From f3efe39f7b7e182bb77a7dd3a371fe4c5c054585 Mon Sep 17 00:00:00 2001
From: Stephan
Date: Thu, 18 Aug 2022 09:25:25 +0200
Subject: [PATCH] unbound: prevent dns rebinding check and DNSSEC validation on explicit forwarded domains

this is to adhere to the same logic as the domain overrides, since users may expect forwarded-to servers to reply with a private address or in fact be a local controller, not setting this domain as either private or insecure may break responses if either DNS rebinding checks (default) or DNSSEC are enabled. ideally this should be seperate checks per entry in the future.
---
 .../Unbound/core/private_domains.conf | 23 +++++++++++++------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/opnsense/service/templates/OPNsense/Unbound/core/private_domains.conf b/src/opnsense/service/templates/OPNsense/Unbound/core/private_domains.conf
index 4c5fab18f..59b0170a2 100644
--- a/src/opnsense/service/templates/OPNsense/Unbound/core/private_domains.conf
+++ b/src/opnsense/service/templates/OPNsense/Unbound/core/private_domains.conf
@@ -1,13 +1,22 @@
-{% if not helpers.empty('OPNsense.unboundplus.domains.domain') %}
+{% if not helpers.empty('OPNsense.unboundplus.domains.domain') or not helpers.empty('OPNsense.unboundplus.dots.dot') %}
 # Set private domains in case authoritative name server returns a Private IP address
+{% set domains = [] %}
 {% for domain in helpers.toList('OPNsense.unboundplus.domains.domain') %}
 {% if domain.enabled == '1' %}
-domain-insecure: "{{ domain.domain }}"
-{% if domain.domain is regex_match('.+\.(in-addr|ip6)\.arpa\.?$') %}
-local-zone: {{ domain.domain }} typetransparent
-{% elif not helpers.exists('system.webgui.nodnsrebindcheck') %}
-private-domain: "{{ domain.domain }}"
-{% endif %}
+{% do domains.append(domain.domain) %}
+{% endif %}
+{% endfor %}
+{% for forward in helpers.toList('OPNsense.unboundplus.dots.dot') %}
+{% if forward.enabled == '1' and forward.domain and forward.type == 'forward' %}
+{% do domains.append(forward.domain) %}
+{% endif %}
+{% endfor %}
+{% for domain in domains|unique %}
+domain-insecure: "{{ domain }}"
+{% if domain is regex_match('.+\.(in-addr|ip6)\.arpa\.?$') %}
+local-zone: {{ domain }} typetransparent
+{% elif not helpers.exists('system.webgui.nodnsrebindcheck') %}
+private-domain: "{{ domain }}"
 {% endif %}
 {% endfor %}
 {% endif %}
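Review bot: The `domain-insecure: "{{ domain }}"` line in the merged loop now switches DNSSEC validation off for every enabled `forward`-type entry and its whole subtree, not only for forwards that point at a local controller, so a forward to a public validating resolver also loses validation and, combined with the `private-domain:` line, an answer for that zone carrying an RFC 1918 address is accepted without either protection; the commit message itself notes this should become a per-entry choice. Until such a flag exists the template comment should state the trade-off, since the existing `# Set private domains in case authoritative name server returns a Private IP address` no longer covers the forwarded case, e.g. `# Forwarded domains are also listed here: DNSSEC validation and the rebind check are disabled for them and all their subdomains`. The `.arpa` test is case-sensitive, so an entry such as `10.IN-ADDR.ARPA` would fall through to `private-domain:` instead of `local-zone: ... typetransparent`; if the `regex_match` filter accepts inline flags, `(?i).+\.(in-addr|ip6)\.arpa\.?$` closes that gap. `forward.domain` is interpolated unescaped inside the quoted unbound directives, and whether the model validator rejects quotes or whitespace in that field is not visible in this hunk.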