unbound: prevent dns rebinding check and DNSSEC validation on explicit forwarded domains

this is to adhere to the same logic as the domain overrides, since users may expect forwarded-to
servers to reply with a private address or in fact be a local controller, not setting this domain as either
private or insecure may break responses if either DNS rebinding checks (default) or DNSSEC are enabled.

ideally this should be seperate checks per entry in the future.

src/opnsense/service/templates/OPNsense/Unbound/core/private_domains.conf

@@ -1,13 +1,22 @@
-{% if not helpers.empty('OPNsense.unboundplus.domains.domain') %}
+{% if not helpers.empty('OPNsense.unboundplus.domains.domain') or not helpers.empty('OPNsense.unboundplus.dots.dot') %}
 # Set private domains in case authoritative name server returns a Private IP address
+{%   set domains = [] %}
 {%   for domain in helpers.toList('OPNsense.unboundplus.domains.domain') %}
 {%     if domain.enabled == '1' %}
-domain-insecure: "{{ domain.domain }}"
-{%       if domain.domain is regex_match('.+\.(in-addr|ip6)\.arpa\.?$') %}
-local-zone: {{ domain.domain }} typetransparent
-{%       elif not helpers.exists('system.webgui.nodnsrebindcheck') %}
-private-domain: "{{ domain.domain }}"
-{%       endif %}
+{%       do domains.append(domain.domain) %}
+{%     endif %}
+{%   endfor %}
+{%   for forward in helpers.toList('OPNsense.unboundplus.dots.dot') %}
+{%     if forward.enabled == '1' and forward.domain and forward.type == 'forward' %}
+{%       do domains.append(forward.domain) %}
+{%     endif %}
+{%   endfor %}
+{%   for domain in domains|unique %}
+domain-insecure: "{{ domain }}"
+{%     if domain is regex_match('.+\.(in-addr|ip6)\.arpa\.?$') %}
+local-zone: {{ domain }} typetransparent
+{%     elif not helpers.exists('system.webgui.nodnsrebindcheck') %}
+private-domain: "{{ domain }}"
 {%     endif %}
 {%   endfor %}
 {% endif %}