diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml
index d63642f..b792137 100644
--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -5,3 +5,37 @@
 - name: Include bind9 role
 ansible.builtin.include_role:
 name: ../../../ansible-bind9-role
+ vars:
+ bind9_host_config:
+ - name: named.conf.options
+ options:
+ directory: "{{ bind9_working_directory }}"
+ recursion: true
+ allow_query:
+ - any
+ allow_recursion:
+ - 10.0.0.0/8
+ - 192.168.0.0/16
+ - 172.16.0.0/12
+ - localhost
+ - localnets
+ forwarders:
+ - address: 91.239.100.100
+ tls: censurfridns-anycast
+ - address: 89.233.43.71
+ tls: censurfridns-unicast
+ forward: first
+ dnssec_validation: auto
+ - name: named.conf.local
+ tls:
+ - name: censurfridns-anycast
+ remote_hostname: anycast.uncensoreddns.org
+ - name: censurfridns-unicast
+ remote_hostname: unicast.uncensoreddns.org
+ zones:
+ - name: example.internal
+ type: forward
+ forward: only
+ forwarders:
+ - 10.0.0.53
+ - 10.0.0.54
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
new file mode 100644
index 0000000..da4dae3
--- /dev/null
+++ b/molecule/default/verify.yml
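Review bot: The DoT forwarders in this fixture are only as strong as the `tls` blocks they reference: both `censurfridns-anycast` and `censurfridns-unicast` set `remote_hostname` but no CA file, so whether the rendered tls clause gets strict certificate verification (hostname check against the system CA store) or falls back to opportunistic TLS depends on how the role's template emits it — worth confirming against the template, since the scenario's verify.yml never inspects the rendered tls blocks. A comment above `forwarders:` would make the coupling explicit, e.g. `# tls names must match the tls blocks defined under named.conf.local below`. Note also that `allow_query: - any` together with `recursion: true` relies entirely on `allow_recursion` to confine recursion to the RFC 1918 ranges and localhost; fine for a test fixture, but it is the line to watch if this block is copied as a production example.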
@@ -0,0 +1,76 @@
+---
+- name: Verify
+ hosts: all
+ gather_facts: true
+ tasks:
+ - name: Check that BIND9 is installed
+ ansible.builtin.package:
+ name: bind9
+ state: present
+ check_mode: true
+ register: __bind9_package_check
+ failed_when: __bind9_package_check is changed
+
+ - name: Check that BIND9 service is running
+ ansible.builtin.service:
+ name: named
+ state: started
+ enabled: true
+ check_mode: true
+ register: __bind9_service_check
+ failed_when: __bind9_service_check is changed
+
+ - name: Check that named.conf.options exists
+ ansible.builtin.stat:
+ path: /etc/bind/named.conf.options
+ register: __options_file
+ failed_when: not __options_file.stat.exists
+
+ - name: Check that named.conf.local exists
+ ansible.builtin.stat:
+ path: /etc/bind/named.conf.local
+ register: __local_file
+ failed_when: not __local_file.stat.exists
+
+ - name: Read named.conf.options content
+ ansible.builtin.slurp:
+ path: /etc/bind/named.conf.options
+ register: __options_content
+
+ - name: Verify forwarders are configured in options
+ ansible.builtin.assert:
+ that:
+ - "'forwarders' in __options_decoded"
+ - "'8.8.8.8' in __options_decoded"
+ - "'forward first' in __options_decoded"
+ fail_msg: Forwarders not properly configured in named.conf.options
+ vars:
+ __options_decoded: "{{ __options_content.content | b64decode }}"
+
+ - name: Read named.conf.local content
+ ansible.builtin.slurp:
+ path: /etc/bind/named.conf.local
+ register: __local_content
+
+ - name: Verify forward zone is configured
+ ansible.builtin.assert:
+ that:
+ - "'zone \"example.internal\"' in __local_decoded"
+ - "'type forward' in __local_decoded"
+ - "'forward only' in __local_decoded"
+ fail_msg: Forward zone not properly configured in named.conf.local
+ vars:
+ __local_decoded: "{{ __local_content.content | b64decode }}"
+
+ - name: Test DNS resolution using localhost
+ ansible.builtin.command:
+ cmd: dig @localhost google.com +short
+ register: __dns_query
+ changed_when: false
+ failed_when: __dns_query.rc != 0
+
+ - name: Verify DNS query returned results
+ ansible.builtin.assert:
+ that:
+ - __dns_query.stdout_lines | length > 0
+ fail_msg: DNS forwarding is not working
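Review bot: The forwarder assertion checks `'8.8.8.8' in __options_decoded`, but converge.yml in the same commit configures the forwarders 91.239.100.100 and 89.233.43.71, so this task will fail unless the role injects 8.8.8.8 on its own (nothing in the diff suggests it does); replace that line with `- "'91.239.100.100' in __options_decoded"` and `- "'89.233.43.71' in __options_decoded"`. The TLS settings the fixture relies on are never verified — an assertion that the two tls block names and their remote-hostname values appear in the decoded named.conf.local would catch a template that drops them and silently falls back to plain UDP forwarding. The final resolution task also depends on the `dig` binary being present in the container and on outbound reachability of the DoT forwarders, which is worth stating above the task, e.g. `# environmental: needs dnsutils in the image and outbound 853/tcp to the configured forwarders`.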