Encrypt your DNS with TLS aka DoT
You'll need to SSH into the Firewalla and create a new file.
- If you don't want the IPv6 entries, leave them out.
- I've included the settings for several common DNS providers as an example.
- Pick a single DNS provider and keep only its lines; don't mix providers.
- For your initial configuration, try Cloudflare, test it, and once that works, switch to the DNS provider of your choice.
sudo vi ~/.firewalla/config/unbound_local/unbound_custom.conf

server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
    forward-addr: 2001:4860:4860::8888@853#dns.google
    forward-addr: 2001:4860:4860::8844@853#dns.google
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
Once you have created the file, open the Firewalla app and go to DNS Services.
Disable DNS over HTTPS and enable Unbound.
Apply to All Devices, or whatever suits your needs.
Test DoT at https://1.1.1.1/help
You should see: Using DNS over TLS (DoT): Yes
DNSSEC validation is performed by the upstream DNS provider you choose.
Test with http://www.dnssec-failed.org/ ; the site should fail to load, which means validation is working.
If you change the configuration file, just toggle the Unbound switch in the Firewalla app to reload it.
Don't like it?
SSH back in and run:
sudo rm ~/.firewalla/config/unbound_local/unbound_custom.conf
Enjoy!
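As an added example (not part of the original post or of Firewalla's own tooling), here is a small POSIX shell script that writes a single-provider version of the config above, with IPv6 optional, so you don't end up mixing providers. The addresses and #auth names are the ones listed in the post; the unbound-checkconf call is an assumption about what is installed on the box and is skipped if it is missing.

```shell
#!/bin/sh
# Generate a single-provider Unbound DoT forward config (example script,
# not part of the original post or Firewalla's tooling).
# Usage: gen_dot_conf <cloudflare|google|quad9> [ipv6|noipv6]
gen_dot_conf() {
    provider="$1"
    ipv6="${2:-ipv6}"
    case "$provider" in
        cloudflare) v4="1.1.1.1 1.0.0.1"; v6="2606:4700:4700::1111 2606:4700:4700::1001"; name="cloudflare-dns.com" ;;
        google)     v4="8.8.8.8 8.8.4.4"; v6="2001:4860:4860::8888 2001:4860:4860::8844"; name="dns.google" ;;
        quad9)      v4="9.9.9.9 149.112.112.112"; v6="2620:fe::fe 2620:fe::9"; name="dns.quad9.net" ;;
        *) echo "unknown provider: $provider" >&2; return 1 ;;
    esac
    printf 'server:\n'
    # CA bundle Unbound uses to verify the upstream certificate against the #auth name
    printf '    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"\n\n'
    printf 'forward-zone:\n    name: "."\n    forward-tls-upstream: yes\n'
    addrs="$v4"
    [ "$ipv6" = "ipv6" ] && addrs="$v4 $v6"
    for a in $addrs; do
        # addr@853#authname: 853 is the DoT port; #authname pins the certificate hostname
        printf '    forward-addr: %s@853#%s\n' "$a" "$name"
    done
}

# Number of upstreams in a generated config (quick sanity check: 2 without IPv6, 4 with).
count_upstreams() {
    gen_dot_conf "$1" "$2" | grep -c '^ *forward-addr:'
}

# Syntax-check a generated config with unbound-checkconf when it is installed
# (assumed to be present on the Firewalla; skipped cleanly otherwise).
check_conf() {
    tmp=$(mktemp) || return 1
    gen_dot_conf "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$tmp"; rc=$?
    else
        echo "unbound-checkconf not found; skipping syntax check" >&2; rc=0
    fi
    rm -f "$tmp"; return $rc
}
```

To install, for example, a Quad9-only config without IPv6: `gen_dot_conf quad9 noipv6 | sudo tee ~/.firewalla/config/unbound_local/unbound_custom.conf`, then toggle Unbound in the app and run the https://1.1.1.1/help check above.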
-
Kind of defeats the purpose to use Google's DNS and let them collect all the sites you're going to. That's why I do nothing but use Unbound now.
I also suggest using dnsleaktest.com to see who can observe your DNS queries. The best results, like the example below, are when only you (your IP address) know about your DNS queries.