diff --git a/internal/app/machined/pkg/system/services/networkd.go b/internal/app/machined/pkg/system/services/networkd.go index 8e58f1849..6b57a5407 100644 --- a/internal/app/machined/pkg/system/services/networkd.go +++ b/internal/app/machined/pkg/system/services/networkd.go @@ -115,6 +115,7 @@ func (n *Networkd) Runner(r runtime.Runtime) (runner.Runner, error) { strings.ToUpper("CAP_" + capability.CAP_NET_ADMIN.String()), strings.ToUpper("CAP_" + capability.CAP_SYS_ADMIN.String()), strings.ToUpper("CAP_" + capability.CAP_NET_RAW.String()), + strings.ToUpper("CAP_" + capability.CAP_NET_BIND_SERVICE.String()), }), oci.WithHostNamespace(specs.NetworkNamespace), oci.WithMounts(mounts), diff --git a/internal/app/networkd/pkg/networkd/networkd.go b/internal/app/networkd/pkg/networkd/networkd.go index e4dc334f3..91e682dcd 100644 --- a/internal/app/networkd/pkg/networkd/networkd.go +++ b/internal/app/networkd/pkg/networkd/networkd.go @@ -60,8 +60,6 @@ func New(config config.Provider) (*Networkd, error) { resolvers []string ) - resolvers = []string{DefaultPrimaryResolver, DefaultSecondaryResolver} - netconf := make(map[string][]nic.Option) if option = procfs.ProcCmdline().Get("ip").First(); option != nil { 
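Review bot: The added `CAP_NET_BIND_SERVICE` entry in Runner widens a capability set that already holds `CAP_SYS_ADMIN`, `CAP_NET_ADMIN` and `CAP_NET_RAW`, for a container that shares the host network namespace (`oci.WithHostNamespace(specs.NetworkNamespace)`), and nothing in the hunk says what needs it. In the host namespace this lets the service bind any port below 1024 on the node, so the reason belongs next to the line, for example `// CAP_NET_BIND_SERVICE: required to bind <PORT/PROTOCOL PLACEHOLDER> for <listener>`. Recording it makes it possible to drop the capability again when that listener goes away. Runner's body starts and ends outside the hunk.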
@@ -203,20 +201,29 @@ func (n *Networkd) Configure() (err error) { } } - resolvers := []string{} + // prefer resolvers from the configuration + resolvers := append([]string(nil), n.resolvers...) - for _, netif := range n.Interfaces { - for _, method := range netif.AddressMethod { - if !method.Valid() { - continue - } + // if no resolvers configured, use addressing method resolvers + if len(resolvers) == 0 { + for _, netif := range n.Interfaces { + for _, method := range netif.AddressMethod { + if !method.Valid() { + continue + } - for _, resolver := range method.Resolvers() { - resolvers = append(resolvers, resolver.String()) + for _, resolver := range method.Resolvers() { + resolvers = append(resolvers, resolver.String()) + } } } } + // use default resolvers if nothing is configured + if len(resolvers) == 0 { + resolvers = append(resolvers, DefaultPrimaryResolver, DefaultSecondaryResolver) + } + // Set hostname must be before the resolv configuration // so we can ensure the hosts domainname is set properly // before we write the search stanza @@ -224,10 +231,6 @@ func (n *Networkd) Configure() (err error) { return err } - if len(resolvers) == 0 { - resolvers = n.resolvers - } - if err = writeResolvConf(resolvers); err != nil { return err }
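Review bot: The last fallback added to Configure (`if len(resolvers) == 0 { resolvers = append(resolvers, DefaultPrimaryResolver, DefaultSecondaryResolver) }`) switches the node to the built-in resolvers without leaving a trace. An operator then cannot tell from the logs that DNS queries are going to servers nobody configured. I would record the chosen source in that branch, e.g. `log.Printf("no resolvers configured or supplied by addressing methods, using built-in defaults")`, assuming a logger is already in scope in this file (not visible here). The new order also drops resolvers returned by an addressing method whenever `n.resolvers` is non-empty, reversing the old behaviour where `n.resolvers` was only the fallback. The comment `// prefer resolvers from the configuration` could say so explicitly, e.g. `// configured resolvers replace (not merge with) any supplied by addressing methods`. Configure starts before this hunk and continues past it.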