diff --git a/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml b/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml index e693edc..bfd7ae2 100644 --- a/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml +++ b/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml @@ -19,8 +19,8 @@ dns: ratelimit_subnet_len_ipv6: 56 ratelimit_whitelist: [ ] refuse_any: true - upstream_dns: - - 10.96.0.11 + #upstream_dns: + # - 10.96.0.11 upstream_dns_file: "" bootstrap_dns: - 10.96.0.11 diff --git a/k8s/infra/network/dns/unbound/config/unbound.conf b/k8s/infra/network/dns/unbound/config/unbound.conf index c3ad9e7..a9b8930 100644 --- a/k8s/infra/network/dns/unbound/config/unbound.conf +++ b/k8s/infra/network/dns/unbound/config/unbound.conf @@ -10,7 +10,7 @@ server: do-ip4: yes do-ip6: yes - prefer-ip6: yes + prefer-ip6: no do-tcp: yes do-udp: yes @@ -24,7 +24,8 @@ server: log-servfail: yes logfile: /opt/unbound/etc/unbound/unbound.log - verbosity: 2 + log-time-ascii: yes + verbosity: 0 infra-cache-slabs: 4 incoming-num-tcp: 10 @@ -34,7 +35,7 @@ server: msg-cache-slabs: 4 num-queries-per-thread: 4096 - num-threads: 3 + num-threads: 1 outgoing-range: 8192 @@ -47,10 +48,13 @@ server: prefetch-key: yes serve-expired: yes + serve-expired-ttl: 172800 # between 86400 (1 day) and 259200 (3 days) + serve-expired-client-timeout: 1800 # RFC 8767 recommended value so-reuseport: yes + so-rcvbuf: 1m - #aggressive-nsec: yes + aggressive-nsec: yes delay-close: 10000 @@ -60,7 +64,7 @@ server: neg-cache-size: 4M - #qname-minimisation: yes + qname-minimisation: yes access-control: 127.0.0.1/32 allow access-control: 192.168.0.0/16 allow 
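Review bot: Commenting out `upstream_dns` in the `dns:` section leaves AdGuard Home with no explicit upstream, while the `upstream_dns_file: ""` context line below is unchanged. AdGuard Home presumably falls back to a built-in default upstream in that case, which would send client queries to an outside resolver and bypass the in-cluster Unbound at 10.96.0.11 that this same commit tunes; please confirm what the running instance actually uses. If forwarding to Unbound is still intended, keep `upstream_dns:` with `- 10.96.0.11`; if not, name the replacement explicitly and record the reason in a comment such as `# upstream changed from Unbound: <reason>` instead of leaving commented-out keys. `bootstrap_dns` still points at 10.96.0.11, so the two settings now disagree about where resolution goes.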
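Review bot: `verbosity: 0` in the logging hunk of unbound.conf limits the log to errors, and the unchanged `logfile:` line keeps writing to a file inside the container rather than to the pod's stdout/stderr. That leaves little to work with when investigating resolution failures or abuse; `log-servfail: yes` in the context still helps, but only for SERVFAIL answers. Consider `verbosity: 1` and, if cluster log collection is in use, logging to stderr instead of a file (presumably `logfile: ""` with syslog disabled; verify against the image). The `server:` block continues outside the hunk, so other log options may already be set there.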
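Review bot: `so-rcvbuf: 1m` in the serve-expired hunk only takes effect if the kernel grants the larger buffer, which as far as I know needs the node's `net.core.rmem_max` to be at least that size or the process to hold enough privilege to override it. In an unprivileged pod the request is likely reduced to the node limit, so the setting may do nothing while looking as if it applies. I would document the dependency on the line itself, e.g. `so-rcvbuf: 1m # needs net.core.rmem_max >= 1048576 on the node`, and check the startup log once for a not-granted warning.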
@@ -112,18 +116,18 @@ server: max-global-quota: 1000 # https://github.com/NLnetLabs/unbound/issues/362 - qname-minimisation: no - aggressive-nsec: no + #qname-minimisation: no + #aggressive-nsec: no infra-keep-probing: yes - infra-cache-min-rtt: 1000 - infra-cache-max-rtt: 2000 - infra-host-ttl: 10 + infra-cache-min-rtt: 2000 + infra-cache-max-rtt: 15000 + infra-host-ttl: 5 - outbound-msg-retry: 128 - max-sent-count: 256 + outbound-msg-retry: 64 + max-sent-count: 128 - udp-connect: no + #udp-connect: no #ede: yes diff --git a/k8s/infra/network/dns/unbound/svc.yaml b/k8s/infra/network/dns/unbound/svc.yaml index a70cb3e..1c3f0f3 100644 --- a/k8s/infra/network/dns/unbound/svc.yaml +++ b/k8s/infra/network/dns/unbound/svc.yaml @@ -3,8 +3,10 @@ kind: Service metadata: name: unbound namespace: dns + annotations: + io.cilium/lb-ipam-ips: 192.168.1.252 spec: - type: ClusterIP + type: LoadBalancer # https://kubernetes.io/docs/concepts/services-networking/cluster-ip-allocation/ clusterIP: 10.96.0.11 ports:
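Review bot: `outbound-msg-retry: 64` and `max-sent-count: 128` are halved here but, as far as I know, remain well above Unbound's defaults; these two limits cap how much upstream traffic a single client query can trigger, and the same commit makes the resolver reachable from the LAN. Unless the linked issue #362 still requires raised values, consider dropping both lines to return to the defaults, or add a comment recording why these numbers were chosen. The `#qname-minimisation: no`, `#aggressive-nsec: no` and `#udp-connect: no` lines are now dead configuration sitting under the issue link; delete them, or move the link next to the setting it still justifies so it is not read as applying to `infra-keep-probing`. The `server:` block starts outside the hunk.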
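Review bot: Switching the Service to `type: LoadBalancer` with `io.cilium/lb-ipam-ips: 192.168.1.252` publishes the resolver on the LAN, and nothing in this hunk restricts who may reach it. With the default external traffic policy, client addresses are likely rewritten to a node address before they reach the pod, so the `access-control: 192.168.0.0/16 allow` rule in unbound.conf and any per-client rate limits would be evaluated against the node rather than the real client; verify this in the Unbound log. Consider adding `externalTrafficPolicy: Local` under `spec:` to preserve source addresses, and `loadBalancerSourceRanges` (if the Cilium version in use honours it) to limit callers to the intended subnet. The annotation value is better quoted, `io.cilium/lb-ipam-ips: "192.168.1.252"`, since annotation values must be strings. The `spec:` block continues past `ports:` outside the hunk.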