This mostly depends on personal preferences.
Select a DoT provider that you trust and reconfigure Unbound accordingly.
I think I will choose 1.1.1.1
Are DNSSEC and DNS over TLS set by default?
Do I just have to change the IP address in the unbound config file?
Doesn't DNS over TLS need a key or something within the config?
Good, major providers are typically more fault-tolerant.
Yep, for Cloudflare.
The server certificate should be verified using the ca-bundle package and the option tls_index in the unbound config that you should specify according to the link above.
I think I got it...
What does Encrypted SNI mean? Is this relevant for a private person?
If I get it right, the only thing that is visible is that I am making TLS requests to 1.1.1.1, right?
ESNI/ECH is a separate feature related to HTTP/HTTPS protocols with its own security implications:
https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications
Its support relies on the web server and client browser, so it's unrelated to OpenWrt.
Okay. Thank you very much!
Everything works now as expected!
If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.