diff --git a/ansible/dns.yaml b/ansible/dns.yaml
new file mode 100644
index 0000000..0722381
--- /dev/null
+++ b/ansible/dns.yaml
@@ -0,0 +1,6 @@
+---
+# file: dns.yaml
+- hosts: dns
+ roles:
+ - common
+ - unbound
diff --git a/ansible/inventories/production/hosts.ini b/ansible/inventories/production/hosts.ini
index d8d7db7..760156a 100644
--- a/ansible/inventories/production/hosts.ini
+++ b/ansible/inventories/production/hosts.ini
@@ -1,2 +1,5 @@
 [gitea]
 git.jthan.io
+
+[dns]
+rpi0.home.jthan.io
diff --git a/ansible/roles/unbound/handlers/main.yaml b/ansible/roles/unbound/handlers/main.yaml
new file mode 100644
index 0000000..2e3a8d2
--- /dev/null
+++ b/ansible/roles/unbound/handlers/main.yaml
@@ -0,0 +1,5 @@
+- name: Restart nginx
+ service:
+ name: unbound
+ state: restarted
+
diff --git a/ansible/roles/unbound/tasks/main.yaml b/ansible/roles/unbound/tasks/main.yaml
new file mode 100644
index 0000000..c8295db
--- /dev/null
+++ b/ansible/roles/unbound/tasks/main.yaml
@@ -0,0 +1,28 @@
+- name: Install unbound
+ package:
+ name: "unbound"
+ state: present
+
+- name: Enable unbound service
+ service:
+ name: unbound
+ enabled: yes
+ state: started
+
+- name: Permit traffic in default zone on port 53/udp
+ ansible.posix.firewalld:
+ port: 53/udp
+ source: 192.0.1.0/24
+ permanent: true
+ state: enabled
+ immediate: true
+ offline: true
+
+- name: Permit traffic in default zone on port 53/tcp
+ ansible.posix.firewalld:
+ port: 53/tcp
+ source: 192.0.1.0/24
+ permanent: true
+ state: enabled
+ immediate: true
+ offline: true
diff --git a/ansible/site.yaml b/ansible/site.yaml
index 8c634bd..58cb4ed 100644
--- a/ansible/site.yaml
+++ b/ansible/site.yaml
@@ -2,3 +2,4 @@
 # file: site.yaml
 - import_playbook: webservers.yaml
 - import_playbook: gitea.yaml
+- import_playbook: dns.yaml
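Review bot: The handler added in ansible/roles/unbound/handlers/main.yaml is named `Restart nginx` but restarts the `unbound` service, which looks like a copy-paste leftover; rename it to `- name: Restart unbound`. Handlers are looked up by name from `notify`, so a later task that notifies `Restart unbound` after a configuration change would not match the current name. None of the tasks added in this commit notify the handler yet, so the mismatch is silent for now.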
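Review bot: In ansible/roles/unbound/tasks/main.yaml both firewalld tasks pass `port` and `source` together, and as far as I know ansible.posix.firewalld does not merge them into one source-restricted rule. Depending on the module version the task is either rejected or port 53 is opened for the whole default zone while the source is bound to the zone separately. To limit DNS to one subnet, use one rich rule per protocol, e.g. `rich_rule: 'rule family="ipv4" source address="<lan-cidr>" port port="53" protocol="udp" accept'` and the same with `protocol="tcp"`. Please also confirm the range itself: `192.0.1.0/24` is not an RFC 1918 private block, which looks unintended for a host named `rpi0.home.jthan.io`. As a style point, `enabled: yes` in the service task should be `enabled: true` to match the booleans used in the firewalld tasks.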