diff --git a/CHANGES b/CHANGES
index fbf354d42..79c4e7f72 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2842,6 +2842,5 @@
 * backups: do not overflow the schedule timings
 * checklist: new checklist items on update are acknowledged
 * backups: automatically trigger a remount if mount is not active
-* dns: make app containers use system DNS
 * logs: rework the syslog parser
 
diff --git a/src/docker.js b/src/docker.js
index 61ed3b3dc..e69a192ae 100644
--- a/src/docker.js
+++ b/src/docker.js
@@ -373,6 +373,10 @@ async function createSubcontainer(app, name, cmd, options) {
     if (isAppContainer) {
         containerOptions.Hostname = app.id;
         containerOptions.HostConfig.NetworkMode = 'cloudron'; // user defined bridge network
+        // use unbound for app DNS resolution. this is a workaround for the requirement that OIDC server name has to resolve to
+        // public IP somehow skipping any /etc/hosts entries
+        containerOptions.HostConfig.Dns = ['172.18.0.1'];
+        containerOptions.HostConfig.DnsSearch = ['.'];
 
         containerOptions.NetworkingConfig = {
             EndpointsConfig: {
diff --git a/src/infra_version.js b/src/infra_version.js
index 20c67ff64..026dd393c 100644
--- a/src/infra_version.js
+++ b/src/infra_version.js
@@ -6,7 +6,7 @@
 
 exports = module.exports = {
     // a version change recreates all containers with latest docker config
-    'version': '49.8.0',
+    'version': '49.7.0',
 
     // a major version bump in the db containers will trigger the restore logic that uses the db dumps
     // docker inspect --format='{{index .RepoDigests 0}}' $IMAGE to get the sha256