diff --git a/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml b/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml index 7d3aa272..e693edcf 100644 --- a/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml +++ b/k8s/infra/network/dns/adguard/config/AdGuardHome.yaml @@ -14,22 +14,20 @@ dns: - 0.0.0.0 port: 53 anonymize_client_ip: false - ratelimit: 20 + ratelimit: 500 ratelimit_subnet_len_ipv4: 24 ratelimit_subnet_len_ipv6: 56 ratelimit_whitelist: [ ] refuse_any: true upstream_dns: - 10.96.0.11 - - udp://unbound.dns.svc.cluster.local:53 - - tcp://unbound.dns.svc.cluster.local:53 upstream_dns_file: "" bootstrap_dns: - - 10.96.0.10 + - 10.96.0.11 fallback_dns: - 1.1.1.1 - 9.9.9.9 - upstream_mode: fastest_addr + upstream_mode: parallel fastest_timeout: 1s allowed_clients: [ ] disallowed_clients: [ ] @@ -105,6 +103,7 @@ filters: whitelist_filters: [ ] user_rules: - '@@||sdk.iad-01.braze.com^$important' # Payments? + - '@@||www.merchant-center-analytics.goog^$important' dhcp: enabled: false interface_name: "" diff --git a/k8s/infra/network/dns/unbound/config/unbound.conf b/k8s/infra/network/dns/unbound/config/unbound.conf index 29d9a0ae..f0fb2f37 100644 --- a/k8s/infra/network/dns/unbound/config/unbound.conf +++ b/k8s/infra/network/dns/unbound/config/unbound.conf @@ -18,12 +18,12 @@ server: rrset-roundrobin: yes username: "_unbound" - log-local-actions: no - log-queries: no - log-replies: no + log-local-actions: yes + log-queries: yes + log-replies: yes log-servfail: yes - #logfile: /opt/unbound/etc/unbound/unbound.log + logfile: /opt/unbound/etc/unbound/unbound.log verbosity: 2 infra-cache-slabs: 4 @@ -50,7 +50,7 @@ server: so-reuseport: yes - aggressive-nsec: yes + #aggressive-nsec: yes delay-close: 10000 @@ -60,7 +60,7 @@ server: neg-cache-size: 4M - qname-minimisation: yes + #qname-minimisation: yes access-control: 127.0.0.1/32 allow access-control: 192.168.0.0/16 allow 
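Review bot: Raising `ratelimit` from 20 to 500 queries per second per /24 (the `ratelimit_subnet_len_ipv4: 24` context line is kept) removes most of the per-client flood protection AdGuard provides; if one noisy client hit the old limit, the narrower fix is to put it in `ratelimit_whitelist` and leave the global cap alone. The same hunk leaves `upstream_dns` with the single entry `10.96.0.11`, so `upstream_mode: parallel` has nothing to run in parallel, and `bootstrap_dns` now points at that same address — harmless for a plain-IP upstream, but circular if the upstream is ever switched to a DoT/DoH hostname. With only one upstream, any outage of it sends every client query to `fallback_dns` (1.1.1.1 / 9.9.9.9), bypassing whatever the internal resolver enforces; if that is not intended, add a second internal upstream or at least state it next to the list, e.g. `# single upstream: an unbound outage falls through to the public fallback_dns`.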
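Review bot: The new `@@||www.merchant-center-analytics.goog^$important` allowlist rule carries no comment explaining why an analytics endpoint must bypass every blocklist, unlike the `braze.com` rule above it, which at least says `# Payments?`. Because an `@@` rule with `$important` overrides even `$important` blocking rules, each of these exceptions deserves a one-line justification and an owner, e.g. `# Google Merchant Center analytics — required for <site/feature>, added <date>`. Without it the next reviewer cannot tell a deliberate exception from a troubleshooting rule that was never removed.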
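Review bot: Enabling `log-queries: yes` and `log-replies: yes` and routing them to `logfile: /opt/unbound/etc/unbound/unbound.log` writes every client's full DNS history to a file inside the container, with no rotation (Unbound does not rotate its own log) and outside the stdout/stderr stream the cluster collects. That path appears to be the same directory as the mounted config (`k8s/infra/network/dns/unbound/config/`), which in Kubernetes is usually a read-only ConfigMap mount; if so, opening the log file will fail, and even on a writable mount it must be writable by `_unbound` after the `username` drop. If this is for troubleshooting the resolution problems the later hunks work around, keep `logfile` commented so output goes to stderr and `kubectl logs`, and record the intent: `# TEMP: query logging for debugging — contains per-client DNS history; set back to no when done`.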
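Review bot: Commenting out `qname-minimisation: yes` turns off RFC 9156 query-name minimisation, so root, TLD and every intermediate authoritative server again sees the full name being resolved — a privacy regression for every client behind this resolver, and the hunk does not say which lookups failed. As I read the unbound.conf manual, non-strict mode already falls back to sending the full QNAME when a zone breaks under minimisation (only `qname-minimisation-strict: yes` refuses to), so if one zone triggered this it is worth naming it before disabling the feature globally. The later hunk in this file sets `qname-minimisation: no` explicitly, so this commented-out line is redundant; either drop it or change it in place to `qname-minimisation: no  # see workaround note below` so the option is defined once.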
@@ -98,7 +98,7 @@ server: private-address: fe80::/10 private-address: ::ffff:0:0/96 - ratelimit: 1000 + ratelimit: 0 tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt @@ -108,6 +108,17 @@ server: val-clean-additional: yes + # https://github.com/NLnetLabs/unbound/issues/362 + qname-minimisation: no + aggressive-nsec: no + + infra-keep-probing: yes + infra-cache-max-rtt: 2000 + infra-host-ttl: 0 + + outbound-msg-retry: 32 + max-sent-count: 128 + include: /opt/unbound/etc/unbound/a-records.conf include: /opt/unbound/etc/unbound/srv-records.conf diff --git a/k8s/infra/network/dns/unbound/deployment.yaml b/k8s/infra/network/dns/unbound/deployment.yaml index 6f9309c4..3704e988 100644 --- a/k8s/infra/network/dns/unbound/deployment.yaml +++ b/k8s/infra/network/dns/unbound/deployment.yaml @@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: DaemonSet +kind: Deployment metadata: name: unbound namespace: dns
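Review bot: `ratelimit: 0` disables Unbound's per-zone query rate limiting entirely (0 means off), which was the guard against this resolver being driven into random-subdomain or amplification floods against authoritative servers, and AdGuard's own per-client limit was raised 25x in the same commit, so nothing in the chain throttles any more. If a legitimate zone was being throttled at 1000 qps, `ratelimit-for-domain` / `ratelimit-below-domain` can raise the limit for just that zone, or a higher global value such as `ratelimit: 5000` keeps the backstop. The `access-control` lines restrict who may ask, but any host in 192.168.0.0/16 can still generate unbounded upstream traffic through this resolver.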
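Review bot: `outbound-msg-retry: 32` and `max-sent-count: 128` let a single client query generate up to 128 upstream packets (Unbound's defaults are 5 and 32, if I recall them correctly), and `infra-host-ttl: 0` appears to expire infra-cache entries immediately so unreachable or lame servers are never remembered; combined with `ratelimit: 0` from the previous hunk this makes the resolver a much better amplifier for anything that can reach it. The block is justified only by a bare link to unbound issue #362; the comment should state the symptom these values fix, how they were chosen, and that they are a workaround to revert, e.g. `# WORKAROUND(unbound#362): <symptom>; revert to defaults once fixed upstream`. The explicit `qname-minimisation: no` and `aggressive-nsec: no` here duplicate the lines commented out earlier in the same file — keep one definition per option.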
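Review bot: Changing `kind` from DaemonSet to Deployment drops the one-pod-per-node guarantee, and the hunk shows no `replicas`, update `strategy` or pod anti-affinity (the rest of the spec is outside this hunk); a Deployment defaults to a single replica, and with AdGuard now pointing only at `10.96.0.11` — presumably this service's ClusterIP — a single Unbound pod being rolled or rescheduled means every client query falls through to the public `fallback_dns` servers for that window. Set `replicas: 2` or more with `podAntiAffinity` across nodes and a PodDisruptionBudget, or document why one replica is acceptable here.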