Pi-Hole + Unbound, Advanced DNS settings and Cache

Some questions regarding the Advanced DNS settings in Pi-hole while using Unbound.

I know that the “Use DNSSEC” setting should be off because Unbound handles DNSSEC already. (Correct me if I am wrong.)

What about the other two settings (“Never forward non-FQDN A and AAAA queries” and “Never forward reverse lookups for private IP ranges”)? Do they affect the Unbound setup at all?

Also one final question: should I disable the Pi-hole caching (aka DNS cache size)? It is currently set to 10000. Should I set it to 0 because Unbound already caches too, or does it not hurt?

(I don’t use Pi-hole as DHCP server)

Thank you

Pi-hole's DNSSEC option will show the individual recursive lookups and the DNSSEC outcomes in the Query Log. It's not doing DNSSEC, it's merely utilising the DNSSEC capabilities of the DNS server. As you say, Unbound is configured to handle DNSSEC.

Enabling in Pi-hole will increase the log file sizes because the additional info and DNSSEC queries are now being captured too. In practice I've had no issues with the logs and it's useful to have enabled.

Those settings ensure that individual hostnames, such as "router" or "appletv", and queries related to addresses such as 192.168.x.x, are not sent to the configured upstream server or servers to resolve. They wouldn't be able to resolve them anyway, and, if using an external provider, could reveal private name info to them.

Pi-hole also caches info; you can see cached responses in the Query Log. Leave it enabled. Mine's on that same default, no issues.
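The effect of the two forwarding settings described in the reply above can be modelled as follows. This is an added example, not part of the original thread and not Pi-hole's or dnsmasq's own code. The function names are hypothetical, the private range list is limited to RFC 1918 as an assumption, and the sample queries are constructed.

```python
import ipaddress

# RFC 1918 ranges only; the resolver's own list may differ (assumption).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_name_to_ip(qname):
    """Return the IPv4 address encoded in a full in-addr.arpa name, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def forwarded_upstream(qname, qtype, fqdn_required=True, bogus_priv=True):
    """Decide whether a query would leave the local resolver (simplified model)."""
    qtype = qtype.upper()
    name = qname.rstrip(".")
    # "Never forward non-FQDN A and AAAA queries": single-label names stay local.
    if fqdn_required and qtype in ("A", "AAAA") and "." not in name:
        return False
    # "Never forward reverse lookups for private IP ranges".
    if bogus_priv and qtype == "PTR":
        ip = reverse_name_to_ip(name)
        if ip is not None and any(ip in net for net in PRIVATE_NETS):
            return False
    return True


# Constructed sample queries (not taken from a real log).
SAMPLE_QUERIES = [
    ("router", "A"),
    ("appletv", "AAAA"),
    ("example.com", "A"),
    ("10.1.168.192.in-addr.arpa", "PTR"),
    ("8.8.8.8.in-addr.arpa", "PTR"),
]


def leaked(queries, **settings):
    """Return the queries that would be sent to the upstream server."""
    return [q for q in queries if forwarded_upstream(*q, **settings)]


if __name__ == "__main__":
    print("both on ->", leaked(SAMPLE_QUERIES))
    print("both off ->", leaked(SAMPLE_QUERIES, fqdn_required=False, bogus_priv=False))
```

With both settings on, only the public name and the public reverse lookup reach the upstream; with both off, the local hostnames and the 192.168.x.x reverse lookup go upstream as well.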
