Now I'm wondering: is Unbound acting as a recursive DNS resolver, contacting authoritative DNS servers directly, or is it now using external DNS providers, and thus in fact no longer acting as a recursive server?
Noob question I guess - apologies beforehand.
(btw, it is all working well, so there is no specific issue)
Thanks!
So does that mean it still acts as a recursive DNS server and contacts authoritative DNS servers for DNS lookups?
In that case, how could I make sure the list of resolving servers that is used is the one used with a 'standard' Unbound installation (i.e. without the mods for TLS)? Could I just take out the forward-zone part?
If you take those out then there's no DoT function, and if you're not using DoT then just follow Redirecting... instead. That's what we can support and offer guidance on.
Configure unbound as a recursive resolver (with no forwarding) and it will get the IPs directly from the nameservers as described in the unbound guide in our docs.
Configure unbound as a forwarding resolver, and it no longer communicates with the authoritative nameservers. It gets the IPs from the recursive resolver you specified.
My opinion - you get better privacy going to the nameservers directly when running unbound as a recursive resolver. No upstream DNS provider has your DNS history. And, with encrypted DNS you hide very little from your ISP, as they see all the requests for IPs in clear text. After you get the IP through encrypted means (all hidden from the ISP), then you immediately send this IP to the ISP. With not much effort they can figure out where you are browsing.
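To make the distinction in the replies above concrete, here is an added example (not from the original thread or from any project documentation) of an unbound.conf with the two modes side by side: a recursive section that talks to the root and authoritative nameservers itself, and a commented-out forward-zone that, when enabled, sends every query over DNS-over-TLS to an upstream resolver instead. The listen address, file paths and the two upstream DoT endpoints are assumptions chosen for illustration; substitute your own. Whether Unbound is "recursive" or "forwarding" is decided entirely by the presence of a forward-zone for "." (the root): remove it and Unbound is back to plain recursion.

```conf
# unbound.conf - added illustrative example, not the page's own config.
# Addresses, paths and upstream providers below are assumptions.

server:
    interface: 127.0.0.1          # assumption: only serve the local host
    access-control: 127.0.0.0/8 allow

    # Recursive-resolver hardening: validate DNSSEC and send as little
    # of the query name as possible to each nameserver on the way down.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    harden-dnssec-stripped: yes
    qname-minimisation: yes

    # Needed only when forward-tls-upstream is enabled below, so that the
    # upstream's certificate can be checked against the #authname.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # assumed path

# MODE 1 (recursive): no forward-zone at all. Unbound starts at the root
# servers (built-in hints) and walks down to the authoritative servers.
# Nothing further is required; this is the "standard" installation.

# MODE 2 (forwarding over DoT): uncomment this block. Every query for "."
# (i.e. everything) now goes to the listed resolvers over TLS on port 853,
# and Unbound no longer contacts authoritative nameservers itself.
#
# forward-zone:
#     name: "."
#     forward-tls-upstream: yes
#     # address@port#authname: the name after '#' is verified against the
#     # server certificate. Providers below are example choices.
#     forward-addr: 9.9.9.9@853#dns.quad9.net
#     forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

After editing, run `unbound-checkconf` to validate the file and `unbound-control forward` (or `unbound-control list_forwards`) to see whether a forwarder is configured for "."; an empty result means Unbound is resolving recursively. A query such as `dig +dnssec example.com @127.0.0.1` should return the `ad` flag in either mode once the trust anchor is in place, which confirms that validation is happening locally rather than being trusted from upstream.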