diff --git a/bundles/unbound/files/netdata-unbound.conf b/bundles/unbound/files/netdata-unbound.conf
new file mode 100644
index 0000000..128a20c
--- /dev/null
+++ b/bundles/unbound/files/netdata-unbound.conf
@@ -0,0 +1,10 @@
+jobs:
+  - name: local
+    address: 127.0.0.1:8953
+    timeout: 1
+    conf_path: /etc/unbound/unbound.conf
+    cumulative_stats: no
+    use_tls: yes
+    tls_skip_verify: no
+    tls_cert: /etc/unbound/unbound_control.pem
+    tls_key: /etc/unbound/unbound_control.key
diff --git a/bundles/unbound/files/unbound.conf b/bundles/unbound/files/unbound.conf
index 8152448..29b28d6 100644
--- a/bundles/unbound/files/unbound.conf
+++ b/bundles/unbound/files/unbound.conf
@@ -5,7 +5,7 @@ server:
     verbosity: 0
 
 % if node.has_bundle('netdata'):
-    statistics-interval: 5
+    statistics-interval: 1
     extended-statistics: yes
 % else:
     statistics-interval: 300
diff --git a/bundles/unbound/items.py b/bundles/unbound/items.py
index 00a3387..7c72825 100644
--- a/bundles/unbound/items.py
+++ b/bundles/unbound/items.py
@@ -10,7 +10,7 @@ files = {
 
 actions = {
     'unbound_generate_certificates': {
-        'command': 'unbound-control-setup',
+        'command': 'unbound-control-setup && chmod 0644 /etc/unbound/unbound_control.*',
         'unless': 'test -f /etc/unbound/unbound_server.key',
         'needs': {
             'pkg_apt:unbound',
@@ -42,3 +42,11 @@ if node.has_bundle('systemd-networkd'):
     svc_systemd['unbound']['needed_by'] = {
         'file:/etc/resolv.conf',
     }
+
+if node.has_bundle('netdata'):
+    files['/etc/netdata/go.d/unbound.conf'] = {
+        'source': 'netdata-unbound.conf',
+        'triggers': {
+            'svc_systemd:netdata:restart',
+        },
+    }