diff --git a/etc/unbound/unbound.conf.d/00-insecure-domains.conf b/etc/unbound/unbound.conf.d/00-insecure-domains.conf
new file mode 100644
index 00000000..5a354c5b
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/00-insecure-domains.conf
@@ -0,0 +1,17 @@
+# Domains to be sent through plaintext DNS for getting hijacked by devices
+# that tend to cause headache.
+# Uses Google DNS, because I don't use it for anything else and don't plan
+# to for the foreseeable future, so it is easier to spot from logs.
+# Is it secure? Google likely also knows I have these devices on my network
+# thanks to Android.
+
+server:
+forward-zone:
+    name: "mywifiext.net"
+    forward-tls-upstream: no
+    forward-addr: 8.8.8.8
+
+forward-zone:
+    name: "tplinkrepeater.net"
+    forward-tls-upstream: no
+    forward-addr: 8.8.8.8