> Having set up DoT and got it all working, I was under the impression
> that all DNS queries would now use TLS over TCP.
Where? Between your client and your unbound recursor (where you have control and can enable DNS-over-TLS-over-TCP), or outwards from your unbound recursor to the rest of the net?

For the latter to work, each and every publishing name server out there would have to have deployed DNS-over-TLS-over-TCP. To put it mildly, "we're not there yet", and I'm doubtful we ever will be.

Even if you dropped "TLS", and only wanted to do TCP, I think that would also work poorly, since still too many publishing name servers either don't do DNS-over-TCP or there are firewalls on the path which prohibit it from working.

Regards,

- Håvard
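To make the distinction in the reply above concrete, here is an added unbound configuration sketch (not the original poster's config, and not taken from the thread) showing the one hop where the operator controls the transport. The option names (`interface ...@853`, `tls-port`, `tls-service-key`, `tls-service-pem`, `tls-cert-bundle`, `tls-upstream`) are unbound's documented options as I know them; the file paths and addresses are placeholders.

```conf
server:
    # --- Hop 1: client -> this unbound recursor (you control this) ---
    # Listen for plain DNS on 53 and for DNS-over-TLS on 853.
    interface: 192.0.2.53            # placeholder address
    interface: 192.0.2.53@853        # placeholder address, DoT listener
    tls-port: 853
    # Server certificate and key presented to DoT clients (placeholder paths).
    tls-service-key: "/etc/unbound/dot-server.key"
    tls-service-pem: "/etc/unbound/dot-server.pem"

    # --- Hop 2: this recursor -> authoritative name servers ---
    # Nothing above changes this hop: recursion to the root, TLDs and
    # zone-publishing servers still goes out as plain DNS on UDP/TCP 53,
    # because those servers generally do not offer DNS-over-TLS.
    #
    # Forcing TLS upstream is possible, but only works if every upstream
    # you talk to actually serves DNS-over-TLS. Against the public DNS
    # tree that is not the case, so resolution would fail. Leave it off
    # unless all upstream traffic goes to a DoT-capable forwarder.
    tls-upstream: no
    # CA bundle used to authenticate upstreams if tls-upstream were enabled
    # (placeholder path).
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
```

The practical check after a change like this is to confirm where encryption actually applies: a DoT client talking to port 853 on this host sees TLS, while a capture on the recursor's outbound interface still shows plain port-53 queries to authoritative servers. Treating the client-to-recursor hop as protected and the recursor-to-authoritative hop as visible to the network path is the accurate threat model for this setup.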
