diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDomainOverride.xml b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDomainOverride.xml
index b86ff52d3..3bf3198ed 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDomainOverride.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Unbound/forms/dialogDomainOverride.xml
@@ -24,6 +24,17 @@
append an '@' with the port number.
+
+ domain.forward_tcp_upstream
+
+ checkbox
+ true
+
+ Upstream queries use TCP only for transport regardless of global flag tcp-upstream.
+ Please note this setting applies to the domain, so when multiple forwarders are defined for the same domaine,
+ all are assumed to use tcp only.
+
+ domain.description
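Review bot: The added help text misspells "domain" as `domaine`, and this text is the only place an administrator learns that the checkbox acts on the whole forward zone rather than on the single row being edited. Suggested wording for the last two help lines: `Please note this setting applies to the domain, so when multiple forwarders are defined for the same domain, all of them use TCP only.`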
diff --git a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
index 33e867232..0103f34da 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
@@ -1,7 +1,7 @@
//OPNsense/unboundplusUnbound configuration
- 1.0.5
+ 1.0.6
@@ -445,6 +445,10 @@
YA valid IP must be specified.
+
+ 0
+ Y
+ N/^(.){1,255}$/u
diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/domainoverrides.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/domainoverrides.conf
index 088b231be..9c6e904d1 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/domainoverrides.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/domainoverrides.conf
@@ -1,17 +1,23 @@
{% if not helpers.empty('OPNsense.unboundplus.domains.domain') %}
-{% set forwardlocal = namespace(found=false) %}
-{% set prev_domain = namespace(name='') %}
+{% set forwardlocal = namespace(found=False) %}
+{% set domain_opts = namespace(forward_tcp_upstream=False) %}
{% for domain in helpers.toList('OPNsense.unboundplus.domains.domain', 'domain') %}
{% if domain.enabled == '1' %}
-{% if prev_domain.name != domain.domain %}
+{% if not loop.previtem or loop.previtem.domain != domain.domain %}
+{% set domain_opts.forward_tcp_upstream = False %}
forward-zone:
name: "{{ domain.domain }}"
-{% set prev_domain.name = domain.domain %}
{% if domain.server.startswith('127.') or domain.server == '::1' %}
-{% set forwardlocal.found = true %}
+{% set forwardlocal.found = True %}
{% endif %}
+{% set domain_opts.forward_tcp_upstream = domain_opts.forward_tcp_upstream or domain.forward_tcp_upstream == '1' %}
{% endif %}
forward-addr: {{ domain.server }}
+{% if not loop.nextitem or loop.nextitem.domain != domain.domain %}
+{% if domain_opts.forward_tcp_upstream %}
+ forward-tcp-upstream: yes
+{% endif %}
+{% endif %}
{% endif %}
{% endfor %}
{% if forwardlocal.found %}
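Review bot: The accumulation `{% set domain_opts.forward_tcp_upstream = domain_opts.forward_tcp_upstream or domain.forward_tcp_upstream == '1' %}` sits inside the first-row block, before the `{% endif %}` that closes the `loop.previtem` test, so only the first forwarder row of a zone is consulted. A TCP-only checkbox set on a later row is silently dropped and that zone stays on UDP; moving the line below that `{% endif %}` makes it run for every row. Separately, `loop.previtem` and `loop.nextitem` also see disabled rows, unlike the removed `prev_domain` tracker. A disabled row ahead of the first enabled row of the same domain suppresses the `forward-zone:` header, so the `forward-addr:` line lands in the preceding zone or outside any zone, and a disabled row after the last enabled one suppresses `forward-tcp-upstream: yes`. Filtering in the loop header, `{% for domain in helpers.toList('OPNsense.unboundplus.domains.domain', 'domain') if domain.enabled == '1' %}`, should keep both lookups on enabled rows only; the template continues past the end of this hunk.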