NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

DNS Over TLS SNI missing #1112

Closed Aura67 closed 1 month ago

Aura67 commented 1 month ago

Hello, my DNS over TLS via Quad9 is not causing any problems, but I have now noticed that when I tell Unbound to use `tls-use-sni: yes`, the Cloudflare website shows me that Unbound does not use SNI. What am I doing wrong with the setting? Otherwise Unbound carries out TLS handshakes. Here is a picture of it.


my config:

```
server:
    # If no logfile is specified, syslog is used
    # logfile: "/etc/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Teredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/etc/unbound/root.hints"

    # Certificates used to authenticate connections made upstream.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # If not "", lists files with 80 bytes of random contents that are
    # used to perform TLS session resumption for clients using the Unbound server.
    tls-session-ticket-keys: ""

    # Set the list of ciphers to allow when serving TLS. Use "" for default ciphers
    tls-ciphers: ""

    # Set the list of ciphersuites to allow when serving TLS. This is for newer TLS 1.3 connections. Use "" for default ciphersuites.
    tls-ciphersuites: ""

    # Enable or disable sending the SNI extension on TLS connections.
    # Default is yes. Changing the value requires a reload.
    tls-use-sni: yes

    # QNAME minimisation in strict mode. Do not fall-back to sending full
    # QNAME to potentially broken nameservers. A lot of domains will not be
    # resolvable when this option is enabled.
    # This option only has effect when qname-minimisation is enabled.
    qname-minimisation-strict: no

    # Harden against queries that fall under dnssec-signed nxdomain names.
    harden-below-nxdomain: yes

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
    # and other denials, using information from previous NXDOMAINs answers.
    aggressive-nsec: yes

    # trust anchor signaling sends a RFC8145 key tag query after priming.
    trust-anchor-signaling: yes

    # use SO_REUSEPORT to distribute queries over threads.
    # at extreme load it could be better to turn it off to distribute even.
    so-reuseport: yes

    # Number of ports to open. This number of file descriptors can be opened per thread. Must be at
    # least 1. Default depends on compile options. Larger numbers need extra resources from the
    # operating system. For performance a very large value is best, use libevent to make this possible.
    outgoing-range: 450

    # Permit Unbound to open this port or range of ports for use to send queries. A larger number of
    # permitted outgoing ports increases resilience against spoofing attempts. Make sure these ports
    # are not needed by other daemons. By default only ports above 1024 that have not been
    # assigned by IANA are used. Give a port number or a range of the form "low-high", without spaces.
    outgoing-port-permit: 32768

    # The number of queries that every thread will service simultaneously. If more queries arrive that
    # need servicing, and no queries can be jostled out (see jostle-timeout:), then the queries are
    # dropped. This forces the client to resend after a timeout; allowing the server time to work on
    # the existing queries. Default depends on compile options.
    num-queries-per-thread: 4096

    # Number of outgoing TCP buffers to allocate per thread. If set to 0, or if do-tcp: no, no TCP
    # queries to authoritative servers are done. For larger installations increasing this value is a good idea.
    outgoing-num-tcp: 1000

    # Number of incoming TCP buffers to allocate per thread. If set to 0, or if do-tcp: no, no TCP
    # queries from clients are accepted. For larger installations increasing this value is a good idea.
    incoming-num-tcp: 1000

    # buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
    # 0 is system default. Use 4m to catch query spikes for busy servers.
    so-rcvbuf: 1m

    # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
    # 0 is system default. Use 4m to handle spikes on very busy servers.
    so-sndbuf: 1m

    # the amount of memory to use for the negative cache.
    # plain value in bytes or you can append k, m or G. default is "1Mb".
    neg-cache-size: 4m

    # Number of bytes size of the message cache. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte).
    msg-cache-size: 50m

    # Number of bytes size of the RRset cache. A plain number is in bytes, append 'k', 'm' or 'g' for kilobytes, megabytes or gigabytes (1024*1024 bytes in a megabyte).
    rrset-cache-size: 100m

    # Number of slabs in the message cache. Slabs reduce lock contention by threads. Must be set to a power of 2. Setting (close) to the number of cpus is a reasonable guess.
    msg-cache-slabs: 2

    # Number of slabs in the key cache. Slabs reduce lock contention by threads. Must be set to a power of 2. Setting (close) to the number of cpus is a reasonable guess.
    key-cache-slabs: 2

    # Number of slabs in the infrastructure cache. Slabs reduce lock contention by threads. Must be set to a power of 2.
    infra-cache-slabs: 2

    # Number of slabs in the RRset cache. Slabs reduce lock contention by threads. Must be set to a power of 2.
    rrset-cache-slabs: 2

    # Timeout used when the server is very busy. Set to a value that usually results in one roundtrip to the authority servers.
    jostle-timeout: 200

    # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-first: no
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 9.9.9.11@853#dns11.quad9.net
    forward-addr: 149.112.112.11@853#dns11.quad9.net
```

Aura67 commented 1 month ago

OK, Google Chrome passes the secure SNI test, so it must be some setting in my internet browser. It's not an Unbound issue, but thanks for the help if you get an answer.