diff --git a/docker-compose.yaml b/docker-compose.yaml
index b1ff12c..53efee0 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,4 +1,3 @@
-
 # If there is already a traefik container running on your host, you can comment out the first include line.
 # But make sure that...
 # - container `sl-app` can join traefiks network, defined in traefic static config `providers.docker.network`
@@ -10,7 +9,7 @@ include:
 - postfix-compose.yaml
 networks:
- default:
+ internal:
 driver: bridge
 ipam:
 driver: default
diff --git a/postfix-compose.yaml b/postfix-compose.yaml
index fe5531d..1e31b0b 100644
--- a/postfix-compose.yaml
+++ b/postfix-compose.yaml
@@ -4,12 +4,35 @@ services:
 ## POSTFIX
 ## =================
+ dns:
+ image: crazymax/unbound:latest
+ container_name: dns
+ user: "0:0"
+ cap_add:
+ - NET_BIND_SERVICE
+ networks:
+ internal:
+ ipv4_address: 10.0.0.53
+ volumes:
+ - ./unbound/conf.d/:/config/:ro
+ restart: unless-stopped
+ entrypoint:
+ - /bin/sh
+ - -ec
+ - |
+ unbound-anchor -a /var/run/unbound/root.key || true
+ exec su -s /bin/sh unbound -c "sh /entrypoint.sh"
+
 postfix:
 image: private/postfix:latest
 build:
 context: ./postfix/
 dockerfile: Dockerfile
 container_name: postfix
+ dns:
+ - '10.0.0.53'
+ networks:
+ - internal
 env_file: .env
 ports:
 - '25:25'
@@ -18,6 +41,7 @@ services:
 - certs:/certs:ro
 restart: unless-stopped
 depends_on:
+ - dns
 - email
 - traefik-certificate-exporter
 labels:
diff --git a/postfix/templates/30-icf-dane.tpl b/postfix/templates/30-icf-dane.tpl
new file mode 100644
index 0000000..a540d5a
--- /dev/null
+++ b/postfix/templates/30-icf-dane.tpl
@@ -0,0 +1,3 @@
+
+smtp_dns_support_level = dnssec
+smtp_tls_security_level = dane
diff --git a/simple-login-compose.yaml b/simple-login-compose.yaml
index f62c85c..70a3702 100644
--- a/simple-login-compose.yaml
+++ b/simple-login-compose.yaml
@@ -5,6 +5,8 @@ x-sl-defaults: &sl-defaults
 - ./pgp:/sl/pgp
 - ./upload:/code/static/upload
 - ./dkim.key:/dkim.key
+ networks:
+ - internal
 services:
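Review bot: Renaming the `default` network to `internal` (second hunk of docker-compose.yaml) changes which containers can reach each other, not just a label: Compose attaches every service that declares no `networks:` to an automatically created `default` network, so after this rename such a service is no longer on the same bridge as `postfix` and `dns`. The commit adds `networks: - internal` to the services visible in these hunks, but `email` and `traefik-certificate-exporter` (listed under `depends_on` in the postfix-compose.yaml hunk) are not visible here, so it is worth confirming they declare `internal` as well. The `ipam:` block continues past the end of the hunk; `ipv4_address: 10.0.0.53` on the `dns` service only works if a `subnet` under `ipam.config` there contains that address, presumably already the case.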
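Review bot: The new `dns` service uses `image: crazymax/unbound:latest`, so the resolver that Postfix's DANE decisions depend on changes with every pull; a version tag or digest (`image: crazymax/unbound:<pinned-tag-or-digest>`, placeholder) is the safer choice for a component in the trust path. `cap_add: - NET_BIND_SERVICE` is redundant next to `user: "0:0"` — root in the container already holds it and it is in Docker's default capability set — while the entrypoint then drops to `unbound` via `su`, which does not carry the capability along, so binding port 53 as that user presumably relies on the image or on Docker's unprivileged-port sysctl; a one-line comment stating which would save the next reader the experiment. `unbound-anchor … || true` is needed in part because `unbound-anchor` exits 1 when it has updated the anchor, but it also hides a failed first fetch, after which the validator starts without a usable trust anchor and DANE quietly degrades; logging the non-zero exit (`|| echo "unbound-anchor exit $?" >&2`) keeps the start-up behaviour while making that visible. The anchor file is also written as root before the `su`, so if Unbound is configured to maintain it as `auto-trust-anchor-file` the `unbound` user may not be able to update it — worth checking ownership.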
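Review bot: `depends_on: - dns` in the postfix-compose.yaml `@@ -18,6 +41,7 @@` hunk only orders container start; Compose does not wait for Unbound to answer, so Postfix can come up while the resolver is still fetching its trust anchor, and deliveries attempted in that window see SERVFAIL or REFUSED and run without DANE until Postfix retries. A `healthcheck:` on the `dns` service combined with the long form `dns: condition: service_healthy` here would make the ordering meaningful. The `postfix` service mapping begins before this hunk.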
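Review bot: `smtp_tls_security_level = dane` only upgrades a destination to authenticated TLS when Postfix receives DNSSEC-validated (AD-bit) answers; when the resolver is not validating, or the zone is unsigned, Postfix falls back to opportunistic `may` for that destination without logging an error, so the template's effect is invisible unless the resolver side is right. Postfix simply trusts the AD bit it is handed, so the path to the nameserver must itself be trustworthy — the private `internal` bridge provides that here, but nothing in this file says so; a header comment such as `# DANE relies on the validating resolver declared as dns: in postfix-compose.yaml; unsigned zones fall back to "may"` would tie the two together. If the Postfix `smtp` process runs chrooted in this image, the resolver address from `dns: - '10.0.0.53'` must also be visible inside the chroot, which this diff cannot show.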
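Review bot: Putting `networks: - internal` into the `&sl-defaults` anchor relies on merge-key semantics, which are shallow: a service that merges the anchor (presumably via `<<: *sl-defaults`) and also declares its own `networks:` — as `sl-app` does with `traefik` and `internal` later in this file — replaces the list instead of extending it, so each such service must repeat `internal` itself. A short comment on the anchor would stop a future service from silently dropping off the internal network, e.g. `# services that set their own networks: must list internal again`. The `x-sl-defaults` mapping starts before this hunk.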
@@ -20,6 +22,8 @@ services:
 interval: 10s
 retries: 3
 start_period: 1s
+ networks:
+ - internal
 volumes:
 - ./db:/var/lib/postgresql/data
 restart: unless-stopped
@@ -45,7 +49,7 @@ services:
 container_name: sl-app
 networks:
 - traefik
- default
+ internal
 restart: unless-stopped
 depends_on:
 init:
diff --git a/unbound/conf.d/00-unbound.conf b/unbound/conf.d/00-unbound.conf
new file mode 100644
index 0000000..2283164
--- /dev/null
+++ b/unbound/conf.d/00-unbound.conf
@@ -0,0 +1,14 @@
+ # Module configuration - disable subnetcache (not needed for local resolver)
+ module-config: "validator iterator"
+
+ # Listen to for queries from clients and answer from this network interface
+ # and port.
+ interface: 0.0.0.0
+ interface: ::1
+ port: 53
+
+ # Report this identity rather than the hostname of the server.
+ identity: "DNS"
+
+ # root.hints enable unbound to perform recursive resolution
+ root-hints: "/usr/share/dns-root-hints/named.root"
diff --git a/unbound/conf.d/10-logging.conf b/unbound/conf.d/10-logging.conf
new file mode 100644
index 0000000..c7599b8
--- /dev/null
+++ b/unbound/conf.d/10-logging.conf
@@ -0,0 +1,2 @@
+ log-queries: yes
+ verbosity: 2
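Review bot: The server block in 00-unbound.conf binds `interface: 0.0.0.0` but sets no `access-control:`; Unbound's built-in default allows only loopback and refuses everything else, so unless the image's base configuration already opens the compose subnet, Postfix at 10.0.0.x gets REFUSED and, under the `dane` policy, silently falls back to opportunistic TLS. An explicit `access-control: <internal-subnet>/<prefix> allow` (placeholder; the real subnet lives in docker-compose.yaml's `ipam` block outside these hunks) next to the interface lines documents the intent and does not depend on image defaults, and keeps the resolver closed to anything that is not on that bridge. Likewise `module-config: "validator iterator"` enables validation, but nothing in this file points Unbound at the anchor the entrypoint fetches; if the base config does not already set `auto-trust-anchor-file: "/var/run/unbound/root.key"`, the validator has no trust anchor and every answer comes back insecure. A comment such as `# DANE in the postfix service depends on validated answers from this resolver` would make the coupling explicit for whoever edits this file next.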
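Review bot: `log-queries: yes` with `verbosity: 2` in 10-logging.conf writes every name the mail server resolves — effectively every recipient domain — into the container log for as long as the container runs; that is handy while validating the DANE setup but is more than a production resolver should retain, and Unbound documents query logging as a debugging aid. Once the setup is verified, `log-queries: no` with `verbosity: 1` is the quieter default, and `log-servfail: yes` surfaces validation failures without recording successful lookups. A comment like `# enable log-queries only while debugging; query logs reveal every recipient domain` would keep the trade-off visible.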