diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 755eac9af..ce51f63a0 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,7 @@ server:
 harden-algo-downgrade: no
 use-caps-for-id: yes
 aggressive-nsec: yes
+ qname-minimisation: yes
 # TLS
 tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound
index 42470da05..68309bbfd 100644
--- a/src/initscripts/system/unbound
+++ b/src/initscripts/system/unbound
@@ -102,6 +102,13 @@ write_forward_conf() {
 (
 config_header
+ # Enable strict QNAME minimisation
+ if [ "${QNAME_MIN}" = "strict" ]; then
+ echo "server:"
+ echo " qname-minimisation-strict: yes"
+ echo
+ fi
+
 # Force using TCP for upstream servers only
 if [ "${PROTO}" = "TCP" ]; then
 echo "# Force using TCP for upstream servers only"
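Review bot: The added `qname-minimisation: yes` line carries no comment, and in this relaxed mode Unbound can fall back to sending the full query name when a nameserver mishandles the minimised query, so the privacy gain is best effort rather than guaranteed. A comment above the line would make that explicit, for example `# Send only the labels each authoritative server needs (RFC 7816); relaxed mode may fall back to the full name`. The `server:` clause this line belongs to starts outside the hunk.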
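Review bot: The new `QNAME_MIN` test in write_forward_conf matches only the exact string `strict`, so a misspelt or differently cased value silently leaves the resolver in relaxed mode, and the hunk does not show where the variable is read or defaulted. The comment should also state the trade-off, for example `# Strict mode never falls back to the full QNAME; names behind non-compliant authoritative servers will fail to resolve`. Because the option is written from the forwarder configuration path, it is worth confirming (and noting) whether minimisation applies at all to queries sent to configured forwarders; it presumably only affects iterative lookups, so an operator should not read it as hiding full names from the upstream resolver. The body of write_forward_conf continues outside the hunk.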