Is dnssec working?

Also take note: once you get to the Pi-hole configuration at the bottom, ignore making the new dnsmasq config file. Instead, set the address and port in the Pi-hole GUI.

I should be able to help if you hit any roadblocks.
One more tip: you can use the default stubby.yml; no editing is actually required.

Crap, I lied...

Replace this command at the very end, sudo systemctl restart dnsmasq, with sudo pihole restartdns. Probably not necessary to even run, honestly.

Thanks @drewski
I'll take a look when I get a chance.
I tried following the guide for cloudflared, went all the way through, but couldn't resolve any queries.

I'm glad to help.
I have been using stubby for months now. Very reliable! Good luck

Yeah makes sense.
Sky must have changed something in recent times.
Annoying.
Thanks for all your help, appreciated.
I'll give stubby a try over the weekend, given cloudflared didn't seem to work.

I have this in my config already.

I've also tried this, but unbound 1.6.0 tells me this is an unknown key using unbound-checkconf

@Valiceemo

sudo apt update
sudo apt upgrade -y
sudo apt install -y libev4 libevent-core-2.0.5 libuv1 libidn11 libyaml dns-root-data libunbound2
sudo apt install -y build-essential libssl-dev libtool m4 autoconf libyaml-dev
git clone https://github.com/getdnsapi/getdns.git
cd getdns
git checkout master
sed -i 's#git://#https://#g' .gitmodules # fix for git checkout
git submodule update --init
libtoolize -ci
autoreconf -fi
mkdir -v build && cd build
../configure --prefix=/usr/local --without-libidn --without-libidn2 --enable-stub-only --with-ssl --with-stubby
make
sudo make install
sudo /sbin/ldconfig -v
cd ../stubby
sudo useradd stubby
sudo /usr/bin/install -Dm644 stubby.yml.example /etc/stubby.yml
sudo nano /lib/systemd/system/stubby.service

[Unit]
Description=stubby DNS resolver
Wants=network-online.target
After=network-online.target

[Service]
ExecStart=/usr/local/bin/stubby -C /etc/stubby.yml
Restart=on-abort
User=stubby

[Install]
WantedBy=multi-user.target

sudo systemctl daemon-reload
sudo systemctl enable stubby
sudo systemctl start stubby

sudo /sbin/ldconfig -v

^
This should get stubby installed.
The code after sudo nano goes inside the stubby.service you just created.
Follow this guide I just typed. The one I linked doesn't build stubby with SSL for some reason. That's a big problem. Just let me know if you get stuck. Once the above is completed, run sudo nano /etc/stubby.yml. I recommend turning off round robin in there. You may have to enable DNSSEC; I cannot remember the default. You can change the other configurations to your liking. The last thing you have to do is add the stubby IP and port to the DNS section in http://pi.hole/ (this is configured in the above stubby.yml).

Lastly, I'm on mobile rn, sorry if formatting is crap.

Be careful with .yml files; they do not like whitespace.

One more thing: you might have trouble with the dependencies. You might have to search for the equivalent libs etc.: sudo apt search

Example: I think libuv1 might actually be libuv10
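
Added example (not part of the original posts): one way to answer the "is DNSSEC working?" question once stubby is in place, by comparing the dig replies for a correctly signed name and for a name with deliberately broken signatures. The port 5053 and the two test names in the comment are assumptions, and the sample replies are constructed.

```shell
#!/bin/sh
# Added example: judge DNSSEC validation from two dig replies.
# Live use (port 5053 and both names are assumptions; substitute your own):
#   dnssec_verdict "$(dig @127.0.0.1 -p 5053 +dnssec <signed-name>)" \
#                  "$(dig @127.0.0.1 -p 5053 +dnssec <broken-name>)"

# Print the status field from dig's ";; ->>HEADER<<-" line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the AD (Authenticated Data) flag is set on the ";; flags:" line.
dig_has_ad() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# $1 = reply for a correctly signed name, $2 = reply for a name with
# deliberately broken signatures. A validating resolver answers the first
# and returns SERVFAIL for the second.
dnssec_verdict() {
    good_status=$(dig_status "$1")
    bad_status=$(dig_status "$2")
    if [ "$good_status" != "NOERROR" ]; then
        echo "inconclusive: signed name did not resolve ($good_status)"
    elif [ "$bad_status" != "SERVFAIL" ]; then
        echo "not validating: broken signatures were accepted ($bad_status)"
    elif dig_has_ad "$1"; then
        echo "validating"
    else
        echo "bogus answers rejected, but no AD flag on signed answers"
    fi
}

# Constructed sample replies (header lines only, not captured output).
GOOD_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
BAD_REPLY=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
LEAKY_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

dnssec_verdict "$GOOD_REPLY" "$BAD_REPLY"    # resolver with validation on
dnssec_verdict "$GOOD_REPLY" "$LEAKY_REPLY"  # resolver with validation off
```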

Yes I have the hash in my config:

pi@pi-hole:~ $ cat /etc/unbound/unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.

include: "/etc/unbound/unbound.conf.d/*.conf"

#use ca-certificate
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-ssl-upstream: yes
pi@pi-hole:~ $ unbound-checkconf
/etc/unbound/unbound.conf:15: error: unknown keyword 'tls-cert-bundle'
/etc/unbound/unbound.conf:15: error: stray ':'
/etc/unbound/unbound.conf:15: error: stray '"'
/etc/unbound/unbound.conf:15: error: unknown keyword '/etc/ssl/certs/ca-certificates'
/etc/unbound/unbound.conf:15: error: stray '"'
read /etc/unbound/unbound.conf failed: 5 errors in configuration file

Get the same error with ssl-cert-bundle

Thanks @drewski for the detailed guide!
I'll give this a shot when I get a bit of spare time.

You're welcome!
I'm just trying to piece it together it's been so long.

Yes you're right.
But even with

#use ca-certificate
ssl-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

In /etc/unbound/unbound.conf.d/pi-hole.conf I still get the same error

I am giving the answers.
My unbound pihole.conf contains server: at the top with the SSL cert entry underneath.
I removed ssl-cert-bundle from the main unbound config
The certificate file is located at /etc/ssl/certs/ca-certificate.crt
Hence me declaring it there.

Can confirm the above works if you are interested. I just rebuilt stubby.

Definitely interested.
Just not able to try just yet. Will report back when I've got it going

I can make these changes, worth a try.
But the guys at the unbound git said the forward zones should be in the main unbound config

If I forward my request in TLS and my upstream is using DNSSEC, how could tampering occur? No one can pretend to be my upstream and my upstream cannot spoof the test. So where is the danger?

I'm just making sure I have my head on straight.

Thought I'd give this a bash....failed at the first step.

pi@pi-hole:~ $ sudo apt install libev4 libevent-core-2.0.5 libuv1 libidn11 libyaml dns-root-data libunbound2
Reading package lists... Done
Building dependency tree
Reading state information... Done
Note, selecting 'libevent-core-2.0-5' for regex 'libevent-core-2.0.5'
E: Unable to locate package libyaml

Searching for libyaml brings a few results, but I'm not sure on how to determine the best one to install