Sorry for the confusion -- I set up the third system from scratch for testing purposes after it seemed, that "Type=idle" in stubby.service could be of help (it wasnt). This is the output of the third system (stubby and cloudflared installed, cloudflared deactivated) after reboot, pihole-FTL not started manually:
date
Fr 22. Feb 20:16:15 CET 2019
systemctl status pihole-FTL -l
● pihole-FTL.service - LSB: pihole-FTL daemon
Loaded: loaded (/etc/init.d/pihole-FTL; static; vendor preset: enabled)
Active: inactive (dead)
Docs: man:systemd-sysv-generator(8)
journalctl -u pihole-FTL
-- Logs begin at Fri 2019-02-22 20:15:30 CET, end at Fri 2019-02-22 20:16:17 CET. --
-- No entries --
DNSSEC: Not enabled in stubby, but enabled in pihole.
And what if you disable DNSSEC on Pi-hole as well ?
I've read postings here of dnsmasq versions having problems with DNSSEC I believe.
Try the search as I dont have DNSSEC!
Well, I dont really need DNSSEC, so I will switch it of and report back.
But, DNSSEC validation not only means to check if dns-reply is not modified.
It will also authenticate the sender of the dns-reply against the trust anchor.
And besides that, the dns-reply could still be tampered on its way from the authoritative dns-server to the upstream resolver. Only the part from the upstream resolver to stubby goes throught the tunnel.
Anyway, I will try switching DNSSEC off, thank you for the hint
dns resolution works, web-interface works, and dnssec works, too.
I will try this setting on my first pihole system named "main", which we did not discuss so far. And I will also further investigate on the system "testing", that most of our conversation was about today (pihole, stubby and cloudflared). This will be probably on monday.