DNS

dns/adblocking.md

@@ -9,12 +9,15 @@ permalink: /dns/adblocking
 
 * [UncensoredDNS](https://blog.uncensoreddns.org/dns-servers/) (Denmark + USA)
 * [DNS.WATCH](https://dns.watch/) (Germany)
-* [SecureDNS](https://securedns.eu/) (**only DoH, DoT and DNSCrypt** which are currently not supported by Blokada/Pi-hole*, Netherlands)
+* [SecureDNS](https://securedns.eu/) (Netherlands, **only DoH, [DoT](dot/index.md) and DNSCrypt** which are currently not supported by Blokada/Pi-hole*)
+* [Digitale Gesellschaft DNS](https://www.digitale-gesellschaft.ch/dns) (Switzerland, **only DoH and [DoT](dot/index.md)** which are currently not supported by Blokada/Pi-hole*)
 
 \* = Not supported out of the box, requires [DoH client](pihole-doh.md).
 
 You can also run your own resolver with [Unbound](https://nlnetlabs.nl/projects/unbound/about/), very easy to setup (only port has to be changed when used with Pi-hole).
 
+You may also want to use [DNS-over-TLS with Unbound](dot/unbound-linux.md).
+
 ### Hosts lists
 
 * [Energized](https://energized.pro/#packs)

dns/dot/unbound-linux.md

+---
+title: DNS-over-TLS on Unbound
+permalink: /dns-over-tls/unbound/linux/
+---
+
+Filename `/etc/unbound/unbound.conf`
+
+```
+# Unbound configuration file for Debian.
+#
+# See the unbound.conf(5) man page.
+#
+# See /usr/share/doc/unbound/examples/unbound.conf for a commented
+# reference config file.
+#
+# The following line includes additional configuration files from the
+# /etc/unbound/unbound.conf.d directory.
+include: "/etc/unbound/unbound.conf.d/*.conf"
+
+server:
+  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+
+forward-zone:
+  name: "."
+  forward-tls-upstream: yes
+
+  forward-addr: 91.239.100.100@853#anycast.censurfridns.dk
+  forward-addr: 146.185.167.43@853#dot.securedns.eu
+```
+
+
+## Further reading
+
+* [Actually secure DNS over TLS in Unbound](https://www.ctrl.blog/entry/unbound-tls-forwarding)
\ No newline at end of file