> installing "unbound" from repository put the Unbound 127.0.0.1 address
> in /etc/resolv.conf and fixed at least the browser lookups.

Yes, using Unbound instead is a good idea. Actually, that was my default setup previously. However, in Ubuntu 18.04 LTS, /etc/resolv.conf is auto-generated and any added DNS entry vanishes sooner or later. At least in my tests. Therefore, my workaround was to change the symbolic link

    /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf
    /etc/resolv.conf -> ../run/systemd/resolve/resolv.conf

which is mentioned in

    $ man systemd-resolved.service

In that non-stub configuration file, after installing Unbound, any previously set server is overwritten with "127.0.0.1". However, changing a symbolic link manually (although documented in a man page) is a workaround for me and not the way it should work.

Anyway, I searched a bit more in the man pages, and

    $ sudo apt install resolvconf

seems to do the trick because it changes the symbolic link

    /etc/resolv.conf -> ../run/resolvconf/resolv.conf

automatically and therefore avoids systemd-resolved, too. I have to test that in the long term. Looks promising.

However, that means every executable which needs RRSIG has to declare a dependency on the package resolvconf nowadays. That should be reported to Debian.
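
An added check, not part of the original message: a small shell script that reports which of the three symlink targets named above /etc/resolv.conf currently points to, and whether its first nameserver is 127.0.0.1. The function names and the category labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message).
# Classifies a resolv.conf by its symlink target, using the three targets
# named in the message, and checks whether the first nameserver is 127.0.0.1.

resolv_manager() {
    # $1: path to inspect (defaults to /etc/resolv.conf)
    _rm_path=${1:-/etc/resolv.conf}
    if [ ! -L "$_rm_path" ]; then
        if [ -e "$_rm_path" ]; then echo "static-file"; else echo "missing"; fi
        return 0
    fi
    # readlink without -f: we want the link text itself, even if it dangles
    _rm_target=$(readlink "$_rm_path")
    case "$_rm_target" in
        */run/systemd/resolve/stub-resolv.conf) echo "systemd-resolved-stub" ;;
        */run/systemd/resolve/resolv.conf)      echo "systemd-resolved-non-stub" ;;
        */run/resolvconf/resolv.conf)           echo "resolvconf" ;;
        *)                                      echo "other:$_rm_target" ;;
    esac
}

uses_local_resolver() {
    # Succeeds only if the FIRST nameserver line is 127.0.0.1;
    # comments and later nameserver lines are ignored.
    _ul_path=${1:-/etc/resolv.conf}
    _ul_first=$(awk '$1 == "nameserver" { print $2; exit }' "$_ul_path" 2>/dev/null)
    [ "$_ul_first" = "127.0.0.1" ]
}

# Report on the path given as the first argument, or on /etc/resolv.conf.
conf=${1:-/etc/resolv.conf}
echo "$conf is managed by: $(resolv_manager "$conf")"
if uses_local_resolver "$conf"; then
    echo "first nameserver is 127.0.0.1"
else
    echo "first nameserver is not 127.0.0.1"
fi
```

Running it again after a reboot or a network change shows whether the symlink or the 127.0.0.1 entry has been replaced.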
