diff --git a/infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml b/infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml
index 878c5757..a3b48243 100644
--- a/infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml
+++ b/infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml
@@ -64,4 +64,67 @@ probes:
 liveness:
 initialDelaySeconds: 30
 periodSeconds: 60
- command: "drill @127.0.0.1 localhost || exit 1"
\ No newline at end of file
+ command: "drill @127.0.0.1 localhost || exit 1"
+
+# Custom unbound configuration to forward internal Kubernetes zones to CoreDNS
+config:
+ enabled: true
+ content: |
+ server:
+ interface: 0.0.0.0
+ port: 53
+ do-ip4: yes
+ do-ip6: no
+ do-udp: yes
+ do-tcp: yes
+
+ # Access control - allow all private networks
+ access-control: 10.0.0.0/8 allow
+ access-control: 172.16.0.0/12 allow
+ access-control: 192.168.0.0/16 allow
+ access-control: 127.0.0.0/8 allow
+
+ # DNSSEC validation (required for Mailu)
+ auto-trust-anchor-file: "/opt/unbound/etc/unbound/root.key"
+
+ # Performance tuning
+ num-threads: 2
+ msg-cache-size: 32m
+ rrset-cache-size: 64m
+ cache-min-ttl: 60
+ cache-max-ttl: 86400
+
+ # Logging
+ verbosity: 1
+ log-queries: no
+ log-replies: no
+
+ # Private addresses - don't send to upstream
+ private-address: 10.0.0.0/8
+ private-address: 172.16.0.0/12
+ private-address: 192.168.0.0/16
+
+ # Forward Kubernetes internal zones to CoreDNS (10.152.183.10 for MicroK8s)
+ forward-zone:
+ name: "cluster.local."
+ forward-addr: 10.152.183.10
+
+ forward-zone:
+ name: "svc.cluster.local."
+ forward-addr: 10.152.183.10
+
+ forward-zone:
+ name: "bakery-ia.svc.cluster.local."
+ forward-addr: 10.152.183.10
+
+ # Forward in-addr.arpa for reverse DNS lookups within cluster
+ forward-zone:
+ name: "in-addr.arpa."
+ forward-addr: 10.152.183.10
+
+ # Forward all other queries to upstream DNS with DNSSEC
+ forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 1.1.1.1@853#cloudflare-dns.com
+ forward-addr: 8.8.8.8@853#dns.google
\ No newline at end of file
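Review bot: The three `private-address:` lines in the new `server:` block will strip the 10.x answers that the `cluster.local.` / `svc.cluster.local.` forward-zones receive from CoreDNS, because unbound's rebinding protection removes private addresses from any answer whose name is not under a `private-domain`, so the in-cluster forwarding this commit adds is unlikely to work as written; add `private-domain: "cluster.local."` beside the `private-address` entries (the `in-addr.arpa.` zone returns PTR records with no address and should be unaffected, as far as I can tell). Separately, the `"."` forward-zone enables `forward-tls-upstream: yes` with `#cloudflare-dns.com` / `#dns.google` auth names but configures no CA bundle, and without one unbound cannot verify the upstream certificate, so the `#authname` suffix provides no authentication; add `tls-cert-bundle: "<CA bundle path inside the unbound image>"` (placeholder, the path depends on the container image) next to `forward-tls-upstream`. The comment `# Private addresses - don't send to upstream` also mis-describes the option, since `private-address` filters addresses out of answers rather than controlling where queries are sent; `# Private addresses - scrub from answers (DNS rebinding protection); private-domain exempts in-cluster names` would be more accurate. The `bakery-ia.svc.cluster.local.` and `svc.cluster.local.` zones are already covered by the `cluster.local.` zone pointing at the same forwarder, so they could be dropped to keep the block minimal.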