# NixOS module: runs Unbound as a DNS resolver on port 53 (TCP and UDP).
#  - Queries for test.2rjus.net go to a local server at 127.0.0.1 port 8053.
#  - Everything else is forwarded to 1.1.1.1 over DNS-over-TLS (port 853).
{ pkgs, ... }:
{
  # Expose the resolver through the host firewall on both transports.
  networking.firewall = {
    allowedTCPPorts = [ 53 ];
    allowedUDPPorts = [ 53 ];
  };

  services.unbound = {
    enable = true;

    settings = {
      server = {
        # Listen on every IPv4 address of the host; IPv6 is turned off.
        interface = "0.0.0.0";
        port = "53";
        do-ip4 = "yes";
        do-ip6 = "no";
        do-udp = "yes";
        do-tcp = "yes";

        # NOTE(review): "0.0.0.0/0 allow" combined with the wildcard listen
        # address and the open firewall ports above lets any IPv4 host that can
        # reach this machine use it as a recursive resolver. If the host is
        # reachable from untrusted networks, replace that entry with the client
        # subnets actually served (e.g. "<client-subnet-cidr> allow") and
        # consider restricting the firewall rule to the same interfaces.
        access-control = [
          "127.0.0.0/8 allow"
          "0.0.0.0/0 allow"
        ];

        # Local test zone served by the stub below.
        # "nodefault" presumably disables Unbound's built-in default content for
        # this name -- TODO confirm it is required for this domain.
        local-zone = "test.2rjus.net nodefault";

        # DNSSEC validation is skipped for this zone, so answers from the local
        # stub are accepted unvalidated. Keep this scoped to the test domain.
        domain-insecure = "test.2rjus.net";

        # Needed so Unbound will send queries to the 127.0.0.1 stub address.
        do-not-query-localhost = "no";
      };

      # Delegate the test zone to the server on localhost port 8053.
      stub-zone = {
        name = "test.2rjus.net";
        stub-addr = "127.0.0.1@8053";
      };

      # Forward all remaining queries upstream over TLS. The "#cloudflare-dns.com"
      # suffix is the name expected in the upstream certificate.
      # NOTE(review): Unbound can only authenticate the upstream when a CA bundle
      # is configured (tls-cert-bundle or tls-system-cert) -- confirm the
      # effective configuration sets one, otherwise the TLS session is encrypted
      # but the server is not verified.
      forward-zone = {
        name = ".";
        forward-tls-upstream = "yes";
        forward-addr = "1.1.1.1@853#cloudflare-dns.com";
      };
    };
  };
}