At home I have the following setup:
2 pfSense boxes in an HA setup with CARP IPs on WAN and LAN
in General Setup, 2 IPs and hostnames of 2 of my servers running in other countries, both offering DoT
in General Setup - use 127.0.0.1, ignore remote DNS servers
unbound resolver running in forward mode, Use SSL/TLS checked
behind them, 2 Pi-hole DNS servers operating as DNS for the LAN
This works pretty nicely: DNS traffic from the LAN is encrypted to the external DNS servers in the other countries, making it impossible for the provider or others here to tcpdump the DNS requests. Sure, from the external ones it goes out unencrypted.
I already had that once, a month ago, but this night I again had one of the 2 externals unreachable, and as a follow-up the LAN was not able to resolve things. unbound was not switching to the other, still working, external DNS server. I needed to disable forwarding mode to make things work again.
Is there a known problem, or could I have a misconfiguration?
Thank you for any hint.
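The forwarding setup described in the post, written out as a stand-alone unbound.conf forward-zone so the pieces involved in upstream selection are visible. This is an added example, not the poster's config and not the file pfSense generates; the upstream addresses, hostnames and bundle path are placeholders.

```conf
# unbound.conf fragment: forward all queries over DNS-over-TLS to two
# upstream resolvers, which is what pfSense's "forward mode" plus
# "Use SSL/TLS" setting does. All addresses and names are placeholders.
server:
    interface: 127.0.0.1
    # CA bundle used to validate the upstream resolvers' certificates;
    # without it forward-tls-upstream encrypts but does not authenticate.
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IP@port#authname: the name after '#' is checked against the
    # certificate presented on port 853. Two entries give unbound two
    # candidates; it tracks per-server RTT and marks unreachable ones down.
    forward-addr: 192.0.2.10@853#dot1.example.net
    forward-addr: 198.51.100.20@853#dot2.example.net
```

`unbound-checkconf` validates the file before it is loaded, and `unbound-control forward` shows which upstreams are currently configured.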