diff --git a/etc/unbound/unbound.conf b/etc/unbound/unbound.conf
new file mode 100644
index 0000000..d160418
--- /dev/null
+++ b/etc/unbound/unbound.conf
@@ -0,0 +1,34 @@
+server:
+  trust-anchor-file: "/etc/unbound/trusted-key.key"
+  root-key-sentinel: yes
+  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+  hide-http-user-agent: yes
+  hide-identity: yes
+  hide-trustanchor: yes
+  hide-version: yes
+
+  deny-any: yes
+  harden-algo-downgrade: yes
+  harden-large-queries: yes
+  harden-referral-path: yes
+  harden-short-bufsize: yes
+  ignore-cd-flag: yes
+  max-udp-size: 3072
+  module-config: "validator iterator"
+  qname-minimisation-strict: yes
+  unwanted-reply-threshold: 10000000
+  use-caps-for-id: yes
+
+  outgoing-port-permit: 1024-65535
+
+  prefetch: yes
+  prefetch-key: yes
+
+forward-zone:
+  name: "."
+  forward-tls-upstream: yes
+  forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
+  forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
+  forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
+  forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
\ No newline at end of file