How to enable unbound port 853 (TLS) on a fresh install of ipfire

Running a fresh install of IPFire 2.27 (x86_64) - Core Update 160

I would like to configure my ipfire box so that it provides a DNS over TLS service to the network clients in the green network.
“Protocol for DNS queries” is of course set to TLS in the Domain Name System admin page but that does not seem to enable the local TLS service on port 853.
What am I missing? Am I supposed to just add port 853 entries to /etc/unbound/unbound.conf myself? (nobody has an example in that case?)

Current unbound.conf (not changed after installation):

# Unbound configuration file for IPFire
# The full documentation is available at:

        # Common Server Options
        chroot: ""
        directory: "/etc/unbound"
        username: "nobody"
        do-ip6: no

        # System Tuning
        include: "/etc/unbound/tuning.conf"

        # Logging Options
        use-syslog: yes
        log-time-ascii: yes

        # Unbound Statistics
        statistics-interval: 86400
        extended-statistics: yes

        # Prefetching
        prefetch: yes
        prefetch-key: yes

        # Privacy Options
        hide-identity: yes
        hide-version: yes

        # DNSSEC
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        val-log-level: 1
        log-servfail: yes

        # Hardening Options
        harden-large-queries: yes
        harden-referral-path: yes
        aggressive-nsec: yes

        # TLS
        tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt

        # Harden against DNS cache poisoning
        unwanted-reply-threshold: 1000000

        # Listen on all interfaces
        interface-automatic: yes

        # Allow access from everywhere
        access-control: allow

        # Timeout behaviour
        infra-keep-probing: yes

        # Bootstrap root servers
        root-hints: "/etc/unbound/root.hints"

        # Include DHCP leases
        include: "/etc/unbound/dhcp-leases.conf"

        # Include hosts
        include: "/etc/unbound/hosts.conf"

        # Include any forward zones
        include: "/etc/unbound/forward.conf"

        control-enable: yes
        control-use-cert: no

# Import any local configurations
include: "/etc/unbound/local.d/*.conf"

Before you can provide tls in your lan your IPFire must register a public fqdn entry and a validated tls keypair for this domain.

Without this no client will accept the tls connection to your unbound. This is also the reason why we have only implemented tls for unbounds upstream server. But if you use this your internet dns traffic will use tls even if you have legacy clients in yor lan. Best is to block port 53 from green and blue to red to force the clients to use the unbound proxy.