Unbound can be run as a local caching forwarder configured to use SSL upstream; however, it cannot yet re-use TCP/TLS connections or send several of the privacy-related options (padding, ECS privacy, etc.). The 1.7.1 release of Unbound supports authentication of upstream recursive resolvers using an authentication domain name (i.e. PKIX authentication) if a certificate bundle is configured. The 1.13.1 release can re-use upstream connections. An example minimal config is given below.
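
A minimal forwarder configuration matching the description above, as an added example (not the project's own config). The upstream address, its authentication domain name and the CA bundle path are assumptions to adapt to your resolver and OS.

```conf
# unbound.conf: local caching forwarder that sends all queries upstream over TLS.
server:
    # Listen only on loopback; this instance serves the local machine.
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow

    # CA bundle used to validate upstream certificates (Unbound 1.7.1+).
    # Assumed path (Debian/Ubuntu location); it differs on other systems.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    # Forward every query, not just one zone.
    name: "."
    # Use TLS for all connections to the forwarders listed below.
    forward-tls-upstream: yes

    # Authenticated form: address@port#authentication-domain-name.
    # The upstream certificate must chain to the bundle above and
    # match the name after '#'.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com

    # Weak form, shown for contrast and left commented out: with no
    # '#name', any certificate name is accepted, so the upstream's
    # identity is not pinned to a name.
    # forward-addr: 1.1.1.1@853
```

Without `tls-cert-bundle` the connection is still encrypted but the upstream cannot be authenticated.
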
- Cloudflare has released two tools to provide DoH clients, see https://developers.cloudflare.com/1.1.1.1/dns-over-https/cloudflared-proxy/
- Frank Denis has a dnscrypt-proxy (client proxy) that supports DoH, and there is a Windows client GUI called Simple DNSCrypt
- curl also supports DoH: https://github.com/curl/doh
- kdig also supports DoH since version 3.0
- There is an Android app called 'Intra' which can be used to send all queries from the device over DoH to either Cloudflare or Google or a user-configured resolver
- Cloudflare has an app called 1.1.1.1 - it does DoH by default but will also do DoT, but only uses 1.1.1.1