From f6810e61ac12399ced2557926b6f835bf62a7f31 Mon Sep 17 00:00:00 2001 From: benyamin-codez <115509179+benyamin-codez@users.noreply.github.com> Date: Fri, 15 Aug 2025 16:45:03 +1000 Subject: [PATCH] dns/bind: Added options to control recursion Adds options to control recursion: 1. Adds an option to explicitly enable recursion, when unchecked sets recursion=no 2. Adds an option for allow-query-cache, which effectively controls recursion 3. Updated help and reformatted Signed-off-by: benyamin-codez <115509179+benyamin-codez@users.noreply.github.com> --- .../OPNsense/Bind/forms/general.xml | 21 +++++++++++++++++-- .../mvc/app/models/OPNsense/Bind/General.xml | 17 ++++++++++++++- .../templates/OPNsense/Bind/named.conf | 14 ++++++++++++- 3 files changed, 48 insertions(+), 4 deletions(-) diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml index 23e9c9202..f0ac7ead0 100644 --- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml +++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml 
@@ -109,10 +109,27 @@ How much memory in percent the cache can use from the system. Default is 80%. - general.recursion + header + + + general.enablerecursion + + checkbox + This will enable recursive resolution (default). Disable for public authoritative DNS servers. + + + general.recursion + select_multiple - Define an ACL where you allow which clients can resolve via this service. Usually use your local LAN. + Select ACLs for which you wish to enable recursive resolution. For public authoritative DNS servers, recursion should be disabled and this field left empty. For private recursive DNS servers, this is usually an ACL representing your local LAN. When recursion is enabled and no ACL is defined here or for "Cache Query ACLs" or "Allow Query", the default will be the local address list. Otherwise this field will default to the value found in "Cache Query ACLs", or failing that, "Allow Query". + + + general.allowcachequeries + + true + select_multiple + Select ACLs for which you wish to enable cache access. For private recursive DNS servers, use this field to override the defaults. When "Recursion ACLs" is set, the default will be the same ACL. Otherwise, the default will be the local address list. general.allowtransfer diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml index 238c9dc24..59e89d86c 100644 --- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml +++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml @@ -1,7 +1,7 @@ //OPNsense/bind/general BIND configuration - 1.0.12 + 1.0.13 0 @@ -86,6 +86,10 @@ 99 Choose a value between 1 and 99. + + 1 + Y +
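Review bot: In the forms/general.xml hunk (@@ -109,10 +109,27 @@), the help for general.allowcachequeries describes a shorter fallback chain than the help for general.recursion a few lines above it. The recursion help falls back to "Cache Query ACLs", then "Allow Query", then the local address list. The cache help goes from "Recursion ACLs" straight to the local address list. BIND's allow-query-cache also falls back to allow-query before localnets and localhost, so the cache help should name that step, for example: 'When "Recursion ACLs" is set, the default will be the same ACL, or failing that, "Allow Query". Otherwise, the default will be the local address list.' An admin reading the current wording could assume cache access is limited to local addresses while a broad "Allow Query" ACL is in effect. It would also help if the general.enablerecursion help said what happens to ACLs already selected in these two fields when the box is unchecked. Style point: the field id allowcachequeries and the label "Cache Query ACLs" do not match the option name allow-query-cache used in the commit message, so consider aligning them to make the setting easier to find in named.conf.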
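Review bot: In the models/General.xml hunk (@@ -86,6 +86,10 @@), the new node is added with a default of 1 and marked required. Its tag name is not visible here, but it appears to back the general.enablerecursion checkbox. With that default, every existing install keeps recursion enabled after the model moves from 1.0.12 to 1.0.13, including the public authoritative servers for which the form help recommends disabling it. Preserving current behaviour on upgrade is a reasonable choice, but the commit message does not say so. Please state it there or in the changelog, so that operators of authoritative-only servers know they have to uncheck the option themselves and are not left assuming the update hardens the default.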