bind: add DNS-over-TLS forwarding support and fix missing NS record in zone files

Add a 'DNS over TLS' checkbox to the BIND general settings that enables
forwarding queries to upstream resolvers via DoT (port 853) using BIND
9.18+ tls ephemeral mode. When disabled, plain UDP forwarding is used
as before.

Also fix the domain.db zone template to include a mandatory NS record
after the SOA record. Without the NS record, BIND refuses to load the
zone with 'has no NS records' error, causing all queries for that zone
to fail with SERVFAIL.

Changes:
- General.xml: add forwardertls BooleanField
- general.xml form: add DNS over TLS checkbox after DNS Forwarders
- named.conf template: use 'forwarders port 853 tls ephemeral' when
  forwardertls is enabled
- domain.db template: add NS record using the configured dnsserver

Author: mbedworth

dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml

@@ -69,6 +69,12 @@
         <allownew>true</allownew>
         <help>Set one or more hosts to send your DNS queries if the request is unknown.</help>
     </field>
+    <field>
+        <id>general.forwardertls</id>
+        <label>DNS over TLS</label>
+        <type>checkbox</type>
+        <help>Use DNS-over-TLS (port 853) when forwarding queries. Requires BIND 9.18+.</help>
+    </field>
     <field>
         <id>general.filteraaaav4</id>
         <label>Enable filter-aaaa on IPv4 Clients</label>

dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml

@@ -48,6 +48,10 @@
         <forwarders type="NetworkField">
             <AsList>Y</AsList>
         </forwarders>
+        <forwardertls type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </forwardertls>
         <filteraaaav4 type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>

dns/bind/src/opnsense/service/templates/OPNsense/Bind/domain.db

@@ -5,6 +5,7 @@
 {%         if domaindb.enabled == '1' and domaindb.type == 'primary' %}
 $TTL {{ domaindb.ttl }}
 @       IN      SOA    {{ domaindb.dnsserver }}. {{ domaindb.mailadmin|replace('@', '.') }}. ( {{ domaindb.serial|trim }} {{ domaindb.refresh }} {{ domaindb.retry }} {{ domaindb.expire }} {{ domaindb.negative }} )
+            NS    {{ domaindb.dnsserver }}.
 {%           if helpers.exists('OPNsense.bind.record.records.record') %}
 {%             for record in helpers.sortDictList(OPNsense.bind.record.records.record, 'name', 'type' ) %}
 {%               if record.domain == domaindb['@uuid'] %}

dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf

@@ -39,7 +39,11 @@ options {
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.general.forwarders') and OPNsense.bind.general.forwarders != '' %}
+{% if helpers.exists('OPNsense.bind.general.forwardertls') and OPNsense.bind.general.forwardertls == '1' %}
+        forwarders port 853 tls ephemeral { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
+{% else %}
         forwarders    { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
+{% endif %}
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}