Configure stubby as a DNS-over-HTTPS client and unbound as a DNS cache for the local network

Use the following configuration and set the DHCP server to hand out 10.3.0.53 and fd00:2d3f:7fc8:3::53 as the DNS server.

Note: names on the local network will not resolve with this Unbound config (every query is forwarded upstream).

/etc/stubby/stubby.yml

# stubby listens on loopback only (IPv4 and IPv6, port 8053); unbound on this
# host forwards every query here (see the forward-zone in the unbound config).
# Only the listener settings are shown. The upstream resolver list and the TLS
# authentication setting (upstream_recursive_servers, tls_authentication) are
# not on this page — confirm them in the full stubby.yml, since they are what
# makes the upstream hop encrypted and authenticated.
listen_addresses:
  - 127.0.0.1@8053
  # 0::1 is ::1 written out; same address unbound forwards to below.
  - 0::1@8053
root@doh:~# cat /etc/unbound/unbound.conf.d/*
# Output of `cat /etc/unbound/unbound.conf.d/*`: each `server:` clause below
# comes from a separate drop-in file; unbound merges them into one server block.
server:
    # Send minimum amount of information to upstream servers to enhance
    # privacy. Only sends minimum required labels of the QNAME and sets
    # QTYPE to NS when possible.

    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
    # details.

    qname-minimisation: yes
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    # Validation also applies to answers that come back via the forward-zone
    # below, so the local stubby hop does not bypass it.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
server:
	directory: "/etc/unbound"
	username: unbound
	# make sure unbound can access entropy from inside the chroot.
	# e.g. on linux the use these commands (on BSD, devfs(8) is used):
	#      mount --bind -n /dev/random /etc/unbound/dev/random
	# and  mount --bind -n /dev/log /etc/unbound/dev/log
	# NOTE: no chroot: directive is set in the files shown, so the mount
	# commands above are only needed if a chroot is added elsewhere.
	# logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
	pidfile: "/etc/unbound/unbound.pid"
	verbosity: 1
	# Relative path, resolved against directory: above (/etc/unbound/root.hints).
	# With forward-zone "." below and no forward-first, every query goes to the
	# forwarder, so the hints should not be consulted in normal operation.
	root-hints: root.hints
	# Required: the forward-zone below points at stubby on 127.0.0.1/::1, which
	# unbound refuses to query by default.
	do-not-query-localhost:  no
	# listen on all interfaces, answer queries from the local subnet.
	# Binding 0.0.0.0/::0 also covers the global IPv6 address eth0 obtains via
	# autoconf (see /etc/network/interfaces below). Only the two ranges listed
	# in access-control are answered; unbound's default for every other source
	# is refuse, so this is not an open resolver — but 10.0.0.0/8 is far wider
	# than the 10.3.0.0/24 the host sits on; narrow it if no other 10.x subnets
	# need service.
	interface: 0.0.0.0
	interface: ::0
	access-control: 10.0.0.0/8 allow
	access-control: fd00:2d3f:7fc8::/48 allow
	interface-automatic: yes
# Forward everything to stubby on loopback. The unbound->stubby hop is plain
# DNS on localhost; stubby provides the encrypted upstream. forward-first is
# not set, so if stubby is down resolution fails rather than falling back to
# plaintext iteration (the safer default). Indentation is not significant to
# unbound, so the uneven indent of name: vs forward-addr: is harmless.
forward-zone:
  name: "."
    forward-addr: 127.0.0.1@8053
    forward-addr: ::1@8053
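# Fetch the root hints into unbound's working directory (the "directory:" and
# relative "root-hints: root.hints" settings above resolve to /etc/unbound).
# --fail makes curl exit non-zero on an HTTP error instead of saving the error
# page as root.hints; --silent --show-error limits output to real errors.
curl --fail --silent --show-error --output /etc/unbound/root.hints https://www.internic.net/domain/named.cache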
root@doh:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

 
 

source /etc/network/interfaces.d/*
# Static addresses on eth0 match the DNS server addresses the DHCP server
# hands out to clients (10.3.0.53 / fd00:2d3f:7fc8:3::53).
auto eth0
iface eth0 inet static
	address 10.3.0.53/24
	gateway 10.3.0.1
iface eth0 inet6 static
        address fd00:2d3f:7fc8:3::53/64
        # use SLAAC to get global IPv6 address from the router
        # we may not enable ipv6 forwarding, otherwise SLAAC gets disabled
        # With autoconf the host gets a global IPv6 address; unbound above
        # binds ::0, so its access-control list is what keeps that address
        # from answering queries from outside the local network.
        autoconf 1
        # accept_ra 2 accepts Router Advertisements even when IPv6 forwarding
        # is enabled (it is the value 1 that stops on forwarding), so the
        # caution above applies to accept_ra 1 — confirm against the running
        # kernel's sysctl if forwarding is ever turned on.
        accept_ra 2