unbound client forward to knot-resolver server without recursion desired (RD) bit get status REFUSED.

A Former User

I'm working on a hobby project of setup my private remote resolver with knot-resolver. In knot-resolver documentation by default refuse queries without RD bit set to prevent snooping and able to unload the module right now as a workaround for unbound forward queries.

My issue is now I have a DNS over tls port available on the remove server for my and I can't stop anyone from snooping the cache.
What setting should set RD bit on out going queries?

Gertjan

@sauce
I've found https://knot-resolver.readthedocs.io/en/stable/modules-refuse_nord.html
How is this related to pfSense ?