diff --git a/services/mailu/helmrelease.yaml b/services/mailu/helmrelease.yaml
index caba4b4..6ffa61f 100644
--- a/services/mailu/helmrelease.yaml
+++ b/services/mailu/helmrelease.yaml
@@ -18,6 +18,8 @@ spec:
 remediation: { retries: 3 }
 upgrade:
 remediation: { retries: 3 }
+ force: true
+ cleanupOnFail: true
 values:
 mailuVersion: "2024.06"
 domain: bstein.dev
@@ -94,11 +96,42 @@ spec:
 value: 127.0.0.1,10.42.0.0/16
 - name: DNS_RESOLVERS
 value: 1.1.1.1,9.9.9.9
+ extraVolumes:
+ - name: unbound-config
+ configMap:
+ name: mailu-unbound
+ - name: unbound-run
+ emptyDir: {}
+ extraVolumeMounts:
+ - name: unbound-config
+ mountPath: /etc/unbound
+ - name: unbound-run
+ mountPath: /var/lib/unbound
+ extraContainers:
+ - name: unbound
+ image: ghcr.io/mailu/unbound:1.19
+ args:
+ - -d
+ - -c
+ - /etc/unbound/unbound.conf
+ ports:
+ - containerPort: 53
+ protocol: UDP
+ - containerPort: 53
+ protocol: TCP
+ volumeMounts:
+ - name: unbound-config
+ mountPath: /etc/unbound
+ - name: unbound-run
+ mountPath: /var/lib/unbound
 dnsPolicy: None
 dnsConfig:
 nameservers:
- - 1.1.1.1
- - 9.9.9.9
+ - 127.0.0.1
+ searches:
+ - mailu-mailserver.svc.cluster.local
+ - svc.cluster.local
+ - cluster.local
 clamav:
 logLevel: DEBUG
 nodeSelector:
diff --git a/services/mailu/kustomization.yaml b/services/mailu/kustomization.yaml
index 5ac15d8..992ac25 100644
--- a/services/mailu/kustomization.yaml
+++ b/services/mailu/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - helmrelease.yaml
 - certificate.yaml
 - vip-controller.yaml
+ - unbound-configmap.yaml
diff --git a/services/mailu/unbound-configmap.yaml b/services/mailu/unbound-configmap.yaml
new file mode 100644
index 0000000..9a405dd
--- /dev/null
+++ b/services/mailu/unbound-configmap.yaml
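Review bot: `force: true` under `upgrade:` stays on for every future upgrade, and nothing in the hunk says why it is needed. Forced upgrades replace resources instead of patching them, and combined with `cleanupOnFail: true` a failed upgrade of a stateful mail release becomes harder to predict. If the flag is only there to get this change applied, say so in a comment above it, for example `# temporary: forces the sidecar change through; remove after the next successful reconcile`, and drop it afterwards. The enclosing `spec:` block starts outside the hunk.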
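Review bot: The context line `- name: DNS_RESOLVERS` still carries `1.1.1.1,9.9.9.9` while `dnsConfig.nameservers` now points at `127.0.0.1`, so anything that reads that variable would keep querying the public resolvers directly and bypass the validating sidecar; if the component uses it, `value: 127.0.0.1` keeps the two in agreement. The `unbound` container is also added without a `securityContext` or `resources`, and its image is pinned by tag only; `image: ghcr.io/mailu/unbound:1.19@sha256:<digest>` (placeholder digest) would make the sidecar image immutable. With `dnsPolicy: None` and a single nameserver the pod has no DNS whenever the sidecar is down, so a readiness probe on it is worth considering. The component this block configures is named outside the hunk.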
@@ -0,0 +1,46 @@
+# services/mailu/unbound-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: mailu-unbound
+ namespace: mailu-mailserver
+data:
+ unbound.conf: |
+ server:
+ verbosity: 1
+ interface: 0.0.0.0
+ do-ip4: yes
+ do-ip6: no
+ do-udp: yes
+ do-tcp: yes
+ auto-trust-anchor-file: "/var/lib/unbound/root.key"
+ prefetch: yes
+ qname-minimisation: yes
+ harden-dnssec-stripped: yes
+ val-clean-additional: yes
+ cache-min-ttl: 120
+ cache-max-ttl: 86400
+ access-control: 0.0.0.0/0 allow
+
+ forward-zone:
+ name: "mailu-mailserver.svc.cluster.local."
+ forward-addr: 10.43.0.10
+ forward-no-cache: yes
+ forward-first: yes
+
+ forward-zone:
+ name: "svc.cluster.local."
+ forward-addr: 10.43.0.10
+ forward-no-cache: yes
+ forward-first: yes
+
+ forward-zone:
+ name: "cluster.local."
+ forward-addr: 10.43.0.10
+ forward-no-cache: yes
+ forward-first: yes
+
+ forward-zone:
+ name: "."
+ forward-addr: 9.9.9.9
+ forward-addr: 1.1.1.1
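Review bot: `interface: 0.0.0.0` together with `access-control: 0.0.0.0/0 allow` makes this an open recursive resolver for anything that can reach the pod on port 53, although the only client configured in this commit is `127.0.0.1`. Restricting it to loopback matches that use: `interface: 127.0.0.1` and `access-control: 127.0.0.0/8 allow`. Separately, DNSSEC validation is enabled through `auto-trust-anchor-file` while the `cluster.local.` zones are forwarded to what is presumably the unsigned in-cluster resolver at `10.43.0.10`, so those answers will probably need `domain-insecure: "cluster.local."` to validate. `forward-first: yes` on the same zones lets internal names fall through to public recursion when that address does not answer, which deserves either a comment explaining the intent or removal.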