diff --git a/Dockerfile b/Dockerfile
index 6b3c6d42..057c6c0f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -36,6 +36,7 @@ ENV USER= \
 REGION="CA Montreal" \
 DOT=on \
 DOT_PROVIDERS=cloudflare \
+ DOT_PRIVATE_ADDRESS=127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:0:0/96 \
 DOT_VERBOSITY=1 \
 DOT_VERBOSITY_DETAILS=0 \
 DOT_VALIDATION_LOGLEVEL=0 \
diff --git a/README.md b/README.md
index 53950a60..2f7fbea5 100644
--- a/README.md
+++ b/README.md
@@ -129,6 +129,7 @@ docker run --rm --network=container:pia alpine:3.10 wget -qO- https://ipinfo.io
 | `DOT` | `on` | `on` or `off`, to activate DNS over TLS to 1.1.1.1 |
 | `DOT_PROVIDERS` | `cloudflare` | Comma delimited list of DNS over TLS providers from `cloudflare`, `google`, `quad9`, `quadrant`, `cleanbrowsing`, `securedns`, `libredns` |
 | `DOT_CACHING` | `on` | Unbound caching feature, `on` or `off` |
+| `DOT_PRIVATE_ADDRESS` | `127.0.0.1/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,169.254.0.0/16,::1/128,fc00::/7,fe80::/10,::ffff:0:0/96` | Prevent hostnames to resolve to these IP addresses, to prevent DNS rebinding attacks |
 | `DOT_VERBOSITY` | `1` | Unbound verbosity level from `0` to `5` (full debug) |
 | `DOT_VERBOSITY_DETAILS` | `0` | Unbound details verbosity level from `0` to `4` |
 | `DOT_VALIDATION_LOGLEVEL` | `0` | Unbound validation log level from `0` to `2` |
diff --git a/internal/params/dns.go b/internal/params/dns.go
index b2d8aa20..ccde7bc9 100644
--- a/internal/params/dns.go
+++ b/internal/params/dns.go
@@ -107,3 +107,12 @@ func (p *paramsReader) GetDNSOverTLSCaching() (caching bool, err error) {
 return p.envParams.GetOnOff("DOT_CACHING")
 }
+// GetDNSOverTLSPrivateAddresses obtains if Unbound caching should be enable or not
+// from the environment variable DOT_PRIVATE_ADDRESS
+func (p *paramsReader) GetDNSOverTLSPrivateAddresses() (privateAddresses []string) {
+ s, _ := p.envParams.GetEnv("DOT_PRIVATE_ADDRESS")
+ for _, s := range strings.Split(s, ",") {
+ privateAddresses = append(privateAddresses, s)
+ }
+ return privateAddresses
+}
diff --git a/internal/params/params.go b/internal/params/params.go
index 11929c5b..e464e69a 100644
--- a/internal/params/params.go
+++ b/internal/params/params.go
@@ -23,6 +23,7 @@ type ParamsReader interface {
 GetDNSSurveillanceBlocking() (blocking bool, err error)
 GetDNSAdsBlocking() (blocking bool, err error)
 GetDNSUnblockedHostnames() (hostnames []string, err error)
+ GetDNSOverTLSPrivateAddresses() (privateAddresses []string)
 
 // Firewall getters
 GetExtraSubnets() (extraSubnets []net.IPNet, err error)
diff --git a/internal/settings/dns.go b/internal/settings/dns.go
index 0de337cf..f0e68db1 100644
--- a/internal/settings/dns.go
+++ b/internal/settings/dns.go
@@ -102,16 +102,6 @@ func GetDNSSettings(params params.ParamsReader) (settings DNS, err error) {
 if err != nil {
 return settings, err
 }
- settings.PrivateAddresses = []string{ // TODO make env variable
- "127.0.0.1/8",
- "10.0.0.0/8",
- "172.16.0.0/12",
- "192.168.0.0/16",
- "169.254.0.0/16",
- "::1/128",
- "fc00::/7",
- "fe80::/10",
- "::ffff:0:0/96",
- }
+ settings.PrivateAddresses = params.GetDNSOverTLSPrivateAddresses()
 return settings, nil
 }
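Review bot: GetDNSOverTLSPrivateAddresses passes the raw content of DOT_PRIVATE_ADDRESS through without any validation and discards the second return value of GetEnv (presumably an error), so a typo or an empty variable silently weakens the DNS-rebinding protection that the hard-coded list removed from internal/settings/dns.go used to guarantee; for an empty value `strings.Split("", ",")` yields `[""]`, which is then handed on as a private address. The doc comment is also a copy of the caching getter's (`obtains if Unbound caching should be enable or not`) and describes the wrong variable, and the loop merely copies the split result while shadowing `s`. I would trim and skip blank entries, check each one with net.ParseIP / net.ParseCIDR, and return an error like the sibling getters `(hostnames []string, err error)` do, which means the method added to ParamsReader in internal/params/params.go and the assignment in GetDNSSettings (internal/settings/dns.go, which already returns err) change to match. The rewrite below needs `net` and `fmt` in this file's import block, which is outside the hunk.
```go
// GetDNSOverTLSPrivateAddresses obtains the list of IP addresses or CIDR ranges that
// DNS answers must never resolve to (DNS rebinding protection), from the environment
// variable DOT_PRIVATE_ADDRESS. Blank entries are ignored; an invalid entry is an error.
func (p *paramsReader) GetDNSOverTLSPrivateAddresses() (privateAddresses []string, err error) {
	s, err := p.envParams.GetEnv("DOT_PRIVATE_ADDRESS")
	if err != nil {
		return nil, err
	}
	for _, address := range strings.Split(s, ",") {
		address = strings.TrimSpace(address)
		if address == "" {
			continue
		}
		// assumed to be fed to Unbound's private-address, which accepts a single IP or a CIDR block
		_, _, cidrErr := net.ParseCIDR(address)
		if cidrErr != nil && net.ParseIP(address) == nil {
			return nil, fmt.Errorf("environment variable DOT_PRIVATE_ADDRESS: invalid address %q", address)
		}
		privateAddresses = append(privateAddresses, address)
	}
	return privateAddresses, nil
}
```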