diff --git a/config/rootfiles/core/107/filelists/files b/config/rootfiles/core/107/filelists/files
index b03a86ed7..1dc0a350d 100644
--- a/config/rootfiles/core/107/filelists/files
+++ b/config/rootfiles/core/107/filelists/files
@@ -1,5 +1,6 @@
 etc/system-release
 etc/issue
+etc/rc.d/init.d/unbound
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/traffic.cgi
 var/ipfire/langs
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound
index 4e424775e..a7952fc1c 100644
--- a/src/initscripts/init.d/unbound
+++ b/src/initscripts/init.d/unbound
@@ -168,16 +168,34 @@ write_forward_conf() {
 	(
 		config_header
 
+		local insecure_zones
+
 		local enabled zone server remark
 		while IFS="," read -r enabled zone server remark; do
 			# Line must be enabled.
 			[ "${enabled}" = "on" ] || continue
 
+			# Zones that end with .local are commonly used for internal
+			# zones and therefore not signed
+			case "${zone}" in
+				*.local)
+					insecure_zones="${insecure_zones} ${zone}"
+					;;
+			esac
+
 			echo "forward-zone:"
 			echo "	name: ${zone}"
 			echo "	forward-addr: ${server}"
 			echo
 		done < /var/ipfire/dnsforward/config
+
+		if [ -n "${insecure_zones}" ]; then
+			echo "server:"
+
+			for zone in ${insecure_zones}; do
+				echo "	domain-insecure: ${zone}"
+			done
+		fi
 	) > /etc/unbound/forward.conf
 }