diff --git a/docs/guides/dns/unbound.md b/docs/guides/dns/unbound.md
index 5aa354830..328a5b586 100644
--- a/docs/guides/dns/unbound.md
+++ b/docs/guides/dns/unbound.md
@@ -168,11 +168,11 @@ The first query may be quite slow, but subsequent queries, also to other domains
 You can test DNSSEC validation using
 
 ```bash
-dig fail01.dnssec.works @127.0.0.1 -p 5335
-dig dnssec.works @127.0.0.1 -p 5335
+dig bogus.nlnetlabs.nl @127.0.0.1 -p 5335
+dig +ad cloudflare.com @127.0.0.1 -p 5335
 ```
 
-The first command should give a status report of `SERVFAIL` and no IP address. The second should give `NOERROR` plus an IP address.
+The first command should give a status report of `SERVFAIL` and no IP address. The second should give `NOERROR` plus an IP address in addition to a `ad` in the `flags:` section. The `ad` signifies (Authentic Data), indicating the DNS response has been authenticated and validated using DNSSEC.
 
 ### Configure Pi-hole