Unbound How can I get DoT Cloudflare by Editing the .conf file?

Status
Not open for further replies.

muffintastic

Senior Member
How do I get this to work with Cloudflare DNS in the .conf file?

This is my current setting without it installed:
Untitled.jpg
 
How do I get this to work with Cloudflare DNS in the .conf file?

This is my current setting without it installed:
View attachment 36155
Using the Advanced menu command DoT
Code:
unbound (pid 25177) is running... uptime: 3 days 07:43:28 version: 1.13.2 # Version=v1.13 Martineau update (Date Loaded by unbound_manager Thu Sep 2 14:28:35 DST 2021)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')     l  = Show unbound log entries (lo=Enable FULL Logging [log_level])
z  = Remove unbound/unbound_manager                                 v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
x  = Stop unbound                                                   vb = Backup current (/opt/var/lib/unbound/unbound.conf) Configuration [filename]
                                                                    rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                            oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'
sd = Show dnsmasq Statistics/Cache Size                             s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://10.88.8.1:80/user1.asp)
                                                                    adblock = Install Ad Block [uninstall | update | track]
DisableFirefoxDoH = Disable Firefox DoH [yes | no]                  youtube = Install YouTube Ad Block [uninstall | update]
Stubby = Enable Stubby Integration                                  DoT = Enable DNS-over-TLS
                                                                    firewall = Enable DNS Firewall [disable | ?]
bind = BIND unbound to WAN [debug | disable | debug show]           vpn = BIND unbound to VPN {vpnid [debug]} | [disable | debug show] e.g. vpn 1

scribe = Enable scribe (syslog-ng) unbound logging                  ad = Analyse Diversion White/Block lists ([ file_name [type=adblock] ])
dnsmasq = Disable dnsmasq [disable | interfaces | nointerfaces]     ea = Edit Ad Block Allowlist (eb=Blocklist; eca=Config-AllowSites; ecb=Config-BlockSites; el {Ad Block file})
dumpcache = [bootrest] (or Manually use restorecache after REBOOT)  ca = Cache Size Optimisation [ min | calc ]
                                                                    views = [? | uninstall] | {view_name [? | remove]} | {view_name [[type] domain_name[...] | IP_address[...]] [del]} ]
                                                                    safesearch = Enable Safe Search [disable | status | ? ] e.g. redirect google.com to forcesafesearch.google.com
                                                                    localhost = Add { domain_name {IP_address | del} }

dig = {domain} [time] Show dig info e.g. dig asciiart.com           lookup = {domain} Show the name servers used for domain e.g. lookup asciiart.eu
dnsinfo = {dns} Show DNS Server e.g. dnsinfo                        dnssec = {url} Show DNSSEC Validation Chain e.g. dnssec www.snbforums.com
links = Show list of external URL links


[Enter] Leave Advanced Tools Menu

e  = Exit Script [?]

A:Option ==> DoT

Do you want to ENABLE DoT with unbound?

    Warning: This will DISABLE being able to be your own trusted Recursive DNS Resolver

So, do you STILL want to ENABLE DoT with unbound?

    Reply 'y' or press [Enter]  to skip
y

    Enabling DoT with unbound now as a Forwarder.

22:12:26 Checking 'unbound.conf' etc. for valid Syntax.....
22:12:39 Saving unbound cache to '/opt/share/unbound/configs/cache.txt' msg.cache=872/327 rrset.cache=2665/1519
22:12:39 Requesting unbound (S61unbound) restart.....
Shutting down unbound...              done.
Starting unbound...              done.
22:12:49 Checking status, please wait.....
22:13:27 Restoring unbound cache from '/opt/share/unbound/configs/cache.txt' (2021-09-05 22:12:35) msg.cache=0/327 rrset.cache=32/1519
22:13:35 unbound OK

    Router Configuration recommended pre-reqs status:

    [✔] Swapfile=1048572 kB
    [✔] DNS Filter=ON
    [✔] DNS Filter=ROUTER
    [✖] Warning WAN: Use local caching DNS server as system resolver=YES        see http://10.88.8.1:80/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks
    [✔] Entware NTP server 'S77chronyd' is running
    [✔] Enable DNS Rebind protection=NO
    [✔] Enable DNSSEC support=NO

    Options: Auto Reply='y' for User Selectable Options ('3 4 5') Ad Block,Performance Tweaks,Firefox DoH

    [✔] Ad and Tracker Blocking (No. of Adblock domains=231417,Blocked Hosts=10,Allowlist=19,Blocked Country=6)
    [✔] unbound CPU/Memory Performance tweaks
    [✔] Firefox DNS-over-HTTPS (DoH) DISABLE/Blocker
    [✔] DoT ENABLED. These third parties are used:
        1.1.1.1@853#cloudflare-dns.com
        1.0.0.1@853#cloudflare-dns.com
        9.9.9.9@853#dns.quad9.net
        149.112.112.112@853#dns.quad9.net
    [✔] Router Graphical GUI statistics TAB installed
    [✔] unbound-control FAST response ENABLED
    [✔] YouTube Ad Blocking (Forcing to use YT IP 62.24.208.79, No. of YouTube Video Ad domains=135)
    [✔] unbound 'views:' ENABLED (1 views)
    [✔] Safe Search ENABLED (209 domains e.g. redirect "www.google.com" to "forcesafesearch.google.com")
will enable the appropriate DoT directives (as shown above) in the .conf file. (you can use the unbound_manager v command to see what statements are uncommented etc.)

NOTE: As per the unbound_manager FAQ,
configuring unbound to use DoT isn't necessary as you can simply use the GUI options as you posted together with dnsmasq, thereby making unbound redundant.
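
As an added example (not from this thread and not unbound_manager code), the sketch below puts a hand-edited Cloudflare-only DoT forwarder next to a plaintext one and audits both for the three directives that matter: `forward-tls-upstream`, the `@853#name` suffix on each `forward-addr`, and a `tls-cert-bundle`, without which unbound cannot authenticate the upstream. The function names are hypothetical and the CA bundle path is a placeholder.

```shell
# Added example, not unbound_manager code: audit an unbound.conf for a DoT forwarder.
# Constructed sample: Cloudflare-only DoT. The CA bundle path is a placeholder.
dot_conf() { cat <<'EOF'
server:
    tls-cert-bundle: "/path/to/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
}

# Constructed weak counterpart: plaintext forwarding, nothing to verify against.
weak_conf() { cat <<'EOF'
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
EOF
}

# Reads a config on stdin, prints one line per finding, returns 0 if clean.
check_dot() {
    awk '
    function finish(   i) {          # evaluate the clause that just ended
        if (clause != "forward-zone" || name != ".") return
        root = 1
        if (tls != "yes") { print "root forward-zone lacks forward-tls-upstream: yes"; bad = 1 }
        for (i = 1; i <= n; i++)
            if (addr[i] !~ /^[0-9a-fA-F.:]+@853#[A-Za-z0-9.-]+$/) { print "forward-addr without @853#auth-name: " addr[i]; bad = 1 }
    }
    /^[ \t]*#/ { next }              # whole-line comment
    { sub(/[ \t]+#.*$/, "") }        # trailing comment; "#" inside forward-addr stays
    NF == 1 && $1 ~ /:$/ { finish(); clause = substr($1, 1, length($1) - 1); name = tls = ""; n = 0; next }
    { val = $2; gsub(/"/, "", val) }
    $1 == "name:" { name = val }
    $1 == "forward-tls-upstream:" { tls = val }
    $1 == "forward-addr:" { addr[++n] = val }
    $1 == "tls-cert-bundle:" && val != "" { ca = 1 }
    END {
        finish()
        if (!root) { print "no forward-zone for the root (.) found"; bad = 1 }
        if (!ca) { print "no tls-cert-bundle: upstream certificates cannot be authenticated"; bad = 1 }
        exit bad + 0
    }'
}
dot_conf | check_dot && echo "dot_conf: clean"
weak_conf | check_dot || echo "weak_conf: findings listed above"
```

On the router, the live file can be audited with `check_dot < /opt/var/lib/unbound/unbound.conf`.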
 
configuring unbound to use DoT isn't necessary as you can simply use the GUI options as you posted together with dnsmasq, thereby making unbound redundant.
THIS ^.
unbound allows you to be your own DNS, keeping your network users' queries private by going straight to the Auth servers that CF, Google, etc. use to build their own versions of unbound (that people think they need to reference). This makes it just as fast, if not faster on average (eventually, your need to go out to those backbone Auth servers gets low, and queries to your own internal DNS become prevalent and happen in mere nanoseconds rather than pinging out in millisec)...
Pretty awesome to consider you're able to do what massive global conglomerates do on the internet at large on your home network, thanks to the work of people like @RMerlin and @Martineau, isn't it?
 