From what I had read on the net, this is how unbound works:
client <> Pi Hole <> unbound <> Root
I have a few questions and hope this community can help me.
Is there any command/way to check if unbound is communicating with root and not Cloudflare / Quad9 / Google, etc.?
Unbound sends clear text to root; how is it different when we use Cloudflare / Quad9 / Google DNS (different as in security)? What happens if there is a man-in-the-middle attack?
After I had installed unbound, why does Pi-hole have more forward destinations than before I had installed unbound?
P.S. I am just a person with zero to limited Linux & code knowledge.
Not quite: unbound enquires with each authoritative DNS server of the domain to be resolved, starting with the root servers. So no one DNS provider has your complete DNS history. In addition, ideally any authoritative DNS server would see only that part of the requested domain it is responsible for resolving.
You could have a look at unbound's configuration and its log files, or you could use an online DNS probing tool like https://www.dnsleaktest.com/, which would show the public IP of your router as being used for DNS queries.
In the ways already described above.
In addition, unbound employs a best effort to verify authenticity and integrity of DNS records received by means of DNSSEC. Whether DNSSEC can be employed depends on whether an authoritative DNS server supports it.
As detailed in the guide, unbound should be your Pi-hole's sole upstream server.
Please verify that you've correctly applied the settings from the guide.
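
One way to do the configuration check suggested above, as an added example that is not part of the original thread: it lists any `forward-zone` upstreams in unbound's configuration. If the root zone `.` is forwarded, unbound hands every query to those resolvers instead of recursing from the root servers. Both configurations are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Reads unbound configuration text on stdin.
# Limitation: "include:" directives are not followed; feed every file in.

list_forwarders() {
    # Prints "<zone> <upstream>" for each forward-addr/forward-host entry.
    awk '
        function emit(  i) { for (i = 1; i <= n; i++) print zone, ups[i]; n = 0 }
        { sub(/^#.*/, ""); sub(/[ \t]+#.*/, "") }   # drop comments, keep addr#authname
        /^[ \t]*[a-z-]+:[ \t]*$/ {                  # clause header such as "server:"
            emit(); in_fwd = ($1 == "forward-zone:"); zone = "?"; next
        }
        in_fwd && $1 == "name:" { zone = $2; gsub(/"/, "", zone); next }
        in_fwd && ($1 == "forward-addr:" || $1 == "forward-host:") {
            up = $2; gsub(/"/, "", up); ups[++n] = up
        }
        END { emit() }
    '
}

recursion_mode() {
    # "forwarding" if the root zone is forwarded, otherwise "recursive".
    if list_forwarders | grep -q '^\. '; then echo forwarding; else echo recursive; fi
}

# Constructed sample: recursive setup, no forward-zone clause at all.
sample_recursive() {
cat <<'EOF'
server:
    interface: 127.0.0.1
    harden-dnssec-stripped: yes
EOF
}

# Constructed sample: every query is handed to public resolvers.
sample_forwarding() {
cat <<'EOF'
server:
    interface: 127.0.0.1
forward-zone:
    forward-addr: 1.1.1.1@853#cloudflare-dns.com   # auth name after the hash
    forward-addr: 9.9.9.9
    name: "."
EOF
}

# Usage on a real system (placeholder path): recursion_mode < /path/to/unbound.conf
```

A result of `recursive` only means no root forwarder is configured in the text that was checked; forwarders for individual zones still show up in `list_forwarders`.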