DNS-Over-HTTPS Fallback with Unbound
For situations where your ISP or network filters port 53 UDP traffic, configure Unbound to use DNS-over-HTTPS (DoH) for its upstream lookups while still presenting a standard DNS interface to Pi-hole:

```sh
sudo apt install stubby

# Configure stubby as a DoH proxy on port 8053
sudo tee /etc/stubby/stubby.yml > /dev/null << 'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_HTTPS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
listen_addresses:
  - 127.0.0.1@8053
round_robin_upstreams: 1
# Each upstream is authenticated against its TLS name; 853 is the DNS-over-TLS port
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_port: 853
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 9.9.9.9
    tls_port: 853
    tls_auth_name: "dns.quad9.net"
EOF

sudo systemctl enable --now stubby
```
Then configure Unbound to forward to stubby instead of root servers when DoH is needed:
```
# Add to /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    # Unbound refuses to send queries to 127.0.0.1 unless this is set to "no"
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053   # stubby's DoH proxy
    forward-no-cache: no
```
Using a forwarder (stubby) means Unbound no longer performs full recursive resolution: every query is handed to the configured upstream providers, which then see all of your lookups instead of only the authoritative servers involved. Remove the forward-zone and return to the root-hints configuration whenever your network allows direct recursive DNS.
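The switch between the forwarding and root-hints layouts is easy to get half-done, and the most common failure is a forward-zone pointing at 127.0.0.1 while `do-not-query-localhost` is left at its default, which makes Unbound return SERVFAIL for everything. The script below is an added example, not part of the original article: it parses an Unbound config in the clause/option layout shown above and flags that pitfall, plus a forward-addr whose port does not match the port stubby listens on. The two config strings are constructed samples (one with the `server:` fix, one without), and the `proxy_port` default of 8053 is taken from the stubby listener above.

```python
"""Sanity-check an Unbound forward-zone that points at a local DoH/DoT proxy.

Added example; it assumes the unbound.conf layout used in the article
(clause name on its own line ending in ':', options indented beneath it)
and a proxy listening on 127.0.0.1@8053.
"""

# Constructed sample: the article's forward-zone without the server-section fix.
BROKEN_CONF = """\
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053   # stubby's DoH proxy
    forward-no-cache: no
"""

# Constructed sample: the same forward-zone with do-not-query-localhost set.
FIXED_CONF = """\
server:
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@8053
    forward-no-cache: no
"""

LOCALHOST = ("127.0.0.1", "::1")


def parse_unbound(text):
    """Return (server_options, forward_zones) parsed from unbound.conf text.

    Comments after '#' are stripped. Only the 'server' and 'forward-zone'
    clauses are recorded; other clauses are skipped.
    """
    server = {}
    zones = []
    current = None  # None, "server", or the dict of the zone being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # A clause header is a bare word followed by ':' (e.g. "forward-zone:").
        if line.endswith(":") and " " not in line:
            clause = line[:-1]
            if clause == "server":
                current = "server"
            elif clause == "forward-zone":
                current = {"forward-addr": []}
                zones.append(current)
            else:
                current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if current == "server":
            server[key] = value
        elif isinstance(current, dict):
            if key == "forward-addr":  # may repeat within one zone
                current["forward-addr"].append(value)
            else:
                current[key] = value
    return server, zones


def check_forward_config(text, proxy_port=8053):
    """Return a list of problems found; an empty list means the config passes."""
    server, zones = parse_unbound(text)
    problems = []
    if not zones:
        problems.append("no forward-zone clause found")
        return problems
    for zone in zones:
        for addr in zone["forward-addr"]:
            host, _, port = addr.partition("@")
            if host in LOCALHOST:
                # Unbound's default is do-not-query-localhost: yes, so a
                # localhost forwarder silently fails without the override.
                if server.get("do-not-query-localhost", "yes") != "no":
                    problems.append(
                        f"forward-addr {addr} is localhost but "
                        "server: do-not-query-localhost is not 'no'"
                    )
                if port != str(proxy_port):
                    problems.append(
                        f"forward-addr {addr} does not use proxy port {proxy_port}"
                    )
    return problems


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        found = check_forward_config(conf)
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```

To check a real file, pass the contents of `/etc/unbound/unbound.conf.d/pi-hole.conf` to `check_forward_config` and then run `unbound-checkconf` for the syntax-level validation this script does not attempt.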
Related Articles
- Privacy-Focused DNS Resolver Comparison 2026
- Encrypted DNS over HTTPS on Linux
- Home Network Privacy Pihole Dns Filtering Guide 2026
- Configure Private DNS on Android for System-Wide Tracker
- Privacy-Focused DNS Providers Comparison 2026
- AI Coding Assistant Session Data Lifecycle

Built by theluckystrike. More at zovo.one