diff --git a/unbound/Dockerfile b/unbound/Dockerfile
index bac8938..5151324 100644
--- a/unbound/Dockerfile
+++ b/unbound/Dockerfile
@@ -1,5 +1,8 @@
 FROM debian:latest
 LABEL maintainer="dragonchaser "
+EXPOSE 5335/udp
 RUN apt-get update \
 && apt-get -y install unbound netcat
-CMD ["unbound-checkconf", "&&", "unbound -d"]
+COPY config.conf /etc/unbound/unbound.conf.d/
+COPY entrypoint.sh /
+ENTRYPOINT /entrypoint.sh
diff --git a/unbound/README.md b/unbound/README.md
index eea7ec6..dcb4839 100644
--- a/unbound/README.md
+++ b/unbound/README.md
@@ -22,5 +22,8 @@
 $> docker run \
 -v /path/to/you/local/unboundfolder/conf:/etc/unbound \
 -v /path/to/you/local/unboundfolder/lib:/var/lib/unbound \
 dragonchaser/unbound:latest-arm64
-```
+``**
+***Note:***
+
+The container will expose the dns port on 5335.
diff --git a/unbound/config.conf b/unbound/config.conf
new file mode 100644
index 0000000..17c31b2
--- /dev/null
+++ b/unbound/config.conf
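Review bot: `ENTRYPOINT /entrypoint.sh` is shell form, so PID 1 in the container is `/bin/sh -c` rather than the entrypoint, and the SIGTERM sent by `docker stop` never reaches unbound, which is then SIGKILLed after the grace period instead of shutting down cleanly; use exec form, `ENTRYPOINT ["/entrypoint.sh"]`. The config.conf added in this same commit sets `do-tcp: yes`, and resolvers must answer over TCP when a UDP reply is truncated (DNSSEC-signed answers larger than the 1232-byte EDNS buffer it configures), yet only UDP is declared here — `EXPOSE 5335/tcp 5335/udp` documents the real contract. Note also that the README in this diff still tells users to bind-mount a host directory over `/etc/unbound`, which would mask the `config.conf` copied into `/etc/unbound/unbound.conf.d/`; either document that the mount replaces the baked-in config or copy it somewhere the mount does not cover.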
@@ -0,0 +1,48 @@
+server:
+ access-control: 0.0.0.0/0 allow
+ interface: 0.0.0.0
+ port: 5335
+ do-ip6: no
+ do-ip4: yes
+ do-udp: yes
+ do-tcp: yes
+ # Set number of threads to use
+ num-threads: 8
+ # Hide DNS Server info
+ hide-identity: yes
+ hide-version: yes
+ # Limit DNS Fraud and use DNSSEC
+ harden-glue: yes
+ harden-dnssec-stripped: yes
+ harden-referral-path: yes
+ use-caps-for-id: yes
+ harden-algo-downgrade: yes
+ qname-minimisation: yes
+ aggressive-nsec: yes
+ rrset-roundrobin: yes
+ # Minimum lifetime of cache entries in seconds
+ cache-min-ttl: 300
+ # Configure TTL of Cache
+ cache-max-ttl: 14400
+ # Optimizations
+ msg-cache-slabs: 8
+ rrset-cache-slabs: 8
+ infra-cache-slabs: 8
+ key-cache-slabs: 8
+ serve-expired: yes
+ serve-expired-ttl: 3600
+ edns-buffer-size: 1232
+ prefetch: yes
+ prefetch-key: yes
+ unwanted-reply-threshold: 10000000
+ # Set cache size
+ rrset-cache-size: 256m
+ msg-cache-size: 128m
+ # increase buffer size so that no messages are lost in traffic spikes
+ #so-rcvbuf: 1m
+ private-address: 192.168.0.0/16
+ private-address: 169.254.0.0/16
+ private-address: 172.16.0.0/12
+ private-address: 10.0.0.0/8
+ private-address: fd00::/8
+ private-address: fe80::/10
diff --git a/unbound/entrypoint.sh b/unbound/entrypoint.sh
new file mode 100755
index 0000000..d2ff6a4
--- /dev/null
+++ b/unbound/entrypoint.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+unbound-checkconf
+unbound -d
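Review bot: `access-control: 0.0.0.0/0 allow` together with `interface: 0.0.0.0` makes this an open recursive resolver for every network the published port 5335 is reachable from; if that port is ever exposed beyond the LAN, the resolver can be abused for DNS amplification/reflection attacks (recursion plus a large cache with `prefetch` and `serve-expired` makes it a cheap, high-gain reflector). Default-deny and allow only the real client ranges, e.g. `access-control: 0.0.0.0/0 refuse` followed by `access-control: 192.168.0.0/16 allow` (plus the Docker bridge subnet if other containers are clients); the exact ranges depend on the deployment and must be adjusted. If the packaged unbound supports it, `ip-ratelimit: 1000` is a cheap backstop against abuse from within the allowed networks. A comment above the first line, `# Default-deny; list only the networks that may query this resolver`, would keep the intent visible to the next editor.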
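Review bot: The exit status of `unbound-checkconf` is discarded, so a broken config still falls through to `unbound -d`, and because the daemon is not `exec`'d, bash stays PID 1 and does not forward SIGTERM to unbound, so `docker stop` ends in a SIGKILL after the grace period instead of a clean shutdown. Abort on the check failure and replace the shell with the daemon: add `set -eu` after the shebang and change the last line to `exec unbound -d`. With `set -e` a non-zero exit from `unbound-checkconf` stops the script and the container fails fast with the checker's diagnostic on stderr, which is the behaviour the old `CMD` was evidently trying to express.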