unbound: Use Google as external resolver

roles/unbound/templates/unbound.conf.dna-gw01.home.foo.sh.j2

@@ -8,7 +8,7 @@ server:
 
     tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
     tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
-    tls-cert-bundle: {{ tls_certs }}/ca.crt
+    tls-cert-bundle: {{ tls_bundle }}
 
     access-control: 127.0.0.0/8 allow
     access-control: ::1 allow
@@ -26,6 +26,11 @@ remote-control:
     control-enable: yes
     control-interface: /var/run/unbound.sock
 
+forward-zone:
+    name: "."
+    forward-tls-upstream: yes
+    forward-addr: 8.8.8.8@853#dns.google
+
 {% for zone in unbound_zones %}
 auth-zone:
     name: "{{ zone }}"

roles/unbound/templates/unbound.conf.dna-gw02.home.foo.sh.j2

@@ -8,7 +8,7 @@ server:
 
     tls-service-key: {{ tls_private }}/dns.home.foo.sh.key
     tls-service-pem: {{ tls_certs }}/dns.home.foo.sh.crt
-    tls-cert-bundle: {{ tls_certs }}/ca.crt
+    tls-cert-bundle: {{ tls_bundle }}
 
     access-control: 127.0.0.0/8 allow
     access-control: ::1 allow
@@ -26,6 +26,11 @@ remote-control:
     control-enable: yes
     control-interface: /var/run/unbound.sock
 
+forward-zone:
+    name: "."
+    forward-tls-upstream: yes
+    forward-addr: 8.8.8.8@853#dns.google
+
 {% for zone in unbound_zones %}
 auth-zone:
     name: "{{ zone }}"