I am interested in enhancing the security and anonymity of my Pi-hole setup with Unbound firewall, which is running on Qubes 4.1 (sys-pihole). I would appreciate any recommendations on what I can add or configure to achieve this goal.
Apologies for the confusion. What I meant was that I use Pi-hole as an alternative to my firewall. Do you have any suggestions for additional settings or external applications that I could add to my Pi-hole/Unbound setup to further enhance security and anonymity? I was considering adding DNSCrypt, what are your thoughts on that?
Pi-hole is not a firewall either - it is a DNS filter.
It can't serve as a replacement for a firewall.
The most important difference is that a firewall sits at some gateway in your network where it is able to analyse all of your network's traffic that is passing through that gateway.
In contrast, a DNS filter like Pi-hole only ever sees the DNS traffic portion, and only from those clients that are willingly using it.
This means that it can sit anywhere in your network, as clients commonly will be configured to use it for DNS requests via various mechanisms like DHCP or RDNSS.
But this also means it's easy to by-pass a DNS filter, e.g. by manually configuring a client's OS for a public DNS server, or by running nslookup some.domain.com 188.8.131.52. In a similar fashion, any piece of software could use an alternate DNS server.
A firewall would be the tool of choice to analyse and forcefully redirect DNS requests to a chosen DNS resolver.
If that's what you're after, you are barking up the wrong tree.
Instead, you should consider consulting the forums for your chosen firewall solution.
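The bypass described in the reply above is visible in a gateway firewall's packet log. The Python below is an added example, not part of the original thread: it scans constructed lines in the Linux netfilter LOG format and reports clients that send port-53 traffic to a resolver other than the Pi-hole. The Pi-hole address 10.137.0.10, the DNSLOG prefix and the function names are assumptions.

```python
import re
from collections import defaultdict

PIHOLE_IP = "10.137.0.10"  # assumption: address of the Pi-hole/Unbound host
DNS_PORT = 53

# Constructed sample lines in the netfilter LOG format (not taken from the thread).
SAMPLE_LOG = """\
kernel: DNSLOG IN=eth1 OUT=eth0 SRC=10.137.0.21 DST=10.137.0.10 LEN=60 PROTO=UDP SPT=40112 DPT=53
kernel: DNSLOG IN=eth1 OUT=eth0 SRC=10.137.0.22 DST=192.0.2.53 LEN=60 PROTO=UDP SPT=51820 DPT=53
kernel: DNSLOG IN=eth1 OUT=eth0 SRC=10.137.0.22 DST=192.0.2.53 LEN=72 PROTO=TCP SPT=51822 DPT=53
kernel: DNSLOG IN=eth1 OUT=eth0 SRC=10.137.0.23 DST=198.51.100.7 LEN=52 PROTO=TCP SPT=44321 DPT=443
kernel: DNSLOG IN=eth1 OUT=eth0 SRC=10.137.0.10 DST=198.51.100.9 LEN=60 PROTO=UDP SPT=33000 DPT=53
truncated line without fields
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=value fields of one netfilter LOG line as a dict."""
    return dict(FIELD.findall(line))


def find_dns_bypass(log_text, resolver=PIHOLE_IP, port=DNS_PORT):
    """Map each client to the resolvers it queried directly instead of the filter."""
    bypass = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("PROTO") not in ("UDP", "TCP"):
            continue  # not a transport DNS uses, or a malformed line
        if fields.get("DPT") != str(port):
            continue  # not addressed to the DNS port
        src, dst = fields.get("SRC"), fields.get("DST")
        if not src or not dst:
            continue  # incomplete record
        if src == resolver or dst == resolver:
            continue  # client using the filter, or the filter's own upstream lookups
        bypass[src].add(dst)
    return {client: sorted(dsts) for client, dsts in bypass.items()}


if __name__ == "__main__":
    for client, resolvers in find_dns_bypass(SAMPLE_LOG).items():
        print(f"{client} sent DNS directly to {', '.join(resolvers)}")
```

This only covers plain DNS on port 53; it sees nothing unless the firewall actually logs forwarded traffic at the gateway.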