upstream/opnsense-plugins
1
0
Fork 0
mirror of https://github.com/opnsense/plugins.git synced 2026-04-20 21:58:57 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

bind: add DNS-over-TLS forwarding support

Browse source 
Add a 'DNS over TLS' checkbox to the BIND general settings that enables
forwarding queries to upstream resolvers via DoT (port 853) using BIND
9.18+ tls ephemeral mode. When disabled, plain UDP forwarding is used
as before.

Changes:
- General.xml: add forwardertls BooleanField
- general.xml form: add DNS over TLS checkbox after DNS Forwarders
- named.conf template: use 'forwarders port 853 tls ephemeral' when
  forwardertls is enabled
This commit is contained in:
mbedworth 2026-04-11 15:46:30 -04:00
parent 4d7a938c13
commit c10fca9ff2
3 changed files with 14 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
View file

@ -69,6 +69,12 @@
<allownew>true</allownew>
<help>Set one or more hosts to send your DNS queries if the request is unknown.</help>
</field>
<field>
<id>general.forwardertls</id>
<label>DNS over TLS</label>
<type>checkbox</type>
<help>Use DNS-over-TLS (port 853) when forwarding queries. Requires BIND 9.18+.</help>
</field>
<field>
<id>general.filteraaaav4</id>
<label>Enable filter-aaaa on IPv4 Clients</label>

4
dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
View file

@ -48,6 +48,10 @@
<forwarders type="NetworkField">
<AsList>Y</AsList>
</forwarders>
<forwardertls type="BooleanField">
<Default>0</Default>
<Required>Y</Required>
</forwardertls>
<filteraaaav4 type="BooleanField">
<Default>0</Default>
<Required>Y</Required>

4
dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
View file

@ -39,7 +39,11 @@ options {
{% endif -%}
{% if helpers.exists('OPNsense.bind.general.forwarders') and OPNsense.bind.general.forwarders != '' %}
{% if helpers.exists('OPNsense.bind.general.forwardertls') and OPNsense.bind.general.forwardertls == '1' %}
forwarders port 853 tls ephemeral { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
{% else %}
forwarders { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
{% endif %}
{% endif -%}
{% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}