For best results, you should configure your DNS-over-TLS (DoT) client to use
However, if you don't want your resolver to perform a lookup first, you can configure the following IPs and instruct your resolver to verify that a valid certificate is presented for the tls_auth_name dns.bentasker.co.uk.
    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 18.104.22.168@853#dns.bentasker.co.uk
        forward-addr: 22.214.171.124@853#dns.bentasker.co.uk
For more information, see how to configure Unbound for upstream DoT.
Configure your DNS-over-HTTPS client to place queries via
By default, ECS information will be included in upstream queries. If you do not want this, you should ensure your DoH client is set to request that ECS is not used.
    network.trr.uri: https://dns.bentasker.co.uk/dns-query
    network.trr.disable-ECS: false
    network.trr.mode: 2
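What "request that ECS is not used" looks like on the wire, as an added example (not code from this page or the service): a DoH query carrying the RFC 7871 opt-out, an EDNS Client Subnet option with SOURCE PREFIX-LENGTH 0, plus a check that a query really contains it. The function names are illustrative, and the parser assumes a query shaped like the one `build_query` produces (one question, OPT as the first additional record).

```python
import base64
import struct

DOH_URL = "https://dns.bentasker.co.uk/dns-query"  # endpoint named on the page
OPT_TYPE, ECS_CODE = 41, 8  # RFC 6891 OPT pseudo-RR, RFC 7871 ECS option code

def encode_qname(name):
    """Encode a hostname as length-prefixed DNS labels ending in the root label."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    if any(not 0 < len(l) < 64 for l in labels):
        raise ValueError("each label must be 1-63 bytes")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=1, ecs_opt_out=True):
    """Build a wire-format query; with ecs_opt_out, attach ECS with prefix 0."""
    # ID 0 (as RFC 8484 suggests for DoH), RD flag, 1 question, 1 additional.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN
    rdata = b""
    if ecs_opt_out:
        # FAMILY=1 (IPv4), SOURCE PREFIX-LENGTH=0, SCOPE=0, no address bytes.
        body = struct.pack("!HBB", 1, 0, 0)
        rdata = struct.pack("!HH", ECS_CODE, len(body)) + body
    # OPT RR: root owner, type 41, class = UDP size, TTL = ext flags, RDLEN.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(rdata)) + rdata
    return header + question + opt

def doh_get_url(wire):
    """RFC 8484 GET form: unpadded base64url in the dns parameter."""
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{DOH_URL}?dns={b64}"

def ecs_source_prefix(wire):
    """Return the ECS SOURCE PREFIX-LENGTH of a one-question query, or None."""
    pos = 12
    while wire[pos]:                    # walk the question name labels
        pos += wire[pos] + 1
    pos += 5                            # root label + QTYPE + QCLASS
    rtype, _, _, rdlen = struct.unpack_from("!HHIH", wire, pos + 1)
    if rtype != OPT_TYPE:
        return None
    pos += 11                           # OPT owner name + fixed fields
    end = pos + rdlen
    while pos + 4 <= end:
        code, length = struct.unpack_from("!HH", wire, pos)
        if code == ECS_CODE:
            return wire[pos + 6]        # byte after option header and FAMILY
        pos += 4 + length
    return None
```

A return of `0` from `ecs_source_prefix` means the query asks the resolver not to forward client subnet data; `None` means no ECS option is present, so the resolver's default applies.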