unbound: add documentation for custom forwarding and DoT

source/manual/how-tos/dnscrypt-proxy.rst

@@ -14,17 +14,17 @@ After a page reload you will get a new menu entry under **Services** for DNSCryp
 When you start the daemon, it looks for a list of public DNS server from here:
 https://dnscrypt.info/public-servers
 
-Depending on all settings below the list will shortened to your choice, like only IPv4, or logging disabled.
+Depending on all settings below the list can be shortened to your choice, like only IPv4, or logging disabled.
 The fastest two servers will be used for DNS queries. If you use Unbound as your main resolver and want to
-send your queries to Unbound first and forward to DNSCrypt-Proxy, just set this in your Unbound Advanced
-settings:
-
-.. code-block:: sh
-
-    do-not-query-localhost: no
-    forward-zone:
-    name: "."
-    forward-addr: 127.0.0.1@5353
+send your queries to Unbound first and forward to DNSCrypt-Proxy, just set this in your Unbound Custom Forwarding
+entries:
+
+====================================  ===============================================================================
+Enabled                               Checked
+Domain                                <empty>
+Server IP                             127.0.0.1
+Port                                  5353
+====================================  ===============================================================================
 
 ----------------
 General Settings

source/manual/unbound.rst

@@ -242,6 +242,72 @@ YoYo List                             https://pgl.yoyo.org/adservers/
 
     Usually once a day is a good enough interval for these type of tasks.
 
+
+-------------------------
+Custom Forwarding
+-------------------------
+
+Enabling Query Forwarding in Unbound-->General lets Unbound use the configured system nameservers to
+forward queries to. Since this does not allow for fine-grained control, the Custom Forwarding section allows for
+entering arbitrary nameservers to forward queries to. It is assumed that the nameservers entered here are capable
+of handling further recursion for any query. In this section you are able to specify nameservers to forward to 
+for specific domains queried by clients, catch all domains and specify nondefault ports.
+
+=====================================================================================================================
+
+.. note::
+
+    Keep in mind that if Query Forwarding in Unbound-->General is enabled, the system nameservers will be preferred
+    over any **catch-all entry** in both Custom Forwarding and DNS-over-TLS, this means that entries with a specific domain
+    will still be forwarded to the specified nameserver.
+
+
+====================================  ===============================================================================
+Enabled                               Enable query forwarding for this domain.
+Domain                                Domain of the host. All queries for this domain will be forwarded to the 
+                                      nameserver specified in "Server IP". Leave empty to catch all queries and
+                                      forward them to the nameserver.
+Server IP                             Address of the DNS server to be used for recursive resolution.
+Port                                  Specify the port used by the DNS server. Default is port 53. Useful when
+                                      configuring e.g. :doc:`/manual/how-tos/dnscrypt-proxy`
+====================================  ===============================================================================
+
+-------------------------
+DNS over TLS
+-------------------------
+
+DNS over TLS uses the same logic as Custom Forwarding, except it uses TLS for transport. 
+
+=====================================================================================================================
+
+.. note:: 
+
+    Please be aware of interactions between Custom Forwarding and DNS over TLS. Since the same principle as Custom 
+    Forwarding applies, a **catch-all entry** specified in both sections will be considered a duplicate zone. 
+    In our case DNS over TLS will be preferred.
+
+
+====================================  ===============================================================================
+Enabled                               Enable DNS over TLS for this domain.
+Domain                                Domain of the host. All queries for this domain will be forwarded to the 
+                                      nameserver specified in "Server IP". Leave empty to catch all queries and
+                                      forward them to the nameserver.
+Server IP                             Address of the DNS server to be used for recursive resolution.
+Port                                  Specify the port used by the DNS server. Always enter port 853 here unless 
+                                      there is a good reason not to, such as when using an SSH tunnel.
+Verify CN                             The name to use for certificate verification, e.g. "445b9e.dns.nextdns.io"
+                                      Used by Unbound to check the TLS authentication certificates.
+                                      It is strongly discouraged to omit this field since man-in-the-middle attacks
+                                      will still be possible.
+====================================  ===============================================================================
+
+.. tip:: 
+
+    To ensure a validated environment, it is a good idea to block all outbound DNS traffic on port 53 using a 
+    firewall rule when using DNS over TLS. Should clients query other nameservers directly themselves, a NAT 
+    redirect rule to 127.0.0.1:53 (the local Unbound service) can be used to force these requests over TLS.
+    
+
 -------------------------
 Statistics
 -------------------------