diff --git a/roles/unbound/defaults/main.yml b/roles/unbound/defaults/main.yml
index 6ec3ee0..bbfb24d 100644
--- a/roles/unbound/defaults/main.yml
+++ b/roles/unbound/defaults/main.yml
@@ -10,8 +10,8 @@ unbound_custom_lan_domain: "example.lan"
 unbound_port: 53
 unbound_apparmor_profile_path: /etc/apparmor.d/usr.sbin.unbound
 unbound_firewall_allowed_sources:
- - 192.168.1.0/24 # lan0
- - 192.168.27.0/27 # wg0
+ - { src: "192.168.1.0/24", comment: "DNS from LAN" }
+ - { src: "192.168.27.0/27", comment: "DNS from VPN" }
 unbound_custom_lan_records:
 "example.lan":
 v4: 192.168.1.2
diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index fba9100..cb97a56 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -38,6 +38,7 @@
 capability sys_resource,
 /etc/unbound/** r,
+ /etc/unbound/root.key* rw,
 /var/lib/unbound/** rwk,
 /run/unbound.pid rw,
 /usr/sbin/unbound mr,
@@ -67,7 +68,7 @@
 - name: Update root.hints (if older than 6 months or missing)
 when: >
 (not root_hints.stat.exists) or
- (ansible_date_time.epoch | int - root_hints.stat.mtime > 15552000)
+ (ansible_facts['date_time']['epoch'] | int - root_hints.stat.mtime > 15552000)
 block:
 - name: Download latest root hints from internic
@@ -85,7 +86,7 @@
 - name: Update the ad_servers list if older than 2 weeks or missing
 when: >
 (not ad_servers.stat.exists) or
- (ansible_date_time.epoch | int - ad_servers.stat.mtime > 1209600)
+ (ansible_facts['date_time']['epoch'] | int - ad_servers.stat.mtime > 1209600)
 block:
 - name: Download stevenblack's hosts file
@@ -110,6 +111,14 @@
 args:
 creates: "{{ unbound_anchor_root_key }}"
 
+- name: Ensure root.key has correct ownership and permissions
+ ansible.builtin.file:
+ path: "{{ unbound_anchor_root_key }}"
+ owner: unbound
+ group: unbound
+ mode: "0640"
+ state: file
+
 - name: Install unbound config
 ansible.builtin.template:
 src: "{{ item.src }}"
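Review bot: The new entry shape of `unbound_firewall_allowed_sources` (a mapping with `src` and `comment`) is not documented in the defaults, and any inventory that still overrides the variable with the old plain-CIDR strings will break at the `src: "{{ item.src }}"` lookup in the firewall task of a later hunk. A comment above the key stating the schema would prevent that, e.g. `# Each entry: { src: <CIDR>, comment: <text attached to the firewall rule> }`. It is also worth saying that an empty list presumably opens no firewall exception at all, since the task loop falls back to `default([])`.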
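Review bot: The added AppArmor rule hard-codes `/etc/unbound/root.key* rw,` while the rest of the role addresses the trust anchor through `{{ unbound_anchor_root_key }}` (the `creates:` guard and the new `file` task in the later hunks of this file). If the variable is ever pointed elsewhere, the profile silently stops permitting writes and the automatic trust-anchor update fails under enforcement. If this block is rendered through Jinja (it sits in tasks/main.yml, so that seems likely), templating the rule from the same variable, `{{ unbound_anchor_root_key }}* rw,`, keeps the two in step; the trailing `*` is presumably there to cover the temporary file unbound writes before renaming it into place, which deserves a short comment. The enclosing task starts before this hunk.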
@@ -151,7 +160,8 @@
 rule: allow
 port: "{{ unbound_port }}"
 proto: any
- src: "{{ item }}"
+ src: "{{ item.src }}"
+ comment: "{{ item.comment }}"
 direction: in
 loop: "{{ unbound_firewall_allowed_sources | default([]) }}"
 retries: 5
diff --git a/roles/unbound/templates/custom-lan.conf.j2 b/roles/unbound/templates/custom-lan.conf.j2
index 6d94dc3..73e1aa8 100644
--- a/roles/unbound/templates/custom-lan.conf.j2
+++ b/roles/unbound/templates/custom-lan.conf.j2
@@ -1,9 +1,20 @@
 # {{ ansible_managed }}
 view:
 name: "lan"
+ view-first: yes
 {% for host, ips in unbound_custom_lan_records.items() %}
- local-data: "{{ host }}. IN A {{ ips.v4 }}"
- {% if ips.v6 is defined %}
- local-data: "{{ host }}. IN AAAA {{ ips.v6 }}"
- {% endif %}
+ local-data: "{{ host }}. IN A {{ ips.v4 }}"
+{% if ips.v6 is defined %}
+ local-data: "{{ host }}. IN AAAA {{ ips.v6 }}"
+{% endif %}
+{% if ips.aliases is defined %}
+{% for alias in ips.aliases %}
+ local-data: "{{ alias }}. IN A {{ ips.v4 }}"
+{% if ips.v6 is defined %}
+ local-data: "{{ alias }}. IN AAAA {{ ips.v6 }}"
+{% endif %}
 {% endfor %}
+{% endif %}
+{% endfor %}
+
+include: "{{ unbound_ad_servers_config_path }}"
diff --git a/roles/unbound/templates/custom-vpn.conf.j2 b/roles/unbound/templates/custom-vpn.conf.j2
index a4abdab..23f1af0 100644
--- a/roles/unbound/templates/custom-vpn.conf.j2
+++ b/roles/unbound/templates/custom-vpn.conf.j2
@@ -1,9 +1,12 @@
 # {{ ansible_managed }}
 view:
 name: "vpn"
+ view-first: yes
 {% for host, ips in unbound_custom_vpn_records.items() %}
 local-data: "{{ host }}. IN A {{ ips.v4 }}"
 {% if ips.v6 is defined %}
 local-data: "{{ host }}. IN AAAA {{ ips.v6 }}"
 {% endif %}
 {% endfor %}
+
+include: "{{ unbound_ad_servers_config_path }}"
diff --git a/roles/unbound/templates/unbound.conf.j2 b/roles/unbound/templates/unbound.conf.j2
index b916590..0bbd617 100644
--- a/roles/unbound/templates/unbound.conf.j2
+++ b/roles/unbound/templates/unbound.conf.j2
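Review bot: `comment: "{{ item.comment }}"` raises an undefined-variable error for any list entry that omits `comment`, and nothing in the defaults hunk marks that key as required; the previous string-based entries had no such field at all. `comment: "{{ item.comment | default(omit) }}"` keeps the rule working for entries that only carry `src`. The task starts before this hunk, so the module it drives is not visible here.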
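Review bot: Moving `include: "{{ unbound_ad_servers_config_path }}"` into each view (here and in the custom-vpn hunk) while dropping it from `server:` in the unbound.conf.j2 hunk means the block list — presumably local-zone/local-data entries generated from a large hosts file — is parsed once per view, roughly doubling its memory footprint, and any client that is not mapped to a view by an `access-control-view` entry no longer gets ad-blocking at all. If the intent is that every client is filtered, keeping the single include at `server:` level and relying on the new `view-first: yes` (which falls back to the global local-zone/local-data when the view has no match) achieves that with one copy. Either way a comment in the template stating which behaviour is intended would stop the next reader from "fixing" it in the wrong direction.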
@@ -15,6 +15,7 @@ server:
 
 # Define access controls (note that ufw might be also configured)
 access-control: 0.0.0.0/0 refuse
+ access-control: 127.0.0.0/8 allow # lo interface
 access-control: 192.168.1.0/24 allow # lan0 interface
 access-control: 192.168.27.0/27 allow # wg0 interface
 access-control: ::0/0 refuse
@@ -80,7 +81,9 @@ server:
 
 # Perform prefetching of close to expired message cache entries
 # This only applies to domains that have been frequently queried
- prefetch: yes
+ # NOTE: Disabled because prefetch doesn't work with subnet module (views)
+ # see: https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-prefetch
+ prefetch: no
 
 # One thread should be sufficient, can be increased on beefy machines.
 # In reality for most users running on small networks or on a single machine,
@@ -105,6 +108,5 @@ server:
 # Enable DNSSEC
 auto-trust-anchor-file: "{{ unbound_anchor_root_key }}"
 
-include: "{{ unbound_ad_servers_config_path }}"
 include: "{{ unbound_custom_lan_config_path }}"
 include: "{{ unbound_custom_vpn_config_path }}"
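Review bot: The new `access-control: 127.0.0.0/8 allow` has no IPv6 counterpart, so queries arriving over `::1` are still caught by `access-control: ::0/0 refuse` two lines below. If unbound also listens on an IPv6 loopback interface (the `interface:` lines are outside this hunk), add `access-control: ::1/128 allow # lo interface` next to it. Note as well that with the ad-server include now living only inside the views, a loopback client is only ad-filtered if an `access-control-view` entry maps it to one of them.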
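Review bot: The added comment attributes the limitation to "subnet module (views)", but the subnetcache module (EDNS client subnet) and views are separate unbound features, and as far as I recall the prefetch caveat in the linked page concerns subnetcache rather than views. If this deployment uses views but does not load subnetcache via `module-config`, prefetch could stay enabled; otherwise reword to `# NOTE: Disabled because prefetch is not supported together with the subnetcache module` so the next reader does not look for a views-related problem.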