# NixOS module: run Unbound as a loopback-only resolver on port 5335 and
# forward every query to a single upstream over DNS-over-TLS (DoT).
{ config, pkgs, ... }:

let
  # Options rendered into Unbound's `server:` clause.
  serverSettings = {
    # Exposure: bind to loopback only and answer only 127.0.0.1, so the
    # resolver is not reachable from other hosts. Port 5335 is non-default.
    interface = [ "127.0.0.1" ];
    port = 5335;
    access-control = [ "127.0.0.1 allow" ];

    # Hardening: only trust in-bailiwick glue, and treat answers with missing
    # DNSSEC data as bogus for zones covered by a trust anchor.
    harden-glue = true;
    harden-dnssec-stripped = true;
    # 0x20 query-name case randomisation is explicitly left off.
    use-caps-for-id = false;

    # Performance: refresh popular cache entries before they expire; 1232
    # bytes is the commonly recommended EDNS size to avoid IP fragmentation.
    prefetch = true;
    edns-buffer-size = 1232;

    # Privacy: do not answer identity / version probe queries.
    hide-identity = true;
    hide-version = true;
  };

  # Catch-all zone ("."): everything goes to the DoT upstream on port 853.
  #
  # NOTE(review): Unbound's forward-addr normally takes an IP address,
  # optionally as "IP@port#tls-auth-name". A hostname here is expected to be
  # rejected when the config is loaded — confirm, and use the resolver's IP.
  #
  # NOTE(review): forward-tls-upstream encrypts the upstream hop, but this
  # block sets neither tls-cert-bundle nor a "#name" on the address, so the
  # upstream certificate is presumably not verified and an on-path attacker
  # could impersonate the resolver — confirm, then add both.
  dotUpstream = {
    name = ".";
    forward-addr = [ "dns.mycloudhaus.xyz@853" ];
    forward-tls-upstream = true;
  };
in
{
  services.unbound.enable = true;
  services.unbound.settings.server = serverSettings;
  services.unbound.settings.forward-zone = [ dotUpstream ];
}