diff --git a/roles/systemd_resolved/defaults/main.yml b/roles/systemd_resolved/defaults/main.yml
index 9f65322..d18d853 100644
--- a/roles/systemd_resolved/defaults/main.yml
+++ b/roles/systemd_resolved/defaults/main.yml
@@ -11,6 +11,7 @@ systemd_resolved_dnsovertls: false
 systemd_resolved_cache: true
 systemd_resolved_dnsstublistener: udp
 systemd_resolved_readetchosts: true
+systemd_resolved_nss: false
 systemd_resolved_package_name: systemd-resolved
 systemd_resolved_package_version: ""
 systemd_resolved_package_state: present
diff --git a/roles/systemd_resolved/tasks/main.yml b/roles/systemd_resolved/tasks/main.yml
index 387dba3..8d2e890 100644
--- a/roles/systemd_resolved/tasks/main.yml
+++ b/roles/systemd_resolved/tasks/main.yml
@@ -9,6 +9,9 @@
       ansible.builtin.import_tasks: environment.yml
     - name: Ensure systemd resolved package
       ansible.builtin.import_tasks: package.yml
+    - name: Ensure systemd resolved nss
+      ansible.builtin.import_tasks: nss.yml
+      when: systemd_resolved_nss
     - name: Ensure systemd resolved resolved.conf
       ansible.builtin.import_tasks: resolved.conf.yml
     - name: Ensure systemd resolved systemd service
diff --git a/roles/systemd_resolved/tasks/nss.yml b/roles/systemd_resolved/tasks/nss.yml
new file mode 100644
index 0000000..11d67f0
--- /dev/null
+++ b/roles/systemd_resolved/tasks/nss.yml
@@ -0,0 +1,14 @@
+---
+- name: "ensure systemd resolved nss configuration is correct"
+  ansible.builtin.fail:
+    msg: "Please add resolve to nss_configuration.hosts"
+  when:
+    - "'resolve' not in nss_configuration.hosts"
+
+- name: "ensure nss-resolve package"
+  ansible.builtin.apt:
+    name: "libnss-resolve"
+
+- name: "ensure systemd resolved nss"
+  include_role:
+    name: "nss"
diff --git a/roles/systemd_resolved/tasks/resolv.conf.yml b/roles/systemd_resolved/tasks/resolv.conf.yml
index 7090d47..b712788 100644
--- a/roles/systemd_resolved/tasks/resolv.conf.yml
+++ b/roles/systemd_resolved/tasks/resolv.conf.yml
@@ -7,6 +7,7 @@
     force: true
   become: true
   when: not systemd_resolved_dnsstublistener
+    and systemd_resolved_nss
 
 - name: Ensure stub resolv.conf
   ansible.builtin.file:
@@ -16,3 +17,4 @@
     force: true
   become: true
   when: systemd_resolved_dnsstublistener
+    and not systemd_resolved_nss