
Commit c10fca9

bind: add DNS-over-TLS forwarding support
Add a 'DNS over TLS' checkbox to the BIND general settings that enables forwarding queries to upstream resolvers via DoT (port 853) using BIND 9.18+ tls ephemeral mode. When disabled, plain UDP forwarding is used as before.

Changes:
- General.xml: add forwardertls BooleanField
- general.xml form: add DNS over TLS checkbox after DNS Forwarders
- named.conf template: use 'forwarders port 853 tls ephemeral' when forwardertls is enabled
1 parent 4d7a938 commit c10fca9
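The two forms of the `forwarders` statement this commit's template can emit, placed beside the authenticated (strict TLS) variant the commit does not offer, as an added example rather than code from the commit or the OPNsense plugin. The upstream address 9.9.9.9, the hostname dns.quad9.net and the CA bundle path /etc/ssl/cert.pem are assumptions chosen for illustration; the `tls` keyword on `forwarders` and the `remote-hostname`/`ca-file` options need BIND 9.18 or later.

```conf
// Added example, not from the commit or the plugin. Assumes BIND 9.18+ and an
// upstream resolver serving DoT on 853; 9.9.9.9, dns.quad9.net and
// /etc/ssl/cert.pem are placeholders for illustration.

// (a) What the template renders with the checkbox off: plaintext UDP/TCP
//     to the configured forwarders.
// options {
//     forwarders { 9.9.9.9; };
// };

// (b) What the template renders with the checkbox on: TLS to port 853 using
//     the built-in "ephemeral" profile. The session is encrypted, but the
//     profile has no ca-file or remote-hostname, so BIND accepts whatever
//     certificate the peer presents (opportunistic TLS). An on-path device
//     that terminates TLS with its own certificate still sees every query.
// options {
//     forwarders port 853 tls ephemeral { 9.9.9.9; };
// };

// (c) Authenticated DoT: a named tls profile pins the hostname the upstream
//     certificate must carry and the CA bundle used to verify it.
tls dot-upstream {
    remote-hostname "dns.quad9.net";   // assumed; must match the upstream certificate
    ca-file "/etc/ssl/cert.pem";       // assumed; FreeBSD ca_root_nss bundle path
};

options {
    forward only;                      // fail rather than recurse in the clear if the forwarder is down
    forwarders port 853 tls dot-upstream { 9.9.9.9; };
};
```

Only one `options` block may appear in named.conf, so (a) and (b) are commented out and (c) is the active configuration. Offering form (c) from the plugin would need two more fields in the model (the expected hostname and a CA bundle path); `forward only` is shown because the default `forward first` lets BIND fall back to unencrypted iterative resolution when the forwarders do not answer.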

3 files changed

Lines changed: 14 additions & 0 deletions

File tree

dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -69,6 +69,12 @@
6969
<allownew>true</allownew>
7070
<help>Set one or more hosts to send your DNS queries if the request is unknown.</help>
7171
</field>
72+
<field>
73+
<id>general.forwardertls</id>
74+
<label>DNS over TLS</label>
75+
<type>checkbox</type>
76+
<help>Use DNS-over-TLS (port 853) when forwarding queries. Requires BIND 9.18+.</help>
77+
</field>
7278
<field>
7379
<id>general.filteraaaav4</id>
7480
<label>Enable filter-aaaa on IPv4 Clients</label>
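Review bot: the help text for general.forwardertls states only that BIND 9.18+ is required; it should also say that the option has no effect unless DNS Forwarders is populated, and that `tls ephemeral` encrypts the queries to the forwarders without verifying their certificates, so users do not read "DNS over TLS" as authenticated transport. Something like "Forward queries to the DNS Forwarders over TLS on port 853 (encrypted, upstream certificate not verified). Requires BIND 9.18+." Nothing in the form or model checks the installed BIND version, and on a release before 9.18 the `tls` keyword in `forwarders` is a configuration error that named rejects, so a version guard or at least a louder warning in the help would save a support ticket.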

dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -48,6 +48,10 @@
4848
<forwarders type="NetworkField">
4949
<AsList>Y</AsList>
5050
</forwarders>
51+
<forwardertls type="BooleanField">
52+
<Default>0</Default>
53+
<Required>Y</Required>
54+
</forwardertls>
5155
<filteraaaav4 type="BooleanField">
5256
<Default>0</Default>
5357
<Required>Y</Required>
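Review bot: the new forwardertls node is added without a model version bump or migration in this hunk; with `<Default>0</Default>` and the `helpers.exists()` guard in the named.conf template, a config.xml written before this change falls back to plain forwarding, which matches the commit's stated default, but the model's version attribute should still be incremented so the node is materialized on upgrade rather than relying on the template guard indefinitely. The field also has no relation to forwarders, so the flag can be saved as 1 with an empty forwarders list and is then silently ignored; a validation message or the help text noted above should cover that case.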

dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,11 @@ options {
3939
{% endif -%}
4040

4141
{% if helpers.exists('OPNsense.bind.general.forwarders') and OPNsense.bind.general.forwarders != '' %}
42+
{% if helpers.exists('OPNsense.bind.general.forwardertls') and OPNsense.bind.general.forwardertls == '1' %}
43+
forwarders port 853 tls ephemeral { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
44+
{% else %}
4245
forwarders { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
46+
{% endif %}
4347
{% endif -%}
4448

4549
{% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
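Review bot: `forwarders port 853 tls ephemeral { ... };` gives opportunistic TLS only. BIND's built-in `ephemeral` profile carries no `ca-file` or `remote-hostname`, so the session to the forwarder is encrypted but the upstream certificate is not verified, and an on-path resolver can terminate TLS with any certificate and still read the queries. If the goal is privacy from the local network path that is acceptable, but the help text should say so; for authenticated (strict) DoT the template would have to emit a named profile, e.g. `tls dot { ca-file "..."; remote-hostname "..."; };` and then `forwarders port 853 tls dot { ... };`, which needs a hostname and CA path in the model. Consider also whether the forwarders block should be paired with `forward only;` when TLS is enabled, since the default `forward first` falls back to unencrypted iterative resolution when the forwarders fail. The else branch reproduces the previous `forwarders { ... };` line byte for byte, so the disabled path is behaviour-preserving.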
