DNS via SSH
August West
admin at shalmirane.com
Thu Oct 24 02:41:41 UTC 2019
I am running a local Unbound server on my laptop that is configured to provide
secure DNS service to just my laptop using DoT. To do so, I am using:
    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 1.1.1.1@853
This is working for me, but occasionally I have to connect to a network that
is behind a corporate firewall that acts as a man-in-the-middle on all TLS
requests. This causes Unbound to fail to resolve names.
To work around this problem, I have attempted to forward requests to a trusted
server that is available through an SSH tunnel. SSH only carries TCP, so
I added some further settings:
    server:
        do-tcp: yes
        do-not-query-localhost: no
    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 127.0.0.1@11853
In this case port 11853 is being forwarded to port 853 on the remote server.
That did not work. I played with the verbosity and log options and could not get
any explanation for what is going wrong. It is possible that there is a problem
with the certificate being used by the upstream server that is being accessed
through SSH (it is self-signed), so I also tried:
    forward-zone:
        name: "."
        forward-tls-upstream: no
        forward-addr: 127.0.0.1@11053
In this case port 11053 is being forwarded to port 53 on the remote server.
I tested the connection to the remote server using drill:
    drill -t -p 11053 @127.0.0.1 google.com
and that worked fine, so it seems there is no issue with the upstream
server, and yet Unbound does not resolve names with this configuration.
I am currently stuck. Can anyone point out any issues with my configurations or
point me to a tutorial on how to configure Unbound to connect to an upstream
server using SSH?
Thanks,
-August
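An added example, not part of the original post or of Unbound itself: a minimal DNS-over-TCP client in Python that can be pointed at the locally forwarded port to confirm, independently of Unbound's configuration, that the SSH tunnel delivers DNS answers. An SSH local forward carries TCP only, so the client deliberately uses the two-byte length framing DNS requires on TCP (RFC 1035 section 4.2.2) rather than UDP. The host and port defaults (127.0.0.1, 11053) match the second forwarding setup described above and are assumptions; the response used by the self-test is constructed, not captured.

```python
import socket
import struct
import sys

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query for `name`; qtype 1 = A, 28 = AAAA."""
    # Flags 0x0100: recursion desired. One question, no other sections.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def tcp_frame(msg: bytes) -> bytes:
    """Prefix a DNS message with the 2-byte big-endian length used on TCP."""
    return struct.pack("!H", len(msg)) + msg

def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length

def parse_response(msg: bytes, txid: int):
    """Return (rcode, [IPv4 strings from A records]); raise on a bad reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                      # skip echoed question(s)
        off = _skip_name(msg, off) + 4       # + QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full message arrived")
        buf += chunk
    return buf

def resolve_over_tcp(name: str, host: str = "127.0.0.1", port: int = 11053,
                     timeout: float = 5.0):
    """Send one A query over a TCP connection and return (rcode, addresses)."""
    txid = 0x1234
    query = build_query(name, txid=txid)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(tcp_frame(query))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        reply = _recv_exact(s, length)
    return parse_response(reply, txid)

if __name__ == "__main__":
    # Usage: python3 dns_tcp_check.py example.com [port]
    qname = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    qport = int(sys.argv[2]) if len(sys.argv) > 2 else 11053
    rcode, addrs = resolve_over_tcp(qname, port=qport)
    print(f"rcode={rcode} answers={addrs}")
```

If this client gets an answer through the forwarded port while Unbound does not, the tunnel and the remote server are fine and the remaining difference lies in how Unbound is reaching the forwarder, which narrows the search considerably.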