diff --git a/install.sh b/install.sh
index d3ee8b6..87f12c6 100644
--- a/install.sh
+++ b/install.sh
@@ -381,6 +381,63 @@ check_requirements() {
 log "System requirements checked"
 }
+# Ensure DNS works and configure resolvers if needed
+ensure_dns_working() {
+ info "Verifying DNS resolution..."
+
+ # Quick success path
+ if getent hosts deb.debian.org >/dev/null 2>&1 || getent hosts github.com >/dev/null 2>&1; then
+ log "DNS is working"
+ return 0
+ fi
+
+ warning "DNS not resolving. Attempting automatic fix..."
+
+ # Try systemd-resolved if available
+ if command -v resolvectl >/dev/null 2>&1 || systemctl list-unit-files | grep -q systemd-resolved.service; then
+ systemctl enable --now systemd-resolved >/dev/null 2>&1 || true
+ # Use stub resolv.conf if present, else the static one
+ if [ -f /run/systemd/resolve/stub-resolv.conf ]; then
+ ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf || true
+ elif [ -f /run/systemd/resolve/resolv.conf ]; then
+ ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf || true
+ fi
+ # Seed with public DNS on the LAN interface
+ if [ -n "$LAN_INTERFACE" ] && command -v resolvectl >/dev/null 2>&1; then
+ resolvectl dns "$LAN_INTERFACE" 1.1.1.1 1.0.0.1 >/dev/null 2>&1 || true
+ resolvectl domain "$LAN_INTERFACE" "~." >/dev/null 2>&1 || true
+ fi
+ fi
+
+ # If still not working, try resolvconf fallback
+ if ! getent hosts deb.debian.org >/dev/null 2>&1 && command -v resolvconf >/dev/null 2>&1; then
+ mkdir -p /etc/resolvconf/resolv.conf.d
+ {
+ echo "nameserver 1.1.1.1"
+ echo "nameserver 1.0.0.1"
+ } > /etc/resolvconf/resolv.conf.d/head
+ resolvconf --enable-updates >/dev/null 2>&1 || true
+ resolvconf -u >/dev/null 2>&1 || true
+ fi
+
+ # Last-resort: write resolv.conf directly (may be overwritten later)
+ if ! getent hosts deb.debian.org >/dev/null 2>&1; then
+ {
+ echo "nameserver 1.1.1.1"
+ echo "nameserver 9.9.9.9"
+ } > /etc/resolv.conf
+ fi
+
+ # Final check
+ if getent hosts deb.debian.org >/dev/null 2>&1 || getent hosts github.com >/dev/null 2>&1; then
+ log "DNS repaired"
+ return 0
+ fi
+
+ warning "DNS still not working. Please verify your container's DNS setup (systemd-resolved or resolvconf) and rerun the installer."
+ return 1
+}
+
 # Install dependencies
 install_dependencies() {
 log "Installing dependencies..."
@@ -407,6 +464,8 @@ install_dependencies() {
 resolvconf
 net-tools
 jq
+ gnupg
+ ca-certificates
 )
 for package in "${packages[@]}"; do
@@ -551,6 +610,9 @@ EOF
 # Install Mullvad
 install_mullvad() {
 log "Installing Mullvad client..."
+
+ # Ensure DNS works before fetching keys
+ ensure_dns_working || true
 # Download Mullvad signing key
 curl -fsSL https://mullvad.net/media/mullvad-code-signing.asc | gpg --dearmor -o /usr/share/keyrings/mullvad-keyring.gpg
@@ -1084,6 +1146,7 @@ main() {
 fi
 install_dependencies
+ ensure_dns_working || true
 create_directories
 install_vpn_provider # Install VPN first (needs internet)
 install_killswitch # Then activate killswitch (blocks internet)
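Review bot: The fallbacks in `ensure_dns_working` leave resolver changes behind with no backup or restore: `resolvectl dns "$LAN_INTERFACE" 1.1.1.1 1.0.0.1` with the `~.` routing domain, the overwritten `/etc/resolvconf/resolv.conf.d/head`, and the direct write to `/etc/resolv.conf`. For an installer that goes on to set up a VPN and a killswitch, this can keep lookups going to public resolvers over the LAN interface, which is a DNS leak unless a later step outside this hunk resets DNS. Save the original before touching it, for example `cp -P /etc/resolv.conf /etc/resolv.conf.pre-install` (illustrative name), and restore it once the VPN's resolver is in place. If the systemd-resolved branch ran, the last-resort `> /etc/resolv.conf` also follows the symlink created by `ln -sf` and writes into systemd-resolved's file under `/run`; an `rm -f /etc/resolv.conf` before the redirect would avoid that.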
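Review bot: `ensure_dns_working || true` in `install_mullvad` discards the function's `return 1`, so the signing-key download proceeds even when resolution is known to be broken; the `main()` hunk uses the same pattern. Whether the script sets `pipefail` is not visible here, but without it a failed `curl` still lets `gpg --dearmor` run on empty input and may leave an empty or invalid keyring at the `-o` path. Stop on failure instead, for example `ensure_dns_working || { warning "DNS unavailable; skipping Mullvad install"; return 1; }`. The body of `install_mullvad` continues past the end of the hunk.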
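Review bot: In `main()` the DNS repair runs after `install_dependencies`, but package installation is the first step that needs name resolution (the function itself probes `deb.debian.org`), so a broken resolver fails the install before the repair is attempted. Place the `ensure_dns_working` call on the line above `install_dependencies`; its fallbacks are guarded with `command -v`, so they do not depend on packages installed later. `main()` starts and ends outside the hunk.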