diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
index 3f724d8f7..ce9ddcd62 100644
--- a/config/unbound/unbound.conf
+++ b/config/unbound/unbound.conf
@@ -61,6 +61,9 @@ server:
 	harden-algo-downgrade: no
 	use-caps-for-id: no
 
+	# Harden against DNS cache poisoning
+	unwanted-reply-threshold: 1000000
+
 	# Listen on all interfaces
 	interface-automatic: yes
 	interface: 0.0.0.0