diff --git a/scripts/init-ubuntu.sh b/scripts/init-ubuntu.sh 
index 583b98672..beded5119 100755 
--- a/scripts/init-ubuntu.sh 
+++ b/scripts/init-ubuntu.sh 
@@ -97,6 +97,7 @@ apt-get -y install --no-install-recommends \
 tzdata \
 unattended-upgrades \
 unbound \ 
+ unbound-anchor \
 unzip \
 whois \
 xfsprogs 
@@ -190,10 +191,6 @@ systemctl disable systemd-resolved || true
 # on vultr, ufw is enabled by default. we have our own firewall
 ufw disable || true 
-# we need unbound to work as this is required for installer.sh to do any DNS requests. control-enable is for https://github.com/NLnetLabs/unbound/issues/806 
-echo -e "server:\n\tinterface: 127.0.0.1\n\nremote-control:\n\tcontrol-enable: no\n" > /etc/unbound/unbound.conf.d/cloudron-network.conf 
-systemctl restart unbound 
-
 # Ubuntu 22 has private home directories by default (https://discourse.ubuntu.com/t/private-home-directories-for-ubuntu-21-04-onwards/)
 sed -e 's/^HOME_MODE\([[:space:]]\+\).*$/HOME_MODE\10755/' -i /etc/login.defs 
diff --git a/scripts/installer.sh b/scripts/installer.sh 
index 8b6c8de8c..a33aeefd6 100755 
--- a/scripts/installer.sh 
+++ b/scripts/installer.sh 
@@ -76,6 +76,11 @@ if [[ "${ubuntu_version}" == "18.04" ]]; then
 exit 2
 fi 
+# switch over to systemd 
+systemctl disable unbound || true 
+systemctl stop unbound || true 
+systemctl enable --now systemd-resolved 
+
 # https://docs.docker.com/engine/installation/linux/ubuntulinux/
 readonly docker_version="23.0.6"
 readonly containerd_version="1.6.21-1" 
diff --git a/setup/start.sh b/setup/start.sh 
index 4df6692e2..581800995 100755 
--- a/setup/start.sh 
+++ b/setup/start.sh 
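Review bot: `systemctl enable --now systemd-resolved` is the only line of the new block without an `|| true` guard, unlike the two `systemctl` calls above it, so if installer.sh runs under `set -e` (not visible in this hunk) a failure to start resolved aborts the install before the Docker setup that follows; whether that fail-fast is intended should be stated. The comment `# switch over to systemd` does not say why the host moves from unbound to resolved, and the `@@` context of the second init-ubuntu.sh hunk shows the base image still running `systemctl disable systemd-resolved || true`, so this script re-enables a service the image build deliberately turns off with nothing tying the two together. I would expand the comment to something like `# the base image disables systemd-resolved (scripts/init-ubuntu.sh); re-enable it so this script has a working resolver until setup/start.sh brings up unbound on 127.0.0.150`. The hunk also does not touch resolved's own DNSSEC setting, so whether the installer's lookups are validated now depends on the distribution default rather than on unbound as before — worth confirming that is acceptable.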
@@ -111,7 +111,8 @@ usermod -a -G adm ${USER}
 log "Setting up unbound"
 cp -f "${script_dir}/start/unbound.conf" /etc/unbound/unbound.conf.d/cloudron-network.conf
 # update the root anchor after a out-of-disk-space situation (see #269) 
-unbound-anchor -a /var/lib/unbound/root.key 
+# it returns 1 even on fail, it's not clear - https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound-anchor.html#exit-code 
+unbound-anchor -v -a /var/lib/unbound/root.key || log "unbound-anchor failed, but it probably worked"
 log "Adding systemd services"
 cp -r "${script_dir}/start/systemd/." /etc/systemd/system/ 
diff --git a/setup/start/unbound.conf b/setup/start/unbound.conf 
index 67fbe2b64..27d5ce158 100644 
--- a/setup/start/unbound.conf 
+++ b/setup/start/unbound.conf 
@@ -3,7 +3,7 @@ server:
 port: 53 
- interface: 127.0.0.1 
+ interface: 127.0.0.150
 interface: 172.18.0.1
 ip-freebind: yes
 do-ip6: yes 
diff --git a/src/dig.js b/src/dig.js 
index dae8aa7dc..bcdaf2ab0 100644 
--- a/src/dig.js 
+++ b/src/dig.js 
@@ -18,8 +18,7 @@ async function resolve(hostname, rrtype, options) {
 const resolver = new dns.promises.Resolver({ timeout: options.timeout || 10000 }); 
- // Only use unbound on a Cloudron 
- if (constants.CLOUDRON) resolver.setServers([ options.server || '127.0.0.1' ]); // unbound runs on 127.0.0.1 
+ if (constants.CLOUDRON) resolver.setServers([ options.server || '127.0.0.150' ]); // unbound runs here
 const result = await resolver.resolve(hostname, rrtype); 
diff --git a/src/dns/wildcard.js b/src/dns/wildcard.js 
index 4be5be0af..f62bf2aa1 100644 
--- a/src/dns/wildcard.js 
+++ b/src/dns/wildcard.js 
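Review bot: The new comment and the fallback message misread the exit code: the linked man page says unbound-anchor exits 1 when it had to replace root.key from the built-in certificate or built-in anchor, and 0 when no update was needed, when RFC 5011 tracking updated it, or when an error occurred. So `|| log "unbound-anchor failed, but it probably worked"` fires exactly on the trust-anchor re-bootstrap case and never on a real failure, while a failed run (stale or empty root.key, leaving unbound unable to validate) passes silently with exit 0. I would replace the comment with `# exits 1 only when root.key had to be re-bootstrapped from the built-in cert/anchor; 0 covers no-op, RFC 5011 update and errors (see man page)`, change the message to `|| log "unbound-anchor re-bootstrapped root.key from the built-in trust anchor"`, and add `[[ -s /var/lib/unbound/root.key ]] || log "root.key missing or empty after unbound-anchor"` so the error case at least shows up in the log. The `-v` output only helps if this script's stdout is captured somewhere; that is not visible here.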
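Review bot: `interface: 127.0.0.150` is an unstated contract with `src/dig.js`, whose hunk in this same commit hard-codes the same address as the default resolver; neither file points at the other, so the next edit to one will silently break the other and `statusUnbound` in src/services.js will report unbound as stopped-or-unresolvable. A comment on this line would record both the link and the reason, e.g. `# must match the default server in src/dig.js; moved off 127.0.0.1 so unbound and systemd-resolved's stub can coexist` — the coexistence motive is my inference from scripts/installer.sh enabling systemd-resolved in this commit, so confirm before committing it to the comment. The rest of the `server:` block, including any `access-control`, is outside the hunk.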
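Review bot: The rewritten comment lost information: the removed `// Only use unbound on a Cloudron` explained why the `constants.CLOUDRON` guard exists, while `// unbound runs here` merely restates the literal next to it. I would write `// On a Cloudron resolve through the local unbound (bound to 127.0.0.150 in setup/start/unbound.conf); elsewhere use the system resolver`, which also tells the reader that `options.server` is ignored off-Cloudron — the reason the callers in src/dns/wildcard.js and src/services.js could drop their explicit `server:` without a behaviour change. While here, `options.timeout || 10000` on the line above treats an explicit `0` as "use the default"; if that is intended a short note saves the next reader a check, otherwise `??` is the right operator. The remainder of `resolve` continues outside the hunk.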
@@ -81,7 +81,7 @@ async function verifyDomainConfig(domainObject) {
 const ipv4 = await network.getIPv4();
 if (ipv4) { 
- const [ipv4Error, ipv4Result] = await safe(dig.resolve(fqdn, 'A', { server: '127.0.0.1', timeout: 5000 })); 
+ const [ipv4Error, ipv4Result] = await safe(dig.resolve(fqdn, 'A', { timeout: 5000 }));
 if (ipv4Error && (ipv4Error.code === 'ENOTFOUND' || ipv4Error.code === 'ENODATA')) throw new BoxError(BoxError.BAD_FIELD, `Unable to resolve IPv4 of ${fqdn}. Please check if you have set up *.${domainObject.domain} to point to this server's IP`);
 if (ipv4Error) throw new BoxError(BoxError.BAD_FIELD, `Unable to resolve IPv4 of ${fqdn}: ${ipv4Error.message}`);
 if (!ipv4Result) throw new BoxError(BoxError.BAD_FIELD, `Unable to resolve IPv4 of ${fqdn}`); 
@@ -91,7 +91,7 @@ async function verifyDomainConfig(domainObject) {
 const ipv6 = await network.getIPv6(); // both should be RFC 5952 format
 if (ipv6) { 
- const [ipv6Error, ipv6Result] = await safe(dig.resolve(fqdn, 'AAAA', { server: '127.0.0.1', timeout: 5000 })); 
+ const [ipv6Error, ipv6Result] = await safe(dig.resolve(fqdn, 'AAAA', { timeout: 5000 }));
 if (ipv6Error && (ipv6Error.code === 'ENOTFOUND' || ipv6Error.code === 'ENODATA')) throw new BoxError(BoxError.BAD_FIELD, `Unable to resolve IPv6 of ${fqdn}`);
 if (ipv6Error) throw new BoxError(BoxError.BAD_FIELD, `Unable to resolve IPv6 of ${fqdn}: ${ipv6Error.message}`);
 if (!ipv6Result) throw new BoxError(BoxError.BAD_FIELD, `Unable to resolve IPv6 of ${fqdn}`); 
diff --git a/src/services.js b/src/services.js 
index b69e5dbfd..9eb22a64c 100644 
--- a/src/services.js 
+++ b/src/services.js 
@@ -1986,7 +1986,7 @@ async function statusUnbound() {
 const [error] = await safe(shell.exec('statusUnbound', 'systemctl is-active unbound', {}));
 if (error) return { status: exports.SERVICE_STATUS_STOPPED }; 
- const [digError, digResult] = await safe(dig.resolve('ipv4.api.cloudron.io', 'A', { server: '127.0.0.1', timeout: 10000 })); 
+ const [digError, digResult] = await safe(dig.resolve('ipv4.api.cloudron.io', 'A', { timeout: 10000 }));
 if (!digError && Array.isArray(digResult) && digResult.length !== 0) return { status: exports.SERVICE_STATUS_ACTIVE };
 debug('statusUnbound: unbound is up, but failed to resolve ipv4.api.cloudron.io . %o %j', digError, digResult);