomains []string) []byte {
--- a/internal/app/machined/pkg/controllers/network/etcfile_test.go
+++ b/internal/app/machined/pkg/controllers/network/etcfile_test.go
@ -26,6 +26,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/config/container"
 	networkcfg "github.com/siderolabs/talos/pkg/machinery/config/types/network"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/files"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
@ -36,11 +37,12 @@ import (
 type EtcFileConfigSuite struct {
 	ctest.DefaultSuite

-	cfg            *config.MachineConfig
-	defaultAddress *network.NodeAddress
-	hostnameStatus *network.HostnameStatus
-	resolverStatus *network.ResolverStatus
-	hostDNSConfig  *network.HostDNSConfig
+	cfg                   *config.MachineConfig
+	defaultAddress        *network.NodeAddress
+	hostnameStatus        *network.HostnameStatus
+	resolverStatus        *network.ResolverStatus
+	hostDNSConfig         *network.HostDNSConfig
+	hostDNSConfigDisabled *network.HostDNSConfig

 	bindMountTarget   string
 	podResolvConfPath string
@ -109,11 +111,27 @@ func (suite *EtcFileConfigSuite) ExtraSetup() {
 	suite.hostnameStatus.TypedSpec().Domainname = "example.com"

 	suite.resolverStatus = network.NewResolverStatus(network.NamespaceName, network.ResolverID)
-	suite.resolverStatus.TypedSpec().DNSServers = []netip.Addr{
-		netip.MustParseAddr("1.1.1.1"),
-		netip.MustParseAddr("2.2.2.2"),
-		netip.MustParseAddr("3.3.3.3"),
-		netip.MustParseAddr("4.4.4.4"),
+	suite.resolverStatus.TypedSpec().NameServers = []network.NameServerSpec{
+		{
+			Addr:     netip.MustParseAddr("1.1.1.1"),
+			Protocol: nethelpers.DNSProtocolDefault,
+		},
+		{
+			Addr:     netip.MustParseAddr("2.2.2.2"),
+			Protocol: nethelpers.DNSProtocolDefault,
+		},
+		{
+			Addr:     netip.MustParseAddr("3.3.3.3"),
+			Protocol: nethelpers.DNSProtocolDNSOverTLS,
+		},
+		{
+			Addr:     netip.MustParseAddr("4.4.4.4"),
+			Protocol: nethelpers.DNSProtocolDefault,
+		},
+		{
+			Addr:     netip.MustParseAddr("5.5.5.5"),
+			Protocol: nethelpers.DNSProtocolDefault,
+		},
 	}

 	suite.hostDNSConfig = network.NewHostDNSConfig(network.HostDNSConfigID)
@ -125,6 +143,9 @@ func (suite *EtcFileConfigSuite) ExtraSetup() {
 	}
 	suite.hostDNSConfig.TypedSpec().ServiceHostDNSAddress = netip.MustParseAddr("169.254.116.108")
 	suite.hostDNSConfig.TypedSpec().ServiceHostDNSAddressV6 = netip.MustParseAddr("fd54:616c:6f73::204f:5320:444e:531")
+
+	suite.hostDNSConfigDisabled = network.NewHostDNSConfig(network.HostDNSConfigID)
+	suite.hostDNSConfigDisabled.TypedSpec().Enabled = false
 }

 type etcFileContents struct {
@ -313,6 +334,17 @@ func (suite *EtcFileConfigSuite) TestOnlyResolvers() {
 	)
 }

+func (suite *EtcFileConfigSuite) TestNoHostDNS() {
+	suite.testFiles(
+		[]resource.Resource{suite.resolverStatus, suite.hostDNSConfigDisabled},
+		etcFileContents{
+			hosts:            "127.0.0.1 localhost\n::1       localhost ip6-localhost ip6-loopback\nff02::1   ip6-allnodes\nff02::2   ip6-allrouters\n",
+			resolvConf:       "nameserver 1.1.1.1\nnameserver 2.2.2.2\nnameserver 4.4.4.4\n",
+			resolvGlobalConf: "nameserver 1.1.1.1\nnameserver 2.2.2.2\nnameserver 4.4.4.4\n",
+		},
+	)
+}
+
 func (suite *EtcFileConfigSuite) TestOnlyHostname() {
 	suite.testFiles(
 		[]resource.Resource{suite.defaultAddress, suite.hostnameStatus},
--- a/internal/app/machined/pkg/controllers/network/operator/dhcp6.go
+++ b/internal/app/machined/pkg/controllers/network/operator/dhcp6.go
@ -182,7 +182,9 @@ func (d *DHCP6) parseReply(reply *dhcpv6.Message) (leaseTime time.Duration) {

 		d.resolvers = []network.ResolverSpecSpec{
 			{
-				DNSServers:  xslices.Map(reply.Options.DNS(), convertIP),
+				NameServers: xslices.Map(reply.Options.DNS(), func(ip net.IP) network.NameServerSpec {
+					return network.NameServerSpec{Addr: convertIP(ip)}
+				}),
 				ConfigLayer: network.ConfigOperator,
 			},
 		}
--- a/internal/app/machined/pkg/controllers/network/operator/internal/dhcpparse/dhcp4.go
+++ b/internal/app/machined/pkg/controllers/network/operator/internal/dhcpparse/dhcp4.go
@ -195,7 +195,9 @@ func ParseDHCP4Ack(ack *dhcpv4.DHCPv4, linkName string, routeMetric uint32, useH

 		specs.Resolvers = []network.ResolverSpecSpec{
 			{
-				DNSServers:    xslices.Map(ack.DNS(), convertIP),
+				NameServers: xslices.Map(ack.DNS(), func(ip net.IP) network.NameServerSpec {
+					return network.NameServerSpec{Addr: convertIP(ip)}
+				}),
 				SearchDomains: searchDomains,
 				ConfigLayer:   network.ConfigOperator,
 			},
--- a/internal/app/machined/pkg/controllers/network/operator/internal/dhcpparse/dhcp4_test.go
+++ b/internal/app/machined/pkg/controllers/network/operator/internal/dhcpparse/dhcp4_test.go
@ -16,6 +16,7 @@ import (

 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/network/operator/internal/dhcpparse"
 	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
+	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 )

 func TestParseDHCP4Ack(t *testing.T) {
@ -179,11 +180,11 @@ func TestParseDHCP4Ack(t *testing.T) {
 		require.Len(t, specs.Resolvers, 1)
 		assert.Equal(
 			t,
-			[]netip.Addr{
-				must.Value(netip.ParseAddr("8.8.8.8"))(t),
-				must.Value(netip.ParseAddr("8.8.4.4"))(t),
+			[]network.NameServerSpec{
+				{Addr: must.Value(netip.ParseAddr("8.8.8.8"))(t)},
+				{Addr: must.Value(netip.ParseAddr("8.8.4.4"))(t)},
 			},
-			specs.Resolvers[0].DNSServers,
+			specs.Resolvers[0].NameServers,
 		)
 		assert.Equal(t, []string{"example.com"}, specs.Resolvers[0].SearchDomains,
 			"DomainName feeds the search list when DomainSearch is absent")
@ -255,7 +256,7 @@ func TestParseDHCP4Ack(t *testing.T) {
 		specs := dhcpparse.ParseDHCP4Ack(ack, linkName, routeMetric, false)

 		require.Len(t, specs.Resolvers, 1)
-		assert.Empty(t, specs.Resolvers[0].DNSServers)
+		assert.Empty(t, specs.Resolvers[0].NameServers)
 		assert.Equal(t, []string{"example.com"}, specs.Resolvers[0].SearchDomains)
 	})

--- a/internal/app/machined/pkg/controllers/network/operator_spec.go
+++ b/internal/app/machined/pkg/controllers/network/operator_spec.go
@ -344,6 +344,7 @@ func (ctrl *OperatorSpecController) reconcileOperatorOutputs(ctx context.Context
 				),
 				func(r *network.ResolverSpec) error {
 					*r.TypedSpec() = resolverSpec
+					r.TypedSpec().Convert() // convert deprecated fields for backward compatibility

 					return nil
 				},
--- a/internal/app/machined/pkg/controllers/network/platform_config.go
+++ b/internal/app/machined/pkg/controllers/network/platform_config.go
@ -92,7 +92,12 @@ func (ctrl *PlatformConfigController) Run(ctx context.Context, r controller.Runt
 				ctx, r,
 				network.NewPlatformConfig(network.NamespaceName, network.PlatformConfigActiveID),
 				func(out *network.PlatformConfig) error {
-					*out.TypedSpec() = *networkConfig
+					*out.TypedSpec() = networkConfig.DeepCopy()
+
+					// fix up resolvers as a defensive measure
+					for i := range out.TypedSpec().Resolvers {
+						out.TypedSpec().Resolvers[i].Convert()
+					}

 					return nil
 				},
--- a/internal/app/machined/pkg/controllers/network/platform_config_apply.go
+++ b/internal/app/machined/pkg/controllers/network/platform_config_apply.go
@ -279,6 +279,7 @@ func (ctrl *PlatformConfigApplyController) apply(ctx context.Context, r controll

 					*spec = newSpec.(network.ResolverSpecSpec) //nolint:forcetypeassert
 					spec.ConfigLayer = network.ConfigPlatform
+					spec.Convert() // convert deprecated fields for backward compatibility

 					return nil
 				}
--- a/internal/app/machined/pkg/controllers/network/platform_config_apply_test.go
+++ b/internal/app/machined/pkg/controllers/network/platform_config_apply_test.go
@ -190,6 +190,7 @@ func (suite *PlatformConfigApplySuite) TestResolvers() {
 	platformConfig.TypedSpec().Resolvers = []network.ResolverSpecSpec{
 		{
 			DNSServers:  []netip.Addr{netip.MustParseAddr("1.1.1.1")},
+			NameServers: []network.NameServerSpec{{Addr: netip.MustParseAddr("1.1.1.1")}},
 			ConfigLayer: network.ConfigPlatform,
 		},
 	}
@ -200,7 +201,8 @@ func (suite *PlatformConfigApplySuite) TestResolvers() {
 	}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
 		spec := r.TypedSpec()

-		asrt.Equal("[1.1.1.1]", fmt.Sprintf("%s", spec.DNSServers))
+		asrt.Equal("[1.1.1.1]", fmt.Sprintf("%s", spec.DNSServers)) //nolint:staticcheck
+		asrt.Equal([]network.NameServerSpec{{Addr: netip.MustParseAddr("1.1.1.1")}}, spec.NameServers)
 		asrt.Equal(network.ConfigPlatform, spec.ConfigLayer)
 	}, rtestutils.WithNamespace(network.ConfigNamespaceName))
 }
--- a/internal/app/machined/pkg/controllers/network/platform_config_test.go
+++ b/internal/app/machined/pkg/controllers/network/platform_config_test.go
@ -102,7 +102,15 @@ func (suite *PlatformConfigSuite) TestPlatform() {
 		asrt.Equal(
 			[]string{"1.1.1.1"},
 			xslices.Map(spec.Resolvers, func(r network.ResolverSpecSpec) string {
-				return strings.Join(xslices.Map(r.DNSServers, netip.Addr.String), ", ")
+				return strings.Join(xslices.Map(r.DNSServers, netip.Addr.String), ", ") //nolint:staticcheck
+			}),
+		)
+		asrt.Equal(
+			[]string{"1.1.1.1"},
+			xslices.Map(spec.Resolvers, func(r network.ResolverSpecSpec) string {
+				return strings.Join(xslices.Map(r.NameServers, func(ns network.NameServerSpec) string {
+					return ns.Addr.String()
+				}), ", ")
 			}),
 		)
 		asrt.Equal(
@ -256,7 +264,9 @@ func (mock *platformMock) NetworkConfiguration(
 		networkConfig.Resolvers = append(
 			networkConfig.Resolvers, network.ResolverSpecSpec{
 				ConfigLayer: network.ConfigPlatform,
-				DNSServers:  mock.resolvers,
+				NameServers: xslices.Map(mock.resolvers, func(addr netip.Addr) network.NameServerSpec {
+					return network.NameServerSpec{Addr: addr}
+				}),
 			},
 		)
 	}
--- a/internal/app/machined/pkg/controllers/network/resolver_config.go
+++ b/internal/app/machined/pkg/controllers/network/resolver_config.go
@ -15,10 +15,11 @@ import (
 	"github.com/cosi-project/runtime/pkg/safe"
 	"github.com/cosi-project/runtime/pkg/state"
 	"github.com/siderolabs/gen/optional"
+	"github.com/siderolabs/gen/xslices"
 	"github.com/siderolabs/go-procfs/procfs"
 	"go.uber.org/zap"

-	talosconfig "github.com/siderolabs/talos/pkg/machinery/config"
+	talosconfig "github.com/siderolabs/talos/pkg/machinery/config/config"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
@ -105,7 +106,7 @@ func (ctrl *ResolverConfigController) Run(ctx context.Context, r controller.Runt

 		// parse kernel cmdline for the default gateway
 		cmdlineServers := ctrl.parseCmdline(logger)
-		if cmdlineServers.DNSServers != nil {
+		if cmdlineServers.NameServers != nil {
 			specs = append(specs, cmdlineServers)
 		}

@ -177,7 +178,10 @@ func (ctrl *ResolverConfigController) apply(ctx context.Context, r controller.Ru
 }

 func (ctrl *ResolverConfigController) getDefault(cfg talosconfig.Config, hostnameStatus *network.HostnameStatusSpec) (spec network.ResolverSpecSpec) {
-	spec.DNSServers = []netip.Addr{netip.MustParseAddr(constants.DefaultPrimaryResolver), netip.MustParseAddr(constants.DefaultSecondaryResolver)}
+	spec.NameServers = []network.NameServerSpec{
+		{Addr: netip.MustParseAddr(constants.DefaultPrimaryResolver)},
+		{Addr: netip.MustParseAddr(constants.DefaultSecondaryResolver)},
+	}
 	spec.ConfigLayer = network.ConfigDefault

 	if cfg == nil ||
@ -209,7 +213,9 @@ func (ctrl *ResolverConfigController) parseCmdline(logger *zap.Logger) (spec net
 		return spec
 	}

-	spec.DNSServers = settings.DNSAddresses
+	spec.NameServers = xslices.Map(settings.DNSAddresses, func(addr netip.Addr) network.NameServerSpec {
+		return network.NameServerSpec{Addr: addr}
+	})
 	spec.ConfigLayer = network.ConfigCmdline

 	return spec
@ -229,7 +235,14 @@ func (ctrl *ResolverConfigController) parseMachineConfiguration(cfgProvider talo
 		return spec, false
 	}

-	spec.DNSServers = slices.Clone(resolvers)
+	spec.NameServers = xslices.Map(resolvers, func(r talosconfig.NetworkResolver) network.NameServerSpec {
+		return network.NameServerSpec{
+			Addr:          r.Addr,
+			Protocol:      r.Protocol,
+			TLSServerName: r.TLSServerName,
+		}
+	})
+
 	spec.SearchDomains = slices.Clone(searchDomains)
 	spec.ConfigLayer = network.ConfigMachineConfiguration

--- a/internal/app/machined/pkg/controllers/network/resolver_config_test.go
+++ b/internal/app/machined/pkg/controllers/network/resolver_config_test.go
@ -21,6 +21,7 @@ import (
 	networkcfg "github.com/siderolabs/talos/pkg/machinery/config/types/network"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 )
@ -38,10 +39,10 @@ func (suite *ResolverConfigSuite) TestDefaults() {
 			"default/resolvers",
 		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
 			asrt.Equal(
-				[]netip.Addr{
-					netip.MustParseAddr(constants.DefaultPrimaryResolver),
-					netip.MustParseAddr(constants.DefaultSecondaryResolver),
-				}, r.TypedSpec().DNSServers,
+				[]network.NameServerSpec{
+					{Addr: netip.MustParseAddr(constants.DefaultPrimaryResolver)},
+					{Addr: netip.MustParseAddr(constants.DefaultSecondaryResolver)},
+				}, r.TypedSpec().NameServers,
 			)
 			asrt.Empty(r.TypedSpec().SearchDomains)
 			asrt.Equal(network.ConfigDefault, r.TypedSpec().ConfigLayer)
@ -87,10 +88,10 @@ func (suite *ResolverConfigSuite) TestWithHostnameStatus() {
 			"default/resolvers",
 		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
 			asrt.Equal(
-				[]netip.Addr{
-					netip.MustParseAddr(constants.DefaultPrimaryResolver),
-					netip.MustParseAddr(constants.DefaultSecondaryResolver),
-				}, r.TypedSpec().DNSServers,
+				[]network.NameServerSpec{
+					{Addr: netip.MustParseAddr(constants.DefaultPrimaryResolver)},
+					{Addr: netip.MustParseAddr(constants.DefaultSecondaryResolver)},
+				}, r.TypedSpec().NameServers,
 			)
 			asrt.Equal([]string{"example.org"}, r.TypedSpec().SearchDomains)
 			asrt.Equal(network.ConfigDefault, r.TypedSpec().ConfigLayer)
@ -145,10 +146,10 @@ func (suite *ResolverConfigSuite) TestCmdline() {
 			"cmdline/resolvers",
 		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
 			asrt.Equal(
-				[]netip.Addr{
-					netip.MustParseAddr("10.0.0.1"),
-					netip.MustParseAddr("10.0.0.2"),
-				}, r.TypedSpec().DNSServers,
+				[]network.NameServerSpec{
+					{Addr: netip.MustParseAddr("10.0.0.1")},
+					{Addr: netip.MustParseAddr("10.0.0.2")},
+				}, r.TypedSpec().NameServers,
 			)
 			asrt.Empty(r.TypedSpec().SearchDomains)
 		},
@ -185,16 +186,16 @@ func (suite *ResolverConfigSuite) TestMachineConfigurationLegacy() {

 	suite.Create(cfg)

-	ctest.AssertResources(
+	ctest.AssertResources( //nolint:dupl
 		suite,
 		[]string{
 			"configuration/resolvers",
 		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
 			asrt.Equal(
-				[]netip.Addr{
-					netip.MustParseAddr("2.2.2.2"),
-					netip.MustParseAddr("3.3.3.3"),
-				}, r.TypedSpec().DNSServers,
+				[]network.NameServerSpec{
+					{Addr: netip.MustParseAddr("2.2.2.2")},
+					{Addr: netip.MustParseAddr("3.3.3.3")},
+				}, r.TypedSpec().NameServers,
 			)

 			asrt.Equal(
@ -237,16 +238,16 @@ func (suite *ResolverConfigSuite) TestMachineConfigurationNewStyle() {
 	cfg := config.NewMachineConfig(ctr)
 	suite.Create(cfg)

-	ctest.AssertResources(
+	ctest.AssertResources( //nolint:dupl
 		suite,
 		[]string{
 			"configuration/resolvers",
 		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
 			asrt.Equal(
-				[]netip.Addr{
-					netip.MustParseAddr("2.2.2.2"),
-					netip.MustParseAddr("3.3.3.3"),
-				}, r.TypedSpec().DNSServers,
+				[]network.NameServerSpec{
+					{Addr: netip.MustParseAddr("2.2.2.2")},
+					{Addr: netip.MustParseAddr("3.3.3.3")},
+				}, r.TypedSpec().NameServers,
 			)

 			asrt.Equal(
@ -262,6 +263,47 @@ func (suite *ResolverConfigSuite) TestMachineConfigurationNewStyle() {
 	ctest.AssertNoResource[*network.ResolverSpec](suite, "configuration/resolvers", rtestutils.WithNamespace(network.ConfigNamespaceName))
 }

+func (suite *ResolverConfigSuite) TestMachineConfigurationDNSOverTLS() {
+	suite.Require().NoError(suite.Runtime().RegisterController(&netctrl.ResolverConfigController{}))
+
+	rc := networkcfg.NewResolverConfigV1Alpha1()
+	rc.ResolverNameservers = []networkcfg.NameserverConfig{
+		{
+			Address:       networkcfg.Addr{Addr: netip.MustParseAddr("9.9.9.9")},
+			Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+			TLSServerName: "dns.quad9.net",
+		},
+		{
+			Address: networkcfg.Addr{Addr: netip.MustParseAddr("8.8.8.8")},
+		},
+	}
+
+	ctr, err := container.New(rc)
+	suite.Require().NoError(err)
+
+	cfg := config.NewMachineConfig(ctr)
+	suite.Create(cfg)
+
+	ctest.AssertResources(
+		suite,
+		[]string{
+			"configuration/resolvers",
+		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
+			asrt.Equal(
+				[]network.NameServerSpec{
+					{
+						Addr:          netip.MustParseAddr("9.9.9.9"),
+						Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+						TLSServerName: "dns.quad9.net",
+					},
+					{Addr: netip.MustParseAddr("8.8.8.8")},
+				}, r.TypedSpec().NameServers,
+			)
+		},
+		rtestutils.WithNamespace(network.ConfigNamespaceName),
+	)
+}
+
 func TestResolverConfigSuite(t *testing.T) {
 	t.Parallel()

--- a/internal/app/machined/pkg/controllers/network/resolver_merge.go
+++ b/internal/app/machined/pkg/controllers/network/resolver_merge.go
@ -7,7 +7,6 @@ package network

 import (
 	"cmp"
-	"net/netip"
 	"slices"

 	"github.com/cosi-project/runtime/pkg/controller"
@ -50,21 +49,23 @@ func NewResolverMergeController() controller.Controller {
 				switch spec.ConfigLayer { //nolint:exhaustive
 				case final.ConfigLayer:
 					// simply append server lists on the same layer
-					final.DNSServers = append(final.DNSServers, spec.DNSServers...)
+					final.NameServers = append(final.NameServers, spec.NameServers...)
 				case network.ConfigMachineConfiguration:
 					// machine configuration overrides previous layers, but only when DNS servers are set
-					if len(spec.DNSServers) > 0 {
-						final.DNSServers = slices.Clone(spec.DNSServers)
+					if len(spec.NameServers) > 0 {
+						final.NameServers = slices.Clone(spec.NameServers)
 					}
 				default:
 					// otherwise, do a smart merge across IPv4/IPv6
-					mergeDNSServers(&final.DNSServers, spec.DNSServers)
+					mergeNameServers(&final.NameServers, spec.NameServers)
 				}

 				final.ConfigLayer = spec.ConfigLayer
 			}

-			if final.DNSServers != nil {
+			if final.NameServers != nil {
+				final.Convert() // convert deprecated fields for backward compatibility
+
 				return map[resource.ID]*network.ResolverSpecSpec{
 					network.ResolverID: &final,
 				}
@ -75,25 +76,25 @@ func NewResolverMergeController() controller.Controller {
 	)
 }

-func mergeDNSServers(dst *[]netip.Addr, src []netip.Addr) {
+func mergeNameServers(dst *[]network.NameServerSpec, src []network.NameServerSpec) {
 	if *dst == nil {
 		*dst = slices.Clone(src)

 		return
 	}

-	srcHasV4 := slices.IndexFunc(src, netip.Addr.Is4) != -1
-	srcHasV6 := slices.IndexFunc(src, netip.Addr.Is6) != -1
-	dstHasV4 := slices.IndexFunc(*dst, netip.Addr.Is4) != -1
-	dstHasV6 := slices.IndexFunc(*dst, netip.Addr.Is6) != -1
+	srcHasV4 := slices.IndexFunc(src, func(ns network.NameServerSpec) bool { return ns.Addr.Is4() }) != -1
+	srcHasV6 := slices.IndexFunc(src, func(ns network.NameServerSpec) bool { return ns.Addr.Is6() }) != -1
+	dstHasV4 := slices.IndexFunc(*dst, func(ns network.NameServerSpec) bool { return ns.Addr.Is4() }) != -1
+	dstHasV6 := slices.IndexFunc(*dst, func(ns network.NameServerSpec) bool { return ns.Addr.Is6() }) != -1

 	// if old set has IPv4, and new one doesn't, preserve IPv4
 	// and same vice versa for IPv6
 	switch {
 	case dstHasV4 && !srcHasV4:
-		*dst = slices.Concat(src, xslices.Filter(*dst, netip.Addr.Is4))
+		*dst = slices.Concat(src, xslices.Filter(*dst, func(ns network.NameServerSpec) bool { return ns.Addr.Is4() }))
 	case dstHasV6 && !srcHasV6:
-		*dst = slices.Concat(src, xslices.Filter(*dst, netip.Addr.Is6))
+		*dst = slices.Concat(src, xslices.Filter(*dst, func(ns network.NameServerSpec) bool { return ns.Addr.Is6() }))
 	default:
 		*dst = slices.Clone(src)
 	}
--- a/internal/app/machined/pkg/controllers/network/resolver_merge_test.go
+++ b/internal/app/machined/pkg/controllers/network/resolver_merge_test.go
@ -17,6 +17,7 @@ import (
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
 	netctrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/network"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 )

@ -31,28 +32,34 @@ func (suite *ResolverMergeSuite) assertResolvers(requiredIDs []string, check fun
 func (suite *ResolverMergeSuite) TestMerge() {
 	def := network.NewResolverSpec(network.ConfigNamespaceName, "default/resolvers")
 	*def.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers: []netip.Addr{
-			netip.MustParseAddr(constants.DefaultPrimaryResolver),
-			netip.MustParseAddr(constants.DefaultSecondaryResolver),
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr(constants.DefaultPrimaryResolver)},
+			{Addr: netip.MustParseAddr(constants.DefaultSecondaryResolver)},
 		},
 		ConfigLayer: network.ConfigDefault,
 	}

 	dhcp1 := network.NewResolverSpec(network.ConfigNamespaceName, "dhcp/eth0")
 	*dhcp1.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers:  []netip.Addr{netip.MustParseAddr("1.1.2.0")},
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr("1.1.2.0")},
+		},
 		ConfigLayer: network.ConfigOperator,
 	}

 	dhcp2 := network.NewResolverSpec(network.ConfigNamespaceName, "dhcp/eth1")
 	*dhcp2.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers:  []netip.Addr{netip.MustParseAddr("1.1.2.1")},
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr("1.1.2.1")},
+		},
 		ConfigLayer: network.ConfigOperator,
 	}

 	static := network.NewResolverSpec(network.ConfigNamespaceName, "configuration/resolvers")
 	*static.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers:    []netip.Addr{netip.MustParseAddr("2.2.2.2")},
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr("2.2.2.2")},
+		},
 		SearchDomains: []string{"example.com", "example.org", "example.net"},
 		ConfigLayer:   network.ConfigMachineConfiguration,
 	}
@ -65,7 +72,15 @@ func (suite *ResolverMergeSuite) TestMerge() {
 		[]string{
 			"resolvers",
 		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
-			asrt.Equal(*static.TypedSpec(), *r.TypedSpec())
+			asrt.Equal(
+				[]network.NameServerSpec{
+					{Addr: netip.MustParseAddr("2.2.2.2")},
+				}, r.TypedSpec().NameServers,
+			)
+			asrt.Equal(
+				[]netip.Addr{netip.MustParseAddr("2.2.2.2")}, r.TypedSpec().DNSServers, //nolint:staticcheck
+			)
+			asrt.Equal(network.ConfigMachineConfiguration, r.TypedSpec().ConfigLayer)
 			asrt.Equal([]string{"example.com", "example.org", "example.net"}, r.TypedSpec().SearchDomains)
 		},
 	)
@ -76,7 +91,13 @@ func (suite *ResolverMergeSuite) TestMerge() {
 		[]string{
 			"resolvers",
 		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
-			asrt.Equal([]netip.Addr{netip.MustParseAddr("1.1.2.0"), netip.MustParseAddr("1.1.2.1")}, r.TypedSpec().DNSServers)
+			asrt.Equal(
+				[]network.NameServerSpec{
+					{Addr: netip.MustParseAddr("1.1.2.0")},
+					{Addr: netip.MustParseAddr("1.1.2.1")},
+				}, r.TypedSpec().NameServers,
+			)
+			asrt.Equal([]netip.Addr{netip.MustParseAddr("1.1.2.0"), netip.MustParseAddr("1.1.2.1")}, r.TypedSpec().DNSServers) //nolint:staticcheck
 		},
 	)
 }
@ -84,22 +105,27 @@ func (suite *ResolverMergeSuite) TestMerge() {
 func (suite *ResolverMergeSuite) TestMergeIPv46() {
 	def := network.NewResolverSpec(network.ConfigNamespaceName, "default/resolvers")
 	*def.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers: []netip.Addr{
-			netip.MustParseAddr(constants.DefaultPrimaryResolver),
-			netip.MustParseAddr(constants.DefaultSecondaryResolver),
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr(constants.DefaultPrimaryResolver)},
+			{Addr: netip.MustParseAddr(constants.DefaultSecondaryResolver)},
 		},
 		ConfigLayer: network.ConfigDefault,
 	}

 	platform := network.NewResolverSpec(network.ConfigNamespaceName, "platform/resolvers")
 	*platform.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers:  []netip.Addr{netip.MustParseAddr("1.1.2.0"), netip.MustParseAddr("fe80::1")},
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr("1.1.2.0")},
+			{Addr: netip.MustParseAddr("fe80::1")},
+		},
 		ConfigLayer: network.ConfigPlatform,
 	}

 	dhcp := network.NewResolverSpec(network.ConfigNamespaceName, "dhcp/eth1")
 	*dhcp.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers:  []netip.Addr{netip.MustParseAddr("1.1.2.1")},
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr("1.1.2.1")},
+		},
 		ConfigLayer: network.ConfigOperator,
 	}

@ -112,7 +138,11 @@ func (suite *ResolverMergeSuite) TestMergeIPv46() {
 			"resolvers",
 		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
 			asrt.Equal(network.ConfigOperator, r.TypedSpec().ConfigLayer)
-			asrt.Equal(`["1.1.2.1" "fe80::1"]`, fmt.Sprintf("%q", r.TypedSpec().DNSServers))
+			asrt.Equal([]network.NameServerSpec{
+				{Addr: netip.MustParseAddr("1.1.2.1")},
+				{Addr: netip.MustParseAddr("fe80::1")},
+			}, r.TypedSpec().NameServers)
+			asrt.Equal(`["1.1.2.1" "fe80::1"]`, fmt.Sprintf("%q", r.TypedSpec().DNSServers)) //nolint:staticcheck
 		},
 	)
 }
@ -120,16 +150,18 @@ func (suite *ResolverMergeSuite) TestMergeIPv46() {
 func (suite *ResolverMergeSuite) TestMergeSearchDomainsOnlyConfig() {
 	def := network.NewResolverSpec(network.ConfigNamespaceName, "default/resolvers")
 	*def.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers: []netip.Addr{
-			netip.MustParseAddr(constants.DefaultPrimaryResolver),
-			netip.MustParseAddr(constants.DefaultSecondaryResolver),
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr(constants.DefaultPrimaryResolver)},
+			{Addr: netip.MustParseAddr(constants.DefaultSecondaryResolver)},
 		},
 		ConfigLayer: network.ConfigDefault,
 	}

 	dhcp := network.NewResolverSpec(network.ConfigNamespaceName, "dhcp/eth0")
 	*dhcp.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers:    []netip.Addr{netip.MustParseAddr("192.168.131.1")},
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr("192.168.131.1")},
+		},
 		SearchDomains: []string{"somewhere.com", "home.lab"},
 		ConfigLayer:   network.ConfigOperator,
 	}
@ -148,7 +180,11 @@ func (suite *ResolverMergeSuite) TestMergeSearchDomainsOnlyConfig() {
 		[]string{
 			"resolvers",
 		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
-			asrt.Equal([]netip.Addr{netip.MustParseAddr("192.168.131.1")}, r.TypedSpec().DNSServers)
+			asrt.Equal([]netip.Addr{netip.MustParseAddr("192.168.131.1")}, r.TypedSpec().DNSServers) //nolint:staticcheck
+			asrt.Equal([]network.NameServerSpec{
+				{Addr: netip.MustParseAddr("192.168.131.1")},
+			}, r.TypedSpec().NameServers)
+			asrt.Equal(network.ConfigMachineConfiguration, r.TypedSpec().ConfigLayer)
 			asrt.Equal([]string{"another.lab", "somewhere.com", "home.lab"}, r.TypedSpec().SearchDomains)
 		},
 	)
@ -157,16 +193,18 @@ func (suite *ResolverMergeSuite) TestMergeSearchDomainsOnlyConfig() {
 func (suite *ResolverMergeSuite) TestMergeIPv6OnlyConfig() {
 	def := network.NewResolverSpec(network.ConfigNamespaceName, "default/resolvers")
 	*def.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers: []netip.Addr{
-			netip.MustParseAddr(constants.DefaultPrimaryResolver),
-			netip.MustParseAddr(constants.DefaultSecondaryResolver),
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr(constants.DefaultPrimaryResolver)},
+			{Addr: netip.MustParseAddr(constants.DefaultSecondaryResolver)},
 		},
 		ConfigLayer: network.ConfigDefault,
 	}

 	cfg := network.NewResolverSpec(network.ConfigNamespaceName, "cfg/resolvers")
 	*cfg.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers:  []netip.Addr{netip.MustParseAddr("fe80::1")},
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr("fe80::1")},
+		},
 		ConfigLayer: network.ConfigMachineConfiguration,
 	}

@ -179,7 +217,65 @@ func (suite *ResolverMergeSuite) TestMergeIPv6OnlyConfig() {
 			"resolvers",
 		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
 			asrt.Equal(network.ConfigMachineConfiguration, r.TypedSpec().ConfigLayer)
-			asrt.Equal(`["fe80::1"]`, fmt.Sprintf("%q", r.TypedSpec().DNSServers))
+			asrt.Equal([]network.NameServerSpec{
+				{Addr: netip.MustParseAddr("fe80::1")},
+			}, r.TypedSpec().NameServers)
+			asrt.Equal(`["fe80::1"]`, fmt.Sprintf("%q", r.TypedSpec().DNSServers)) //nolint:staticcheck
+		},
+	)
+}
+
+func (suite *ResolverMergeSuite) TestMergeDNSOverTLS() {
+	def := network.NewResolverSpec(network.ConfigNamespaceName, "default/resolvers")
+	*def.TypedSpec() = network.ResolverSpecSpec{
+		NameServers: []network.NameServerSpec{
+			{Addr: netip.MustParseAddr(constants.DefaultPrimaryResolver)},
+			{Addr: netip.MustParseAddr(constants.DefaultSecondaryResolver)},
+		},
+		ConfigLayer: network.ConfigDefault,
+	}
+
+	static := network.NewResolverSpec(network.ConfigNamespaceName, "configuration/resolvers")
+	*static.TypedSpec() = network.ResolverSpecSpec{
+		NameServers: []network.NameServerSpec{
+			{
+				Addr:          netip.MustParseAddr("9.9.9.9"),
+				Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+				TLSServerName: "dns.quad9.net",
+			},
+			{
+				Addr: netip.MustParseAddr("8.8.8.8"),
+			},
+		},
+		ConfigLayer: network.ConfigMachineConfiguration,
+	}
+
+	for _, res := range []resource.Resource{def, static} {
+		suite.Create(res)
+	}
+
+	suite.assertResolvers(
+		[]string{
+			"resolvers",
+		}, func(r *network.ResolverSpec, asrt *assert.Assertions) {
+			asrt.Equal(network.ConfigMachineConfiguration, r.TypedSpec().ConfigLayer)
+			asrt.Equal(
+				[]netip.Addr{netip.MustParseAddr("9.9.9.9"), netip.MustParseAddr("8.8.8.8")},
+				r.TypedSpec().DNSServers, //nolint:staticcheck
+			)
+			asrt.Equal(
+				[]network.NameServerSpec{
+					{
+						Addr:          netip.MustParseAddr("9.9.9.9"),
+						Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+						TLSServerName: "dns.quad9.net",
+					},
+					{
+						Addr: netip.MustParseAddr("8.8.8.8"),
+					},
+				},
+				r.TypedSpec().NameServers,
+			)
 		},
 	)
 }
--- a/internal/app/machined/pkg/controllers/network/resolver_spec.go
+++ b/internal/app/machined/pkg/controllers/network/resolver_spec.go
@ -7,11 +7,13 @@ package network
 import (
 	"context"
 	"fmt"
+	"slices"

 	"github.com/cosi-project/runtime/pkg/controller"
 	"github.com/cosi-project/runtime/pkg/resource"
 	"github.com/cosi-project/runtime/pkg/safe"
 	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/siderolabs/gen/xslices"
 	"go.uber.org/zap"

 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
@ -88,13 +90,14 @@ func (ctrl *ResolverSpecController) Run(ctx context.Context, r controller.Runtim
 			case resource.PhaseRunning:
 				logger.Info(
 					"setting resolvers",
-					zap.Stringers("resolvers", spec.TypedSpec().DNSServers),
-					zap.Strings("searchDomains", spec.TypedSpec().SearchDomains),
+					zap.Strings("resolvers", xslices.Map(spec.TypedSpec().NameServers, network.NameServerSpec.String)),
+					zap.Strings("search_domains", spec.TypedSpec().SearchDomains),
 				)

 				if err = safe.WriterModify(ctx, r, network.NewResolverStatus(network.NamespaceName, spec.Metadata().ID()), func(r *network.ResolverStatus) error {
-					r.TypedSpec().DNSServers = spec.TypedSpec().DNSServers
+					r.TypedSpec().DNSServers = slices.Clone(spec.TypedSpec().DNSServers) //nolint:staticcheck
 					r.TypedSpec().SearchDomains = spec.TypedSpec().SearchDomains
+					r.TypedSpec().NameServers = slices.Clone(spec.TypedSpec().NameServers)

 					return nil
 				}); err != nil {
--- a/internal/app/machined/pkg/controllers/network/resolver_spec_test.go
+++ b/internal/app/machined/pkg/controllers/network/resolver_spec_test.go
@ -27,14 +27,16 @@ func (suite *ResolverSpecSuite) TestSpec() {

 	spec := network.NewResolverSpec(network.NamespaceName, "resolvers")
 	*spec.TypedSpec() = network.ResolverSpecSpec{
-		DNSServers:  []netip.Addr{netip.MustParseAddr(constants.DefaultPrimaryResolver)},
+		NameServers: []network.NameServerSpec{{Addr: netip.MustParseAddr(constants.DefaultPrimaryResolver)}},
+		DNSServers:  []netip.Addr{netip.MustParseAddr(constants.DefaultPrimaryResolver)}, //nolint:staticcheck // backward compatibility
 		ConfigLayer: network.ConfigDefault,
 	}

 	suite.Create(spec)

 	ctest.AssertResource(suite, "resolvers", func(r *network.ResolverStatus, asrt *assert.Assertions) {
-		asrt.Equal([]netip.Addr{netip.MustParseAddr(constants.DefaultPrimaryResolver)}, r.TypedSpec().DNSServers)
+		asrt.Equal([]netip.Addr{netip.MustParseAddr(constants.DefaultPrimaryResolver)}, r.TypedSpec().DNSServers) //nolint:staticcheck // backward compatibility
+		asrt.Equal([]network.NameServerSpec{{Addr: netip.MustParseAddr(constants.DefaultPrimaryResolver)}}, r.TypedSpec().NameServers)
 	})
 }

--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/aws/aws.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/aws/aws.go
@ -26,6 +26,7 @@ import (
 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform/internal/netutils"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
 	"github.com/siderolabs/talos/pkg/machinery/imager/quirks"
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 	runtimeres "github.com/siderolabs/talos/pkg/machinery/resources/runtime"
 )
@ -224,10 +225,18 @@ func (a *AWS) ParseMetadata(metadata *MetadataConfig) (*runtime.PlatformNetworkC

 			dns, _ := netip.ParseAddr(awsIPv6DNSServer) //nolint:errcheck

-			networkConfig.Resolvers = append(networkConfig.Resolvers, network.ResolverSpecSpec{
-				DNSServers:  []netip.Addr{dns},
+			resolverSpec := network.ResolverSpecSpec{
+				NameServers: []network.NameServerSpec{
+					{
+						Addr:     dns,
+						Protocol: nethelpers.DNSProtocolDefault,
+					},
+				},
 				ConfigLayer: network.ConfigPlatform,
-			})
+			}
+			resolverSpec.Convert()
+
+			networkConfig.Resolvers = append(networkConfig.Resolvers, resolverSpec)
 		}
 	}

--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/aws/testdata/expected-v6.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/aws/testdata/expected-v6.yaml
@ -15,6 +15,10 @@ hostnames:
 resolvers:
    - dnsServers:
        - fd00:ec2::253
+      nameServers:
+        - addr: fd00:ec2::253
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
 timeServers:
    - timeServers:
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/aws/testdata/expected-v6only.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/aws/testdata/expected-v6only.yaml
@ -15,6 +15,10 @@ hostnames:
 resolvers:
    - dnsServers:
        - fd00:ec2::253
+      nameServers:
+        - addr: fd00:ec2::253
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
 timeServers:
    - timeServers:
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/container/container.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/container/container.go
@ -72,7 +72,7 @@ func (c *Container) NetworkConfiguration(ctx context.Context, _ state.State, ch
 		return err
 	}

-	if len(resolverSpec.DNSServers) > 0 {
+	if len(resolverSpec.NameServers) > 0 {
 		networkConfig.Resolvers = append(networkConfig.Resolvers, resolverSpec)
 	}

--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/container/internal/files/resolv.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/container/internal/files/resolv.go
@ -9,6 +9,7 @@ import (
 	"net/netip"
 	"os"

+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 )

@ -34,9 +35,14 @@ func ReadResolvConf(path string) (network.ResolverSpecSpec, error) {
 		line = bytes.TrimSpace(bytes.TrimPrefix(line, []byte("nameserver")))

 		if addr, err := netip.ParseAddr(string(line)); err == nil {
-			resolverSpec.DNSServers = append(resolverSpec.DNSServers, addr)
+			resolverSpec.NameServers = append(resolverSpec.NameServers, network.NameServerSpec{
+				Addr:     addr,
+				Protocol: nethelpers.DNSProtocolDefault,
+			})
 		}
 	}

+	resolverSpec.Convert()
+
 	return resolverSpec, nil
 }
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/container/internal/files/resolv_test.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/container/internal/files/resolv_test.go
@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime/v1alpha1/platform/container/internal/files"
+	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 )

 func TestReadResolvConf(t *testing.T) {
@ -19,8 +20,8 @@ func TestReadResolvConf(t *testing.T) {
 	spec, err := files.ReadResolvConf("testdata/resolv.conf")
 	require.NoError(t, err)

-	require.Equal(t, []netip.Addr{
-		netip.MustParseAddr("127.0.0.53"),
-		netip.MustParseAddr("::1"),
-	}, spec.DNSServers)
+	require.Equal(t, []network.NameServerSpec{
+		{Addr: netip.MustParseAddr("127.0.0.53")},
+		{Addr: netip.MustParseAddr("::1")},
+	}, spec.NameServers)
 }
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/digitalocean/digitalocean.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/digitalocean/digitalocean.go
@ -13,6 +13,7 @@ import (
 	"strconv"

 	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/siderolabs/gen/xslices"
 	"github.com/siderolabs/go-procfs/procfs"

 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
@ -62,10 +63,18 @@ func (d *DigitalOcean) ParseMetadata(metadata *MetadataConfig) (*runtime.Platfor
 			}
 		}

-		networkConfig.Resolvers = append(networkConfig.Resolvers, network.ResolverSpecSpec{
-			DNSServers:  dnsIPs,
+		resolverSpec := network.ResolverSpecSpec{
+			NameServers: xslices.Map(dnsIPs, func(addr netip.Addr) network.NameServerSpec {
+				return network.NameServerSpec{
+					Addr:     addr,
+					Protocol: nethelpers.DNSProtocolDefault,
+				}
+			}),
 			ConfigLayer: network.ConfigPlatform,
-		})
+		}
+		resolverSpec.Convert()
+
+		networkConfig.Resolvers = append(networkConfig.Resolvers, resolverSpec)
 	}

 	networkConfig.Links = append(networkConfig.Links, network.LinkSpecSpec{
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/digitalocean/testdata/expected.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/digitalocean/testdata/expected.yaml
@ -83,6 +83,13 @@ resolvers:
    - dnsServers:
        - 67.207.67.2
        - 67.207.67.3
+      nameServers:
+        - addr: 67.207.67.2
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 67.207.67.3
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
 timeServers: []
 operators: []
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/gcp/gcp.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/gcp/gcp.go
@ -56,10 +56,18 @@ func (g *GCP) ParseMetadata(metadata *MetadataConfig, interfaces []NetworkInterf

 	dns, _ := netip.ParseAddr(gcpResolverServer) //nolint:errcheck

-	networkConfig.Resolvers = append(networkConfig.Resolvers, network.ResolverSpecSpec{
-		DNSServers:  []netip.Addr{dns},
+	resolverSpec := network.ResolverSpecSpec{
+		NameServers: []network.NameServerSpec{
+			{
+				Addr:     dns,
+				Protocol: nethelpers.DNSProtocolDefault,
+			},
+		},
 		ConfigLayer: network.ConfigPlatform,
-	})
+	}
+	resolverSpec.Convert()
+
+	networkConfig.Resolvers = append(networkConfig.Resolvers, resolverSpec)

 	networkConfig.TimeServers = append(networkConfig.TimeServers, network.TimeServerSpecSpec{
 		NTPServers:  []string{gcpTimeServer},
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/gcp/testdata/expected.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/gcp/testdata/expected.yaml
@ -33,6 +33,10 @@ hostnames:
 resolvers:
    - dnsServers:
        - 169.254.169.254
+      nameServers:
+        - addr: 169.254.169.254
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
 timeServers:
    - timeServers:
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/metadata.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/metadata.go
@ -22,6 +22,7 @@ import (
 	"github.com/cosi-project/runtime/pkg/safe"
 	"github.com/cosi-project/runtime/pkg/state"
 	"github.com/siderolabs/gen/maps"
+	"github.com/siderolabs/gen/xslices"
 	yaml "go.yaml.in/yaml/v4"

 	networkadapter "github.com/siderolabs/talos/internal/app/machined/pkg/adapters/network"
@ -427,10 +428,18 @@ func (n *Nocloud) applyNetworkConfigV1(ctx context.Context, config *NetworkConfi
 				}
 			}

-			networkConfig.Resolvers = append(networkConfig.Resolvers, network.ResolverSpecSpec{
-				DNSServers:  dnsIPs,
+			resolverSpec := network.ResolverSpecSpec{
+				NameServers: xslices.Map(dnsIPs, func(addr netip.Addr) network.NameServerSpec {
+					return network.NameServerSpec{
+						Addr:     addr,
+						Protocol: nethelpers.DNSProtocolDefault,
+					}
+				}),
 				ConfigLayer: network.ConfigPlatform,
-			})
+			}
+			resolverSpec.Convert()
+
+			networkConfig.Resolvers = append(networkConfig.Resolvers, resolverSpec)
 		case "bond":
 			name := ntwrk.Interfaces

@ -917,10 +926,18 @@ func (n *Nocloud) applyNetworkConfigV2(ctx context.Context, config *NetworkConfi
 	}

 	if len(dnsIPs) > 0 {
-		networkConfig.Resolvers = append(networkConfig.Resolvers, network.ResolverSpecSpec{
-			DNSServers:  dnsIPs,
+		resolverSpec := network.ResolverSpecSpec{
+			NameServers: xslices.Map(dnsIPs, func(addr netip.Addr) network.NameServerSpec {
+				return network.NameServerSpec{
+					Addr:     addr,
+					Protocol: nethelpers.DNSProtocolDefault,
+				}
+			}),
 			ConfigLayer: network.ConfigPlatform,
-		})
+		}
+		resolverSpec.Convert()
+
+		networkConfig.Resolvers = append(networkConfig.Resolvers, resolverSpec)
 	}

 	return needsReconcile, nil
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/testdata/expected-v1-pnap.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/testdata/expected-v1-pnap.yaml
@ -96,6 +96,13 @@ resolvers:
    - dnsServers:
        - 8.8.8.8
        - 8.8.4.4
+      nameServers:
+        - addr: 8.8.8.8
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 8.8.4.4
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
 timeServers: []
 operators: []
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/testdata/expected-v1.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/testdata/expected-v1.yaml
@ -94,6 +94,10 @@ hostnames:
 resolvers:
    - dnsServers:
        - 192.168.1.1
+      nameServers:
+        - addr: 192.168.1.1
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
 timeServers: []
 operators: []
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/testdata/expected-v2-nocloud-ipv6-on-link.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/testdata/expected-v2-nocloud-ipv6-on-link.yaml
@ -76,6 +76,13 @@ resolvers:
    - dnsServers:
        - 1.1.1.1
        - 2606:4700:4700::1111
+      nameServers:
+        - addr: 1.1.1.1
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 2606:4700:4700::1111
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
 timeServers: []
 operators: []
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/testdata/expected-v2.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/nocloud/testdata/expected-v2.yaml
@ -192,6 +192,16 @@ resolvers:
        - 8.8.8.8
        - 1.1.1.1
        - 2.2.2.2
+      nameServers:
+        - addr: 8.8.8.8
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 1.1.1.1
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 2.2.2.2
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
 timeServers: []
 operators:
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/dns_test.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/dns_test.go
@ -103,7 +103,7 @@ NAME = "test"

 			var dnsStrs []string

-			for _, ip := range resolver.DNSServers {
+			for _, ip := range resolver.DNSServers { //nolint:staticcheck
 				dnsStrs = append(dnsStrs, ip.String())
 			}

--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/opennebula.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/opennebula.go
@ -17,6 +17,7 @@ import (

 	"github.com/cosi-project/runtime/pkg/state"
 	"github.com/hashicorp/go-envparse"
+	"github.com/siderolabs/gen/xslices"
 	"github.com/siderolabs/go-procfs/procfs"

 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
@ -827,11 +828,19 @@ func (o *OpenNebula) ParseMetadata(st state.State, oneContextPlain []byte) (*run
 	}

 	if len(allDNSIPs)+len(allSearchDomains) > 0 {
-		networkConfig.Resolvers = append(networkConfig.Resolvers, network.ResolverSpecSpec{
-			DNSServers:    allDNSIPs,
+		resolverSpec := network.ResolverSpecSpec{
+			NameServers: xslices.Map(allDNSIPs, func(addr netip.Addr) network.NameServerSpec {
+				return network.NameServerSpec{
+					Addr:     addr,
+					Protocol: nethelpers.DNSProtocolDefault,
+				}
+			}),
 			SearchDomains: allSearchDomains,
 			ConfigLayer:   network.ConfigPlatform,
-		})
+		}
+		resolverSpec.Convert()
+
+		networkConfig.Resolvers = append(networkConfig.Resolvers, resolverSpec)
 	}

 	hostnameSpec := network.HostnameSpecSpec{
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/testdata/expected.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/testdata/expected.yaml
@ -66,6 +66,19 @@ resolvers:
        - 192.168.1.1
        - 8.8.8.8
        - 1.1.1.1
+      nameServers:
+        - addr: 9.9.9.9
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 192.168.1.1
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 8.8.8.8
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 1.1.1.1
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
      searchDomains:
        - global.example.com
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/testdata/expected_no_network_flag.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/opennebula/testdata/expected_no_network_flag.yaml
@ -66,6 +66,19 @@ resolvers:
        - 192.168.1.1
        - 8.8.8.8
        - 1.1.1.1
+      nameServers:
+        - addr: 9.9.9.9
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 192.168.1.1
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 8.8.8.8
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 1.1.1.1
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
      searchDomains:
        - global.example.com
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/openstack/openstack.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/openstack/openstack.go
@ -20,6 +20,7 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	"github.com/cosi-project/runtime/pkg/safe"
 	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/siderolabs/gen/xslices"
 	"github.com/siderolabs/go-procfs/procfs"

 	networkadapter "github.com/siderolabs/talos/internal/app/machined/pkg/adapters/network"
@ -82,10 +83,18 @@ func (o *OpenStack) ParseMetadata(
 	}

 	if len(dnsIPs) > 0 {
-		networkConfig.Resolvers = append(networkConfig.Resolvers, network.ResolverSpecSpec{
-			DNSServers:  dnsIPs,
+		resolverSpec := network.ResolverSpecSpec{
+			NameServers: xslices.Map(dnsIPs, func(addr netip.Addr) network.NameServerSpec {
+				return network.NameServerSpec{
+					Addr:     addr,
+					Protocol: nethelpers.DNSProtocolDefault,
+				}
+			}),
 			ConfigLayer: network.ConfigPlatform,
-		})
+		}
+		resolverSpec.Convert()
+
+		networkConfig.Resolvers = append(networkConfig.Resolvers, resolverSpec)
 	}

 	hostInterfaces, err := safe.StateListAll[*network.LinkStatus](ctx, st)
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/openstack/testdata/expected.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/openstack/testdata/expected.yaml
@ -187,6 +187,13 @@ resolvers:
    - dnsServers:
        - 8.8.8.8
        - 1.1.1.1
+      nameServers:
+        - addr: 8.8.8.8
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 1.1.1.1
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
 timeServers: []
 operators:
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/oracle/oracle.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/oracle/oracle.go
@ -101,10 +101,18 @@ func (o *Oracle) ParseMetadata(interfaceAddresses []NetworkConfig, metadata *Met

 	dns, _ := netip.ParseAddr(oracleResolverServer) //nolint:errcheck

-	networkConfig.Resolvers = append(networkConfig.Resolvers, network.ResolverSpecSpec{
-		DNSServers:  []netip.Addr{dns},
+	resolverSpec := network.ResolverSpecSpec{
+		NameServers: []network.NameServerSpec{
+			{
+				Addr:     dns,
+				Protocol: nethelpers.DNSProtocolDefault,
+			},
+		},
 		ConfigLayer: network.ConfigPlatform,
-	})
+	}
+	resolverSpec.Convert()
+
+	networkConfig.Resolvers = append(networkConfig.Resolvers, resolverSpec)

 	networkConfig.TimeServers = append(networkConfig.TimeServers, network.TimeServerSpecSpec{
 		NTPServers:  []string{oracleTimeServer},
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/oracle/testdata/expected.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/oracle/testdata/expected.yaml
@ -20,6 +20,10 @@ hostnames:
 resolvers:
    - dnsServers:
        - 169.254.169.254
+      nameServers:
+        - addr: 169.254.169.254
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
 timeServers:
    - timeServers:
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/upcloud/testdata/expected.yaml
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/upcloud/testdata/expected.yaml
@ -56,6 +56,19 @@ resolvers:
        - 94.237.40.9
        - 2a04:3540:53::1
        - 2a04:3544:53::1
+      nameServers:
+        - addr: 94.237.127.9
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 94.237.40.9
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 2a04:3540:53::1
+          protocol: Do53
+          tlsServerName: ""
+        - addr: 2a04:3544:53::1
+          protocol: Do53
+          tlsServerName: ""
      layer: platform
 timeServers: []
 operators:
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/upcloud/upcloud.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/upcloud/upcloud.go
@ -12,6 +12,7 @@ import (
 	"net/netip"

 	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/siderolabs/gen/xslices"
 	"github.com/siderolabs/go-procfs/procfs"

 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
@ -155,10 +156,18 @@ func (u *UpCloud) ParseMetadata(metadata *MetadataConfig) (*runtime.PlatformNetw
 	}

 	if len(dnsIPs) > 0 {
-		networkConfig.Resolvers = append(networkConfig.Resolvers, network.ResolverSpecSpec{
-			DNSServers:  dnsIPs,
+		resolverSpec := network.ResolverSpecSpec{
+			NameServers: xslices.Map(dnsIPs, func(addr netip.Addr) network.NameServerSpec {
+				return network.NameServerSpec{
+					Addr:     addr,
+					Protocol: nethelpers.DNSProtocolDefault,
+				}
+			}),
 			ConfigLayer: network.ConfigPlatform,
-		})
+		}
+		resolverSpec.Convert()
+
+		networkConfig.Resolvers = append(networkConfig.Resolvers, resolverSpec)
 	}

 	for _, ipStr := range publicIPs {
--- a/internal/app/machined/pkg/runtime/v1alpha1/platform/vmware/metadata.go
+++ b/internal/app/machined/pkg/runtime/v1alpha1/platform/vmware/metadata.go
@ -14,6 +14,7 @@ import (

 	"github.com/cosi-project/runtime/pkg/safe"
 	"github.com/cosi-project/runtime/pkg/state"
+	"github.com/siderolabs/gen/xslices"

 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
 	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
@ -256,10 +257,18 @@ func (v *VMware) ApplyNetworkConfigV2(ctx context.Context, st state.State, confi
 	}

 	if len(dnsIPs) > 0 {
-		networkConfig.Resolvers = append(networkConfig.Resolvers, network.ResolverSpecSpec{
-			DNSServers:  dnsIPs,
+		resolverSpec := network.ResolverSpecSpec{
+			NameServers: xslices.Map(dnsIPs, func(addr netip.Addr) network.NameServerSpec {
+				return network.NameServerSpec{
+					Addr:     addr,
+					Protocol: nethelpers.DNSProtocolDefault,
+				}
+			}),
 			ConfigLayer: network.ConfigPlatform,
-		})
+		}
+		resolverSpec.Convert()
+
+		networkConfig.Resolvers = append(networkConfig.Resolvers, resolverSpec)
 	}

 	return nil
--- a/internal/pkg/dashboard/components/networkinfo.go
+++ b/internal/pkg/dashboard/components/networkinfo.go
@ -243,7 +243,7 @@ func (widget *NetworkInfo) gateway(statuses []*network.RouteStatus) string {
 }

 func (widget *NetworkInfo) resolvers(status *network.ResolverStatus) string {
-	strs := xslices.Map(status.TypedSpec().DNSServers, netip.Addr.String)
+	strs := xslices.Map(status.TypedSpec().DNSServers, netip.Addr.String) //nolint:staticcheck // backward compatibility

 	if len(strs) == 0 {
 		return none
--- a/internal/pkg/dashboard/formdata.go
+++ b/internal/pkg/dashboard/formdata.go
@ -12,6 +12,7 @@ import (
 	"unicode"

 	"github.com/hashicorp/go-multierror"
+	"github.com/siderolabs/gen/xslices"

 	"github.com/siderolabs/talos/internal/app/machined/pkg/runtime"
 	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
@ -74,10 +75,13 @@ func (formData *NetworkConfigFormData) ToPlatformNetworkConfig() (*runtime.Platf
 	if len(dnsServers) > 0 {
 		config.Resolvers = []network.ResolverSpecSpec{
 			{
-				DNSServers:  dnsServers,
+				NameServers: xslices.Map(dnsServers, func(addr netip.Addr) network.NameServerSpec {
+					return network.NameServerSpec{Addr: addr}
+				}),
 				ConfigLayer: network.ConfigPlatform,
 			},
 		}
+		config.Resolvers[0].Convert() // handle conversion for backward compatibility
 	}

 	timeServers := formData.splitInputList(formData.TimeServers)
--- a/internal/pkg/dashboard/formdata_test.go
+++ b/internal/pkg/dashboard/formdata_test.go
@ -118,6 +118,10 @@ func TestFilledFormNoIface(t *testing.T) {
 				ConfigLayer: network.ConfigPlatform,
 			}},
 			Resolvers: []network.ResolverSpecSpec{{
+				NameServers: []network.NameServerSpec{
+					{Addr: netip.MustParseAddr("1.2.3.4")},
+					{Addr: netip.MustParseAddr("5.6.7.8")},
+				},
 				DNSServers: []netip.Addr{
 					netip.MustParseAddr("1.2.3.4"),
 					netip.MustParseAddr("5.6.7.8"),
--- a/pkg/machinery/api/resource/definitions/enums/enums.pb.go
+++ b/pkg/machinery/api/resource/definitions/enums/enums.pb.go
@ -857,6 +857,53 @@ func (NethelpersConntrackState) EnumDescriptor() ([]byte, []int) {
 	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{14}
 }

+// NethelpersDNSProtocol is a kind of DNS protocol.
+type NethelpersDNSProtocol int32
+
+const (
+	NethelpersDNSProtocol_DNS_PROTOCOL_DEFAULT      NethelpersDNSProtocol = 0
+	NethelpersDNSProtocol_DNS_PROTOCOL_DNS_OVER_TLS NethelpersDNSProtocol = 1
+)
+
+// Enum value maps for NethelpersDNSProtocol.
+var (
+	NethelpersDNSProtocol_name = map[int32]string{
+		0: "DNS_PROTOCOL_DEFAULT",
+		1: "DNS_PROTOCOL_DNS_OVER_TLS",
+	}
+	NethelpersDNSProtocol_value = map[string]int32{
+		"DNS_PROTOCOL_DEFAULT":      0,
+		"DNS_PROTOCOL_DNS_OVER_TLS": 1,
+	}
+)
+
+func (x NethelpersDNSProtocol) Enum() *NethelpersDNSProtocol {
+	p := new(NethelpersDNSProtocol)
+	*p = x
+	return p
+}
+
+func (x NethelpersDNSProtocol) String() string {
+	return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (NethelpersDNSProtocol) Descriptor() protoreflect.EnumDescriptor {
+	return file_resource_definitions_enums_enums_proto_enumTypes[15].Descriptor()
+}
+
+func (NethelpersDNSProtocol) Type() protoreflect.EnumType {
+	return &file_resource_definitions_enums_enums_proto_enumTypes[15]
+}
+
+func (x NethelpersDNSProtocol) Number() protoreflect.EnumNumber {
+	return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use NethelpersDNSProtocol.Descriptor instead.
+func (NethelpersDNSProtocol) EnumDescriptor() ([]byte, []int) {
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{15}
+}
+
 // NethelpersDuplex wraps ethtool.Duplex for YAML marshaling.
 type NethelpersDuplex int32

@ -891,11 +938,11 @@ func (x NethelpersDuplex) String() string {
 }

 func (NethelpersDuplex) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[15].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[16].Descriptor()
 }

 func (NethelpersDuplex) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[15]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[16]
 }

 func (x NethelpersDuplex) Number() protoreflect.EnumNumber {
@ -904,7 +951,7 @@ func (x NethelpersDuplex) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersDuplex.Descriptor instead.
 func (NethelpersDuplex) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{15}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{16}
 }

 // NethelpersFailOverMAC is a MAC failover mode.
@ -941,11 +988,11 @@ func (x NethelpersFailOverMAC) String() string {
 }

 func (NethelpersFailOverMAC) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[16].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[17].Descriptor()
 }

 func (NethelpersFailOverMAC) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[16]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[17]
 }

 func (x NethelpersFailOverMAC) Number() protoreflect.EnumNumber {
@ -954,7 +1001,7 @@ func (x NethelpersFailOverMAC) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersFailOverMAC.Descriptor instead.
 func (NethelpersFailOverMAC) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{16}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{17}
 }

 // NethelpersFamily is a network family.
@ -991,11 +1038,11 @@ func (x NethelpersFamily) String() string {
 }

 func (NethelpersFamily) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[17].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[18].Descriptor()
 }

 func (NethelpersFamily) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[17]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[18]
 }

 func (x NethelpersFamily) Number() protoreflect.EnumNumber {
@ -1004,7 +1051,7 @@ func (x NethelpersFamily) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersFamily.Descriptor instead.
 func (NethelpersFamily) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{17}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{18}
 }

 // NethelpersICMPType is a ICMP packet type.
@ -1047,11 +1094,11 @@ func (x NethelpersICMPType) String() string {
 }

 func (NethelpersICMPType) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[18].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[19].Descriptor()
 }

 func (NethelpersICMPType) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[18]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[19]
 }

 func (x NethelpersICMPType) Number() protoreflect.EnumNumber {
@ -1060,7 +1107,7 @@ func (x NethelpersICMPType) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersICMPType.Descriptor instead.
 func (NethelpersICMPType) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{18}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{19}
 }

 // NethelpersLACPRate is a LACP rate.
@ -1094,11 +1141,11 @@ func (x NethelpersLACPRate) String() string {
 }

 func (NethelpersLACPRate) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[19].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[20].Descriptor()
 }

 func (NethelpersLACPRate) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[19]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[20]
 }

 func (x NethelpersLACPRate) Number() protoreflect.EnumNumber {
@ -1107,7 +1154,7 @@ func (x NethelpersLACPRate) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersLACPRate.Descriptor instead.
 func (NethelpersLACPRate) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{19}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{20}
 }

 // NethelpersLinkType is a link type.
@ -1366,11 +1413,11 @@ func (x NethelpersLinkType) String() string {
 }

 func (NethelpersLinkType) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[20].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[21].Descriptor()
 }

 func (NethelpersLinkType) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[20]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[21]
 }

 func (x NethelpersLinkType) Number() protoreflect.EnumNumber {
@ -1379,7 +1426,7 @@ func (x NethelpersLinkType) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersLinkType.Descriptor instead.
 func (NethelpersLinkType) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{20}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{21}
 }

 // NethelpersMatchOperator is a netfilter match operator.
@ -1413,11 +1460,11 @@ func (x NethelpersMatchOperator) String() string {
 }

 func (NethelpersMatchOperator) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[21].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[22].Descriptor()
 }

 func (NethelpersMatchOperator) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[21]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[22]
 }

 func (x NethelpersMatchOperator) Number() protoreflect.EnumNumber {
@ -1426,7 +1473,7 @@ func (x NethelpersMatchOperator) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersMatchOperator.Descriptor instead.
 func (NethelpersMatchOperator) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{21}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{22}
 }

 // NethelpersNfTablesChainHook wraps nftables.ChainHook for YAML marshaling.
@ -1469,11 +1516,11 @@ func (x NethelpersNfTablesChainHook) String() string {
 }

 func (NethelpersNfTablesChainHook) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[22].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[23].Descriptor()
 }

 func (NethelpersNfTablesChainHook) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[22]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[23]
 }

 func (x NethelpersNfTablesChainHook) Number() protoreflect.EnumNumber {
@ -1482,7 +1529,7 @@ func (x NethelpersNfTablesChainHook) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersNfTablesChainHook.Descriptor instead.
 func (NethelpersNfTablesChainHook) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{22}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{23}
 }

 // NethelpersNfTablesChainPriority wraps nftables.ChainPriority for YAML marshaling.
@ -1552,11 +1599,11 @@ func (x NethelpersNfTablesChainPriority) String() string {
 }

 func (NethelpersNfTablesChainPriority) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[23].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[24].Descriptor()
 }

 func (NethelpersNfTablesChainPriority) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[23]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[24]
 }

 func (x NethelpersNfTablesChainPriority) Number() protoreflect.EnumNumber {
@ -1565,7 +1612,7 @@ func (x NethelpersNfTablesChainPriority) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersNfTablesChainPriority.Descriptor instead.
 func (NethelpersNfTablesChainPriority) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{23}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{24}
 }

 // NethelpersNfTablesVerdict wraps nftables.Verdict for YAML marshaling.
@ -1599,11 +1646,11 @@ func (x NethelpersNfTablesVerdict) String() string {
 }

 func (NethelpersNfTablesVerdict) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[24].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[25].Descriptor()
 }

 func (NethelpersNfTablesVerdict) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[24]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[25]
 }

 func (x NethelpersNfTablesVerdict) Number() protoreflect.EnumNumber {
@ -1612,7 +1659,7 @@ func (x NethelpersNfTablesVerdict) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersNfTablesVerdict.Descriptor instead.
 func (NethelpersNfTablesVerdict) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{24}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{25}
 }

 // NethelpersOperationalState wraps rtnetlink.OperationalState for YAML marshaling.
@ -1661,11 +1708,11 @@ func (x NethelpersOperationalState) String() string {
 }

 func (NethelpersOperationalState) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[25].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[26].Descriptor()
 }

 func (NethelpersOperationalState) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[25]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[26]
 }

 func (x NethelpersOperationalState) Number() protoreflect.EnumNumber {
@ -1674,7 +1721,7 @@ func (x NethelpersOperationalState) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersOperationalState.Descriptor instead.
 func (NethelpersOperationalState) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{25}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{26}
 }

 // NethelpersPort wraps ethtool.Port for YAML marshaling.
@ -1726,11 +1773,11 @@ func (x NethelpersPort) String() string {
 }

 func (NethelpersPort) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[26].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[27].Descriptor()
 }

 func (NethelpersPort) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[26]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[27]
 }

 func (x NethelpersPort) Number() protoreflect.EnumNumber {
@ -1739,7 +1786,7 @@ func (x NethelpersPort) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersPort.Descriptor instead.
 func (NethelpersPort) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{26}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{27}
 }

 // NethelpersPrimaryReselect is an ARP targets mode.
@ -1776,11 +1823,11 @@ func (x NethelpersPrimaryReselect) String() string {
 }

 func (NethelpersPrimaryReselect) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[27].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[28].Descriptor()
 }

 func (NethelpersPrimaryReselect) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[27]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[28]
 }

 func (x NethelpersPrimaryReselect) Number() protoreflect.EnumNumber {
@ -1789,7 +1836,7 @@ func (x NethelpersPrimaryReselect) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersPrimaryReselect.Descriptor instead.
 func (NethelpersPrimaryReselect) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{27}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{28}
 }

 // NethelpersProtocol is a inet protocol.
@ -1832,11 +1879,11 @@ func (x NethelpersProtocol) String() string {
 }

 func (NethelpersProtocol) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[28].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[29].Descriptor()
 }

 func (NethelpersProtocol) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[28]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[29]
 }

 func (x NethelpersProtocol) Number() protoreflect.EnumNumber {
@ -1845,7 +1892,7 @@ func (x NethelpersProtocol) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersProtocol.Descriptor instead.
 func (NethelpersProtocol) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{28}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{29}
 }

 // NethelpersRouteFlag wraps RTM_F_* constants.
@ -1900,11 +1947,11 @@ func (x NethelpersRouteFlag) String() string {
 }

 func (NethelpersRouteFlag) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[29].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[30].Descriptor()
 }

 func (NethelpersRouteFlag) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[29]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[30]
 }

 func (x NethelpersRouteFlag) Number() protoreflect.EnumNumber {
@ -1913,7 +1960,7 @@ func (x NethelpersRouteFlag) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersRouteFlag.Descriptor instead.
 func (NethelpersRouteFlag) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{29}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{30}
 }

 // NethelpersRouteProtocol is a routing protocol.
@ -2007,11 +2054,11 @@ func (x NethelpersRouteProtocol) String() string {
 }

 func (NethelpersRouteProtocol) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[30].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[31].Descriptor()
 }

 func (NethelpersRouteProtocol) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[30]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[31]
 }

 func (x NethelpersRouteProtocol) Number() protoreflect.EnumNumber {
@ -2020,7 +2067,7 @@ func (x NethelpersRouteProtocol) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersRouteProtocol.Descriptor instead.
 func (NethelpersRouteProtocol) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{30}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{31}
 }

 // NethelpersRouteType is a route type.
@ -2084,11 +2131,11 @@ func (x NethelpersRouteType) String() string {
 }

 func (NethelpersRouteType) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[31].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[32].Descriptor()
 }

 func (NethelpersRouteType) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[31]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[32]
 }

 func (x NethelpersRouteType) Number() protoreflect.EnumNumber {
@ -2097,7 +2144,7 @@ func (x NethelpersRouteType) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersRouteType.Descriptor instead.
 func (NethelpersRouteType) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{31}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{32}
 }

 // NethelpersRoutingRuleAction is a routing rule action.
@ -2140,11 +2187,11 @@ func (x NethelpersRoutingRuleAction) String() string {
 }

 func (NethelpersRoutingRuleAction) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[32].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[33].Descriptor()
 }

 func (NethelpersRoutingRuleAction) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[32]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[33]
 }

 func (x NethelpersRoutingRuleAction) Number() protoreflect.EnumNumber {
@ -2153,7 +2200,7 @@ func (x NethelpersRoutingRuleAction) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersRoutingRuleAction.Descriptor instead.
 func (NethelpersRoutingRuleAction) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{32}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{33}
 }

 // NethelpersRoutingTable is a routing table ID.
@ -2949,11 +2996,11 @@ func (x NethelpersRoutingTable) String() string {
 }

 func (NethelpersRoutingTable) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[33].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[34].Descriptor()
 }

 func (NethelpersRoutingTable) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[33]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[34]
 }

 func (x NethelpersRoutingTable) Number() protoreflect.EnumNumber {
@ -2962,7 +3009,7 @@ func (x NethelpersRoutingTable) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersRoutingTable.Descriptor instead.
 func (NethelpersRoutingTable) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{33}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{34}
 }

 // NethelpersScope is an address scope.
@ -3005,11 +3052,11 @@ func (x NethelpersScope) String() string {
 }

 func (NethelpersScope) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[34].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[35].Descriptor()
 }

 func (NethelpersScope) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[34]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[35]
 }

 func (x NethelpersScope) Number() protoreflect.EnumNumber {
@ -3018,7 +3065,7 @@ func (x NethelpersScope) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersScope.Descriptor instead.
 func (NethelpersScope) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{34}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{35}
 }

 // NethelpersVLANProtocol is a VLAN protocol.
@ -3055,11 +3102,11 @@ func (x NethelpersVLANProtocol) String() string {
 }

 func (NethelpersVLANProtocol) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[35].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[36].Descriptor()
 }

 func (NethelpersVLANProtocol) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[35]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[36]
 }

 func (x NethelpersVLANProtocol) Number() protoreflect.EnumNumber {
@ -3068,7 +3115,7 @@ func (x NethelpersVLANProtocol) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersVLANProtocol.Descriptor instead.
 func (NethelpersVLANProtocol) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{35}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{36}
 }

 // NethelpersWOLMode wraps ethtool.WOLMode for YAML marshaling.
@ -3120,11 +3167,11 @@ func (x NethelpersWOLMode) String() string {
 }

 func (NethelpersWOLMode) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[36].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[37].Descriptor()
 }

 func (NethelpersWOLMode) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[36]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[37]
 }

 func (x NethelpersWOLMode) Number() protoreflect.EnumNumber {
@ -3133,7 +3180,7 @@ func (x NethelpersWOLMode) Number() protoreflect.EnumNumber {

 // Deprecated: Use NethelpersWOLMode.Descriptor instead.
 func (NethelpersWOLMode) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{36}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{37}
 }

 // BlockEncryptionKeyType describes encryption key type.
@ -3173,11 +3220,11 @@ func (x BlockEncryptionKeyType) String() string {
 }

 func (BlockEncryptionKeyType) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[37].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[38].Descriptor()
 }

 func (BlockEncryptionKeyType) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[37]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[38]
 }

 func (x BlockEncryptionKeyType) Number() protoreflect.EnumNumber {
@ -3186,7 +3233,7 @@ func (x BlockEncryptionKeyType) Number() protoreflect.EnumNumber {

 // Deprecated: Use BlockEncryptionKeyType.Descriptor instead.
 func (BlockEncryptionKeyType) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{37}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{38}
 }

 // BlockEncryptionProviderType describes encryption provider type.
@ -3220,11 +3267,11 @@ func (x BlockEncryptionProviderType) String() string {
 }

 func (BlockEncryptionProviderType) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[38].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[39].Descriptor()
 }

 func (BlockEncryptionProviderType) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[38]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[39]
 }

 func (x BlockEncryptionProviderType) Number() protoreflect.EnumNumber {
@ -3233,7 +3280,7 @@ func (x BlockEncryptionProviderType) Number() protoreflect.EnumNumber {

 // Deprecated: Use BlockEncryptionProviderType.Descriptor instead.
 func (BlockEncryptionProviderType) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{38}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{39}
 }

 // BlockFilesystemType describes filesystem type.
@ -3282,11 +3329,11 @@ func (x BlockFilesystemType) String() string {
 }

 func (BlockFilesystemType) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[39].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[40].Descriptor()
 }

 func (BlockFilesystemType) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[39]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[40]
 }

 func (x BlockFilesystemType) Number() protoreflect.EnumNumber {
@ -3295,7 +3342,7 @@ func (x BlockFilesystemType) Number() protoreflect.EnumNumber {

 // Deprecated: Use BlockFilesystemType.Descriptor instead.
 func (BlockFilesystemType) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{39}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{40}
 }

 // BlockFSParameterType describes Filesystem Parameter type.
@ -3332,11 +3379,11 @@ func (x BlockFSParameterType) String() string {
 }

 func (BlockFSParameterType) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[40].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[41].Descriptor()
 }

 func (BlockFSParameterType) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[40]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[41]
 }

 func (x BlockFSParameterType) Number() protoreflect.EnumNumber {
@ -3345,7 +3392,7 @@ func (x BlockFSParameterType) Number() protoreflect.EnumNumber {

 // Deprecated: Use BlockFSParameterType.Descriptor instead.
 func (BlockFSParameterType) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{40}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{41}
 }

 // BlockVolumePhase describes volume phase.
@ -3397,11 +3444,11 @@ func (x BlockVolumePhase) String() string {
 }

 func (BlockVolumePhase) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[41].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[42].Descriptor()
 }

 func (BlockVolumePhase) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[41]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[42]
 }

 func (x BlockVolumePhase) Number() protoreflect.EnumNumber {
@ -3410,7 +3457,7 @@ func (x BlockVolumePhase) Number() protoreflect.EnumNumber {

 // Deprecated: Use BlockVolumePhase.Descriptor instead.
 func (BlockVolumePhase) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{41}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{42}
 }

 // BlockVolumeType describes volume type.
@ -3459,11 +3506,11 @@ func (x BlockVolumeType) String() string {
 }

 func (BlockVolumeType) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[42].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[43].Descriptor()
 }

 func (BlockVolumeType) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[42]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[43]
 }

 func (x BlockVolumeType) Number() protoreflect.EnumNumber {
@ -3472,7 +3519,7 @@ func (x BlockVolumeType) Number() protoreflect.EnumNumber {

 // Deprecated: Use BlockVolumeType.Descriptor instead.
 func (BlockVolumeType) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{42}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{43}
 }

 // CriImageCacheStatus describes image cache status type.
@ -3512,11 +3559,11 @@ func (x CriImageCacheStatus) String() string {
 }

 func (CriImageCacheStatus) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[43].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[44].Descriptor()
 }

 func (CriImageCacheStatus) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[43]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[44]
 }

 func (x CriImageCacheStatus) Number() protoreflect.EnumNumber {
@ -3525,7 +3572,7 @@ func (x CriImageCacheStatus) Number() protoreflect.EnumNumber {

 // Deprecated: Use CriImageCacheStatus.Descriptor instead.
 func (CriImageCacheStatus) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{43}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{44}
 }

 // CriImageCacheCopyStatus describes image cache copy status type.
@ -3565,11 +3612,11 @@ func (x CriImageCacheCopyStatus) String() string {
 }

 func (CriImageCacheCopyStatus) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[44].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[45].Descriptor()
 }

 func (CriImageCacheCopyStatus) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[44]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[45]
 }

 func (x CriImageCacheCopyStatus) Number() protoreflect.EnumNumber {
@ -3578,7 +3625,7 @@ func (x CriImageCacheCopyStatus) Number() protoreflect.EnumNumber {

 // Deprecated: Use CriImageCacheCopyStatus.Descriptor instead.
 func (CriImageCacheCopyStatus) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{44}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{45}
 }

 // KubespanPeerState is KubeSpan peer current state.
@ -3615,11 +3662,11 @@ func (x KubespanPeerState) String() string {
 }

 func (KubespanPeerState) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[45].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[46].Descriptor()
 }

 func (KubespanPeerState) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[45]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[46]
 }

 func (x KubespanPeerState) Number() protoreflect.EnumNumber {
@ -3628,7 +3675,7 @@ func (x KubespanPeerState) Number() protoreflect.EnumNumber {

 // Deprecated: Use KubespanPeerState.Descriptor instead.
 func (KubespanPeerState) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{45}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{46}
 }

 // NetworkConfigLayer describes network configuration layers, with lowest priority first.
@ -3671,11 +3718,11 @@ func (x NetworkConfigLayer) String() string {
 }

 func (NetworkConfigLayer) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[46].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[47].Descriptor()
 }

 func (NetworkConfigLayer) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[46]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[47]
 }

 func (x NetworkConfigLayer) Number() protoreflect.EnumNumber {
@ -3684,7 +3731,7 @@ func (x NetworkConfigLayer) Number() protoreflect.EnumNumber {

 // Deprecated: Use NetworkConfigLayer.Descriptor instead.
 func (NetworkConfigLayer) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{46}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{47}
 }

 // NetworkOperator enumerates Talos network operators.
@ -3721,11 +3768,11 @@ func (x NetworkOperator) String() string {
 }

 func (NetworkOperator) Descriptor() protoreflect.EnumDescriptor {
-	return file_resource_definitions_enums_enums_proto_enumTypes[47].Descriptor()
+	return file_resource_definitions_enums_enums_proto_enumTypes[48].Descriptor()
 }

 func (NetworkOperator) Type() protoreflect.EnumType {
-	return &file_resource_definitions_enums_enums_proto_enumTypes[47]
+	return &file_resource_definitions_enums_enums_proto_enumTypes[48]
 }

 func (x NetworkOperator) Number() protoreflect.EnumNumber {
@ -3734,7 +3781,7 @@ func (x NetworkOperator) Number() protoreflect.EnumNumber {

 // Deprecated: Use NetworkOperator.Descriptor instead.
 func (NetworkOperator) EnumDescriptor() ([]byte, []int) {
-	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{47}
+	return file_resource_definitions_enums_enums_proto_rawDescGZIP(), []int{48}
 }

 var File_resource_definitions_enums_enums_proto protoreflect.FileDescriptor
@ -3827,7 +3874,10 @@ const file_resource_definitions_enums_enums_proto_rawDesc = "" +
 	"\x13CONNTRACK_STATE_NEW\x10\b\x12\x1b\n" +
 	"\x17CONNTRACK_STATE_RELATED\x10\x04\x12\x1f\n" +
 	"\x1bCONNTRACK_STATE_ESTABLISHED\x10\x02\x12\x1b\n" +
-	"\x17CONNTRACK_STATE_INVALID\x10\x01*4\n" +
+	"\x17CONNTRACK_STATE_INVALID\x10\x01*P\n" +
+	"\x15NethelpersDNSProtocol\x12\x18\n" +
+	"\x14DNS_PROTOCOL_DEFAULT\x10\x00\x12\x1d\n" +
+	"\x19DNS_PROTOCOL_DNS_OVER_TLS\x10\x01*4\n" +
 	"\x10NethelpersDuplex\x12\b\n" +
 	"\x04HALF\x10\x00\x12\b\n" +
 	"\x04FULL\x10\x01\x12\f\n" +
@ -4419,7 +4469,7 @@ func file_resource_definitions_enums_enums_proto_rawDescGZIP() []byte {
 	return file_resource_definitions_enums_enums_proto_rawDescData
 }

-var file_resource_definitions_enums_enums_proto_enumTypes = make([]protoimpl.EnumInfo, 48)
+var file_resource_definitions_enums_enums_proto_enumTypes = make([]protoimpl.EnumInfo, 49)
 var file_resource_definitions_enums_enums_proto_goTypes = []any{
 	(RuntimeMachineStage)(0),             // 0: talos.resource.definitions.enums.RuntimeMachineStage
 	(RuntimeSELinuxState)(0),             // 1: talos.resource.definitions.enums.RuntimeSELinuxState
@ -4436,39 +4486,40 @@ var file_resource_definitions_enums_enums_proto_goTypes = []any{
 	(NethelpersBondXmitHashPolicy)(0),    // 12: talos.resource.definitions.enums.NethelpersBondXmitHashPolicy
 	(NethelpersClientIdentifier)(0),      // 13: talos.resource.definitions.enums.NethelpersClientIdentifier
 	(NethelpersConntrackState)(0),        // 14: talos.resource.definitions.enums.NethelpersConntrackState
-	(NethelpersDuplex)(0),                // 15: talos.resource.definitions.enums.NethelpersDuplex
-	(NethelpersFailOverMAC)(0),           // 16: talos.resource.definitions.enums.NethelpersFailOverMAC
-	(NethelpersFamily)(0),                // 17: talos.resource.definitions.enums.NethelpersFamily
-	(NethelpersICMPType)(0),              // 18: talos.resource.definitions.enums.NethelpersICMPType
-	(NethelpersLACPRate)(0),              // 19: talos.resource.definitions.enums.NethelpersLACPRate
-	(NethelpersLinkType)(0),              // 20: talos.resource.definitions.enums.NethelpersLinkType
-	(NethelpersMatchOperator)(0),         // 21: talos.resource.definitions.enums.NethelpersMatchOperator
-	(NethelpersNfTablesChainHook)(0),     // 22: talos.resource.definitions.enums.NethelpersNfTablesChainHook
-	(NethelpersNfTablesChainPriority)(0), // 23: talos.resource.definitions.enums.NethelpersNfTablesChainPriority
-	(NethelpersNfTablesVerdict)(0),       // 24: talos.resource.definitions.enums.NethelpersNfTablesVerdict
-	(NethelpersOperationalState)(0),      // 25: talos.resource.definitions.enums.NethelpersOperationalState
-	(NethelpersPort)(0),                  // 26: talos.resource.definitions.enums.NethelpersPort
-	(NethelpersPrimaryReselect)(0),       // 27: talos.resource.definitions.enums.NethelpersPrimaryReselect
-	(NethelpersProtocol)(0),              // 28: talos.resource.definitions.enums.NethelpersProtocol
-	(NethelpersRouteFlag)(0),             // 29: talos.resource.definitions.enums.NethelpersRouteFlag
-	(NethelpersRouteProtocol)(0),         // 30: talos.resource.definitions.enums.NethelpersRouteProtocol
-	(NethelpersRouteType)(0),             // 31: talos.resource.definitions.enums.NethelpersRouteType
-	(NethelpersRoutingRuleAction)(0),     // 32: talos.resource.definitions.enums.NethelpersRoutingRuleAction
-	(NethelpersRoutingTable)(0),          // 33: talos.resource.definitions.enums.NethelpersRoutingTable
-	(NethelpersScope)(0),                 // 34: talos.resource.definitions.enums.NethelpersScope
-	(NethelpersVLANProtocol)(0),          // 35: talos.resource.definitions.enums.NethelpersVLANProtocol
-	(NethelpersWOLMode)(0),               // 36: talos.resource.definitions.enums.NethelpersWOLMode
-	(BlockEncryptionKeyType)(0),          // 37: talos.resource.definitions.enums.BlockEncryptionKeyType
-	(BlockEncryptionProviderType)(0),     // 38: talos.resource.definitions.enums.BlockEncryptionProviderType
-	(BlockFilesystemType)(0),             // 39: talos.resource.definitions.enums.BlockFilesystemType
-	(BlockFSParameterType)(0),            // 40: talos.resource.definitions.enums.BlockFSParameterType
-	(BlockVolumePhase)(0),                // 41: talos.resource.definitions.enums.BlockVolumePhase
-	(BlockVolumeType)(0),                 // 42: talos.resource.definitions.enums.BlockVolumeType
-	(CriImageCacheStatus)(0),             // 43: talos.resource.definitions.enums.CriImageCacheStatus
-	(CriImageCacheCopyStatus)(0),         // 44: talos.resource.definitions.enums.CriImageCacheCopyStatus
-	(KubespanPeerState)(0),               // 45: talos.resource.definitions.enums.KubespanPeerState
-	(NetworkConfigLayer)(0),              // 46: talos.resource.definitions.enums.NetworkConfigLayer
-	(NetworkOperator)(0),                 // 47: talos.resource.definitions.enums.NetworkOperator
+	(NethelpersDNSProtocol)(0),           // 15: talos.resource.definitions.enums.NethelpersDNSProtocol
+	(NethelpersDuplex)(0),                // 16: talos.resource.definitions.enums.NethelpersDuplex
+	(NethelpersFailOverMAC)(0),           // 17: talos.resource.definitions.enums.NethelpersFailOverMAC
+	(NethelpersFamily)(0),                // 18: talos.resource.definitions.enums.NethelpersFamily
+	(NethelpersICMPType)(0),              // 19: talos.resource.definitions.enums.NethelpersICMPType
+	(NethelpersLACPRate)(0),              // 20: talos.resource.definitions.enums.NethelpersLACPRate
+	(NethelpersLinkType)(0),              // 21: talos.resource.definitions.enums.NethelpersLinkType
+	(NethelpersMatchOperator)(0),         // 22: talos.resource.definitions.enums.NethelpersMatchOperator
+	(NethelpersNfTablesChainHook)(0),     // 23: talos.resource.definitions.enums.NethelpersNfTablesChainHook
+	(NethelpersNfTablesChainPriority)(0), // 24: talos.resource.definitions.enums.NethelpersNfTablesChainPriority
+	(NethelpersNfTablesVerdict)(0),       // 25: talos.resource.definitions.enums.NethelpersNfTablesVerdict
+	(NethelpersOperationalState)(0),      // 26: talos.resource.definitions.enums.NethelpersOperationalState
+	(NethelpersPort)(0),                  // 27: talos.resource.definitions.enums.NethelpersPort
+	(NethelpersPrimaryReselect)(0),       // 28: talos.resource.definitions.enums.NethelpersPrimaryReselect
+	(NethelpersProtocol)(0),              // 29: talos.resource.definitions.enums.NethelpersProtocol
+	(NethelpersRouteFlag)(0),             // 30: talos.resource.definitions.enums.NethelpersRouteFlag
+	(NethelpersRouteProtocol)(0),         // 31: talos.resource.definitions.enums.NethelpersRouteProtocol
+	(NethelpersRouteType)(0),             // 32: talos.resource.definitions.enums.NethelpersRouteType
+	(NethelpersRoutingRuleAction)(0),     // 33: talos.resource.definitions.enums.NethelpersRoutingRuleAction
+	(NethelpersRoutingTable)(0),          // 34: talos.resource.definitions.enums.NethelpersRoutingTable
+	(NethelpersScope)(0),                 // 35: talos.resource.definitions.enums.NethelpersScope
+	(NethelpersVLANProtocol)(0),          // 36: talos.resource.definitions.enums.NethelpersVLANProtocol
+	(NethelpersWOLMode)(0),               // 37: talos.resource.definitions.enums.NethelpersWOLMode
+	(BlockEncryptionKeyType)(0),          // 38: talos.resource.definitions.enums.BlockEncryptionKeyType
+	(BlockEncryptionProviderType)(0),     // 39: talos.resource.definitions.enums.BlockEncryptionProviderType
+	(BlockFilesystemType)(0),             // 40: talos.resource.definitions.enums.BlockFilesystemType
+	(BlockFSParameterType)(0),            // 41: talos.resource.definitions.enums.BlockFSParameterType
+	(BlockVolumePhase)(0),                // 42: talos.resource.definitions.enums.BlockVolumePhase
+	(BlockVolumeType)(0),                 // 43: talos.resource.definitions.enums.BlockVolumeType
+	(CriImageCacheStatus)(0),             // 44: talos.resource.definitions.enums.CriImageCacheStatus
+	(CriImageCacheCopyStatus)(0),         // 45: talos.resource.definitions.enums.CriImageCacheCopyStatus
+	(KubespanPeerState)(0),               // 46: talos.resource.definitions.enums.KubespanPeerState
+	(NetworkConfigLayer)(0),              // 47: talos.resource.definitions.enums.NetworkConfigLayer
+	(NetworkOperator)(0),                 // 48: talos.resource.definitions.enums.NetworkOperator
 }
 var file_resource_definitions_enums_enums_proto_depIdxs = []int32{
 	0, // [0:0] is the sub-list for method output_type
@ -4488,7 +4539,7 @@ func file_resource_definitions_enums_enums_proto_init() {
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_resource_definitions_enums_enums_proto_rawDesc), len(file_resource_definitions_enums_enums_proto_rawDesc)),
-			NumEnums:      48,
+			NumEnums:      49,
 			NumMessages:   0,
 			NumExtensions: 0,
 			NumServices:   0,
--- a/pkg/machinery/api/resource/definitions/network/network.pb.go
+++ b/pkg/machinery/api/resource/definitions/network/network.pb.go
--- a/pkg/machinery/api/resource/definitions/network/network_vtproto.pb.go
+++ b/pkg/machinery/api/resource/definitions/network/network_vtproto.pb.go
@ -2443,6 +2443,73 @@ func (m *LinkStatusSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 	return len(dAtA) - i, nil
 }

+func (m *NameServerSpec) MarshalVT() (dAtA []byte, err error) {
+	if m == nil {
+		return nil, nil
+	}
+	size := m.SizeVT()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalToSizedBufferVT(dAtA[:size])
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NameServerSpec) MarshalToVT(dAtA []byte) (int, error) {
+	size := m.SizeVT()
+	return m.MarshalToSizedBufferVT(dAtA[:size])
+}
+
+func (m *NameServerSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
+	if m == nil {
+		return 0, nil
+	}
+	i := len(dAtA)
+	_ = i
+	var l int
+	_ = l
+	if m.unknownFields != nil {
+		i -= len(m.unknownFields)
+		copy(dAtA[i:], m.unknownFields)
+	}
+	if len(m.TlsServerName) > 0 {
+		i -= len(m.TlsServerName)
+		copy(dAtA[i:], m.TlsServerName)
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(len(m.TlsServerName)))
+		i--
+		dAtA[i] = 0x1a
+	}
+	if m.Protocol != 0 {
+		i = protohelpers.EncodeVarint(dAtA, i, uint64(m.Protocol))
+		i--
+		dAtA[i] = 0x10
+	}
+	if m.Addr != nil {
+		if vtmsg, ok := interface{}(m.Addr).(interface {
+			MarshalToSizedBufferVT([]byte) (int, error)
+		}); ok {
+			size, err := vtmsg.MarshalToSizedBufferVT(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = protohelpers.EncodeVarint(dAtA, i, uint64(size))
+		} else {
+			encoded, err := proto.Marshal(m.Addr)
+			if err != nil {
+				return 0, err
+			}
+			i -= len(encoded)
+			copy(dAtA[i:], encoded)
+			i = protohelpers.EncodeVarint(dAtA, i, uint64(len(encoded)))
+		}
+		i--
+		dAtA[i] = 0xa
+	}
+	return len(dAtA) - i, nil
+}
+
 func (m *NfTablesAddressMatch) MarshalVT() (dAtA []byte, err error) {
 	if m == nil {
 		return nil, nil
@ -3783,6 +3850,18 @@ func (m *ResolverSpecSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 		i -= len(m.unknownFields)
 		copy(dAtA[i:], m.unknownFields)
 	}
+	if len(m.NameServers) > 0 {
+		for iNdEx := len(m.NameServers) - 1; iNdEx >= 0; iNdEx-- {
+			size, err := m.NameServers[iNdEx].MarshalToSizedBufferVT(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = protohelpers.EncodeVarint(dAtA, i, uint64(size))
+			i--
+			dAtA[i] = 0x22
+		}
+	}
 	if len(m.SearchDomains) > 0 {
 		for iNdEx := len(m.SearchDomains) - 1; iNdEx >= 0; iNdEx-- {
 			i -= len(m.SearchDomains[iNdEx])
@ -3854,6 +3933,18 @@ func (m *ResolverStatusSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) {
 		i -= len(m.unknownFields)
 		copy(dAtA[i:], m.unknownFields)
 	}
+	if len(m.NameServers) > 0 {
+		for iNdEx := len(m.NameServers) - 1; iNdEx >= 0; iNdEx-- {
+			size, err := m.NameServers[iNdEx].MarshalToSizedBufferVT(dAtA[:i])
+			if err != nil {
+				return 0, err
+			}
+			i -= size
+			i = protohelpers.EncodeVarint(dAtA, i, uint64(size))
+			i--
+			dAtA[i] = 0x22
+		}
+	}
 	if len(m.SearchDomains) > 0 {
 		for iNdEx := len(m.SearchDomains) - 1; iNdEx >= 0; iNdEx-- {
 			i -= len(m.SearchDomains[iNdEx])
@ -6169,6 +6260,33 @@ func (m *LinkStatusSpec) SizeVT() (n int) {
 	return n
 }

+func (m *NameServerSpec) SizeVT() (n int) {
+	if m == nil {
+		return 0
+	}
+	var l int
+	_ = l
+	if m.Addr != nil {
+		if size, ok := interface{}(m.Addr).(interface {
+			SizeVT() int
+		}); ok {
+			l = size.SizeVT()
+		} else {
+			l = proto.Size(m.Addr)
+		}
+		n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
+	}
+	if m.Protocol != 0 {
+		n += 1 + protohelpers.SizeOfVarint(uint64(m.Protocol))
+	}
+	l = len(m.TlsServerName)
+	if l > 0 {
+		n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
+	}
+	n += len(m.unknownFields)
+	return n
+}
+
 func (m *NfTablesAddressMatch) SizeVT() (n int) {
 	if m == nil {
 		return 0
@ -6705,6 +6823,12 @@ func (m *ResolverSpecSpec) SizeVT() (n int) {
 			n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
 		}
 	}
+	if len(m.NameServers) > 0 {
+		for _, e := range m.NameServers {
+			l = e.SizeVT()
+			n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
+		}
+	}
 	n += len(m.unknownFields)
 	return n
 }
@ -6733,6 +6857,12 @@ func (m *ResolverStatusSpec) SizeVT() (n int) {
 			n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
 		}
 	}
+	if len(m.NameServers) > 0 {
+		for _, e := range m.NameServers {
+			l = e.SizeVT()
+			n += 1 + l + protohelpers.SizeOfVarint(uint64(l))
+		}
+	}
 	n += len(m.unknownFields)
 	return n
 }
@ -13508,6 +13638,152 @@ func (m *LinkStatusSpec) UnmarshalVT(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *NameServerSpec) UnmarshalVT(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return protohelpers.ErrIntOverflow
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= uint64(b&0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NameServerSpec: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NameServerSpec: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Addr", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			if m.Addr == nil {
+				m.Addr = &common.NetIP{}
+			}
+			if unmarshal, ok := interface{}(m.Addr).(interface {
+				UnmarshalVT([]byte) error
+			}); ok {
+				if err := unmarshal.UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+					return err
+				}
+			} else {
+				if err := proto.Unmarshal(dAtA[iNdEx:postIndex], m.Addr); err != nil {
+					return err
+				}
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Protocol", wireType)
+			}
+			m.Protocol = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.Protocol |= enums.NethelpersDNSProtocol(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field TlsServerName", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.TlsServerName = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := protohelpers.Skip(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if (skippy < 0) || (iNdEx+skippy) < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.unknownFields = append(m.unknownFields, dAtA[iNdEx:iNdEx+skippy]...)
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *NfTablesAddressMatch) UnmarshalVT(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
@ -16626,6 +16902,40 @@ func (m *ResolverSpecSpec) UnmarshalVT(dAtA []byte) error {
 			}
 			m.SearchDomains = append(m.SearchDomains, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NameServers", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NameServers = append(m.NameServers, &NameServerSpec{})
+			if err := m.NameServers[len(m.NameServers)-1].UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := protohelpers.Skip(dAtA[iNdEx:])
@ -16751,6 +17061,40 @@ func (m *ResolverStatusSpec) UnmarshalVT(dAtA []byte) error {
 			}
 			m.SearchDomains = append(m.SearchDomains, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field NameServers", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return protohelpers.ErrIntOverflow
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return protohelpers.ErrInvalidLength
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.NameServers = append(m.NameServers, &NameServerSpec{})
+			if err := m.NameServers[len(m.NameServers)-1].UnmarshalVT(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := protohelpers.Skip(dAtA[iNdEx:])
--- a/pkg/machinery/config/config/network.go
+++ b/pkg/machinery/config/config/network.go
@ -113,9 +113,16 @@ type NetworkHostnameConfig interface {
 	AutoHostname() nethelpers.AutoHostnameKind
 }

+// NetworkResolver is a single instance of a DNS resolver configuration.
+type NetworkResolver struct {
+	Addr          netip.Addr
+	Protocol      nethelpers.DNSProtocol
+	TLSServerName string
+}
+
 // NetworkResolverConfig defines a resolver configuration.
 type NetworkResolverConfig interface {
-	Resolvers() []netip.Addr
+	Resolvers() []NetworkResolver
 	SearchDomains() []string
 	DisableSearchDomain() bool
 }
--- a/pkg/machinery/config/container/validate.go
+++ b/pkg/machinery/config/container/validate.go
@ -14,6 +14,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/config"
 	"github.com/siderolabs/talos/pkg/machinery/config/machine"
 	"github.com/siderolabs/talos/pkg/machinery/config/validation"
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 )

 // Validate checks configuration and returns warnings and fatal errors (as multierror).
@ -133,6 +134,24 @@ func (container *Container) validateContainer(mode validation.RuntimeMode) error
 		}
 	}

+	// DNS protocols besides plain UDP/TCP can't be used without HostDNS
+	if dnsConfig := container.NetworkResolverConfig(); dnsConfig != nil {
+		hasNonDefaultDNS := false
+
+		for _, ns := range dnsConfig.Resolvers() {
+			if ns.Protocol != nethelpers.DNSProtocolDefault {
+				hasNonDefaultDNS = true
+			}
+		}
+
+		if hasNonDefaultDNS {
+			hostDNSConfig := container.NetworkHostDNSConfig()
+			if hostDNSConfig == nil || !hostDNSConfig.HostDNSEnabled() {
+				errs = multierror.Append(errs, fmt.Errorf("hostDNS must be enabled when using non-default DNS protocols"))
+			}
+		}
+	}
+
 	// control plane specific checks
 	if container.Machine() != nil && container.Machine().Type().IsControlPlane() {
 		hasLegacyEtcdEncryptionConfig := container.Cluster() != nil && (container.Cluster().SecretboxEncryptionSecret() != "" || container.Cluster().AESCBCEncryptionSecret() != "")
--- a/pkg/machinery/config/container/validate_test.go
+++ b/pkg/machinery/config/container/validate_test.go
@ -20,6 +20,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/config/types/siderolink"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
 	"github.com/siderolabs/talos/pkg/machinery/constants"
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	blockres "github.com/siderolabs/talos/pkg/machinery/resources/block"
 )

@ -257,6 +258,17 @@ func TestValidateContainer(t *testing.T) {
 		HostDNSForwardKubeDNSToHost: new(true),
 	}

+	resolverConfigDoT := network.NewResolverConfigV1Alpha1()
+	resolverConfigDoT.ResolverNameservers = []network.NameserverConfig{
+		{
+			Address: network.Addr{
+				Addr: netip.MustParseAddr("1.1.1.1"),
+			},
+			Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+			TLSServerName: "cloudflare-dns.com",
+		},
+	}
+
 	for _, tt := range []struct {
 		name        string
 		documents   []config.Document
@ -307,6 +319,15 @@ func TestValidateContainer(t *testing.T) {
 			documents:   []config.Document{hostDNSResolverConfig, v1alpha1Cfg},
 			inContainer: true,
 		},
+		{
+			name:          "DoT without hostDNS",
+			documents:     []config.Document{resolverConfigDoT},
+			expectedError: "1 error occurred:\n\t* hostDNS must be enabled when using non-default DNS protocols\n\n",
+		},
+		{
+			name:      "DoT with hostDNS",
+			documents: []config.Document{resolverConfigDoT, v1alpha1CfgHostDNS},
+		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
@ -314,15 +335,13 @@ func TestValidateContainer(t *testing.T) {
 			ctr, err := container.New(tt.documents...)
 			require.NoError(t, err)

-			warnings, err := ctr.Validate(validationMode{inContainer: tt.inContainer})
+			_, err = ctr.Validate(validationMode{inContainer: tt.inContainer})

 			if tt.expectedError == "" {
 				require.NoError(t, err)
 			} else {
 				require.EqualError(t, err, tt.expectedError)
 			}
-
-			require.Nil(t, warnings)
 		})
 	}
 }
--- a/pkg/machinery/config/machine/type_string.go
+++ b/pkg/machinery/config/machine/type_string.go
@ -19,8 +19,9 @@ const _Type_name = "unknowninitcontrolplaneworker"
 var _Type_index = [...]uint8{0, 7, 11, 23, 29}

 func (i Type) String() string {
-	if i < 0 || i >= Type(len(_Type_index)-1) {
+	idx := int(i) - 0
+	if i < 0 || idx >= len(_Type_index)-1 {
 		return "Type(" + strconv.FormatInt(int64(i), 10) + ")"
 	}
-	return _Type_name[_Type_index[i]:_Type_index[i+1]]
+	return _Type_name[_Type_index[idx]:_Type_index[idx+1]]
 }
--- a/pkg/machinery/config/schemas/config.schema.json
+++ b/pkg/machinery/config/schemas/config.schema.json
@ -2779,6 +2779,23 @@
          "description": "The IP address of the nameserver.\n",
          "markdownDescription": "The IP address of the nameserver.",
          "x-intellij-html-description": "\u003cp\u003eThe IP address of the nameserver.\u003c/p\u003e\n"
+        },
+        "protocol": {
+          "enum": [
+            "Do53",
+            "DoT"
+          ],
+          "title": "protocol",
+          "description": "A DNS protocol to use.\n\nThe default protocol is plain DNS (Do53) (DNS over TCP/UDP), but this can be set\nto DoT to use DNS over TLS (RFC 7858) for encrypted DNS queries to this nameserver.\n\nNote: DNS over TLS requires a correct system clock to validate certificates.\nIf NTP is configured with hostnames that need to be resolved through DoT, the\nboot may stall: NTP needs DNS, and DoT needs valid time. Either rely on the\nhardware clock, configure NTP servers by IP, or keep at least one plain-DNS\nfallback nameserver.\n",
+          "markdownDescription": "A DNS protocol to use.\n\nThe default protocol is plain DNS (`Do53`) (DNS over TCP/UDP), but this can be set\nto `DoT` to use DNS over TLS (RFC 7858) for encrypted DNS queries to this nameserver.\n\nNote: DNS over TLS requires a correct system clock to validate certificates.\nIf NTP is configured with hostnames that need to be resolved through DoT, the\nboot may stall: NTP needs DNS, and DoT needs valid time. Either rely on the\nhardware clock, configure NTP servers by IP, or keep at least one plain-DNS\nfallback nameserver.",
+          "x-intellij-html-description": "\u003cp\u003eA DNS protocol to use.\u003c/p\u003e\n\n\u003cp\u003eThe default protocol is plain DNS (\u003ccode\u003eDo53\u003c/code\u003e) (DNS over TCP/UDP), but this can be set\nto \u003ccode\u003eDoT\u003c/code\u003e to use DNS over TLS (RFC 7858) for encrypted DNS queries to this nameserver.\u003c/p\u003e\n\n\u003cp\u003eNote: DNS over TLS requires a correct system clock to validate certificates.\nIf NTP is configured with hostnames that need to be resolved through DoT, the\nboot may stall: NTP needs DNS, and DoT needs valid time. Either rely on the\nhardware clock, configure NTP servers by IP, or keep at least one plain-DNS\nfallback nameserver.\u003c/p\u003e\n"
+        },
+        "tlsServerName": {
+          "type": "string",
+          "title": "tlsServerName",
+          "description": "TLS server name to validate the nameserver certificate against.\n\nThis field should be set, if the protocol is set to DoT.\nThe value is used both as the SNI sent during the TLS handshake and as the name\nverified against the server certificate.\n",
+          "markdownDescription": "TLS server name to validate the nameserver certificate against.\n\nThis field should be set, if the protocol is set to `DoT`.\nThe value is used both as the SNI sent during the TLS handshake and as the name\nverified against the server certificate.",
+          "x-intellij-html-description": "\u003cp\u003eTLS server name to validate the nameserver certificate against.\u003c/p\u003e\n\n\u003cp\u003eThis field should be set, if the protocol is set to \u003ccode\u003eDoT\u003c/code\u003e.\nThe value is used both as the SNI sent during the TLS handshake and as the name\nverified against the server certificate.\u003c/p\u003e\n"
        }
      },
      "additionalProperties": false,
--- a/pkg/machinery/config/types/network/network_doc.go
+++ b/pkg/machinery/config/types/network/network_doc.go
@ -1513,6 +1513,8 @@ func (ResolverConfigV1Alpha1) Doc() *encoder.Doc {

 	doc.AddExample("", exampleResolverConfigV1Alpha3())

+	doc.AddExample("", exampleResolverConfigV1Alpha4())
+
 	return doc
 }

@ -1535,10 +1537,29 @@ func (NameserverConfig) Doc() *encoder.Doc {
 				Description: "The IP address of the nameserver.",
 				Comments:    [3]string{"" /* encoder.HeadComment */, "The IP address of the nameserver." /* encoder.LineComment */, "" /* encoder.FootComment */},
 			},
+			{
+				Name:        "protocol",
+				Type:        "DNSProtocol",
+				Note:        "",
+				Description: "A DNS protocol to use.\n\nThe default protocol is plain DNS (`Do53`) (DNS over TCP/UDP), but this can be set\nto `DoT` to use DNS over TLS (RFC 7858) for encrypted DNS queries to this nameserver.\n\nNote: DNS over TLS requires a correct system clock to validate certificates.\nIf NTP is configured with hostnames that need to be resolved through DoT, the\nboot may stall: NTP needs DNS, and DoT needs valid time. Either rely on the\nhardware clock, configure NTP servers by IP, or keep at least one plain-DNS\nfallback nameserver.",
+				Comments:    [3]string{"" /* encoder.HeadComment */, "A DNS protocol to use." /* encoder.LineComment */, "" /* encoder.FootComment */},
+				Values: []string{
+					"Do53",
+					"DoT",
+				},
+			},
+			{
+				Name:        "tlsServerName",
+				Type:        "string",
+				Note:        "",
+				Description: "TLS server name to validate the nameserver certificate against.\n\nThis field should be set, if the protocol is set to `DoT`.\nThe value is used both as the SNI sent during the TLS handshake and as the name\nverified against the server certificate.",
+				Comments:    [3]string{"" /* encoder.HeadComment */, "TLS server name to validate the nameserver certificate against." /* encoder.LineComment */, "" /* encoder.FootComment */},
+			},
 		},
 	}

 	doc.Fields[0].AddExample("", Addr{netip.MustParseAddr("10.0.0.1")})
+	doc.Fields[2].AddExample("", "dns1.example.com")

 	return doc
 }
--- a/pkg/machinery/config/types/network/resolver.go
+++ b/pkg/machinery/config/types/network/resolver.go
@ -8,6 +8,7 @@ package network

 import (
 	"errors"
+	"fmt"
 	"net/netip"
 	"slices"

@ -21,6 +22,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/config/types/meta"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
 	"github.com/siderolabs/talos/pkg/machinery/config/validation"
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 )

 // ResolverKind is a ResolverConfig document kind.
@ -51,6 +53,7 @@ var (
 //	  - value: exampleResolverConfigV1Alpha1()
 //	  - value: exampleResolverConfigV1Alpha2()
 //	  - value: exampleResolverConfigV1Alpha3()
+//	  - value: exampleResolverConfigV1Alpha4()
 //	alias: ResolverConfig
 //	schemaRoot: true
 //	schemaMeta: v1alpha1/ResolverConfig
@ -89,6 +92,32 @@ type NameserverConfig struct {
 	//     type: string
 	//     pattern: ^[0-9a-f.:]+$
 	Address Addr `yaml:"address"`
+	//   description: |
+	//     A DNS protocol to use.
+	//
+	//     The default protocol is plain DNS (`Do53`) (DNS over TCP/UDP), but this can be set
+	//     to `DoT` to use DNS over TLS (RFC 7858) for encrypted DNS queries to this nameserver.
+	//
+	//     Note: DNS over TLS requires a correct system clock to validate certificates.
+	//     If NTP is configured with hostnames that need to be resolved through DoT, the
+	//     boot may stall: NTP needs DNS, and DoT needs valid time. Either rely on the
+	//     hardware clock, configure NTP servers by IP, or keep at least one plain-DNS
+	//     fallback nameserver.
+	//   values:
+	//     - "Do53"
+	//     - "DoT"
+	Protocol nethelpers.DNSProtocol `yaml:"protocol,omitempty"`
+	//   description: |
+	//     TLS server name to validate the nameserver certificate against.
+	//
+	//     This field should be set, if the protocol is set to `DoT`.
+	//     The value is used both as the SNI sent during the TLS handshake and as the name
+	//     verified against the server certificate.
+	//
+	//   examples:
+	//     - value: >
+	//        "dns1.example.com"
+	TLSServerName string `yaml:"tlsServerName,omitempty"`
 }

 // SearchDomainsConfig represents search domains configuration.
@ -180,6 +209,24 @@ func exampleResolverConfigV1Alpha3() *ResolverConfigV1Alpha1 {
 	return cfg
 }

+func exampleResolverConfigV1Alpha4() *ResolverConfigV1Alpha1 {
+	cfg := NewResolverConfigV1Alpha1()
+	cfg.ResolverNameservers = []NameserverConfig{
+		{
+			Address:       Addr{netip.MustParseAddr("9.9.9.9")},
+			Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+			TLSServerName: "dns.quad9.net",
+		},
+		{
+			Address:       Addr{netip.MustParseAddr("2620:fe::fe")},
+			Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+			TLSServerName: "dns.quad9.net",
+		},
+	}
+
+	return cfg
+}
+
 // Clone implements config.Document interface.
 func (s *ResolverConfigV1Alpha1) Clone() config.Document {
 	return s.DeepCopy()
@ -209,8 +256,13 @@ func (s *ResolverConfigV1Alpha1) V1Alpha1ConflictValidate(v1alpha1Cfg *v1alpha1.
 }

 // Validate implements config.Validator interface.
+//
+//nolint:gocyclo
 func (s *ResolverConfigV1Alpha1) Validate(validation.RuntimeMode, ...validation.Option) ([]string, error) {
-	var errs error
+	var (
+		warnings []string
+		errs     error
+	)

 	if !value.IsZero(s.ResolverHostDNS) {
 		if !s.HostDNSEnabled() {
@ -224,13 +276,50 @@ func (s *ResolverConfigV1Alpha1) Validate(validation.RuntimeMode, ...validation.
 		}
 	}

-	return nil, errs
+	nonRegularDNS := 0
+
+	for idx, ns := range s.ResolverNameservers {
+		switch ns.Protocol {
+		case nethelpers.DNSProtocolDNSOverTLS:
+			nonRegularDNS++
+
+			if ns.TLSServerName == "" {
+				errs = errors.Join(errs, fmt.Errorf("tlsServerName must be set when protocol is DoT: entry %d", idx))
+			}
+
+		case nethelpers.DNSProtocolDefault:
+			if ns.TLSServerName != "" {
+				errs = errors.Join(errs, fmt.Errorf("tlsServerName must be empty when protocol is Do53: entry %d", idx))
+			}
+		default:
+			errs = errors.Join(errs, fmt.Errorf("unsupported DNS protocol: entry %d", idx))
+		}
+
+		if !ns.Address.IsValid() {
+			errs = errors.Join(errs, fmt.Errorf("nameserver address must be a valid IP: entry %d", idx))
+		}
+	}
+
+	if nonRegularDNS > 0 && nonRegularDNS == len(s.ResolverNameservers) {
+		warnings = append(
+			warnings,
+			"all configured nameservers use DNS over TLS: validating certificates requires a correct system clock, "+
+				"so boot may stall when NTP servers are configured by hostname; consider keeping at least one plain-DNS fallback "+
+				"or configuring NTP servers by IP address",
+		)
+	}
+
+	return warnings, errs
 }

 // Resolvers implements NetworkResolverConfig interface.
-func (s *ResolverConfigV1Alpha1) Resolvers() []netip.Addr {
-	return xslices.Map(s.ResolverNameservers, func(ns NameserverConfig) netip.Addr {
-		return ns.Address.Addr
+func (s *ResolverConfigV1Alpha1) Resolvers() []config.NetworkResolver {
+	return xslices.Map(s.ResolverNameservers, func(ns NameserverConfig) config.NetworkResolver {
+		return config.NetworkResolver{
+			Addr:          ns.Address.Addr,
+			Protocol:      ns.Protocol,
+			TLSServerName: ns.TLSServerName,
+		}
 	})
 }

--- a/pkg/machinery/config/types/network/resolver_test.go
+++ b/pkg/machinery/config/types/network/resolver_test.go
@ -17,6 +17,7 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/config/types/meta"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/network"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 )

 //go:embed testdata/resolverconfig.yaml
@ -34,7 +35,9 @@ func TestResolverConfigMarshalStability(t *testing.T) {
 			Address: network.Addr{Addr: netip.MustParseAddr("10.0.0.1")},
 		},
 		{
-			Address: network.Addr{Addr: netip.MustParseAddr("2001:4860:4860::8888")},
+			Address:       network.Addr{Addr: netip.MustParseAddr("2001:4860:4860::8888")},
+			Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+			TLSServerName: "dns.google",
 		},
 	}
 	cfg.ResolverSearchDomains = network.SearchDomainsConfig{
@ -92,7 +95,9 @@ func TestResolverConfigUnmarshal(t *testing.T) {
 				Address: network.Addr{Addr: netip.MustParseAddr("10.0.0.1")},
 			},
 			{
-				Address: network.Addr{Addr: netip.MustParseAddr("2001:4860:4860::8888")},
+				Address:       network.Addr{Addr: netip.MustParseAddr("2001:4860:4860::8888")},
+				Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+				TLSServerName: "dns.google",
 			},
 		},
 		ResolverSearchDomains: network.SearchDomainsConfig{
@ -224,11 +229,16 @@ func TestResolverV1Alpha1ConflictValidate(t *testing.T) {
 func TestResolverV1Alpha1Validate(t *testing.T) {
 	t.Parallel()

+	const dotOnlyWarning = "all configured nameservers use DNS over TLS: validating certificates requires a correct system clock, " +
+		"so boot may stall when NTP servers are configured by hostname; consider keeping at least one plain-DNS fallback " +
+		"or configuring NTP servers by IP address"
+
 	for _, test := range []struct {
 		name string
 		cfg  func() *network.ResolverConfigV1Alpha1

-		expectedError string
+		expectedError    string
+		expectedWarnings []string
 	}{
 		{
 			name: "empty",
@ -275,12 +285,97 @@ func TestResolverV1Alpha1Validate(t *testing.T) {
 				return cfg
 			},
 		},
+		{
+			name: "DoT mixed with plain DNS, no warning",
+			cfg: func() *network.ResolverConfigV1Alpha1 {
+				cfg := network.NewResolverConfigV1Alpha1()
+				cfg.ResolverNameservers = []network.NameserverConfig{
+					{
+						Address:       network.Addr{Addr: netip.MustParseAddr("9.9.9.9")},
+						Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+						TLSServerName: "dns.quad9.net",
+					},
+					{
+						Address: network.Addr{Addr: netip.MustParseAddr("8.8.8.8")},
+					},
+				}
+
+				return cfg
+			},
+		},
+		{
+			name: "DoT only, warns about clock dependency",
+			cfg: func() *network.ResolverConfigV1Alpha1 {
+				cfg := network.NewResolverConfigV1Alpha1()
+				cfg.ResolverNameservers = []network.NameserverConfig{
+					{
+						Address:       network.Addr{Addr: netip.MustParseAddr("9.9.9.9")},
+						Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+						TLSServerName: "dns.quad9.net",
+					},
+					{
+						Address:       network.Addr{Addr: netip.MustParseAddr("1.1.1.1")},
+						Protocol:      nethelpers.DNSProtocolDNSOverTLS,
+						TLSServerName: "cloudflare-dns.com",
+					},
+				}
+
+				return cfg
+			},
+			expectedWarnings: []string{dotOnlyWarning},
+		},
+		{
+			name: "tlsServerName without an address",
+			cfg: func() *network.ResolverConfigV1Alpha1 {
+				cfg := network.NewResolverConfigV1Alpha1()
+				cfg.ResolverNameservers = []network.NameserverConfig{
+					{
+						TLSServerName: "dns.quad9.net",
+					},
+				}
+
+				return cfg
+			},
+			expectedError: "tlsServerName must be empty when protocol is Do53: entry 0\nnameserver address must be a valid IP: entry 0",
+		},
+		{
+			name: "DoT without tlsServerName",
+			cfg: func() *network.ResolverConfigV1Alpha1 {
+				cfg := network.NewResolverConfigV1Alpha1()
+				cfg.ResolverNameservers = []network.NameserverConfig{
+					{
+						Address:  network.Addr{Addr: netip.MustParseAddr("9.9.9.9")},
+						Protocol: nethelpers.DNSProtocolDNSOverTLS,
+					},
+				}
+
+				return cfg
+			},
+			expectedError:    "tlsServerName must be set when protocol is DoT: entry 0",
+			expectedWarnings: []string{dotOnlyWarning},
+		},
+		{
+			name: "Do53 with tlsServerName set",
+			cfg: func() *network.ResolverConfigV1Alpha1 {
+				cfg := network.NewResolverConfigV1Alpha1()
+				cfg.ResolverNameservers = []network.NameserverConfig{
+					{
+						Address:       network.Addr{Addr: netip.MustParseAddr("8.8.8.8")},
+						Protocol:      nethelpers.DNSProtocolDefault,
+						TLSServerName: "dns.google",
+					},
+				}
+
+				return cfg
+			},
+			expectedError: "tlsServerName must be empty when protocol is Do53: entry 0",
+		},
 	} {
 		t.Run(test.name, func(t *testing.T) {
 			t.Parallel()

 			warnings, err := test.cfg().Validate(validationMode{})
-			assert.Nil(t, warnings)
+			assert.Equal(t, test.expectedWarnings, warnings)

 			if test.expectedError != "" {
 				assert.EqualError(t, err, test.expectedError)
--- a/pkg/machinery/config/types/network/testdata/resolverconfig.yaml
+++ b/pkg/machinery/config/types/network/testdata/resolverconfig.yaml
@ -3,6 +3,8 @@ kind: ResolverConfig
 nameservers:
    - address: 10.0.0.1
    - address: 2001:4860:4860::8888
+      protocol: DoT
+      tlsServerName: dns.google
 searchDomains:
    domains:
        - example.org
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_network_bridge.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_network_bridge.go
@ -48,16 +48,19 @@ func (c *Config) AutoHostname() nethelpers.AutoHostnameKind {
 }

 // Resolvers implements config.NetworkResolverConfig interface.
-func (c *Config) Resolvers() []netip.Addr {
+func (c *Config) Resolvers() []config.NetworkResolver {
 	if c.MachineConfig == nil || c.MachineConfig.MachineNetwork == nil {
 		return nil
 	}

-	var result []netip.Addr
+	var result []config.NetworkResolver

 	for _, r := range c.MachineConfig.MachineNetwork.NameServers {
 		if addr, err := netip.ParseAddr(r); err == nil {
-			result = append(result, addr)
+			result = append(result, config.NetworkResolver{
+				Addr:     addr,
+				Protocol: nethelpers.DNSProtocolDefault,
+			})
 		}
 	}

--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_network_bridge_test.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_network_bridge_test.go
@ -9,10 +9,11 @@ import (
 	"testing"
 	"time"

+	"github.com/siderolabs/gen/xslices"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/siderolabs/talos/pkg/machinery/config"
+	"github.com/siderolabs/talos/pkg/machinery/config/config"
 	"github.com/siderolabs/talos/pkg/machinery/config/container"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/network"
 	"github.com/siderolabs/talos/pkg/machinery/config/types/v1alpha1"
@ -355,7 +356,12 @@ func TestResolverBridging(t *testing.T) {

 			require.NotNil(t, resolverConfig)

-			assert.Equal(t, test.expectedNameservers, resolverConfig.Resolvers())
+			assert.Equal(t, xslices.Map(test.expectedNameservers, func(addr netip.Addr) config.NetworkResolver {
+				return config.NetworkResolver{
+					Addr:     addr,
+					Protocol: nethelpers.DNSProtocolDefault,
+				}
+			}), resolverConfig.Resolvers())
 			assert.Equal(t, test.expectedSearchDomains, resolverConfig.SearchDomains())
 			assert.Equal(t, test.expectedDisableSearch, resolverConfig.DisableSearchDomain())
 		})
--- a/pkg/machinery/nethelpers/arpalltargets_enumer.go
+++ b/pkg/machinery/nethelpers/arpalltargets_enumer.go
@ -1,4 +1,4 @@
-// Code generated by "enumer -type=ARPAllTargets,ARPValidate,AddressFlag,AddressSortAlgorithm,ADSelect,ADLACPActive,AutoHostnameKind,BondMode,BondXmitHashPolicy,ClientIdentifier,ConntrackState,DefaultAction,Duplex,Family,LACPRate,LinkFlag,LinkType,MatchOperator,NfTablesChainHook,NfTablesChainPriority,NfTablesVerdict,OperationalState,Port,PrimaryReselect,Protocol,RouteFlag,RouteProtocol,RouteType,RoutingRuleAction,RoutingTable,Scope,Status,VLANProtocol,WOLMode -linecomment -text"; DO NOT EDIT.
+// Code generated by "enumer -type=ARPAllTargets,ARPValidate,AddressFlag,AddressSortAlgorithm,ADSelect,ADLACPActive,AutoHostnameKind,BondMode,BondXmitHashPolicy,ClientIdentifier,ConntrackState,DefaultAction,DNSProtocol,Duplex,Family,LACPRate,LinkFlag,LinkType,MatchOperator,NfTablesChainHook,NfTablesChainPriority,NfTablesVerdict,OperationalState,Port,PrimaryReselect,Protocol,RouteFlag,RouteProtocol,RouteType,RoutingRuleAction,RoutingTable,Scope,Status,VLANProtocol,WOLMode -linecomment -text"; DO NOT EDIT.

 package nethelpers

@ -1127,6 +1127,88 @@ func (i *DefaultAction) UnmarshalText(text []byte) error {
 	return err
 }

+const _DNSProtocolName = "Do53DoT"
+
+var _DNSProtocolIndex = [...]uint8{0, 4, 7}
+
+const _DNSProtocolLowerName = "do53dot"
+
+func (i DNSProtocol) String() string {
+	if i >= DNSProtocol(len(_DNSProtocolIndex)-1) {
+		return fmt.Sprintf("DNSProtocol(%d)", i)
+	}
+	return _DNSProtocolName[_DNSProtocolIndex[i]:_DNSProtocolIndex[i+1]]
+}
+
+// An "invalid array index" compiler error signifies that the constant values have changed.
+// Re-run the stringer command to generate them again.
+func _DNSProtocolNoOp() {
+	var x [1]struct{}
+	_ = x[DNSProtocolDefault-(0)]
+	_ = x[DNSProtocolDNSOverTLS-(1)]
+}
+
+var _DNSProtocolValues = []DNSProtocol{DNSProtocolDefault, DNSProtocolDNSOverTLS}
+
+var _DNSProtocolNameToValueMap = map[string]DNSProtocol{
+	_DNSProtocolName[0:4]:      DNSProtocolDefault,
+	_DNSProtocolLowerName[0:4]: DNSProtocolDefault,
+	_DNSProtocolName[4:7]:      DNSProtocolDNSOverTLS,
+	_DNSProtocolLowerName[4:7]: DNSProtocolDNSOverTLS,
+}
+
+var _DNSProtocolNames = []string{
+	_DNSProtocolName[0:4],
+	_DNSProtocolName[4:7],
+}
+
+// DNSProtocolString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func DNSProtocolString(s string) (DNSProtocol, error) {
+	if val, ok := _DNSProtocolNameToValueMap[s]; ok {
+		return val, nil
+	}
+
+	if val, ok := _DNSProtocolNameToValueMap[strings.ToLower(s)]; ok {
+		return val, nil
+	}
+	return 0, fmt.Errorf("%s does not belong to DNSProtocol values", s)
+}
+
+// DNSProtocolValues returns all values of the enum
+func DNSProtocolValues() []DNSProtocol {
+	return _DNSProtocolValues
+}
+
+// DNSProtocolStrings returns a slice of all String values of the enum
+func DNSProtocolStrings() []string {
+	strs := make([]string, len(_DNSProtocolNames))
+	copy(strs, _DNSProtocolNames)
+	return strs
+}
+
+// IsADNSProtocol returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i DNSProtocol) IsADNSProtocol() bool {
+	for _, v := range _DNSProtocolValues {
+		if i == v {
+			return true
+		}
+	}
+	return false
+}
+
+// MarshalText implements the encoding.TextMarshaler interface for DNSProtocol
+func (i DNSProtocol) MarshalText() ([]byte, error) {
+	return []byte(i.String()), nil
+}
+
+// UnmarshalText implements the encoding.TextUnmarshaler interface for DNSProtocol
+func (i *DNSProtocol) UnmarshalText(text []byte) error {
+	var err error
+	*i, err = DNSProtocolString(string(text))
+	return err
+}
+
 const (
 	_DuplexName_0      = "HalfFull"
 	_DuplexLowerName_0 = "halffull"
--- a/pkg/machinery/nethelpers/dnsprotocol.go
+++ b/pkg/machinery/nethelpers/dnsprotocol.go
@ -0,0 +1,16 @@
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package nethelpers
+
+// DNSProtocol is a kind of DNS protocol.
+type DNSProtocol byte
+
+// DNSProtocol constants.
+//
+//structprotogen:gen_enum
+const (
+	DNSProtocolDefault    DNSProtocol = iota // Do53
+	DNSProtocolDNSOverTLS                    // DoT
+)
--- a/pkg/machinery/nethelpers/nethelpers.go
+++ b/pkg/machinery/nethelpers/nethelpers.go
@ -5,5 +5,5 @@
 // Package nethelpers provides types and type wrappers to support network resources.
 package nethelpers

-//go:generate go tool github.com/dmarkham/enumer -type=ARPAllTargets,ARPValidate,AddressFlag,AddressSortAlgorithm,ADSelect,ADLACPActive,AutoHostnameKind,BondMode,BondXmitHashPolicy,ClientIdentifier,ConntrackState,DefaultAction,Duplex,Family,LACPRate,LinkFlag,LinkType,MatchOperator,NfTablesChainHook,NfTablesChainPriority,NfTablesVerdict,OperationalState,Port,PrimaryReselect,Protocol,RouteFlag,RouteProtocol,RouteType,RoutingRuleAction,RoutingTable,Scope,Status,VLANProtocol,WOLMode -linecomment -text
+//go:generate go tool github.com/dmarkham/enumer -type=ARPAllTargets,ARPValidate,AddressFlag,AddressSortAlgorithm,ADSelect,ADLACPActive,AutoHostnameKind,BondMode,BondXmitHashPolicy,ClientIdentifier,ConntrackState,DefaultAction,DNSProtocol,Duplex,Family,LACPRate,LinkFlag,LinkType,MatchOperator,NfTablesChainHook,NfTablesChainPriority,NfTablesVerdict,OperationalState,Port,PrimaryReselect,Protocol,RouteFlag,RouteProtocol,RouteType,RoutingRuleAction,RoutingTable,Scope,Status,VLANProtocol,WOLMode -linecomment -text
 //go:generate go tool github.com/dmarkham/enumer -type=FailOverMAC -linecomment
--- a/pkg/machinery/resources/network/address_spec_test.go
+++ b/pkg/machinery/resources/network/address_spec_test.go
@ -17,6 +17,8 @@ import (
 )

 func TestAddressSpecMarshalYAML(t *testing.T) {
+	t.Parallel()
+
 	spec := network.AddressSpecSpec{
 		Address:     netip.MustParsePrefix("192.168.3.6/27"),
 		LinkName:    "eth0",
--- a/pkg/machinery/resources/network/condition_test.go
+++ b/pkg/machinery/resources/network/condition_test.go
@ -20,11 +20,11 @@ import (
 )

 func TestCondition(t *testing.T) {
+	t.Parallel()
+
 	ctx, ctxCancel := context.WithTimeout(t.Context(), time.Second)
 	t.Cleanup(ctxCancel)

-	t.Parallel()
-
 	for _, tt := range []struct {
 		Name     string
 		Status   network.StatusSpec
--- a/pkg/machinery/resources/network/deep_copy.generated.go
+++ b/pkg/machinery/resources/network/deep_copy.generated.go
@ -594,6 +594,10 @@ func (o ResolverSpecSpec) DeepCopy() ResolverSpecSpec {
 		cp.DNSServers = make([]netip.Addr, len(o.DNSServers))
 		copy(cp.DNSServers, o.DNSServers)
 	}
+	if o.NameServers != nil {
+		cp.NameServers = make([]NameServerSpec, len(o.NameServers))
+		copy(cp.NameServers, o.NameServers)
+	}
 	if o.SearchDomains != nil {
 		cp.SearchDomains = make([]string, len(o.SearchDomains))
 		copy(cp.SearchDomains, o.SearchDomains)
@ -608,6 +612,10 @@ func (o ResolverStatusSpec) DeepCopy() ResolverStatusSpec {
 		cp.DNSServers = make([]netip.Addr, len(o.DNSServers))
 		copy(cp.DNSServers, o.DNSServers)
 	}
+	if o.NameServers != nil {
+		cp.NameServers = make([]NameServerSpec, len(o.NameServers))
+		copy(cp.NameServers, o.NameServers)
+	}
 	if o.SearchDomains != nil {
 		cp.SearchDomains = make([]string, len(o.SearchDomains))
 		copy(cp.SearchDomains, o.SearchDomains)
--- a/pkg/machinery/resources/network/device_config_spec_test.go
+++ b/pkg/machinery/resources/network/device_config_spec_test.go
@ -16,6 +16,8 @@ import (
 )

 func TestDeviceConfigProtobufMarshal(t *testing.T) {
+	t.Parallel()
+
 	d := &v1alpha1.Device{
 		DeviceInterface: "eth0",
 		DeviceAddresses: []string{"10.0.0.8/32"},
--- a/pkg/machinery/resources/network/hostname_spec_test.go
+++ b/pkg/machinery/resources/network/hostname_spec_test.go
@ -15,6 +15,8 @@ import (
 )

 func TestHostnameSpecMarshalYAML(t *testing.T) {
+	t.Parallel()
+
 	spec := network.HostnameSpecSpec{
 		Hostname:    "foo",
 		Domainname:  "example.com",
--- a/pkg/machinery/resources/network/link_spec_test.go
+++ b/pkg/machinery/resources/network/link_spec_test.go
@ -19,6 +19,8 @@ import (
 )

 func TestLinkSpecMarshalYAML(t *testing.T) {
+	t.Parallel()
+
 	spec := network.LinkSpecSpec{
 		Name:       "eth0",
 		Logical:    true,
--- a/pkg/machinery/resources/network/link_status_test.go
+++ b/pkg/machinery/resources/network/link_status_test.go
@ -21,6 +21,8 @@ import (
 )

 func TestLinkStatusMarshalYAML(t *testing.T) {
+	t.Parallel()
+
 	hwAddr, err := net.ParseMAC("01:23:45:67:89:ab")
 	require.NoError(t, err)

--- a/pkg/machinery/resources/network/link_test.go
+++ b/pkg/machinery/resources/network/link_test.go
@ -15,6 +15,8 @@ import (
 )

 func TestWireguardPeer(t *testing.T) {
+	t.Parallel()
+
 	key1 := "2t4fMmV1fBhI6RgoUzHp9BoWLT7oq0C/fOV17f7FqTI="
 	key2 := "zHyf80qsjQ1EfiXkjxaLf9K9VZ6YRwcXx8GrpXQ6/yQ="

--- a/pkg/machinery/resources/network/network_test.go
+++ b/pkg/machinery/resources/network/network_test.go
@ -23,6 +23,8 @@ import (
 )

 func TestRegisterResource(t *testing.T) {
+	t.Parallel()
+
 	ctx := t.Context()

 	resources := state.WrapCore(namespaced.NewState(inmem.Build))
--- a/pkg/machinery/resources/network/operator_spec_test.go
+++ b/pkg/machinery/resources/network/operator_spec_test.go
@ -16,6 +16,8 @@ import (
 )

 func TestOperatorSpecMarshalYAML(t *testing.T) {
+	t.Parallel()
+
 	spec := network.OperatorSpecSpec{
 		Operator:  network.OperatorDHCP4,
 		LinkName:  "eth0",
--- a/pkg/machinery/resources/network/resolver_spec.go
+++ b/pkg/machinery/resources/network/resolver_spec.go
@ -11,7 +11,9 @@ import (
 	"github.com/cosi-project/runtime/pkg/resource/meta"
 	"github.com/cosi-project/runtime/pkg/resource/protobuf"
 	"github.com/cosi-project/runtime/pkg/resource/typed"
+	"github.com/siderolabs/gen/xslices"

+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/proto"
 )

@ -24,13 +26,39 @@ type ResolverSpec = typed.Resource[ResolverSpecSpec, ResolverSpecExtension]
 // ResolverID is the ID of the singleton instance.
 const ResolverID resource.ID = "resolvers"

+// NameServerSpec describes a single DNS nameserver with additional configuration.
+//
+//gotagsrewrite:gen
+type NameServerSpec struct {
+	Addr          netip.Addr             `yaml:"addr" protobuf:"1"`
+	Protocol      nethelpers.DNSProtocol `yaml:"protocol" protobuf:"2"`
+	TLSServerName string                 `yaml:"tlsServerName" protobuf:"3"`
+}
+
+// String returns a string representation of the NameServerSpec for logging purposes.
+func (ns NameServerSpec) String() string {
+	switch ns.Protocol {
+	case nethelpers.DNSProtocolDNSOverTLS:
+		return ns.Addr.String() + " (DoT, TLS Server Name: " + ns.TLSServerName + ")"
+	case nethelpers.DNSProtocolDefault:
+		return ns.Addr.String()
+	default:
+		return ns.Addr.String() + " (Unknown Protocol)"
+	}
+}
+
 // ResolverSpecSpec describes DNS resolvers.
 //
 //gotagsrewrite:gen
 type ResolverSpecSpec struct {
-	DNSServers    []netip.Addr `yaml:"dnsServers" protobuf:"1"`
-	ConfigLayer   ConfigLayer  `yaml:"layer" protobuf:"2"`
-	SearchDomains []string     `yaml:"searchDomains,omitempty" protobuf:"3"`
+	// DNSServers is a flat list of DNS server IP addresses.
+	//
+	// Deprecated: This field is deprecated in favor of NameServers which contain more information.
+	DNSServers []netip.Addr `yaml:"dnsServers" protobuf:"1"`
+	// NameServers is a list of DNS servers with additional configuration.
+	NameServers   []NameServerSpec `yaml:"nameServers,omitempty" protobuf:"4"`
+	ConfigLayer   ConfigLayer      `yaml:"layer" protobuf:"2"`
+	SearchDomains []string         `yaml:"searchDomains,omitempty" protobuf:"3"`
 }

 // NewResolverSpec initializes a ResolverSpec resource.
@ -41,6 +69,22 @@ func NewResolverSpec(namespace resource.Namespace, id resource.ID) *ResolverSpec
 	)
 }

+// Convert handles conversion of deprecated fields to the new ones and vice versa for backward compatibility.
+func (s *ResolverSpecSpec) Convert() {
+	if s.NameServers == nil && s.DNSServers != nil {
+		s.NameServers = xslices.Map(s.DNSServers, func(addr netip.Addr) NameServerSpec {
+			return NameServerSpec{
+				Addr:     addr,
+				Protocol: nethelpers.DNSProtocolDefault,
+			}
+		})
+	} else if s.DNSServers == nil && s.NameServers != nil {
+		s.DNSServers = xslices.Map(s.NameServers, func(ns NameServerSpec) netip.Addr {
+			return ns.Addr
+		})
+	}
+}
+
 // ResolverSpecExtension provides auxiliary methods for ResolverSpec.
 type ResolverSpecExtension struct{}

--- a/pkg/machinery/resources/network/resolver_spec_test.go
+++ b/pkg/machinery/resources/network/resolver_spec_test.go
@ -12,10 +12,13 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.yaml.in/yaml/v4"

+	"github.com/siderolabs/talos/pkg/machinery/nethelpers"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 )

 func TestResolverSpecMarshalYAML(t *testing.T) {
+	t.Parallel()
+
 	spec := network.ResolverSpecSpec{
 		DNSServers:    []netip.Addr{netip.MustParseAddr("1.1.1.1"), netip.MustParseAddr("8.8.8.8")},
 		ConfigLayer:   network.ConfigPlatform,
@ -33,3 +36,28 @@ func TestResolverSpecMarshalYAML(t *testing.T) {

 	assert.Equal(t, spec, spec2)
 }
+
+func TestResolverSpecConvert(t *testing.T) {
+	t.Parallel()
+
+	spec := network.ResolverSpecSpec{
+		DNSServers:    []netip.Addr{netip.MustParseAddr("1.1.1.1"), netip.MustParseAddr("8.8.8.8")},
+		ConfigLayer:   network.ConfigPlatform,
+		SearchDomains: []string{"example.com"},
+	}
+	spec.Convert()
+
+	assert.Equal(t, []network.NameServerSpec{
+		{Addr: netip.MustParseAddr("1.1.1.1")},
+		{Addr: netip.MustParseAddr("8.8.8.8")},
+	}, spec.NameServers)
+
+	spec = network.ResolverSpecSpec{
+		NameServers:   []network.NameServerSpec{{Addr: netip.MustParseAddr("3.3.3.3"), Protocol: nethelpers.DNSProtocolDefault, TLSServerName: "dns.example.com"}},
+		ConfigLayer:   network.ConfigPlatform,
+		SearchDomains: []string{"example.com"},
+	}
+	spec.Convert()
+
+	assert.Equal(t, []netip.Addr{netip.MustParseAddr("3.3.3.3")}, spec.DNSServers)
+}
--- a/pkg/machinery/resources/network/resolver_status.go
+++ b/pkg/machinery/resources/network/resolver_status.go
@ -25,8 +25,13 @@ type ResolverStatus = typed.Resource[ResolverStatusSpec, ResolverStatusExtension
 //
 //gotagsrewrite:gen
 type ResolverStatusSpec struct {
-	DNSServers    []netip.Addr `yaml:"dnsServers" protobuf:"1"`
-	SearchDomains []string     `yaml:"searchDomains" protobuf:"2"`
+	// DNSServers is a flat list of DNS server IP addresses.
+	//
+	// Deprecated: This field is deprecated in favor of NameServers which contain more information.
+	DNSServers []netip.Addr `yaml:"dnsServers" protobuf:"1"`
+	// NameServers is a list of DNS servers with additional configuration.
+	NameServers   []NameServerSpec `yaml:"nameServers,omitempty" protobuf:"4"`
+	SearchDomains []string         `yaml:"searchDomains" protobuf:"2"`
 }

 // NewResolverStatus initializes a ResolverStatus resource.
--- a/pkg/machinery/resources/network/route_spec_test.go
+++ b/pkg/machinery/resources/network/route_spec_test.go
@ -17,6 +17,8 @@ import (
 )

 func TestRoutSpecMarshalYAML(t *testing.T) {
+	t.Parallel()
+
 	spec := network.RouteSpecSpec{
 		Family:      nethelpers.FamilyInet6,
 		Destination: netip.MustParsePrefix("192.168.3.4/25"),
--- a/pkg/machinery/resources/network/timeserver_spec_test.go
+++ b/pkg/machinery/resources/network/timeserver_spec_test.go
@ -15,6 +15,8 @@ import (
 )

 func TestTimeServerSpecMarshalYAML(t *testing.T) {
+	t.Parallel()
+
 	spec := network.TimeServerSpecSpec{
 		NTPServers:  []string{"pool.ntp.org"},
 		ConfigLayer: network.ConfigPlatform,
--- a/pkg/machinery/resources/network/ula_test.go
+++ b/pkg/machinery/resources/network/ula_test.go
@ -13,5 +13,7 @@ import (
 )

 func TestULAPrefix(t *testing.T) {
+	t.Parallel()
+
 	assert.Equal(t, "fd7f:175a:b97c:5602::/64", network.ULAPrefix("8XuV9TZHW08DOk3bVxQjH9ih_TBKjnh-j44tsCLSBzo=", network.ULAKubeSpan).String())
 }
--- a/website/content/v1.14/reference/api.md
+++ b/website/content/v1.14/reference/api.md
@ -310,6 +310,7 @@ description: Talos gRPC API reference.
    - [NethelpersBondXmitHashPolicy](#talos.resource.definitions.enums.NethelpersBondXmitHashPolicy)
    - [NethelpersClientIdentifier](#talos.resource.definitions.enums.NethelpersClientIdentifier)
    - [NethelpersConntrackState](#talos.resource.definitions.enums.NethelpersConntrackState)
+    - [NethelpersDNSProtocol](#talos.resource.definitions.enums.NethelpersDNSProtocol)
    - [NethelpersDuplex](#talos.resource.definitions.enums.NethelpersDuplex)
    - [NethelpersFailOverMAC](#talos.resource.definitions.enums.NethelpersFailOverMAC)
    - [NethelpersFamily](#talos.resource.definitions.enums.NethelpersFamily)
@ -544,6 +545,7 @@ description: Talos gRPC API reference.
    - [LinkRefreshSpec](#talos.resource.definitions.network.LinkRefreshSpec)
    - [LinkSpecSpec](#talos.resource.definitions.network.LinkSpecSpec)
    - [LinkStatusSpec](#talos.resource.definitions.network.LinkStatusSpec)
+    - [NameServerSpec](#talos.resource.definitions.network.NameServerSpec)
    - [NfTablesAddressMatch](#talos.resource.definitions.network.NfTablesAddressMatch)
    - [NfTablesChainSpec](#talos.resource.definitions.network.NfTablesChainSpec)
    - [NfTablesClampMSS](#talos.resource.definitions.network.NfTablesClampMSS)
@ -5316,6 +5318,18 @@ NethelpersConntrackState is a conntrack state.



+<a name="talos.resource.definitions.enums.NethelpersDNSProtocol"></a>
+
+### NethelpersDNSProtocol
+NethelpersDNSProtocol is a kind of DNS protocol.
+
+| Name | Number | Description |
+| ---- | ------ | ----------- |
+| DNS_PROTOCOL_DEFAULT | 0 |  |
+| DNS_PROTOCOL_DNS_OVER_TLS | 1 |  |
+
+
+
 <a name="talos.resource.definitions.enums.NethelpersDuplex"></a>

 ### NethelpersDuplex
@ -9584,6 +9598,23 @@ LinkStatusSpec describes status of rendered secrets.



+<a name="talos.resource.definitions.network.NameServerSpec"></a>
+
+### NameServerSpec
+NameServerSpec describes a single DNS nameserver with additional configuration.
+
+
+| Field | Type | Label | Description |
+| ----- | ---- | ----- | ----------- |
+| addr | [common.NetIP](#common.NetIP) |  |  |
+| protocol | [talos.resource.definitions.enums.NethelpersDNSProtocol](#talos.resource.definitions.enums.NethelpersDNSProtocol) |  |  |
+| tls_server_name | [string](#string) |  |  |
+
+
+
+
+
+
 <a name="talos.resource.definitions.network.NfTablesAddressMatch"></a>

 ### NfTablesAddressMatch
@ -9938,9 +9969,10 @@ ResolverSpecSpec describes DNS resolvers.

 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| dns_servers | [common.NetIP](#common.NetIP) | repeated |  |
+| dns_servers | [common.NetIP](#common.NetIP) | repeated | DNSServers is a flat list of DNS server IP addresses.<br><br>Deprecated: This field is deprecated in favor of NameServers which contain more information. |
 | config_layer | [talos.resource.definitions.enums.NetworkConfigLayer](#talos.resource.definitions.enums.NetworkConfigLayer) |  |  |
 | search_domains | [string](#string) | repeated |  |
+| name_servers | [NameServerSpec](#talos.resource.definitions.network.NameServerSpec) | repeated | NameServers is a list of DNS servers with additional configuration. |



@ -9955,8 +9987,9 @@ ResolverStatusSpec describes DNS resolvers.

 | Field | Type | Label | Description |
 | ----- | ---- | ----- | ----------- |
-| dns_servers | [common.NetIP](#common.NetIP) | repeated |  |
+| dns_servers | [common.NetIP](#common.NetIP) | repeated | DNSServers is a flat list of DNS server IP addresses.<br><br>Deprecated: This field is deprecated in favor of NameServers which contain more information. |
 | search_domains | [string](#string) | repeated |  |
+| name_servers | [NameServerSpec](#talos.resource.definitions.network.NameServerSpec) | repeated | NameServers is a list of DNS servers with additional configuration. |



--- a/website/content/v1.14/reference/configuration/network/resolverconfig.md
+++ b/website/content/v1.14/reference/configuration/network/resolverconfig.md
@ -19,7 +19,13 @@ kind: ResolverConfig
 # A list of nameservers (DNS servers) to use for resolving domain names.
 nameservers:
    - address: 1.1.1.1 # The IP address of the nameserver.
+
+      # # TLS server name to validate the nameserver certificate against.
+      # tlsServerName: dns1.example.com
    - address: ff08::1 # The IP address of the nameserver.
+
+      # # TLS server name to validate the nameserver certificate against.
+      # tlsServerName: dns1.example.com
 # Configuration for search domains (in /etc/resolv.conf).
 searchDomains:
    # A list of search domains to be used for DNS resolution.
@ -45,6 +51,19 @@ hostDNS:
    resolveMemberNames: true # Resolve member hostnames using the host DNS resolver.
 {{< /highlight >}}

+{{< highlight yaml >}}
+apiVersion: v1alpha1
+kind: ResolverConfig
+# A list of nameservers (DNS servers) to use for resolving domain names.
+nameservers:
+    - address: 9.9.9.9 # The IP address of the nameserver.
+      protocol: DoT # A DNS protocol to use.
+      tlsServerName: dns.quad9.net # TLS server name to validate the nameserver certificate against.
+    - address: 2620:fe::fe # The IP address of the nameserver.
+      protocol: DoT # A DNS protocol to use.
+      tlsServerName: dns.quad9.net # TLS server name to validate the nameserver certificate against.
+{{< /highlight >}}
+

 | Field | Type | Description | Value(s) |
 |-------|------|-------------|----------|
@ -67,6 +86,10 @@ NameserverConfig represents a single nameserver configuration.
 |`address` |Addr |The IP address of the nameserver. <details><summary>Show example(s)</summary>{{< highlight yaml >}}
 address: 10.0.0.1
 {{< /highlight >}}</details> | |
+|`protocol` |DNSProtocol |A DNS protocol to use.<br><br>The default protocol is plain DNS (`Do53`) (DNS over TCP/UDP), but this can be set<br>to `DoT` to use DNS over TLS (RFC 7858) for encrypted DNS queries to this nameserver.<br><br>Note: DNS over TLS requires a correct system clock to validate certificates.<br>If NTP is configured with hostnames that need to be resolved through DoT, the<br>boot may stall: NTP needs DNS, and DoT needs valid time. Either rely on the<br>hardware clock, configure NTP servers by IP, or keep at least one plain-DNS<br>fallback nameserver.  |`Do53`<br />`DoT`<br /> |
+|`tlsServerName` |string |TLS server name to validate the nameserver certificate against.<br><br>This field should be set, if the protocol is set to `DoT`.<br>The value is used both as the SNI sent during the TLS handshake and as the name<br>verified against the server certificate. <details><summary>Show example(s)</summary>{{< highlight yaml >}}
+tlsServerName: dns1.example.com
+{{< /highlight >}}</details> | |



--- a/website/content/v1.14/schemas/config.schema.json
+++ b/website/content/v1.14/schemas/config.schema.json
@ -2779,6 +2779,23 @@
          "description": "The IP address of the nameserver.\n",
          "markdownDescription": "The IP address of the nameserver.",
          "x-intellij-html-description": "\u003cp\u003eThe IP address of the nameserver.\u003c/p\u003e\n"
+        },
+        "protocol": {
+          "enum": [
+            "Do53",
+            "DoT"
+          ],
+          "title": "protocol",
+          "description": "A DNS protocol to use.\n\nThe default protocol is plain DNS (Do53) (DNS over TCP/UDP), but this can be set\nto DoT to use DNS over TLS (RFC 7858) for encrypted DNS queries to this nameserver.\n\nNote: DNS over TLS requires a correct system clock to validate certificates.\nIf NTP is configured with hostnames that need to be resolved through DoT, the\nboot may stall: NTP needs DNS, and DoT needs valid time. Either rely on the\nhardware clock, configure NTP servers by IP, or keep at least one plain-DNS\nfallback nameserver.\n",
+          "markdownDescription": "A DNS protocol to use.\n\nThe default protocol is plain DNS (`Do53`) (DNS over TCP/UDP), but this can be set\nto `DoT` to use DNS over TLS (RFC 7858) for encrypted DNS queries to this nameserver.\n\nNote: DNS over TLS requires a correct system clock to validate certificates.\nIf NTP is configured with hostnames that need to be resolved through DoT, the\nboot may stall: NTP needs DNS, and DoT needs valid time. Either rely on the\nhardware clock, configure NTP servers by IP, or keep at least one plain-DNS\nfallback nameserver.",
+          "x-intellij-html-description": "\u003cp\u003eA DNS protocol to use.\u003c/p\u003e\n\n\u003cp\u003eThe default protocol is plain DNS (\u003ccode\u003eDo53\u003c/code\u003e) (DNS over TCP/UDP), but this can be set\nto \u003ccode\u003eDoT\u003c/code\u003e to use DNS over TLS (RFC 7858) for encrypted DNS queries to this nameserver.\u003c/p\u003e\n\n\u003cp\u003eNote: DNS over TLS requires a correct system clock to validate certificates.\nIf NTP is configured with hostnames that need to be resolved through DoT, the\nboot may stall: NTP needs DNS, and DoT needs valid time. Either rely on the\nhardware clock, configure NTP servers by IP, or keep at least one plain-DNS\nfallback nameserver.\u003c/p\u003e\n"
+        },
+        "tlsServerName": {
+          "type": "string",
+          "title": "tlsServerName",
+          "description": "TLS server name to validate the nameserver certificate against.\n\nThis field should be set, if the protocol is set to DoT.\nThe value is used both as the SNI sent during the TLS handshake and as the name\nverified against the server certificate.\n",
+          "markdownDescription": "TLS server name to validate the nameserver certificate against.\n\nThis field should be set, if the protocol is set to `DoT`.\nThe value is used both as the SNI sent during the TLS handshake and as the name\nverified against the server certificate.",
+          "x-intellij-html-description": "\u003cp\u003eTLS server name to validate the nameserver certificate against.\u003c/p\u003e\n\n\u003cp\u003eThis field should be set, if the protocol is set to \u003ccode\u003eDoT\u003c/code\u003e.\nThe value is used both as the SNI sent during the TLS handshake and as the name\nverified against the server certificate.\u003c/p\u003e\n"
        }
      },
      "additionalProperties": false,