diff --git a/etc/unbound/unbound.conf.d/dns-over-tls.conf b/etc/unbound/unbound.conf.d/dns-over-tls.conf
index f1b9d561..ce6727c4 100644
--- a/etc/unbound/unbound.conf.d/dns-over-tls.conf
+++ b/etc/unbound/unbound.conf.d/dns-over-tls.conf
@@ -1,3 +1,5 @@
+# I am not confident using so huge list is a good idea, thus dot-*.conf's
+
 # NOTE! Requires Unbound 1.7.3 or newer! Debian 9 has 1.6.0
 # Based on https://www.ctrl.blog/entry/unbound-tls-forwarding.html
 #
diff --git a/etc/unbound/unbound.conf.d/dot-quad9.conf b/etc/unbound/unbound.conf.d/dot-quad9.conf
new file mode 100644
index 00000000..8fad238f
--- /dev/null
+++ b/etc/unbound/unbound.conf.d/dot-quad9.conf
@@ -0,0 +1,13 @@
+server:
+ # Debian ca-certificates location
+ tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+ # ctrl.blog says this is the Fedora location
+ #tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+
+forward-zone:
+ name: "."
+ forward-tls-upstream: yes
+ forward-addr: 2620:fe::fe@853#dns.quad9.net
+ forward-addr: 9.9.9.9@853#dns.quad9.net
+ forward-addr: 2620:fe::9@853#dns.quad9.net
+ forward-addr: 149.112.112.112@853#dns.quad9.net
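Review bot: The new dot-quad9.conf defines `forward-zone:` with `name: "."` while dns-over-tls.conf stays in the same unbound.conf.d directory. If that file also forwards the root zone (its body is outside this hunk) and both are included, the resolver gets two definitions of the same zone and it is not obvious which upstream list is in effect. I would state the intent at the top of the new file, for example `# Enable only one of dns-over-tls.conf / dot-*.conf: each defines forward-zone "."`. The new file also lacks the version note that dns-over-tls.conf carries. Upstream certificate verification here depends on `tls-cert-bundle` and the `#dns.quad9.net` authentication name, so repeating `# NOTE! Requires Unbound 1.7.3 or newer!` would stop someone deploying it on an older release and assuming the upstream is being authenticated.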