I'm not experiencing an issue. I just have a question: I have pihole installed with unbound setup and running perfectly fine. I have a Unifi UDM Pro router that has the ability to enable DNS Shield which provides DoH through a provider such as Quad9.
I can use Quad9's recommended IPv4 configuration of 9.9.9.9 and 149.112.112.112 by selecting these two in Unifi: quad9-doh-ip4-port443-filter-pri and quad9-doh-ip4-port5053-filter-pri.
My question is this, can I keep using my pihole AND keep using unbound as the recursive DNS provider AND also reap the benefits of having DNS Shield enabled for an additional layer of security for DoH? Or does enabling the DNS Shield just turn unbound into simply a DNS forwarder? If the latter, I'll stick with unbound.
If unbound's DNS requests would be intercepted and forcefully redirected to your UDM's configured DoH servers, that would kill public DNS resolution: unbound would disregard any DNS reply, as the replies would not come from authoritative DNS servers.
If that DNS shield feature would just configure how your UDM talks to its upstreams, it won't affect Pi-hole's or unbound's upstream resolution at all. Note that Pi-hole is plain Do53, so you can't use it as your UDM's DoH upstream (but I'd expect your UDM to distribute Pi-hole as local DNS server via DHCP anyway).
I assume the first paragraph to be correct because once I enabled it on the UDM pro, my network went down and it came back up once I disabled it.
I was just thinking about unbound and how securely it does the resolving off lan and if there were ways to harden its DNS resolving with authoritative servers.
There is apparently a way to enable DOH or DOT (academic papers on the unbound website) but I thought this was an easier route to try if it could be done simply with a toggle.
Is there any hardening that can be done for unbound off network or does it come out of the box with reasonable settings?
You may want to contemplate what you actually mean by hardening.
If you followed Pi-hole's unbound guide, unbound would run as a recursive resolver, talking to authoritative DNS servers directly, so no single party receives all your DNS traffic.
In addition, and perhaps more importantly, unbound validates DNS replies using DNSSEC, which would guarantee integrity and authenticity of DNS replies, i.e. answers haven't been tampered with, and they are indeed supplied by the respective authoritative DNS server.
Neither DoH nor DoT gives you that - what they do is add encryption to DNS traffic between you and a public DNS server, preventing third parties from eavesdropping on your DNS traffic, but that third party DoH/DoT server still receives all your DNS traffic.
For a typical home network, I'd opt for unbound - if someone would be eavesdropping, your network would already have been compromised, posing a significantly greater breach than listening on DNS.
For a laptop roaming in public wifis like hotels, airports or cafes, I'd probably enable DoH, though my preference would be to route DNS through my home network Pi-hole via a VPN (e.g. Wireguard).
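One way to see for yourself what the reply above describes, as an added check that is not from the thread: the script asks the local unbound to resolve a name and reports whether the answer came back DNSSEC-validated (AD bit set) or failed validation (SERVFAIL), which is exactly what a non-validating DoH forwarder would not give you. It assumes unbound listens on 127.0.0.1:5335 as in Pi-hole's guide and that dig(1) is installed; the function names and the sample dig header are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: query the local unbound and
# classify the reply by its DNSSEC outcome. A validating recursive resolver
# sets the AD (authenticated data) bit on answers it validated and returns
# SERVFAIL for answers that fail validation; a forwarder that does not
# validate sets neither. Assumptions: unbound on 127.0.0.1:5335 (Pi-hole
# guide default), dig(1) installed; function names and sample are mine.
RESOLVER="${RESOLVER:-127.0.0.1}"
PORT="${PORT:-5335}"

# Return 0 if the dig header text in $1 carries the AD flag.
ad_flag_set() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# Print the response code (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig header text in $1.
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# Classify dig header text: BOGUS (SERVFAIL), VALIDATED (AD set) or
# UNVALIDATED (answered, but not proven authentic). SERVFAIL can also mean
# an unreachable zone, so re-check with `dig +cd` before blaming DNSSEC.
classify() {
    if [ "$(rcode_of "$1")" = "SERVFAIL" ]; then
        echo BOGUS
    elif ad_flag_set "$1"; then
        echo VALIDATED
    else
        echo UNVALIDATED
    fi
}

# Query NAME (A record, DO bit set so the resolver reports AD) and classify it.
check_name() {
    out=$(dig @"$RESOLVER" -p "$PORT" "$1" A +dnssec +noall +comments) || return 2
    classify "$out"
}

# Constructed dig header of a validated reply, used when run with no arguments.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

if [ $# -gt 0 ]; then
    for name in "$@"; do printf '%s: %s\n' "$name" "$(check_name "$name")"; done
else
    printf 'sample: %s\n' "$(classify "$SAMPLE_VALIDATED")"
fi
```

Run it as `sh check_dnssec.sh example.com` against the live resolver; a name whose signatures are deliberately broken should come back BOGUS while an unsigned zone comes back UNVALIDATED.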
Thank you so much for your response answering my questions. I have one more question. Is there a way to download a full list of current DNS records and have it available for unbound locally in cache?
For one, authoritative DNS servers stamp DNS records with an expiry date, which can be anything from a few seconds up to weeks or even months, and often is a few minutes only.
Chances are that a major portion of persisted DNS entries would have expired when trying to load them from persistent storage.
And to trust DNS records and guard against manipulated cache entries, unbound would have to apply DNSSEC validation anyway, i.e. you wouldn't save any DNS traffic.