From 405ee249fb663dab22d5c7c18fbe2ae6af9a4f6e Mon Sep 17 00:00:00 2001
From: Nigel Jones
Date: Tue, 4 Feb 2025 19:10:03 +0000
Subject: [PATCH] opnsense: Add support for forward-first when configuring forwarders (#8275)
Signed-off-by: Nigel Jones
---
 .../OPNsense/Unbound/forms/dialogDot.xml | 13 +++++++++++++
 .../mvc/app/models/OPNsense/Unbound/Unbound.xml | 4 ++++
 .../templates/OPNsense/Unbound/core/dot.conf | 12 ++++++++++--
 3 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
index 688ad6842..2d2f2ccec 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
@@ -47,6 +47,19 @@
 false
+
+ dot.forward_first
+
+ checkbox
+
+ If a forwarded query is met with a SERVFAIL error, and this option is enabled, Unbound will fall back to normal recursive resolution for this query as if no query forwarding had been specified. The fallback will only occur after a delay, so consider refining any server timeouts as needed. Please note this setting applies to the domain, so when multiple forwarders are defined for the same domain, all are assumed to use this setting.
+
+
+ boolean
+ boolean
+ false
+
+
 dot.verify
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
index 78172923e..8de2f963c 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
@@ -277,6 +277,10 @@
 0 Y
+
+ 0
+ Y
+
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
index 6e77ccaa1..02b879c51 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
@@ -23,17 +23,21 @@ server:
 # Forward zones
 {% for domain, forwards in all_forwards|groupby("domain", default=".") %}
-{% set domain_opts = namespace(forward_tcp_upstream=False) %}
+{% set domain_opts = namespace(forward_tcp_upstream=False, forward_first=False) %}
 forward-zone:
 name: "{{ domain }}"
 {% for forward in forwards %}
 forward-addr: {{ forward.server }}{% if forward.port %}@{{ forward.port }}{% endif %}
 {% set domain_opts.forward_tcp_upstream = domain_opts.forward_tcp_upstream or forward.forward_tcp_upstream == '1' %}
+{% set domain_opts.forward_first = domain_opts.forward_first or forward.forward_first == '1' %}
 {% endfor %}
 {% if domain_opts.forward_tcp_upstream %}
 forward-tcp-upstream: yes
 {% endif %}
+{% if domain_opts.forward_first %}
+ forward-first: yes
+{% endif %}
 {% endfor %}
 {% if all_dots|length > 0 %}
@@ -41,14 +45,18 @@ forward-zone:
 server:
 tls-cert-bundle: /usr/local/etc/ssl/cert.pem
 {% for domain, dots in all_dots|groupby("domain", default=".") %}
-
+{% set domain_opts = namespace(forward_first=False) %}
 forward-zone:
 name: "{{ domain }}"
 forward-tls-upstream: yes
 {% for dot in dots %}
 forward-addr: {{ dot.server }}{% if dot.port %}@{{ dot.port }}{% endif %}{% if dot.verify %}#{{ dot.verify }}{% endif %}
+{% set domain_opts.forward_first = domain_opts.forward_first or dot.forward_first == '1' %}
 {% endfor %}
+{% if domain_opts.forward_first %}
+ forward-first: yes
+{% endif %}
 {% endfor %}
 {% endif %}
 {% endif %}
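Review bot: The help text added for `dot.forward_first` does not say what the fallback path looks like for a DNS-over-TLS forwarder: as far as I can tell `forward-tls-upstream: yes` governs only the `forward-addr` servers of the zone, so once Unbound falls back to normal recursion the queries for that domain leave the resolver as ordinary DNS (unless the global `tls-upstream` option is set), which an operator who chose DoT for confidentiality may not expect from a single upstream SERVFAIL. Since this form is where the option is explained to the operator, the help text should state that trade-off, for example by appending `When used with DNS over TLS, fallback queries are resolved recursively and are not protected by TLS.` The same consideration applies to the `forward-first: yes` emitted in the `all_dots` section of the dot.conf template, where it is written directly beside `forward-tls-upstream: yes`.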
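Review bot: The `or` fold that promotes a per-forwarder checkbox to a zone-wide directive (`{% set domain_opts.forward_first = domain_opts.forward_first or forward.forward_first == '1' %}` in the first hunk and its `dot.forward_first` twin in the second) is explained only in the form help, not where it is implemented; a reader of the template sees a single forwarder's setting silently applied to every server in the zone. A one-line Jinja comment above each `namespace(...)` initialisation would document the intent at the point of use, e.g. `{# forward-first is a forward-zone directive, so any forwarder for the domain that enables it enables it for the whole zone #}`. Both hunks' enclosing `{% if %}` blocks start outside the hunk, so the comment placement should follow the existing indentation of those loops.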