For Core119, I'm currently using a patch to /etc/init.d/unbound:

 https://gitlab.com/snippets/1706804

because my (only available) ISP mangles port 53 traffic, effectively
disabling DNS outside of my private firewall.

I wonder if configuring unbound so that forward requests use DNSSEC
over HTTPS or TLS would be a better (and more secure) solution? Also
see:

https://forum.ipfire.org/viewtopic.php?f=27&t=20575#p115342

https://forum.ipfire.org/viewtopic.php?f=50&t=20574

Comments and test configurations are welcome!

Paul