diff --git a/plist b/plist
index 116260f61..c11728b8c 100644
--- a/plist
+++ b/plist
@@ -574,6 +574,7 @@
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_0.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_1.php
+/usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_2.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
 /usr/local/opnsense/mvc/app/views/OPNsense/CaptivePortal/clients.volt
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php
index 4e6e26c97..4a2da8810 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php
@@ -30,38 +30,126 @@
 namespace OPNsense\Unbound\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
 
 class SettingsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelClass = '\OPNsense\Unbound\Unbound';
     protected static $internalModelName = 'unbound';
 
-    public function searchDotAction()
-    {
-        return $this->searchBase('dots.dot', array('enabled', 'server', 'port', 'verify'));
+    private string $type = "dot";
+
+    public function toggleSystemForwardAction() {
+        if ($this->request->isPost() && $this->request->hasPost('forwarding')) {
+            $this->sessionClose();
+            Config::getInstance()->lock();
+            $config = Config::getInstance()->object();
+
+            $val = $this->request->getPost('forwarding')['enabled'];
+
+            /* Write to config exactly as legacy would */
+            $config->unbound->forwarding = !empty($val);
+            if ($val != "1") {
+                /* legacy uses isset() */
+                unset($config->unbound->forwarding);
+            }
+
+            /* save and release lock */
+            Config::getInstance()->save();
+        }
+
     }
 
-    public function getDotAction($uuid = null)
+    public function getSystemForwardAction() {
+        $config = Config::getInstance()->object();
+        return array("forwarding" =>
+            array( "enabled" =>
+                empty($config->unbound->forwarding) ? 0 : 1
+            )
+        );
+    }
+
+    public function getNameserversAction() {
+        if ($this->request->isGet()) {
+            $backend = new Backend();
+            $nameservers = json_decode(trim($backend->configdRun("system list nameservers")));
+
+            if ($nameservers !== null) {
+                $result = array();
+                $config = Config::getInstance()->object();
+                if (isset($config->system->dnsallowoverride)) {
+                    foreach ($nameservers->dynamic as $dynamic) {
+                        $result[] = $dynamic;
+                    }
+                }
+                foreach ($nameservers->static as $static) {
+                    $result[] = $static;
+                }
+
+                return $result;
+            }
+        }
+        return array("message" => "Unable to run configd action");
+    }
+
+    /*
+     * Catch all Dot API endpoints and redirect them to Forward for
+     * backwards compatibility and infer the type from the request.
+     * If no type is provided, default to dot.
+     */
+    public function __call($method, $args)
+    {
+        if (substr($method, -6) == 'Action') {
+            $fn = preg_replace('/Dot/', 'Forward', $method);
+            if (method_exists(get_class($this), $fn)) {
+                if (preg_match("/forward/i", $this->request->getHTTPReferer())) {
+                    $this->type = "forward";
+                }
+                return $this->$fn(...$args);
+            }
+        }
+    }
+
+    public function searchForwardAction()
+    {
+        $filter_fn = function ($record) {
+            return $record->type == $this->type;
+        };
+
+        return $this->searchBase(
+            'dots.dot',
+            array('enabled', 'server', 'port', 'verify', 'type', 'domain'),
+            null,
+            $filter_fn
+        );
+    }
+
+    public function getForwardAction($uuid = null)
     {
         return $this->getBase('dot', 'dots.dot', $uuid);
     }
 
-    public function addDotAction()
+    public function addForwardAction()
     {
-        return $this->addBase('dot', 'dots.dot');
+        return $this->addBase('dot', 'dots.dot',
+            [ "type" => $this->type ]
+        );
     }
 
-    public function delDotAction($uuid)
+    public function delForwardAction($uuid)
     {
         return $this->delBase('dots.dot', $uuid);
     }
 
-    public function setDotAction($uuid)
+    public function setForwardAction($uuid)
     {
-        return $this->setBase('dot', 'dots.dot', $uuid);
+        return $this->setBase('dot', 'dots.dot', $uuid,
+            [ "type" => $this->type ]
+        );
     }
 
-    public function toggleDotAction($uuid, $enabled = null)
+    public function toggleForwardAction($uuid, $enabled = null)
     {
         return $this->toggleBase('dots.dot', $uuid, $enabled);
     }
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/DotController.php b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/DotController.php
index 418564372..81d732619 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/DotController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/DotController.php
@@ -34,6 +34,8 @@ class DotController extends IndexController
 {
     public function indexAction()
     {
+        $this->view->selected_forward = "";
+        $this->view->forwardingForm = $this->getForm('forwarding');
         $this->view->formDialogEdit = $this->getForm('dialogDot');
         $this->view->pick('OPNsense/Unbound/dot');
     }
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/ForwardController.php b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/ForwardController.php
new file mode 100755
index 000000000..bdfbf365b
--- /dev/null
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/ForwardController.php
@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Unbound;
+
+use OPNsense\Base\IndexController;
+
+class ForwardController extends IndexController
+{
+    public function indexAction()
+    {
+        $this->view->selected_forward = "forward";
+        $this->view->forwardingForm = $this->getForm('forwarding');
+        $this->view->formDialogEdit = $this->getForm('dialogDot');
+        $this->view->pick('OPNsense/Unbound/dot');
+    }
+}
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
index 95f37a894..0dac22c94 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
@@ -5,6 +5,15 @@
         <type>checkbox</type>
         <help>Enable or disable this server.</help>
     </field>
+    <field>
+        <id>dot.domain</id>
+        <label>Domain</label>
+        <type>text</type>
+        <help>
+            If a domain is entered here, queries for this specific domain will be forwarded to the specified server.
+            Leave blank to forward all queries to the specified server (default).
+        </help>
+    </field>
     <field>
         <id>dot.server</id>
         <label>Server IP</label>
@@ -21,6 +30,9 @@
         <id>dot.verify</id>
         <label>Verify CN</label>
         <type>text</type>
-        <help>Verify if CN in certificate matches this value.</help>
+        <help>
+            Verify if CN in certificate matches this value. Please note that if this field is omitted,
+            Unbound will not perform any certificate verification. Therefore, man-in-the-middle attacks are still possible.
+        </help>
     </field>
 </form>
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/forwarding.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/forwarding.xml
new file mode 100755
index 000000000..c30f41293
--- /dev/null
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/forwarding.xml
@@ -0,0 +1,17 @@
+<form>
+    <field>
+        <id>forwarding.enabled</id>
+        <label>Use System Nameservers</label>
+        <type>checkbox</type>
+        <style>forwarding-enabled</style>
+        <help>
+            The configured system nameservers will be used to forward queries to.
+            This will override any entry in the grid below.
+        </help>
+    </field>
+    <field>
+        <id>forwarding.info</id>
+        <type>info</type>
+        <label></label>
+    </field>
+</form>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml
index 8161bbda5..6c4af6003 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml
@@ -8,7 +8,8 @@
                 <All url="/services_unbound_acls.php*" visibility="hidden"/>
             </ACL>
             <Blocklist order="50" url="/ui/unbound/dnsbl/index"/>
-            <Dot VisibleName="DNS over TLS" order="60" url="/ui/unbound/dot/index"/>
+            <Forward VisibleName="Query Forwarding" order="60" url="/ui/unbound/forward"/>
+            <Dot VisibleName="DNS over TLS" order="70" url="/ui/unbound/dot"/>
             <Statistics order="90" url="/ui/unbound/stats"/>
             <LogFile VisibleName="Log File" order="100" url="/ui/diagnostics/log/core/resolver"/>
         </Unbound>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_2.php b/src/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_2.php
new file mode 100755
index 000000000..3348612a2
--- /dev/null
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_2.php
@@ -0,0 +1,55 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Unbound\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+use OPNsense\Base\FieldTypes\BooleanField;
+use OPNsense\Base\FieldTypes\NetworkField;
+use OPNsense\Base\FieldTypes\PortField;
+use OPNsense\Core\Config;
+
+class M1_0_2 extends BaseModelMigration
+{
+    /**
+     * Migrate older models into shared model
+     * @param $model
+     */
+    public function run($model)
+    {
+        $config = Config::getInstance()->object();
+
+        $node = $config->OPNsense->unboundplus;
+
+        if (!empty($node->dots) && !empty($node->dots->dot)) {
+            foreach ($model->dots->dot->iterateItems() as $dot) {
+                $dot->type = "dot";
+            }
+        }
+    }
+}
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
index c8e171bca..74a093e8e 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/unboundplus</mount>
     <description>Unbound configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <service_enabled type="LegacyLinkField">
             <Source>unbound.enable</Source>
@@ -56,12 +56,30 @@
                 <Required>N</Required>
             </whitelists>
         </dnsbl>
+        <forwarding>
+            <enabled type="LegacyLinkField">
+                <Source>unbound.forwarding</Source>
+            </enabled>
+        </forwarding>
         <dots>
             <dot type="ArrayField">
                 <enabled type="BooleanField">
                     <Required>Y</Required>
                     <default>1</default>
                 </enabled>
+                <type type="OptionField">
+                    <Required>Y</Required>
+                    <default>dot</default>
+                    <OptionValues>
+                        <dot>DNS over TLS</dot>
+                        <forward>Forward</forward>
+                    </OptionValues>
+                </type>
+                <domain type="TextField">
+                    <Required>N</Required>
+                    <mask>/^(?:(?:[a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])$/i</mask>
+                    <ValidationMessage>A valid domain must be specified.</ValidationMessage>
+                </domain>
                 <server type="NetworkField">
                     <Required>Y</Required>
                 </server>
diff --git a/src/opnsense/mvc/app/views/OPNsense/Unbound/dot.volt b/src/opnsense/mvc/app/views/OPNsense/Unbound/dot.volt
index ef2fb615c..7129ba867 100644
--- a/src/opnsense/mvc/app/views/OPNsense/Unbound/dot.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/Unbound/dot.volt
@@ -27,6 +27,49 @@
 <script>
 
     $( document ).ready(function() {
+        $('tr[id="row_forwarding.info"]').addClass('hidden');
+        /* Handle retrieval and saving of the single system forwarding checkbox */
+        let data_get_map = {'frm_ForwardingSettings':"/api/unbound/settings/getSystemForward"};
+        mapDataToFormUI(data_get_map).done(function(data) {
+            /* only called on page load */
+            if (data.frm_ForwardingSettings.forwarding.enabled) {
+                toggle_nameservers(true);
+            }
+        });
+
+        $(".forwarding-enabled").click(function() {
+            saveFormToEndpoint(url="/api/unbound/settings/toggleSystemForward", formid='frm_ForwardingSettings');
+
+            let checked = ($(this).is(':checked'));
+            toggle_nameservers(checked);
+        });
+
+        function toggle_nameservers(checked) {
+            if (checked) {
+                ajaxGet(url="/api/unbound/settings/getNameservers", {}, callback=function(data, status) {
+                    $('tr[id="row_forwarding.info"]').removeClass('hidden');
+                    if (data.length && !data.includes('')) {
+                        $('div[id="control_label_forwarding.info"]').append(
+                            "<span>{{ lang._('The following nameservers are used:') }}</span>"
+                        );
+                        $('span[id="forwarding.info"]').append(
+                            "<div><b>" + data.join(", ") + "</b></div>"
+                        );
+                    } else {
+                        $('div[id="control_label_forwarding.info"]').append(
+                            "<span>{{ lang._('There are no system nameservers configured. Please do so in ') }}<a href=\"/system_general.php\">System: General setup</a></span>"
+                        );
+                    }
+
+                });
+            } else {
+                $('tr[id="row_forwarding.info"]').addClass('hidden');
+                $('div[id="control_label_forwarding.info"]').children().not(':first').remove();
+                $('span[id="forwarding.info"]').children().remove();
+            }
+        }
+
+
         /**
          * inline open dialog, go back to previous page on exit
          */
@@ -61,12 +104,13 @@
             });
 
         }
+
         /*************************************************************************************************************
          * link grid actions
          *************************************************************************************************************/
 
         $("#grid-dot").UIBootgrid(
-                {   'search':'/api/unbound/settings/searchDot',
+                {   'search':'/api/unbound/settings/searchDot/',
                     'get':'/api/unbound/settings/getDot/',
                     'set':'/api/unbound/settings/setDot/',
                     'add':'/api/unbound/settings/addDot/',
@@ -75,6 +119,15 @@
                 }
         );
 
+        $("div.actionBar").parent().prepend($('<td id="heading-wrapper" class="col-sm-2 theading-text">{{ lang._('Custom forwarding') }}</div>'));
+
+        /* Hide/unhide verify field based on type */
+        if ("{{selected_forward}}" == "forward") {
+            $('tr[id="row_dot.verify"]').addClass('hidden');
+        } else {
+            $('tr[id="row_dot.verify"]').removeClass('hidden');
+        }
+
         {% if (selected_uuid|default("") != "") %}
             openDialog('{{selected_uuid}}');
         {% endif %}
@@ -93,19 +146,31 @@
 
 </script>
 
+<style>
+    .theading-text {
+        font-weight: 800;
+        font-style: bold;
+    }
+</style>
 
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#grid-dot">{{ lang._('Servers') }}</a></li>
-</ul>
-<div class="tab-content content-box">
+<div class="tab-content content-box col-xs-12 __mb">
+    {# include base forwarding form #}
+    {{ partial("layout_partials/base_form",['fields':forwardingForm,'id':'frm_ForwardingSettings'])}}
+</div>
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs"></ul>
+<div class="tab-content content-box col-xs-12 __mb">
     <div id="dot" class="tab-pane fade in active">
         <table id="grid-dot" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEdit">
+            <tr>
             <thead>
             <tr>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="domain" data-type="string">{{ lang._('Domain') }}</th>
                 <th data-column-id="server" data-type="string">{{ lang._('Address') }}</th>
                 <th data-column-id="port" data-type="int">{{ lang._('Port') }}</th>
+                {% if (selected_forward|default("") == "") %}
                 <th data-column-id="verify" data-type="int">{{ lang._('Hostname') }}</th>
+                {% endif %}
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Edit') }} | {{ lang._('Delete') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
             </tr>
@@ -121,8 +186,14 @@
                 </td>
             </tr>
             </tfoot>
+            </tr>
         </table>
     </div>
+    <div id="infosection" class="tab-content col-xs-12 __mb">
+        {{ lang._('Please note that entries without a specific domain (and thus all domains) specified in both Custom Forwarding and DNS over TLS
+        are considered duplicates, DNS over TLS will be preferred. If "Use System Nameservers" is checked, Unbound will use the DNS servers entered
+        in System->Settings->General or those obtained via DHCP or PPP on WAN if the "Allow DNS server list to be overridden by DHCP/PPP on WAN" is checked.') }}
+    </div>
     <div class="col-md-12">
         <hr/>
         <button class="btn btn-primary" id="reconfigureAct"
diff --git a/src/opnsense/scripts/system/nameservers.php b/src/opnsense/scripts/system/nameservers.php
new file mode 100755
index 000000000..48bb61626
--- /dev/null
+++ b/src/opnsense/scripts/system/nameservers.php
@@ -0,0 +1,52 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once 'config.inc';
+require_once 'system.inc';
+require_once 'util.inc';
+
+use OPNsense\Core\Config;
+
+$config = Config::getInstance()->object();
+
+$result = array();
+
+/* get dynamic nameservers */
+foreach (get_nameservers() as $nameserver) {
+    $result["dynamic"][] = $nameserver;
+}
+
+/* get manually entered nameservers */
+foreach ($config->system->children() as $key => $node) {
+    if ($key == "dnsserver") {
+        $result["static"][] = (string)$node;
+    }
+}
+
+echo json_encode($result) . PHP_EOL;
diff --git a/src/opnsense/service/conf/actions.d/actions_system.conf b/src/opnsense/service/conf/actions.d/actions_system.conf
index 86c1d1d25..dc081ebb3 100644
--- a/src/opnsense/service/conf/actions.d/actions_system.conf
+++ b/src/opnsense/service/conf/actions.d/actions_system.conf
@@ -79,3 +79,9 @@ parameters:
 type:script
 message: ha_reconfigure_backup
 description: HA update and reconfigure backup
+
+[list.nameservers]
+command:/usr/local/opnsense/scripts/system/nameservers.php
+parameters:
+type:script_output
+message:list nameservers
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
index 56e8ef285..7ced40f1f 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
@@ -1,26 +1,53 @@
 {% if not helpers.empty('OPNsense.unboundplus.dots.dot') %}
-{%   set dots = [] %}
+{%   set all_dots = [] %}
+{%   set all_forwards = [] %}
 {%   set local = [] %}
-{%   for dot in helpers.toList('OPNsense.unboundplus.dots.dot') %}
-{%     if dot.enabled == '1' %}
-{%       if dot.server.startswith('127.') or dot.server == '::1' %}
-{%         do local.append('1') %}
+{%   set all = helpers.toList('OPNsense.unboundplus.dots.dot') %}
+{%   for type, dots in all|groupby("type") %}
+{%     for dot in dots %}
+{%       if dot.enabled == '1' %}
+{%         if dot.server.startswith('127.') or dot.server == '::1' %}
+{%           do local.append('1') %}
+{%         endif %}
+{%         if type == 'dot' %}
+{%           do all_dots.append(dot) %}
+{%         else %}
+{%           do all_forwards.append(dot) %}
+{%         endif %}
 {%       endif %}
-{%       do dots.append(dot) %}
-{%     endif %}
+{%     endfor %}
 {%   endfor %}
-{%   if dots|length > 0 %}
+{%   if local|length > 0 %}
+server:
+  do-not-query-localhost: no
+{%   endif %}
+
+{%   if all_forwards|length > 0 %}
+# Forward zones
+{%     for domain, forwards in all_forwards|groupby("domain", default=".") %}
+forward-zone:
+  name: "{{ domain }}"
+{%       for forward in forwards %}
+  forward-addr: {{ forward.server }}{% if forward.port %}@{{ forward.port }}{% endif %}
+
+{%       endfor %}
+{%     endfor %}
+{%   endif %}
+
+{%   if all_dots|length > 0 %}
+# Forward zones over TLS
 server:
   tls-cert-bundle: /etc/ssl/cert.pem
-{%     if local|length > 0 %}
-  do-not-query-localhost: no
-{%     endif %}
+{%     for domain, dots in all_dots|groupby("domain", default=".") %}
+
 forward-zone:
-  name: "."
+  name: "{{ domain }}"
   forward-tls-upstream: yes
-{%     for dot in dots %}
+{%       for dot in dots %}
   forward-addr: {{ dot.server }}{% if dot.port %}@{{ dot.port }}{% endif %}{% if dot.verify %}#{{ dot.verify }}{% endif %}
 
+{%       endfor %}
 {%     endfor %}
 {%   endif %}
 {% endif %}
+
diff --git a/src/www/services_unbound.php b/src/www/services_unbound.php
index a4e44d863..3f6b15075 100644
--- a/src/www/services_unbound.php
+++ b/src/www/services_unbound.php
@@ -43,7 +43,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig['enable_wpad'] = isset($a_unboundcfg['enable_wpad']);
     $pconfig['dnssec'] = isset($a_unboundcfg['dnssec']);
     $pconfig['dns64'] = isset($a_unboundcfg['dns64']);
-    $pconfig['forwarding'] = isset($a_unboundcfg['forwarding']);
     $pconfig['reglladdr6'] = empty($a_unboundcfg['noreglladdr6']);
     $pconfig['regdhcp'] = isset($a_unboundcfg['regdhcp']);
     $pconfig['regdhcpstatic'] = isset($a_unboundcfg['regdhcpstatic']);
@@ -117,7 +116,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             $a_unboundcfg['dnssec'] = !empty($pconfig['dnssec']);
             $a_unboundcfg['enable'] = !empty($pconfig['enable']);
             $a_unboundcfg['enable_wpad'] = !empty($pconfig['enable_wpad']);
-            $a_unboundcfg['forwarding'] = !empty($pconfig['forwarding']);
             $a_unboundcfg['noreglladdr6'] = empty($pconfig['reglladdr6']);
             $a_unboundcfg['regdhcp'] = !empty($pconfig['regdhcp']);
             $a_unboundcfg['regdhcpstatic'] = !empty($pconfig['regdhcpstatic']);
@@ -317,16 +315,6 @@ include_once("head.inc");
                           </div>
                         </td>
                       </tr>
-                      <tr>
-                        <td><a id="help_for_forwarding" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("DNS Query Forwarding");?></td>
-                        <td>
-                          <input name="forwarding" type="checkbox" value="yes" <?=!empty($pconfig['forwarding']) ? 'checked="checked"' : '';?> />
-                          <?= gettext('Enable Forwarding Mode') ?>
-                          <div class="hidden" data-for="help_for_forwarding">
-                            <?= gettext('The configured system nameservers will be used to forward queries to.') ?>
-                          </div>
-                        </td>
-                      </tr>
                       <tr>
                         <td><a id="help_for_local_zone_type" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Local Zone Type"); ?></td>
                         <td>
@@ -379,14 +367,10 @@ include_once("head.inc");
                       </tr>
                       <tr>
                         <td colspan="2">
-                          <?= sprintf(gettext('If Unbound is enabled, the DHCP'.
+                          <?= gettext('If Unbound is enabled, the DHCP'.
                           ' service (if enabled) will automatically serve the LAN IP'.
                           ' address as a DNS server to DHCP clients so they will use'.
-                          ' Unbound resolver. If forwarding is enabled, Unbound'.
-                          ' will use the DNS servers entered in %sSystem: General setup%s'.
-                          ' or those obtained via DHCP or PPP on WAN if the "Allow'.
-                          ' DNS server list to be overridden by DHCP/PPP on WAN"'.
-                          ' is checked.'),'<a href="system_general.php">','</a>');?>
+                          ' Unbound resolver.');?>
                         </td>
                       </tr>
                     </tbody>