opnsense · mbedworth · Apr 11, 2026
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -69,6 +69,12 @@
         <allownew>true</allownew>
         <help>Set one or more hosts to send your DNS queries if the request is unknown.</help>
     </field>
+    <field>
+        <id>general.forwardertls</id>
+        <label>DNS over TLS</label>
+        <type>checkbox</type>
+        <help>Use DNS-over-TLS (port 853) when forwarding queries. Requires BIND 9.18+.</help>
+    </field>
     <field>
         <id>general.filteraaaav4</id>
         <label>Enable filter-aaaa on IPv4 Clients</label>

diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -48,6 +48,10 @@
         <forwarders type="NetworkField">
             <AsList>Y</AsList>
         </forwarders>
+        <forwardertls type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </forwardertls>
         <filteraaaav4 type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>

diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -39,7 +39,11 @@ options {
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.general.forwarders') and OPNsense.bind.general.forwarders != '' %}
+{% if helpers.exists('OPNsense.bind.general.forwardertls') and OPNsense.bind.general.forwardertls == '1' %}
+        forwarders port 853 tls ephemeral { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
+{% else %}
         forwarders    { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
+{% endif %}
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}