Not sure what you mean by setting unbound as a DoH server. You mean to query unbound through DoH? Wouldn’t you prefer to query you PiHole instead (which will query unbound)?
Anyway, the best way to do this is using Adguard’s dnsproxy: it proxies calls to any DNS server. (self plug: I made a Docker container for dnsproxy)
Unless your ISP does Deep Packet Inspection (DPI), your ISP should not be able to see your DNS queries since you won’t be querying their DNS server anymore, but the authoritative servers. Maybe you can protect yourself from DPI by setting up unbound to query the authoritative servers using DoT or DoH (though I don’t know how).
As for MIM attacks, I don’t have enough knowledge to answer.
Not sure what you mean by setting unbound as a DoH server. You mean to query unbound through DoH? Wouldn’t you prefer to query you PiHole instead (which will query unbound)?
Anyway, the best way to do this is using Adguard’s dnsproxy: it proxies calls to any DNS server. (self plug: I made a Docker container for dnsproxy)
ok is Pihole + unbound protects me from ISP seeing my queries, and MIM attacks?
You’re safe from MITM attacks, yes, but in terms of privacy it won’t help much.
Unless your ISP does Deep Packet Inspection (DPI), your ISP should not be able to see your DNS queries since you won’t be querying their DNS server anymore, but the authoritative servers. Maybe you can protect yourself from DPI by setting up unbound to query the authoritative servers using DoT or DoH (though I don’t know how).
As for MIM attacks, I don’t have enough knowledge to answer.