Topic: Question regarding DoT (Read 1059 times)
cits
Newbie
Posts: 3
Karma: 0
Question regarding DoT
« on: June 26, 2021, 07:37:53 pm »
Hi,
I've been trying to get my DoT requests from other machines redirected to my OPNsense and then forwarded from there.
I'm blocking all DoH servers (or at least those I could find and know of), and the only thing in terms of DNS I allow is UDP DNS on 53 (which is forwarded via a NAT rule to do DoT lookups; works fine), and I have some DoT servers configured as forwarders. I found out while testing that some systems that have hard-configured DoT servers obviously don't resolve anymore because of my restrictive firewall ruleset (Android with Nebula, Blokada and such). So instead of needing to change those configs I would prefer to just have the traffic redirected.
As far as I was looking (and I have been looking to the point that I registered, since I couldn't find a satisfying answer), I tried a variety of things but nothing solved "my problem". While trying to configure this I also noticed that the way to configure forwarders is a bit redundant, since you can do that under Miscellaneous but also in the Custom options field under the General configuration of Unbound. That confused me a bit, and I wanted to know if there's any reason behind this.
I guess my question is: can you actually run a DoT resolver, or can you just forward requests?
I feel that this shouldn't be too complicated, but I don't really know what or where to look for, so I came to ask here.
Sorry in advance if the question has been raised before; I just didn't find the answer I was looking for.
tiermutter
Hero Member
Posts: 1091
Karma: 61
Re: Question regarding DoT
« Reply #1 on: June 26, 2021, 09:11:34 pm »
AFAIK it is not possible to redirect DoH, because the desired DNS server is not responding and that will make the client decline the answer.
I'm just blocking any DoH (and DoT) requests to WAN, for DoH also using some lists of DNS servers. I found that some browsers, apps, etc. will fall back to normal DNS; others will time out and may need manual adjustment. Not satisfying, but the only way I found for me.
I am not an expert... just trying to help...
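As an added example that is not part of this thread and not taken from the OPNsense or Unbound documentation, here is an unbound.conf fragment covering both halves of the original question: Unbound on the OPNsense host forwarding to upstream resolvers over TLS (the "DoT forwarder" the poster already has) and additionally serving DoT itself on port 853 for LAN clients. The interface address, certificate paths, CA bundle path and the choice of upstreams are assumptions; Quad9 and Cloudflare are used only as well-known public DoT endpoints.

```conf
# unbound.conf fragment (added example, not the thread's or OPNsense's own config).
# Assumed: OPNsense LAN address 192.168.1.1, a server certificate/key issued
# for that host, and the FreeBSD CA bundle at /etc/ssl/cert.pem.

server:
    # plain DNS on the LAN address, plus a TLS listener on 853
    interface: 192.168.1.1
    interface: 192.168.1.1@853
    # any interface bound to tls-port speaks TLS instead of plain DNS
    tls-port: 853
    # certificate and key presented to LAN DoT clients (assumed paths)
    tls-service-pem: "/usr/local/etc/unbound/opnsense-dot.pem"
    tls-service-key: "/usr/local/etc/unbound/opnsense-dot.key"
    # CA bundle used to authenticate the upstream resolvers in forward-zone
    tls-cert-bundle: "/etc/ssl/cert.pem"
    access-control: 192.168.1.0/24 allow

forward-zone:
    name: "."
    # send all queries to the upstreams below over TLS
    forward-tls-upstream: yes
    # syntax IP@port#authname: Unbound verifies the upstream certificate
    # against authname, so a spoofed or redirected upstream is rejected
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

In OPNsense the forward-zone part is what the Miscellaneous tab's DNS over TLS servers field generates, while the Custom options field simply appends raw lines to unbound.conf, which is why the same setting can be reached both ways. A quick check that the local DoT listener works is `kdig +tls @192.168.1.1 example.com` from a LAN host, or `openssl s_client -connect 192.168.1.1:853` to inspect the certificate being presented. The caveat that matters for the redirect idea: a port forward of TCP 853 to 192.168.1.1 (the same kind of NAT rule the poster already uses for port 53) does make hard-configured clients reach Unbound, but a client that validates the certificate against the hostname it was configured with (Android Private DNS with an explicit hostname, for example) will see a certificate for a different name and abort the TLS handshake, which is the same failure tiermutter describes for DoH. Only clients that trust the OPNsense certificate, or that use opportunistic DoT without hostname validation, will accept the redirected answers; the rest fall back to plain DNS or time out, as the reply above observes.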