I have used the combination of Unbound and dnscrypt-proxy on my PC for a period of time. I was using
dnsmasq seemed unstable (Even if it was deployed on my computer and used by just me!). Replacing dnsmasq with unbound seems to be a good solution.
Here (Chinese Simplified) is a great example by phoenixlzx.
Unbound will do load-balancing on the listed
forward-addrs, instead of requesting the servers one by one, skipping to next server only if the previous one fails. In the instance of me, I want it to request my
dnscrypt-proxy server first, and use other servers as fallback. It's obviously not doing me good.
Finally I moved the fallback configures and wrote it in
/etc/resolv.conf. Not so exciting but it also works.
dnscrypt-proxy apply the first matching rule it comes across. Unbound is more rational and will match the most accurate one.
DNS over TLS (DoT) support of Unbound
Unbound supports DNS over TLS (but not DNS over HTTPS) at forwarding DNS queries. By adding
forward-tls-upstream: yes (or
forward-ssl-upstream: yes) you can ask the server to send DoH request to servers you specify. Then we don't need
dnscrypt-proxy to make secured DNS queries.
See this article for detailed configurations.
My config file (working on a Manjaro Linux):
server: verbosity: 1 do-daemonize: no use-syslog: yes username: unbound directory: "/etc/unbound" root-hints: "root.hints" # Get it here: https://www.internic.net/domain/named.root trust-anchor-file: trusted-key.key # Run `sudo unbound-anchor` for this file module-config: "iterator" # "validator iterator" if you want DNSSEC interface: 127.0.0.54 tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt # Differ per distribution access-control: 127.0.0.1/8 allow forward-zone: name: "." forward-ssl-upstream: yes forward-addr: 184.108.40.206@853#dns.google forward-addr: 220.127.116.11@853#dns.quad9.net forward-addr: 18.104.22.168@853#cloudflare-dns.comconf