diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
index 688ad6842..2d2f2ccec 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
@@ -47,6 +47,19 @@
false
+
+ dot.forward_first
+
+ checkbox
+
+ If a forwarded query is met with a SERVFAIL error, and this option is enabled, Unbound will fall back to normal recursive resolution for this query as if no query forwarding had been specified. The fallback will only occur after a delay, so consider refining any server timeouts as needed. Please note this setting applies to the domain, so when multiple forwarders are defined for the same domain, all are assumed to use this setting.
+
+
+ boolean
+ boolean
+ false
+
+ dot.verify
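Review bot: The help text added in this hunk does not say that the fallback path abandons the transport the forwarder was configured with: since this dialog configures DNS-over-TLS forwarders, `forward-first: yes` lets Unbound answer a SERVFAIL by recursing to authoritative servers itself, and that ordinary recursion is not protected by the TLS session the zone was set up for, so queries for the domain can leave the host unencrypted whenever the TLS forwarder fails. I would extend the help text with a sentence such as `Fallback queries are answered by ordinary recursive resolution and are not protected by DNS over TLS.` The same caveat applies to the dot.conf hunks that emit `forward-first: yes` inside zones marked `forward-tls-upstream: yes`; for the plain forward-zone hunk the transport does not change, but a SERVFAIL still bypasses the resolver the administrator deliberately forwarded to (for example an internal one), which is worth stating as well.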
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
index 78172923e..8de2f963c 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
@@ -277,6 +277,10 @@
0Y
+
+ 0
+ Y
+
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
index 6e77ccaa1..02b879c51 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
@@ -23,17 +23,21 @@ server:
# Forward zones
{% for domain, forwards in all_forwards|groupby("domain", default=".") %}
-{% set domain_opts = namespace(forward_tcp_upstream=False) %}
+{% set domain_opts = namespace(forward_tcp_upstream=False, forward_first=False) %}
forward-zone:
name: "{{ domain }}"
{% for forward in forwards %}
forward-addr: {{ forward.server }}{% if forward.port %}@{{ forward.port }}{% endif %}
{% set domain_opts.forward_tcp_upstream = domain_opts.forward_tcp_upstream or forward.forward_tcp_upstream == '1' %}
+{% set domain_opts.forward_first = domain_opts.forward_first or forward.forward_first == '1' %}
{% endfor %}
{% if domain_opts.forward_tcp_upstream %}
forward-tcp-upstream: yes
{% endif %}
+{% if domain_opts.forward_first %}
+ forward-first: yes
+{% endif %}
{% endfor %}
{% if all_dots|length > 0 %}
@@ -41,14 +45,18 @@ forward-zone:
server:
tls-cert-bundle: /usr/local/etc/ssl/cert.pem
{% for domain, dots in all_dots|groupby("domain", default=".") %}
-
+{% set domain_opts = namespace(forward_first=False) %}
forward-zone:
name: "{{ domain }}"
forward-tls-upstream: yes
{% for dot in dots %}
forward-addr: {{ dot.server }}{% if dot.port %}@{{ dot.port }}{% endif %}{% if dot.verify %}#{{ dot.verify }}{% endif %}
+{% set domain_opts.forward_first = domain_opts.forward_first or dot.forward_first == '1' %}
{% endfor %}
+{% if domain_opts.forward_first %}
+ forward-first: yes
+{% endif %}
{% endfor %}
{% endif %}
{% endif %}