unbound

pacman -S unbound
  • install expat for DNSSEC verification
pacman -S expat
name_servers="::1 127.0.0.1"
resolv_conf_options="trust-ad"

private_interfaces="*"
unbound_conf=/etc/unbound/resolvconf.conf
  • edit unbound config /etc/unbound/unbound.conf
# include: "/etc/unbound/resolvconf.conf"

server:
    prefetch: yes
    hide-identity: yes
    hide-version: yes
    tls-system-cert: yes

forward-zone:
    name: "."
    forward-addr: 194.242.2.2@853#doh.mullvad.net
    forward-addr: 193.19.108.2@853#doh.mullvad.net
    # forward-addr: 1.1.1.1@853#cloudflare-dns.com
    # forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-tls-upstream: yes
  • if using a vpn, the resolvconf-generated include should probably not be used; it's literally the definition of a DNS leak
  • also seems to be broken: can't resolve servers because of the mullvad firewall
  • if using mullvad, should use the local gateway; can't use TLS because the domain name isn't known (10.64.0.1 corresponds to the currently connected mullvad server, with a different hostname depending on which server you're connected to). This is annoying because then the fallbacks can't use TLS either. Could hypothetically fix by specifying a particular host. This is doubly annoying because the mullvad doh.mullvad.net DNS servers only use TLS, so they can't be used as fallbacks.
forward-zone:
    name: "."
    # https://mullvad.net/en/help/socks5-proxy/
    forward-addr: 10.64.0.1
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
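As an added example (not from these notes or the unbound project), a small Python lint that checks the forward-zone points above: a forward-addr without a #auth-name, or a server: block without tls-cert-bundle/tls-system-cert, leaves a DoT upstream unauthenticated, and a zone without forward-tls-upstream sends every query, fallbacks included, in plaintext. The sample config and the parser's comment handling are my assumptions.

```python
import re
ADDR_RE = re.compile(r"([^@#]+)(?:@(\d+))?(?:#(\S+))?")  # ip[@port][#authname]
# Constructed sample: the DoT zone from the notes plus a plaintext fallback zone.
SAMPLE_CONF = """\
server:
    tls-system-cert: yes
forward-zone:
    name: "."
    forward-addr: 194.242.2.2@853#doh.mullvad.net
    forward-tls-upstream: yes
forward-zone:
    name: "example.test."
    forward-addr: 10.64.0.1
    forward-addr: 1.1.1.1
"""

def parse_clauses(text):
    """Return [(clause, [(key, value), ...])], ignoring indentation as unbound does.
    A '#' is a comment only at line start or after whitespace, so the '#authname'
    glued to a forward-addr is kept."""
    clauses = []
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        key, sep, value = (p.strip() for p in line.partition(":"))
        if sep and not value:  # bare 'server:' / 'forward-zone:' opens a clause
            clauses.append((key, []))
        elif sep and clauses:
            clauses[-1][1].append((key, value))
    return clauses

def lint(text):
    """List forwarders that are sent in plaintext or over unauthenticated TLS."""
    clauses = parse_clauses(text)
    server = {k: v for name, body in clauses if name == "server" for k, v in body}
    validates = "tls-cert-bundle" in server or server.get("tls-system-cert") == "yes"
    findings = []
    for body in (b for name, b in clauses if name == "forward-zone"):
        zone = dict(body).get("name", "?").strip('"')
        tls = ("forward-tls-upstream", "yes") in body
        for addr in (v for k, v in body if k == "forward-addr"):
            ip, _port, auth = ADDR_RE.fullmatch(addr).groups()
            if not tls:
                findings.append(f"{zone}: {ip} is forwarded without TLS (plaintext DNS)")
            elif not auth:
                findings.append(f"{zone}: {ip} has no #auth-name, so the TLS server is not authenticated")
        if tls and not validates:
            findings.append(f"{zone}: TLS upstream but server: lacks tls-cert-bundle/tls-system-cert")
    return findings
```

Run it as `lint(open("/etc/unbound/unbound.conf").read())` after `unbound-checkconf` passes; an empty list means every forwarder is both encrypted and authenticated.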

detailed notes

To enable DNSSEC for unbound, follow the instructions here.

Basically, to generate the root.key file in /usr/local/etc/unbound, just run

sudo unbound-anchor

and to generate the root.hints file (not strictly necessary, as unbound ships with a default file, but if your package manager doesn't update it often enough you can refresh it yourself), run

curl --output /usr/local/etc/unbound/root.hints https://www.internic.net/domain/named.cache