opnsense: Add support for forward-first when configuring forwarders (#8275)

Signed-off-by: Nigel Jones <nigel.l.jones+git@gmail.com>
Nigel Jones 2025-02-04 19:10:03 +00:00 committed by GitHub
parent 8139d9e1cb
commit 405ee249fb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 27 additions and 2 deletions


@ -47,6 +47,19 @@
<visible>false</visible>
</grid_view>
</field>
<field>
<id>dot.forward_first</id>
<label>Forward first</label>
<type>checkbox</type>
<help>
If a forwarded query is met with a SERVFAIL error, and this option is enabled, Unbound will fall back to normal recursive resolution for this query as if no query forwarding had been specified. The fallback will only occur after a delay, so consider refining any server timeouts as needed. Please note this setting applies to the domain, so when multiple forwarders are defined for the same domain, all are assumed to use this setting.
</help>
<grid_view>
<type>boolean</type>
<formatter>boolean</formatter>
<visible>false</visible>
</grid_view>
</field>
<field>
<id>dot.verify</id>
<label>Verify CN</label>
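Review bot: The help text for `dot.forward_first` does not say what the fallback means when the entry is a DNS-over-TLS forwarder, which the neighbouring `dot.verify` field suggests this form covers. The template section of this commit emits `forward-first: yes` in the same zone as `forward-tls-upstream: yes`, and as far as I know Unbound's fallback recursion queries authoritative servers directly over plain DNS, so a SERVFAIL from the forwarder would take that query off the encrypted path and past the configured resolver. I would add a sentence to the help such as `For DNS over TLS, fallback queries are sent unencrypted to authoritative servers and bypass the configured forwarders.` The `<field>` for `dot.verify` continues outside the hunk.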


@ -277,6 +277,10 @@
<Default>0</Default>
<Required>Y</Required>
</forward_tcp_upstream>
<forward_first type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</forward_first>
<description type="DescriptionField"/>
</dot>
</dots>


@ -23,17 +23,21 @@ server:
# Forward zones
{% for domain, forwards in all_forwards|groupby("domain", default=".") %}
{% set domain_opts = namespace(forward_tcp_upstream=False) %}
{% set domain_opts = namespace(forward_tcp_upstream=False, forward_first=False) %}
forward-zone:
name: "{{ domain }}"
{% for forward in forwards %}
forward-addr: {{ forward.server }}{% if forward.port %}@{{ forward.port }}{% endif %}
{% set domain_opts.forward_tcp_upstream = domain_opts.forward_tcp_upstream or forward.forward_tcp_upstream == '1' %}
{% set domain_opts.forward_first = domain_opts.forward_first or forward.forward_first == '1' %}
{% endfor %}
{% if domain_opts.forward_tcp_upstream %}
forward-tcp-upstream: yes
{% endif %}
{% if domain_opts.forward_first %}
forward-first: yes
{% endif %}
{% endfor %}
{% if all_dots|length > 0 %}
@ -41,14 +45,18 @@ forward-zone:
server:
tls-cert-bundle: /usr/local/etc/ssl/cert.pem
{% for domain, dots in all_dots|groupby("domain", default=".") %}
{% set domain_opts = namespace(forward_first=False) %}
forward-zone:
name: "{{ domain }}"
forward-tls-upstream: yes
{% for dot in dots %}
forward-addr: {{ dot.server }}{% if dot.port %}@{{ dot.port }}{% endif %}{% if dot.verify %}#{{ dot.verify }}{% endif %}
{% set domain_opts.forward_first = domain_opts.forward_first or dot.forward_first == '1' %}
{% endfor %}
{% if domain_opts.forward_first %}
forward-first: yes
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
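Review bot: The per-domain flag set by `{% set domain_opts.forward_first = domain_opts.forward_first or dot.forward_first == '1' %}` (and by the matching line in the `all_forwards` loop) is an OR over every entry of the domain, so unchecking the option on one forwarder has no effect while any other entry for that domain still has it set. For the `all_dots` zone this fails open: an administrator who disables it on one server, presumably to avoid fallback to ordinary recursion, still gets `forward-first: yes` in the generated zone. I would document this where it happens with a template comment such as `{# forward-first is per zone: one entry with it enabled turns it on for every forwarder of this domain #}`. A model-level validation that rejects mixed values within one domain would make the behaviour explicit instead of relying on the help text.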