diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index f530477..1e26169 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -94,7 +94,7 @@ In the `molecule-bash` container, run `ansible-playbook` as in [deploy.yml](work On the host, ``` -docker cp molecule-bash:${path_to_download_dir} . +docker cp molecule-bash:/tmp/download . ``` Edit the `ovpn` file if necessary, and establish a VPN connection. diff --git a/ansible/roles/openvpn/tasks/server/prepare/install.yml b/ansible/roles/openvpn/tasks/server/prepare/install.yml index 259a923..68f2038 100644 --- a/ansible/roles/openvpn/tasks/server/prepare/install.yml +++ b/ansible/roles/openvpn/tasks/server/prepare/install.yml @@ -36,6 +36,7 @@ - name: update cache ansible.builtin.apt: update_cache: yes + changed_when: False - name: install openvpn ansible.builtin.apt: diff --git a/ansible/roles/openvpn/tasks/server/prepare/main.yml b/ansible/roles/openvpn/tasks/server/prepare/main.yml index 32988a0..daf4dbe 100644 --- a/ansible/roles/openvpn/tasks/server/prepare/main.yml +++ b/ansible/roles/openvpn/tasks/server/prepare/main.yml @@ -1,6 +1,9 @@ - name: import system tasks ansible.builtin.import_tasks: system.yml +- name: import resolved tasks + ansible.builtin.import_tasks: resolved.yml + - name: update package cache action: "{{ ansible_pkg_mgr }} update_cache=yes" changed_when: False diff --git a/ansible/roles/openvpn/tasks/server/prepare/resolved.yml b/ansible/roles/openvpn/tasks/server/prepare/resolved.yml new file mode 100644 index 0000000..6037068 --- /dev/null +++ b/ansible/roles/openvpn/tasks/server/prepare/resolved.yml 
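Review bot: The added `changed_when: False` on the `update cache` task in install.yml only hides the change; the apt cache is still refreshed on every run. If the goal is an idempotent run, setting `cache_valid_time: 3600` on that `ansible.builtin.apt` call skips the refresh while the cache is recent, and the override is then not needed. If the override stays, write it as `changed_when: false` to match the lowercase booleans that resolved.yml uses in this same commit. The task list continues outside the hunk.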
@@ -0,0 +1,27 @@
+- name: check if UDP port 53 is in use
+ ansible.builtin.shell:
+ cmd: ss -nlu | tr '\t' ' ' | tr -s ' ' | cut -d ' ' -f 4 | grep ':53$'
+ register: ss_udp_53_result
+ ignore_errors: true
+ changed_when: False
+
+- name: stop the stub listener
+ when: ss_udp_53_result is succeeded
+ block:
+ - name: ln
+ ansible.builtin.file:
+ state: link
+ force: true
+ src: ../run/systemd/resolve/resolv.conf
+ path: /etc/resolv.conf
+
+ - name: resolved.conf
+ ansible.builtin.lineinfile:
+ path: /etc/systemd/resolved.conf
+ regexp: '^DNSStubListener='
+ line: DNSStubListener=no
+
+ - name: restart resolved
+ ansible.builtin.service:
+ name: systemd-resolved
+ state: restarted # reload unsupported
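Review bot: The guard in `check if UDP port 53 is in use` matches any UDP listener on port 53, so a host running dnsmasq, unbound or bind rather than the systemd-resolved stub also enters the block, where `force: true` replaces its `/etc/resolv.conf` and `systemd-resolved` is restarted on every run. Narrow the match to the stub address, for example `grep -E '^127\.0\.0\.53(%[^:]+)?:53$'`, or condition the block on the state of the `systemd-resolved` service. Once `/etc/resolv.conf` points at `/run/systemd/resolve/resolv.conf`, local lookups go straight to the uplink servers, so any DNSSEC or DNS-over-TLS setting in `resolved.conf` no longer covers them. A comment on the `ln` task such as `# bypasses systemd-resolved: DNSSEC/DNSOverTLS in resolved.conf no longer apply to libc lookups` would record that trade-off for whoever hardens this VPN host later. Separately, `ignore_errors: true` prints a failure on every host where the port is free; `failed_when: false` with `when: ss_udp_53_result.rc == 0` takes the same branch without the noise.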