diff --git a/README.md b/README.md
index 649fd41..a7f4441 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,13 @@ are aligned with the `CISS.debian.installer` baseline, ensuring a unified crypto
 an installed system. For an overview of the entire build process, see:
 **[MAN_CISS_ISO_BOOT_CHAIN.md](docs/MAN_CISS_ISO_BOOT_CHAIN.md)**
 
+When built with the ``--dhcp-centurion`` profile, the live system ships with a strict network and resolver policy: 
+``systemd-networkd`` and ``systemd-resolved`` are pre-configured to use ``DNS-over-TLS (DoT)`` exclusively against the 
+**CenturionDNS** resolver infrastructure; plain DNS is not used and connectivity failures are treated as hard errors. DNSSEC 
+validation is enforced in a fail-closed manner: zones with invalid or broken signatures result in ``SERVFAIL`` and are not 
+silently downgraded. Multicast name resolution via ``mDNS`` and ``LLMNR`` is disabled globally to avoid unintended name leakage
+and spoofing surfaces.
+
 Check out more leading world-class services powered by Centurion Intelligence Consulting Agency:
 * [CenturionDNS Resolver](https://eddns.eu/)
 * [CenturionDNS Blocklist](https://dns.eddns.eu/blocklists/centurion_titanium_ultimate.txt)