I am running DoT/DoH with dnsdist, unbound and pihole (dnsmasq).
add-subnet=32,128 -> this is correct
32 and 128 specify the prefix length: 32 = the whole IPv4 address, 128 = the whole IPv6 address.
With /16 you only get the /16 network (CIDR notation) of the IP address, not the full address.
###haproxy###
frontend fe-https
....
option forwardfor
...
###dnsdist###
-- EDNS Client Subnet: replace any ECS option the client sent with one built from
-- the client's own address, at the prefix lengths set just below.
setECSOverride(true)
-- Full-length prefixes: the complete IPv4 / IPv6 client address is forwarded to
-- the backends (this matches the add-subnet=32,128 setting on the dnsmasq side).
-- NOTE(review): with 32/128 the backend resolvers learn each individual client
-- address; a shorter prefix (e.g. 24/56) would limit what leaves this host.
setECSSourcePrefixV4(32)
setECSSourcePrefixV6(128)
-- DNS over TLS: one listener per address family on 853, serving both an RSA and an
-- ECDSA chain with their matching keys, TCP enabled, SO_REUSEPORT on, TLS 1.2 minimum.
-- The cipher string drops RSA key exchange (ECDHE with the RSA chain is still allowed),
-- PSK, LOW, anonymous and NULL suites; check the effective list with
-- `openssl ciphers -v '<string>'` on the OpenSSL build in use. TLS 1.3 suites are not
-- governed by this string (OpenSSL selects them through a separate ciphersuites list).
addTLSLocal("0.0.0.0:853", {"/dnsdist_certs/rsa/fullchain.cer", "/dnsdist_certs/ecdsa/fullchain.cer"}, {"/dnsdist_certs/rsa/test.de.key", "/dnsdist_certs/ecdsa/test.de.key"}, {doTCP=true, reusePort=true, provider='openssl', minTLSVersion='tls1.2', ciphers='HIGH:!RSA:!PSK:!LOW:!aNULL:!eNULL:!SHA1:!SHA256:!SHA384'})
addTLSLocal("[::]:853", {"/dnsdist_certs/rsa/fullchain.cer", "/dnsdist_certs/ecdsa/fullchain.cer"}, {"/dnsdist_certs/rsa/test.de.key", "/dnsdist_certs/ecdsa/test.de.key"}, {doTCP=true, reusePort=true, provider='openssl', minTLSVersion='tls1.2', ciphers='HIGH:!RSA:!PSK:!LOW:!aNULL:!eNULL:!SHA1:!SHA256:!SHA384'})
-- DNS over HTTP (HTTPS with haproxy): plain-HTTP listener on port 80; haproxy in
-- front terminates TLS (no cert/key is passed here, hence the two nil arguments).
-- The three paths are the URL paths accepted as DoH endpoints.
-- trustForwardedForHeader=true makes dnsdist take the client address from the
-- X-Forwarded-For header that haproxy adds via `option forwardfor`, so that ECS and
-- any client-based rules see the real client rather than haproxy's address.
-- NOTE(review): that header is only trustworthy if port 80 is reachable from haproxy
-- alone — restrict the listener (bind to the proxy-facing address or firewall it),
-- otherwise anything that can reach port 80 directly can choose the address dnsdist
-- records and forwards in ECS.
addDOHLocal("0.0.0.0:80", nil, nil, {"/doh_874653", "/doh_874653_unbound", "/doh_874653_pihole"}, {serverTokens="h2o/dnsdist", tcpFastOpenSize=0, reusePort=true, trustForwardedForHeader=true})
-- Backend rules: route DoH queries by URL path. DSTPortRule(80) limits the match to
-- the DoH listener; the two generic paths go to the unbound pool, the _pihole path to
-- the pihole pool. Queries on other paths are not matched here and fall through to
-- whatever default pool is configured elsewhere (not visible in this excerpt).
addAction(AndRule({ DSTPortRule(80), HTTPPathRule("/doh_874653") }), PoolAction("pool-unbound"))
addAction(AndRule({ DSTPortRule(80), HTTPPathRule("/doh_874653_unbound") }), PoolAction("pool-unbound"))
addAction(AndRule({ DSTPortRule(80), HTTPPathRule("/doh_874653_pihole" ) }), PoolAction("pool-pihole") )
###dnsmasq (in pfsense)###
# Pass the DNSSEC validation status (AD bit) received from the upstream server through
# to clients instead of validating locally. This only makes sense because the upstream
# (pihole) is on the trusted LAN hop; do not enable it towards an untrusted resolver.
proxy-dnssec
# Disable dnsmasq's own cache so every query is forwarded (and carries fresh ECS data).
cache-size=0
# Attach the requesting client's MAC address as an EDNS0 option.
# NOTE(review): this is meaningful only for the LAN hop to pihole; confirm the option is
# not carried onward to external resolvers.
add-mac
# Attach the client's address as EDNS Client Subnet: 32 = full IPv4, 128 = full IPv6.
add-subnet=32,128
# Forward to pihole on port 53. The trailing parenthetical is the author's note, not
# dnsmasq syntax; the real line is just server=<pihole-ip>#53.
server=x.x.x.x#53 (x.x.x.x = pihole ip)
###pihole###
# Switch pihole-FTL to the new/edns0 branch without interaction: the piped "y" answers
# the checkout confirmation prompt. NOTE(review): this tracks a development branch;
# move back to a release build once the EDNS0 handling has landed in stable.
echo y |pihole checkout ftl new/edns0