diff --git a/salt/unbound/init.sls b/salt/unbound/init.sls
index 6eb7bd7..d39d102 100644
--- a/salt/unbound/init.sls
+++ b/salt/unbound/init.sls
@@ -6,6 +6,13 @@ unbound:
         - pkg: unbound
         - file: /etc/unbound/unbound.conf.d/listen.conf
 
+dns-root-data:
+  pkg.installed: []
+
 /etc/unbound/unbound.conf.d/listen.conf:
   file.managed:
     - source: salt://unbound/listen.conf
+
+/etc/unbound/unbound.conf.d/root.conf:
+  file.managed:
+    - source: salt://unbound/root.conf
diff --git a/salt/unbound/listen.conf b/salt/unbound/listen.conf
index 73397ff..81c5669 100644
--- a/salt/unbound/listen.conf
+++ b/salt/unbound/listen.conf
@@ -1,3 +1,5 @@
 server:
     interface: 0.0.0.0
     interface: ::
+    access-control: 172.20.72.0/21 allow
+    access-control: 0.0.0.0/0 refuse