diff --git a/cmdeploy/src/cmdeploy/__init__.py b/cmdeploy/src/cmdeploy/__init__.py
index 766edfd1..2942d017 100644
--- a/cmdeploy/src/cmdeploy/__init__.py
+++ b/cmdeploy/src/cmdeploy/__init__.py
@@ -378,6 +378,20 @@ def deploy_chatmail(mail_domain: str, mail_server: str, dkim_selector: str) -> N
         system=True,
     )
 
+    # Run local DNS resolver `unbound`.
+    # `resolvconf` takes care of setting up /etc/resolv.conf
+    # to use 127.0.0.1 as the resolver.
+    apt.packages(
+        name="Install unbound",
+        packages="unbound",
+    )
+    systemd.service(
+        name="Start and enable unbound",
+        service="unbound.service",
+        running=True,
+        enabled=True,
+    )
+
     # Deploy acmetool to have TLS certificates.
     deploy_acmetool(nginx_hook=True, domains=[mail_server, f"mta-sts.{mail_server}"])