diff --git a/hosts/delta/acme.nix b/hosts/delta/acme.nix
index aeb2663..7d60150 100644
--- a/hosts/delta/acme.nix
+++ b/hosts/delta/acme.nix
@@ -1,7 +1,11 @@
 {...}: {
   security.acme.certs."caspervk.net" = {
     domain = "*.caspervk.net";
-    reloadServices = []; # unbound.service
+    reloadServices = [
+      "unbound.service"
+    ];
   };
-  users.groups.acme.members = []; # unbound
+  users.groups.acme.members = [
+    "unbound"
+  ];
 }
diff --git a/hosts/delta/default.nix b/hosts/delta/default.nix
index 6d48621..2b784fe 100644
--- a/hosts/delta/default.nix
+++ b/hosts/delta/default.nix
@@ -6,6 +6,7 @@
     ./acme.nix
     ./hardware.nix
     ./network.nix
+    ./unbound.nix
   ];
 
   networking.hostName = "delta";
diff --git a/hosts/delta/unbound.nix b/hosts/delta/unbound.nix
new file mode 100644
index 0000000..e9e1760
--- /dev/null
+++ b/hosts/delta/unbound.nix
@@ -0,0 +1,56 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  # Unbound is a validating, recursive, caching DNS resolver. It is designed to
+  # be fast and lean and incorporates modern features based on open standards.
+  # https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
+  # > nix shell nixpkgs#knot-dns
+  # > kdig -d @dns.caspervk.net example.com
+  # > kdig -d +https @dns.caspervk.net example.com
+  # > kdig -d +tls @dns.caspervk.net example.com
+  # TODO: adblock
+  services.resolved.enable = lib.mkForce false;
+  services.unbound = {
+    enable = true;
+    # Don't mess with resolvconf
+    # resolveLocalQueries = false;
+    settings = {
+      server = {
+        # Listen to DNS/DoH/DoT on all interfaces. Default is to listen to DNS
+        # on localhost only.
+        interface = [
+          "0.0.0.0@53"
+          "0.0.0.0@443"
+          "0.0.0.0@853"
+          "::0@53"
+          "::0@443"
+          "::0@853"
+        ];
+        # Allow access from all netblocks. Default is to allow localhost only.
+        access-control = [
+          "0.0.0.0/0 allow"
+          "::0/0 allow"
+        ];
+        # Provide DNS-over-TLS or DNS-over-HTTPS service
+        tls-service-key = "${config.security.acme.certs."caspervk.net".directory}/key.pem";
+        tls-service-pem = "${config.security.acme.certs."caspervk.net".directory}/fullchain.pem";
+        # TODO: Enable global ratelimiting of queries accepted per IP address
+        # ip-ratelimit = 50;
+        # Testing domain
+        local-zone = [
+          "\"test.dns.caspervk.net.\" redirect"
+        ];
+        local-data = [
+          "\"test.dns.caspervk.net. A 192.0.2.0\""
+        ];
+      };
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [443 853];
+    allowedUDPPorts = [53];
+  };
+}
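Review bot: The combination of `interface = [ "0.0.0.0@53" … ]`, `access-control = [ "0.0.0.0/0 allow" "::0/0 allow" ]` and `allowedUDPPorts = [53]` turns this host into an open recursive resolver on plain UDP/53, which is the classic DNS amplification/reflection vector, and the rate limit that would blunt it is still the commented-out `# ip-ratelimit = 50;` TODO. The encrypted transports on 443 and 853 are the ones the header comments document as the intended service, so the least-privilege shape is to keep `allow` for everyone on DoT/DoH and restrict plain 53 to known client netblocks at the firewall (or drop it from `allowedUDPPorts` entirely) until a per-IP limit is in place; at minimum, enable the already-drafted `ip-ratelimit = 50;` in the same commit rather than leaving recursion world-open. Consider also a comment above `access-control` stating that `allow` grants recursion (not just answers from `local-data`) to every source, so the next reader does not mistake it for a cache-only exposure. The ACME key read by `tls-service-key` depends on the acme group membership added in acme.nix; that part looks consistent.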