diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/private_domains.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/private_domains.conf
index 4c5fab18f..59b0170a2 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/private_domains.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/private_domains.conf
@@ -1,13 +1,22 @@
-{% if not helpers.empty('OPNsense.unboundplus.domains.domain') %}
+{% if not helpers.empty('OPNsense.unboundplus.domains.domain') or not helpers.empty('OPNsense.unboundplus.dots.dot') %}
 # Set private domains in case authoritative name server returns a Private IP address
+{%   set domains = [] %}
 {%   for domain in helpers.toList('OPNsense.unboundplus.domains.domain') %}
 {%     if domain.enabled == '1' %}
-domain-insecure: "{{ domain.domain }}"
-{%       if domain.domain is regex_match('.+\.(in-addr|ip6)\.arpa\.?$') %}
-local-zone: {{ domain.domain }} typetransparent
-{%       elif not helpers.exists('system.webgui.nodnsrebindcheck') %}
-private-domain: "{{ domain.domain }}"
-{%       endif %}
+{%       do domains.append(domain.domain) %}
+{%     endif %}
+{%   endfor %}
+{%   for forward in helpers.toList('OPNsense.unboundplus.dots.dot') %}
+{%     if forward.enabled == '1' and forward.domain and forward.type == 'forward' %}
+{%       do domains.append(forward.domain) %}
+{%     endif %}
+{%   endfor %}
+{%   for domain in domains|unique %}
+domain-insecure: "{{ domain }}"
+{%     if domain is regex_match('.+\.(in-addr|ip6)\.arpa\.?$') %}
+local-zone: {{ domain }} typetransparent
+{%     elif not helpers.exists('system.webgui.nodnsrebindcheck') %}
+private-domain: "{{ domain }}"
 {%     endif %}
 {%   endfor %}
 {% endif %}