opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

[Unbound] support different DoT providers and/or extended whitelists for different source networks #7104

Closed elovin closed 5 months ago

elovin commented 9 months ago

Is your feature request related to a problem? Please describe.

Currently I use both Unbound and DnsCrypt because I use a lot of blocklists and extended blocklists per device with Unbound (including blocking most TLDs using an upstream controldD resolver (DoT)). This is then too restrictive to resolve the IPs of domains in my aliases, which I also want to block by IP.

That is why I need to run DnsCrypt as an unrestricted / unfiltered resolver only for Opnsense itself, so that it can look up all the domains in my aliases that I want to block by IP.

I also have a few clients on my network which need very different DNS filters and thus I have to configure DoT on these devices directly and then allow these devices to bypass Unbound.

Describe the solution you like

Add support for "extended whitelists", which should just be the equivalent of the "Extended Blocklists", except that it overwrites blocked domains on the general and extended blocklists for the source network.

Another option would be to allow different DoT providers for different Unbound clients; that way we could still make use of DoT and apply different filters per source network.

Describe alternatives you considered

The alternative is currently to use both Unbound and DnsCrypt and to allow some clients to bypass the DNS resolver on my network.

Unbound uses a different controldD profile than DnsCrypt, and DnsCrypt is configured to only resolve queries from the firewall itself, while traffic from clients is forwarded to Unbound.

Clients which need incompatible filters are allowed to bypass the firewall and to open their own DoT connection.
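The per-source-network whitelist described in this request can be expressed with Unbound's own views, as in the following added example (not OPNsense code and not part of the original issue). It assumes two constructed LANs (192.168.1.0/24 filtered, 192.168.2.0/24 exempt), a constructed blocked name `ads.example.`, and that the fragment is placed where OPNsense's Unbound picks up custom options (the `unbound.opnsense.d` include directory is an assumption). Views carry only `local-zone`/`local-data` overrides, so the per-client DoT upstream part of the request is not covered here; the forward-zone below is global.

```conf
server:
    access-control: 192.168.1.0/24 allow
    access-control: 192.168.2.0/24 allow

    # Global block, equivalent to an entry on the general/extended blocklist.
    # always_nxdomain answers NXDOMAIN without consulting the upstream.
    local-zone: "ads.example." always_nxdomain

    # Map the exempt source network to a view; all other clients stay on the
    # global (filtered) policy.
    access-control-view: 192.168.2.0/24 unfiltered-lan

    # Upstream DoT resolver (constructed placeholder address and hostname).
    tls-cert-bundle: /etc/ssl/cert.pem

view:
    name: "unfiltered-lan"
    # Consult the view's local-zones first; names it does not list fall
    # back to the global local-zones above.
    view-first: yes
    # always_transparent overrides the global block for this source network
    # only, and the name is resolved normally upstream.
    local-zone: "ads.example." always_transparent

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 203.0.113.53@853#dot.resolver.example
```

Verify with `unbound-checkconf` and then compare `dig ads.example` from a host in each network: the filtered LAN receives NXDOMAIN, the exempt LAN receives the real answer.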

elovin commented 5 months ago

I do not know what I did wrong with this feature request, but since there has been no response within the last 3 months, I'm closing it now.