For those who have their Flint 3 Unbound configured as a recursive server and want to try forwarding to an upstream server over DoT (this recipe uses DNS-over-TLS; Unbound does not speak DoH to upstreams, only as a server), this is for you. This approach works well with LuCI. LuCI will modify /etc/unbound/unbound but won't touch the file you create here.
** Just ensure you have the following in your /etc/unbound/unbound file:
option extended_conf '1'
If Unbound is configured as a recursive server, it sends its queries in cleartext (plain DNS on port 53) to the root, TLD and authoritative servers, so anyone on the path, your ISP included, can read them. Forwarding over DoT/DoH encrypts that path but puts a middleman, the forwarder, in it who sees every query you make. There's no perfect solution - Choose
# Create this file: /etc/unbound/unbound.conf.d/99-quad9-dot.conf
# Overrides the recursion set up by /etc/unbound/unbound: Unbound stops
# iterating from the roots and forwards every query to Quad9 over
# DNS-over-TLS (port 853). Safe with LuCI/Flint 3; the UI does not
# overwrite this file.
# After changes: unbound-checkconf (if that package is installed), then
# /etc/init.d/unbound restart
server:
    # No "disable recursion" setting is needed: the forward-zone for "."
    # below, with forward-first: no, means Unbound never walks the root
    # and authoritative servers itself. (do-recursion is not an Unbound
    # keyword; Unbound refuses to load a config with an unknown option.)

    # Only needed if Unbound also talks to a resolver on 127.0.0.1, e.g.
    # the dnsmasq link on OpenWrt. It is not a hardening setting.
    do-not-query-localhost: no

    # CA bundle used to verify each forwarder's certificate against the
    # #hostname on its forward-addr line. Needs the ca-bundle package.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # Privacy and security hardening
    # (only has an effect when a DNSSEC trust anchor is configured)
    harden-dnssec-stripped: yes
    hide-identity: yes
    hide-version: yes
    # Harmless here, but it does nothing in a pure forwarding setup:
    # a forwarder always receives the full query name.
    qname-minimisation: yes

forward-zone:
    name: "."
    # TLS to the forwarders. The #hostname after each address is what the
    # certificate is checked against; without it the connection is
    # encrypted but the server is not authenticated.
    forward-tls-upstream: yes
    # Never fall back to plain recursion if the forwarders fail
    forward-first: no
    # Forward all queries to one of the services below:
    # Quad9 Secure DNS-over-TLS
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    # Cloudflare DNS
    # forward-addr: 1.1.1.1@853#cloudflare-dns.com
    # forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Google Public DNS
    # forward-addr: 8.8.8.8@853#dns.google
    # forward-addr: 8.8.4.4@853#dns.google
    # OpenDNS (Cisco) - secure DNS-over-TLS
    # forward-addr: 208.67.222.222@853#dns.opendns.com
    # forward-addr: 208.67.220.220@853#dns.opendns.com
    # Quad9 Unsecured (non-blocking)
    # forward-addr: 9.9.9.10@853#dns10.quad9.net
    # forward-addr: 149.112.112.10@853#dns10.quad9.net
    # CleanBrowsing Family Filter
    # forward-addr: 185.228.168.168@853#family-filter-dns.cleanbrowsing.org
    # forward-addr: 185.228.169.168@853#family-filter-dns.cleanbrowsing.org
    # AdGuard DNS
    # forward-addr: 94.140.14.14@853#dns.adguard.com
    # forward-addr: 94.140.15.15@853#dns.adguard.com
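Added example (not part of the original post, and not an Unbound or OpenWrt tool): a small POSIX sh + awk lint that reads a file in the format above and flags the three mistakes that quietly weaken DNS-over-TLS forwarding. A forward-addr without @853 makes Unbound try TLS on port 53; one without a #hostname gives an encrypted but unauthenticated connection that any on-path box could terminate; and a zone with forward-addr lines but no forward-tls-upstream: yes sends queries in the clear. It also checks that a CA source (tls-cert-bundle or tls-system-cert) is present. The two sample configs it writes are constructed for the demo and are not the router's real files.

```shell
#!/bin/sh
# DoT forward-zone lint. Dependencies: POSIX sh and awk (busybox awk is fine).
# count_dot_problems FILE  -> prints the number of problems found (stdout),
#                             one line per problem on stderr.
count_dot_problems() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function fail(msg) { problems++; print "PROBLEM: " msg > "/dev/stderr" }
    function end_zone() {
      if (in_fwd && naddr > 0 && !tls)
        fail("forward-zone " zone " has forward-addr lines but no forward-tls-upstream: yes (plaintext DNS)")
      in_fwd = 0; naddr = 0; tls = 0; zone = ""
    }
    {
      line = $0
      # Unbound comments start at a "#" that begins a token, so only strip
      # "<whitespace>#..."; the "#" inside 9.9.9.9@853#dns.quad9.net stays.
      sub(/[ \t]#.*$/, "", line)
      line = trim(line)
      if (line == "" || line ~ /^#/) next
      if (line ~ /^[a-z-]+:$/) {        # clause header: server:, forward-zone:, stub-zone:, ...
        end_zone()
        if (line == "forward-zone:") in_fwd = 1
        next
      }
      idx = index(line, ":")
      if (idx == 0) next
      key = substr(line, 1, idx - 1); val = trim(substr(line, idx + 1))
      if (key == "tls-cert-bundle" && val != "") have_ca = 1
      if (key == "tls-system-cert" && val == "yes") have_ca = 1
      if (!in_fwd) next
      if (key == "name") zone = val
      if (key == "forward-tls-upstream" && val == "yes") { tls = 1; saw_tls = 1 }
      if (key == "forward-addr") {
        naddr++
        if (val !~ /@853(#|$)/)
          fail("forward-addr " val " does not use port 853; Unbound keeps port 53 unless @853 is given")
        if (val !~ /#[A-Za-z0-9.-]+$/)
          fail("forward-addr " val " has no #hostname, so the TLS certificate is never verified")
      }
    }
    END {
      end_zone()
      if (saw_tls && !have_ca)
        fail("no tls-cert-bundle / tls-system-cert: TLS forwarders cannot be authenticated")
      print problems + 0
    }
  ' "$1"
}

# lint_dot_config FILE -> human-readable verdict, always returns 0
lint_dot_config() {
  n=$(count_dot_problems "$1")
  if [ "$n" -eq 0 ]; then echo "$1: OK"; else echo "$1: $n problem(s)"; fi
  return 0
}

# Constructed sample inputs for the demo (temporary files, not /etc/unbound).
tmp=${TMPDIR:-/tmp}/dot-lint.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/good.conf" <<'EOF'
server:
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    # forward-addr: 1.1.1.1@853#cloudflare-dns.com
EOF
cat > "$tmp/bad.conf" <<'EOF'
server:
    hide-identity: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853          # encrypted but unauthenticated
    forward-addr: 149.112.112.112      # no @853 and no #hostname
EOF

lint_dot_config "$tmp/good.conf"   # good.conf: OK
lint_dot_config "$tmp/bad.conf"    # bad.conf: 4 problem(s)
```

Run it against your own file with `count_dot_problems /etc/unbound/unbound.conf.d/99-quad9-dot.conf`; a result of 0 plus a clean unbound-checkconf is what you want before restarting.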
I hope this helps someone.