thanks all! Got it, I think!
Needed the "domain-insecure" bits, then reverse DNS was failing so I
also needed to change the local-zone as Patrik mentioned.
Complete unbound.conf now:
Konsole output
server:
interface: 127.0.0.1
interface: 192.168.1.50
use-syslog: yes
username: "unbound"
directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
access-control: 192.168.1.0/24 allow_snoop
local-zone: "1.168.192.in-addr.arpa." transparent
do-not-query-localhost: no
domain-insecure: "datanet.home"
domain-insecure: "1.168.192.in-addr.arpa"
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8953
server-key-file: "/etc/unbound/unbound_server.key"
server-cert-file: "/etc/unbound/unbound_server.pem"
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"
stub-zone:
name: "datanet.home"
stub-addr: 192.168.1.50@53530
stub-zone:
name: "1.168.192.in-addr.arpa"
stub-addr: 192.168.1.50@53530
