Unbound is not good for us because it's failing to return listings for one of the domains we run the authoritative servers for. Each of those servers returns those listings fine. Google's 8.8.8.8 and 8.8.4.4 do too. But Unbound fails without even providing an excuse.
Found that the problem is "rebind" protection. Yes, we have a public domain we use for some private IPs, for diverse VPN connections. With DNSmasq, that requires adding "rebind-domain-ok=/that.domain/" in the Advanced box, which we now hope is not going away in the future, despite the notice. Is there a similar way to configure Unbound?
Although a notice appears as well saying that the option will be removed in the future, this still works as of the latest release.
Services -> Unbound DNS -> General -> Custom options.
private-domain: "that.domain"