From 6832fd75a0b41e376e80f287f8ad3cfe599ea3d1 Mon Sep 17 00:00:00 2001
From: Stephan de Wit <33954429+swhite2@users.noreply.github.com>
Date: Tue, 22 Mar 2022 13:38:26 +0100
Subject: [PATCH] unbound: implement custom forwarders over current dot setup
 (#5606)

This PR pulls query forwarding over the current dot setup, so visually nothing changes.

All API calls are redirected to new Forward functions, which slightly modifies what is returned based on whether "Query Forwarding" or "DNS over TLS" is selected from the menu. This way backwards compatibility is preserved.

As an addition, a user is now able to specify a specific domain for a forward zone as well. Meaning that queries for this specific domain will skip a catch-all (".") domain (if specified), and instead use the server specified for this domain.

Entering a forward zone with a catch-all domain (".") in both Query Forwading and DNS over TLS is considered a duplicate by Unbound, so a static warning for this has been attached in the grid - however, it might be possible for a user to be warned dynamically over this.
---
 plist                                         |   1 +
 .../Unbound/Api/SettingsController.php        | 108 ++++++++++++++++--
 .../OPNsense/Unbound/DotController.php        |   2 +
 .../OPNsense/Unbound/ForwardController.php    |  42 +++++++
 .../OPNsense/Unbound/forms/dialogDot.xml      |  14 ++-
 .../OPNsense/Unbound/forms/forwarding.xml     |  17 +++
 .../app/models/OPNsense/Unbound/Menu/Menu.xml |   3 +-
 .../OPNsense/Unbound/Migrations/M1_0_2.php    |  55 +++++++++
 .../app/models/OPNsense/Unbound/Unbound.xml   |  20 +++-
 .../mvc/app/views/OPNsense/Unbound/dot.volt   |  81 ++++++++++++-
 src/opnsense/scripts/system/nameservers.php   |  52 +++++++++
 .../conf/actions.d/actions_system.conf        |   6 +
 .../templates/OPNsense/Unbound/core/dot.conf  |  53 ++++++---
 src/www/services_unbound.php                  |  20 +---
 14 files changed, 425 insertions(+), 49 deletions(-)
 create mode 100755 src/opnsense/mvc/app/controllers/OPNsense/Unbound/ForwardController.php
 create mode 100755 src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/forwarding.xml
 create mode 100755 src/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_2.php
 create mode 100755 src/opnsense/scripts/system/nameservers.php

diff --git a/plist b/plist
index 116260f61..c11728b8c 100644
--- a/plist
+++ b/plist
@@ -574,6 +574,7 @@
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_0.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_1.php
+/usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_2.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
 /usr/local/opnsense/mvc/app/views/OPNsense/CaptivePortal/clients.volt
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php
index 4e6e26c97..4a2da8810 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/SettingsController.php
@@ -30,38 +30,126 @@
 namespace OPNsense\Unbound\Api;
 
 use OPNsense\Base\ApiMutableModelControllerBase;
+use OPNsense\Core\Backend;
+use OPNsense\Core\Config;
 
 class SettingsController extends ApiMutableModelControllerBase
 {
     protected static $internalModelClass = '\OPNsense\Unbound\Unbound';
     protected static $internalModelName = 'unbound';
 
-    public function searchDotAction()
-    {
-        return $this->searchBase('dots.dot', array('enabled', 'server', 'port', 'verify'));
+    private string $type = "dot";
+
+    public function toggleSystemForwardAction() {
+        if ($this->request->isPost() && $this->request->hasPost('forwarding')) {
+            $this->sessionClose();
+            Config::getInstance()->lock();
+            $config = Config::getInstance()->object();
+
+            $val = $this->request->getPost('forwarding')['enabled'];
+
+            /* Write to config exactly as legacy would */
+            $config->unbound->forwarding = !empty($val);
+            if ($val != "1") {
+                /* legacy uses isset() */
+                unset($config->unbound->forwarding);
+            }
+
+            /* save and release lock */
+            Config::getInstance()->save();
+        }
+
     }
 
-    public function getDotAction($uuid = null)
+    public function getSystemForwardAction() {
+        $config = Config::getInstance()->object();
+        return array("forwarding" =>
+            array( "enabled" =>
+                empty($config->unbound->forwarding) ? 0 : 1
+            )
+        );
+    }
+
+    public function getNameserversAction() {
+        if ($this->request->isGet()) {
+            $backend = new Backend();
+            $nameservers = json_decode(trim($backend->configdRun("system list nameservers")));
+
+            if ($nameservers !== null) {
+                $result = array();
+                $config = Config::getInstance()->object();
+                if (isset($config->system->dnsallowoverride)) {
+                    foreach ($nameservers->dynamic as $dynamic) {
+                        $result[] = $dynamic;
+                    }
+                }
+                foreach ($nameservers->static as $static) {
+                    $result[] = $static;
+                }
+
+                return $result;
+            }
+        }
+        return array("message" => "Unable to run configd action");
+    }
+
+    /*
+     * Catch all Dot API endpoints and redirect them to Forward for
+     * backwards compatibility and infer the type from the request.
+     * If no type is provided, default to dot.
+     */
+    public function __call($method, $args)
+    {
+        if (substr($method, -6) == 'Action') {
+            $fn = preg_replace('/Dot/', 'Forward', $method);
+            if (method_exists(get_class($this), $fn)) {
+                if (preg_match("/forward/i", $this->request->getHTTPReferer())) {
+                    $this->type = "forward";
+                }
+                return $this->$fn(...$args);
+            }
+        }
+    }
+
+    public function searchForwardAction()
+    {
+        $filter_fn = function ($record) {
+            return $record->type == $this->type;
+        };
+
+        return $this->searchBase(
+            'dots.dot',
+            array('enabled', 'server', 'port', 'verify', 'type', 'domain'),
+            null,
+            $filter_fn
+        );
+    }
+
+    public function getForwardAction($uuid = null)
     {
         return $this->getBase('dot', 'dots.dot', $uuid);
     }
 
-    public function addDotAction()
+    public function addForwardAction()
     {
-        return $this->addBase('dot', 'dots.dot');
+        return $this->addBase('dot', 'dots.dot',
+            [ "type" => $this->type ]
+        );
     }
 
-    public function delDotAction($uuid)
+    public function delForwardAction($uuid)
     {
         return $this->delBase('dots.dot', $uuid);
     }
 
-    public function setDotAction($uuid)
+    public function setForwardAction($uuid)
     {
-        return $this->setBase('dot', 'dots.dot', $uuid);
+        return $this->setBase('dot', 'dots.dot', $uuid,
+            [ "type" => $this->type ]
+        );
     }
 
-    public function toggleDotAction($uuid, $enabled = null)
+    public function toggleForwardAction($uuid, $enabled = null)
     {
         return $this->toggleBase('dots.dot', $uuid, $enabled);
     }
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/DotController.php b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/DotController.php
index 418564372..81d732619 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/DotController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/DotController.php
@@ -34,6 +34,8 @@ class DotController extends IndexController
 {
     public function indexAction()
     {
+        $this->view->selected_forward = "";
+        $this->view->forwardingForm = $this->getForm('forwarding');
         $this->view->formDialogEdit = $this->getForm('dialogDot');
         $this->view->pick('OPNsense/Unbound/dot');
     }
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/ForwardController.php b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/ForwardController.php
new file mode 100755
index 000000000..bdfbf365b
--- /dev/null
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/ForwardController.php
@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Unbound;
+
+use OPNsense\Base\IndexController;
+
+class ForwardController extends IndexController
+{
+    public function indexAction()
+    {
+        $this->view->selected_forward = "forward";
+        $this->view->forwardingForm = $this->getForm('forwarding');
+        $this->view->formDialogEdit = $this->getForm('dialogDot');
+        $this->view->pick('OPNsense/Unbound/dot');
+    }
+}
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
index 95f37a894..0dac22c94 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDot.xml
@@ -5,6 +5,15 @@
         <type>checkbox</type>
         <help>Enable or disable this server.</help>
     </field>
+    <field>
+        <id>dot.domain</id>
+        <label>Domain</label>
+        <type>text</type>
+        <help>
+            If a domain is entered here, queries for this specific domain will be forwarded to the specified server.
+            Leave blank to forward all queries to the specified server (default).
+        </help>
+    </field>
     <field>
         <id>dot.server</id>
         <label>Server IP</label>
@@ -21,6 +30,9 @@
         <id>dot.verify</id>
         <label>Verify CN</label>
         <type>text</type>
-        <help>Verify if CN in certificate matches this value.</help>
+        <help>
+            Verify if CN in certificate matches this value. Please note that if this field is omitted,
+            Unbound will not perform any certificate verification. Therefore, man-in-the-middle attacks are still possible.
+        </help>
     </field>
 </form>
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/forwarding.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/forwarding.xml
new file mode 100755
index 000000000..c30f41293
--- /dev/null
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/forwarding.xml
@@ -0,0 +1,17 @@
+<form>
+    <field>
+        <id>forwarding.enabled</id>
+        <label>Use System Nameservers</label>
+        <type>checkbox</type>
+        <style>forwarding-enabled</style>
+        <help>
+            The configured system nameservers will be used to forward queries to.
+            This will override any entry in the grid below.
+        </help>
+    </field>
+    <field>
+        <id>forwarding.info</id>
+        <type>info</type>
+        <label></label>
+    </field>
+</form>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml
index 8161bbda5..6c4af6003 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Menu/Menu.xml
@@ -8,7 +8,8 @@
                 <All url="/services_unbound_acls.php*" visibility="hidden"/>
             </ACL>
             <Blocklist order="50" url="/ui/unbound/dnsbl/index"/>
-            <Dot VisibleName="DNS over TLS" order="60" url="/ui/unbound/dot/index"/>
+            <Forward VisibleName="Query Forwarding" order="60" url="/ui/unbound/forward"/>
+            <Dot VisibleName="DNS over TLS" order="70" url="/ui/unbound/dot"/>
             <Statistics order="90" url="/ui/unbound/stats"/>
             <LogFile VisibleName="Log File" order="100" url="/ui/diagnostics/log/core/resolver"/>
         </Unbound>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_2.php b/src/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_2.php
new file mode 100755
index 000000000..3348612a2
--- /dev/null
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Migrations/M1_0_2.php
@@ -0,0 +1,55 @@
+<?php
+
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\Unbound\Migrations;
+
+use OPNsense\Base\BaseModelMigration;
+use OPNsense\Base\FieldTypes\BooleanField;
+use OPNsense\Base\FieldTypes\NetworkField;
+use OPNsense\Base\FieldTypes\PortField;
+use OPNsense\Core\Config;
+
+class M1_0_2 extends BaseModelMigration
+{
+    /**
+     * Migrate older models into shared model
+     * @param $model
+     */
+    public function run($model)
+    {
+        $config = Config::getInstance()->object();
+
+        $node = $config->OPNsense->unboundplus;
+
+        if (!empty($node->dots) && !empty($node->dots->dot)) {
+            foreach ($model->dots->dot->iterateItems() as $dot) {
+                $dot->type = "dot";
+            }
+        }
+    }
+}
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
index c8e171bca..74a093e8e 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/unboundplus</mount>
     <description>Unbound configuration</description>
-    <version>1.0.1</version>
+    <version>1.0.2</version>
     <items>
         <service_enabled type="LegacyLinkField">
             <Source>unbound.enable</Source>
@@ -56,12 +56,30 @@
                 <Required>N</Required>
             </whitelists>
         </dnsbl>
+        <forwarding>
+            <enabled type="LegacyLinkField">
+                <Source>unbound.forwarding</Source>
+            </enabled>
+        </forwarding>
         <dots>
             <dot type="ArrayField">
                 <enabled type="BooleanField">
                     <Required>Y</Required>
                     <default>1</default>
                 </enabled>
+                <type type="OptionField">
+                    <Required>Y</Required>
+                    <default>dot</default>
+                    <OptionValues>
+                        <dot>DNS over TLS</dot>
+                        <forward>Forward</forward>
+                    </OptionValues>
+                </type>
+                <domain type="TextField">
+                    <Required>N</Required>
+                    <mask>/^(?:(?:[a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])\.)*(?:[a-z0-9]|[a-z0-9][a-z0-9\-]*[a-z0-9])$/i</mask>
+                    <ValidationMessage>A valid domain must be specified.</ValidationMessage>
+                </domain>
                 <server type="NetworkField">
                     <Required>Y</Required>
                 </server>
diff --git a/src/opnsense/mvc/app/views/OPNsense/Unbound/dot.volt b/src/opnsense/mvc/app/views/OPNsense/Unbound/dot.volt
index ef2fb615c..7129ba867 100644
--- a/src/opnsense/mvc/app/views/OPNsense/Unbound/dot.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/Unbound/dot.volt
@@ -27,6 +27,49 @@
 <script>
 
     $( document ).ready(function() {
+        $('tr[id="row_forwarding.info"]').addClass('hidden');
+        /* Handle retrieval and saving of the single system forwarding checkbox */
+        let data_get_map = {'frm_ForwardingSettings':"/api/unbound/settings/getSystemForward"};
+        mapDataToFormUI(data_get_map).done(function(data) {
+            /* only called on page load */
+            if (data.frm_ForwardingSettings.forwarding.enabled) {
+                toggle_nameservers(true);
+            }
+        });
+
+        $(".forwarding-enabled").click(function() {
+            saveFormToEndpoint(url="/api/unbound/settings/toggleSystemForward", formid='frm_ForwardingSettings');
+
+            let checked = ($(this).is(':checked'));
+            toggle_nameservers(checked);
+        });
+
+        function toggle_nameservers(checked) {
+            if (checked) {
+                ajaxGet(url="/api/unbound/settings/getNameservers", {}, callback=function(data, status) {
+                    $('tr[id="row_forwarding.info"]').removeClass('hidden');
+                    if (data.length && !data.includes('')) {
+                        $('div[id="control_label_forwarding.info"]').append(
+                            "<span>{{ lang._('The following nameservers are used:') }}</span>"
+                        );
+                        $('span[id="forwarding.info"]').append(
+                            "<div><b>" + data.join(", ") + "</b></div>"
+                        );
+                    } else {
+                        $('div[id="control_label_forwarding.info"]').append(
+                            "<span>{{ lang._('There are no system nameservers configured. Please do so in ') }}<a href=\"/system_general.php\">System: General setup</a></span>"
+                        );
+                    }
+
+                });
+            } else {
+                $('tr[id="row_forwarding.info"]').addClass('hidden');
+                $('div[id="control_label_forwarding.info"]').children().not(':first').remove();
+                $('span[id="forwarding.info"]').children().remove();
+            }
+        }
+
+
         /**
          * inline open dialog, go back to previous page on exit
          */
@@ -61,12 +104,13 @@
             });
 
         }
+
         /*************************************************************************************************************
          * link grid actions
          *************************************************************************************************************/
 
         $("#grid-dot").UIBootgrid(
-                {   'search':'/api/unbound/settings/searchDot',
+                {   'search':'/api/unbound/settings/searchDot/',
                     'get':'/api/unbound/settings/getDot/',
                     'set':'/api/unbound/settings/setDot/',
                     'add':'/api/unbound/settings/addDot/',
@@ -75,6 +119,15 @@
                 }
         );
 
+        $("div.actionBar").parent().prepend($('<td id="heading-wrapper" class="col-sm-2 theading-text">{{ lang._('Custom forwarding') }}</div>'));
+
+        /* Hide/unhide verify field based on type */
+        if ("{{selected_forward}}" == "forward") {
+            $('tr[id="row_dot.verify"]').addClass('hidden');
+        } else {
+            $('tr[id="row_dot.verify"]').removeClass('hidden');
+        }
+
         {% if (selected_uuid|default("") != "") %}
             openDialog('{{selected_uuid}}');
         {% endif %}
@@ -93,19 +146,31 @@
 
 </script>
 
+<style>
+    .theading-text {
+        font-weight: 800;
+        font-style: bold;
+    }
+</style>
 
-<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs">
-    <li class="active"><a data-toggle="tab" href="#grid-dot">{{ lang._('Servers') }}</a></li>
-</ul>
-<div class="tab-content content-box">
+<div class="tab-content content-box col-xs-12 __mb">
+    {# include base forwarding form #}
+    {{ partial("layout_partials/base_form",['fields':forwardingForm,'id':'frm_ForwardingSettings'])}}
+</div>
+<ul class="nav nav-tabs" data-tabs="tabs" id="maintabs"></ul>
+<div class="tab-content content-box col-xs-12 __mb">
     <div id="dot" class="tab-pane fade in active">
         <table id="grid-dot" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="DialogEdit">
+            <tr>
             <thead>
             <tr>
                 <th data-column-id="enabled" data-width="6em" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
+                <th data-column-id="domain" data-type="string">{{ lang._('Domain') }}</th>
                 <th data-column-id="server" data-type="string">{{ lang._('Address') }}</th>
                 <th data-column-id="port" data-type="int">{{ lang._('Port') }}</th>
+                {% if (selected_forward|default("") == "") %}
                 <th data-column-id="verify" data-type="int">{{ lang._('Hostname') }}</th>
+                {% endif %}
                 <th data-column-id="commands" data-width="7em" data-formatter="commands" data-sortable="false">{{ lang._('Edit') }} | {{ lang._('Delete') }}</th>
                 <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
             </tr>
@@ -121,8 +186,14 @@
                 </td>
             </tr>
             </tfoot>
+            </tr>
         </table>
     </div>
+    <div id="infosection" class="tab-content col-xs-12 __mb">
+        {{ lang._('Please note that entries without a specific domain (and thus all domains) specified in both Custom Forwarding and DNS over TLS
+        are considered duplicates, DNS over TLS will be preferred. If "Use System Nameservers" is checked, Unbound will use the DNS servers entered
+        in System->Settings->General or those obtained via DHCP or PPP on WAN if the "Allow DNS server list to be overridden by DHCP/PPP on WAN" is checked.') }}
+    </div>
     <div class="col-md-12">
         <hr/>
         <button class="btn btn-primary" id="reconfigureAct"
diff --git a/src/opnsense/scripts/system/nameservers.php b/src/opnsense/scripts/system/nameservers.php
new file mode 100755
index 000000000..48bb61626
--- /dev/null
+++ b/src/opnsense/scripts/system/nameservers.php
@@ -0,0 +1,52 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ * Copyright (C) 2022 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once 'config.inc';
+require_once 'system.inc';
+require_once 'util.inc';
+
+use OPNsense\Core\Config;
+
+$config = Config::getInstance()->object();
+
+$result = array();
+
+/* get dynamic nameservers */
+foreach (get_nameservers() as $nameserver) {
+    $result["dynamic"][] = $nameserver;
+}
+
+/* get manually entered nameservers */
+foreach ($config->system->children() as $key => $node) {
+    if ($key == "dnsserver") {
+        $result["static"][] = (string)$node;
+    }
+}
+
+echo json_encode($result) . PHP_EOL;
diff --git a/src/opnsense/service/conf/actions.d/actions_system.conf b/src/opnsense/service/conf/actions.d/actions_system.conf
index 86c1d1d25..dc081ebb3 100644
--- a/src/opnsense/service/conf/actions.d/actions_system.conf
+++ b/src/opnsense/service/conf/actions.d/actions_system.conf
@@ -79,3 +79,9 @@ parameters:
 type:script
 message: ha_reconfigure_backup
 description: HA update and reconfigure backup
+
+[list.nameservers]
+command:/usr/local/opnsense/scripts/system/nameservers.php
+parameters:
+type:script_output
+message:list nameservers
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
index 56e8ef285..7ced40f1f 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/dot.conf
@@ -1,26 +1,53 @@
 {% if not helpers.empty('OPNsense.unboundplus.dots.dot') %}
-{%   set dots = [] %}
+{%   set all_dots = [] %}
+{%   set all_forwards = [] %}
 {%   set local = [] %}
-{%   for dot in helpers.toList('OPNsense.unboundplus.dots.dot') %}
-{%     if dot.enabled == '1' %}
-{%       if dot.server.startswith('127.') or dot.server == '::1' %}
-{%         do local.append('1') %}
+{%   set all = helpers.toList('OPNsense.unboundplus.dots.dot') %}
+{%   for type, dots in all|groupby("type") %}
+{%     for dot in dots %}
+{%       if dot.enabled == '1' %}
+{%         if dot.server.startswith('127.') or dot.server == '::1' %}
+{%           do local.append('1') %}
+{%         endif %}
+{%         if type == 'dot' %}
+{%           do all_dots.append(dot) %}
+{%         else %}
+{%           do all_forwards.append(dot) %}
+{%         endif %}
 {%       endif %}
-{%       do dots.append(dot) %}
-{%     endif %}
+{%     endfor %}
 {%   endfor %}
-{%   if dots|length > 0 %}
+{%   if local|length > 0 %}
+server:
+  do-not-query-localhost: no
+{%   endif %}
+
+{%   if all_forwards|length > 0 %}
+# Forward zones
+{%     for domain, forwards in all_forwards|groupby("domain", default=".") %}
+forward-zone:
+  name: "{{ domain }}"
+{%       for forward in forwards %}
+  forward-addr: {{ forward.server }}{% if forward.port %}@{{ forward.port }}{% endif %}
+
+{%       endfor %}
+{%     endfor %}
+{%   endif %}
+
+{%   if all_dots|length > 0 %}
+# Forward zones over TLS
 server:
   tls-cert-bundle: /etc/ssl/cert.pem
-{%     if local|length > 0 %}
-  do-not-query-localhost: no
-{%     endif %}
+{%     for domain, dots in all_dots|groupby("domain", default=".") %}
+
 forward-zone:
-  name: "."
+  name: "{{ domain }}"
   forward-tls-upstream: yes
-{%     for dot in dots %}
+{%       for dot in dots %}
   forward-addr: {{ dot.server }}{% if dot.port %}@{{ dot.port }}{% endif %}{% if dot.verify %}#{{ dot.verify }}{% endif %}
 
+{%       endfor %}
 {%     endfor %}
 {%   endif %}
 {% endif %}
+
diff --git a/src/www/services_unbound.php b/src/www/services_unbound.php
index a4e44d863..3f6b15075 100644
--- a/src/www/services_unbound.php
+++ b/src/www/services_unbound.php
@@ -43,7 +43,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig['enable_wpad'] = isset($a_unboundcfg['enable_wpad']);
     $pconfig['dnssec'] = isset($a_unboundcfg['dnssec']);
     $pconfig['dns64'] = isset($a_unboundcfg['dns64']);
-    $pconfig['forwarding'] = isset($a_unboundcfg['forwarding']);
     $pconfig['reglladdr6'] = empty($a_unboundcfg['noreglladdr6']);
     $pconfig['regdhcp'] = isset($a_unboundcfg['regdhcp']);
     $pconfig['regdhcpstatic'] = isset($a_unboundcfg['regdhcpstatic']);
@@ -117,7 +116,6 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             $a_unboundcfg['dnssec'] = !empty($pconfig['dnssec']);
             $a_unboundcfg['enable'] = !empty($pconfig['enable']);
             $a_unboundcfg['enable_wpad'] = !empty($pconfig['enable_wpad']);
-            $a_unboundcfg['forwarding'] = !empty($pconfig['forwarding']);
             $a_unboundcfg['noreglladdr6'] = empty($pconfig['reglladdr6']);
             $a_unboundcfg['regdhcp'] = !empty($pconfig['regdhcp']);
             $a_unboundcfg['regdhcpstatic'] = !empty($pconfig['regdhcpstatic']);
@@ -317,16 +315,6 @@ include_once("head.inc");
                           </div>
                         </td>
                       </tr>
-                      <tr>
-                        <td><a id="help_for_forwarding" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("DNS Query Forwarding");?></td>
-                        <td>
-                          <input name="forwarding" type="checkbox" value="yes" <?=!empty($pconfig['forwarding']) ? 'checked="checked"' : '';?> />
-                          <?= gettext('Enable Forwarding Mode') ?>
-                          <div class="hidden" data-for="help_for_forwarding">
-                            <?= gettext('The configured system nameservers will be used to forward queries to.') ?>
-                          </div>
-                        </td>
-                      </tr>
                       <tr>
                         <td><a id="help_for_local_zone_type" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Local Zone Type"); ?></td>
                         <td>
@@ -379,14 +367,10 @@ include_once("head.inc");
                       </tr>
                       <tr>
                         <td colspan="2">
-                          <?= sprintf(gettext('If Unbound is enabled, the DHCP'.
+                          <?= gettext('If Unbound is enabled, the DHCP'.
                           ' service (if enabled) will automatically serve the LAN IP'.
                           ' address as a DNS server to DHCP clients so they will use'.
-                          ' Unbound resolver. If forwarding is enabled, Unbound'.
-                          ' will use the DNS servers entered in %sSystem: General setup%s'.
-                          ' or those obtained via DHCP or PPP on WAN if the "Allow'.
-                          ' DNS server list to be overridden by DHCP/PPP on WAN"'.
-                          ' is checked.'),'<a href="system_general.php">','</a>');?>
+                          ' Unbound resolver.');?>
                         </td>
                       </tr>
                     </tbody>