diff --git a/roles/dns/handlers/main.yml b/roles/dns/handlers/main.yml
index 28cd0c3b..376c1ce1 100644
--- a/roles/dns/handlers/main.yml
+++ b/roles/dns/handlers/main.yml
@@ -3,9 +3,16 @@
   systemd:
     daemon_reload: true
 
+- name: restart dnscrypt-proxy.socket
+  systemd:
+    name: dnscrypt-proxy.socket
+    state: restarted
+    daemon_reload: true
+  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
+
 - name: restart dnscrypt-proxy
   systemd:
     name: dnscrypt-proxy
     state: restarted
     daemon_reload: true
-  when: ansible_distribution == 'Ubuntu'
+  when: ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 46ec7bac..0937d896 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -26,12 +26,11 @@
 
 - meta: flush_handlers
 
-- name: Ubuntu | Stop and disable dnscrypt-proxy socket before starting service
+- name: Ubuntu | Ensure dnscrypt-proxy socket is enabled
   systemd:
     name: dnscrypt-proxy.socket
-    state: stopped
-    enabled: false
-  failed_when: false
+    enabled: true
+    state: started
   when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
 
 - name: dnscrypt-proxy enabled and started
diff --git a/roles/dns/tasks/ubuntu.yml b/roles/dns/tasks/ubuntu.yml
index a3068f22..c1bc239c 100644
--- a/roles/dns/tasks/ubuntu.yml
+++ b/roles/dns/tasks/ubuntu.yml
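Review bot: The new `restart dnscrypt-proxy.socket` handler is notified together with `restart dnscrypt-proxy` and runs first in handler order, while dnscrypt-proxy.service is still active; as far as I know systemd refuses to (re)start a socket unit whose service is already running ("Socket service … already active, refusing"), so this handler is likely to fail on every override change after the initial deploy. A safer sequence is stop service, restart socket, start service: for example add a `name: dnscrypt-proxy` / `state: stopped` handler ahead of this one, or replace the two handlers with a single one that runs `systemctl stop dnscrypt-proxy.service && systemctl restart dnscrypt-proxy.socket && systemctl start dnscrypt-proxy.service`. Whether the refusal actually triggers depends on the service state at notify time, which is not visible here, so it is worth a test on a host where the service is already up.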
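Review bot: `state: started` on dnscrypt-proxy.socket can fail on a host upgraded from the previous role version, where the socket was disabled and dnscrypt-proxy.service was left running with direct binding: the handlers flushed just above restart the service (now with an empty listener set) but keep it active, and systemd then refuses to start a socket whose service is already active. Consider stopping the service before this task, and document the contract the task now relies on, e.g. `# The socket must be active before dnscrypt-proxy.service starts; its listeners come from the socket drop-in, not from the toml`. The `Ubuntu |` prefix no longer matches the `when:`, which also covers Debian; `Debian/Ubuntu | Ensure dnscrypt-proxy socket is enabled and started` would describe both the condition and the `state: started` the task now sets.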
@@ -50,6 +50,37 @@
     owner: root
     group: root
 
+- name: Ubuntu | Ensure socket override directory exists
+  file:
+    path: /etc/systemd/system/dnscrypt-proxy.socket.d/
+    state: directory
+    mode: '0755'
+    owner: root
+    group: root
+
+- name: Ubuntu | Configure dnscrypt-proxy socket to listen on VPN IPs
+  copy:
+    dest: /etc/systemd/system/dnscrypt-proxy.socket.d/10-algo-override.conf
+    content: |
+      [Socket]
+      # Clear default listeners
+      ListenStream=
+      ListenDatagram=
+      # Add VPN service IPs
+      ListenStream={{ local_service_ip }}:53
+      ListenDatagram={{ local_service_ip }}:53
+      {% if ipv6_support %}
+      ListenStream=[{{ local_service_ipv6 }}]:53
+      ListenDatagram=[{{ local_service_ipv6 }}]:53
+      {% endif %}
+      NoDelay=true
+      DeferAcceptSec=1
+    mode: '0644'
+  notify:
+    - daemon-reload
+    - restart dnscrypt-proxy.socket
+    - restart dnscrypt-proxy
+
 - name: Ubuntu | Add custom requirements to successfully start the unit
   copy:
     dest: /etc/systemd/system/dnscrypt-proxy.service.d/99-algo.conf
diff --git a/roles/dns/templates/dnscrypt-proxy.toml.j2 b/roles/dns/templates/dnscrypt-proxy.toml.j2
index 0a07dfcc..161b766c 100644
--- a/roles/dns/templates/dnscrypt-proxy.toml.j2
+++ b/roles/dns/templates/dnscrypt-proxy.toml.j2
@@ -37,10 +37,16 @@
 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
 ## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
+{% if ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian' %}
+# Using systemd socket activation on Ubuntu/Debian
+listen_addresses = []
+{% else %}
+# Direct binding on non-systemd systems
 listen_addresses = [ '{{ local_service_ip }}:53'{% if ipv6_support %}, '[{{ local_service_ipv6 }}]:53'{% endif %} ]
+{% endif %}
 ## Maximum number of simultaneous client connections to accept
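Review bot: The socket drop-in binds `{{ local_service_ip }}:53` (and the IPv6 address) explicitly but sets neither `FreeBind=true` nor any `[Unit]` ordering, so at boot dnscrypt-proxy.socket is pulled in by sockets.target before whatever assigns local_service_ip to an interface, bind() fails with EADDRNOTAVAIL, and VPN clients have no resolver until something restarts the socket. The service drop-in 99-algo.conf (its body is cut off below this hunk) presumably carries the "custom requirements" that let the direct-binding service wait for the address; the socket unit needs the same `After=`/`Requires=` in a `[Unit]` section of 10-algo-override.conf, and/or `FreeBind=true` under `[Socket]` so the bind succeeds before the address exists. The `ListenStream=`/`ListenDatagram=` reset is the security-relevant line and deserves a fuller comment than `# Clear default listeners`, e.g. `# Empty assignment drops the package's default listener so only the VPN addresses below are bound` — that is what keeps port 53 off any non-VPN address.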
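Review bot: With `listen_addresses = []` on Ubuntu/Debian the rendered toml no longer says where the resolver listens, so anyone auditing that DNS is exposed only on VPN addresses has to know to look at the systemd socket drop-in; the `# Using systemd socket activation on Ubuntu/Debian` comment should name it: `# Listeners are defined in /etc/systemd/system/dnscrypt-proxy.socket.d/10-algo-override.conf; an empty set means dnscrypt-proxy serves only the fds systemd hands it`. The `# Direct binding on non-systemd systems` comment is inaccurate, since the else branch is selected by distribution rather than init system; `# Direct binding on other platforms` is the safer wording. The same `ansible_distribution == 'Ubuntu' or ansible_distribution == 'Debian'` test now lives in the handlers, the tasks and this template, and a single boolean fact such as `dnscrypt_socket_activation` would keep the three from drifting apart.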