diff --git a/etc/unbound/unbound.conf.d/dns-mullvad.conf b/etc/unbound/unbound.conf.d/dns-mullvad.conf
deleted file mode 100644
index ee46714e..00000000
--- a/etc/unbound/unbound.conf.d/dns-mullvad.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# WARNING! This is unencrypted DNS, you don't want this outside of using
-# Mullvad's VPN.
-
-forward-zone:
-    name: "."
-
-    # Mullvad Wireguard
-    forward-addr: 10.64.0.1
-    # Mullvad OpenVPN "(or any other address matching 10.x.0.1)"
-    forward-addr: 10.8.0.1
-
-    # Mullvad’s own public, non-logging DNS server.
-    forward-addr: 193.138.218.74
diff --git a/etc/unbound/unbound.conf.d/dot-mullvad-adblock.conf b/etc/unbound/unbound.conf.d/dot-mullvad-adblock.conf
new file mode 100644
index 00000000..360bae8e
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/dot-mullvad-adblock.conf
@@ -0,0 +1,12 @@
+server:
+  # Debian ca-certificates location
+  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+  # ctrl.blog says this is the Fedora location
+  #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+
+forward-zone:
+    name: "."
+    forward-tls-upstream: yes
+    forward-addr: 2a07:e340::3#adblock.doh.mullvad.net
+    forward-addr: 194.242.2.3@853#adblock.doh.mullvad.net
+    forward-addr: 193.19.108.3@853#adblock.doh.mullvad.net
diff --git a/etc/unbound/unbound.conf.d/dot-mullvad.conf b/etc/unbound/unbound.conf.d/dot-mullvad.conf
new file mode 100644
index 00000000..cb256cff
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/dot-mullvad.conf
@@ -0,0 +1,12 @@
+server:
+  # Debian ca-certificates location
+  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+  # ctrl.blog says this is the Fedora location
+  #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+
+forward-zone:
+    name: "."
+    forward-tls-upstream: yes
+    forward-addr: 2a07:e340::2@853#doh.mullvad.net
+    forward-addr: 194.242.2.2@853#doh.mullvad.net
+    forward-addr: 193.19.108.2@853#doh.mullvad.net