Is your feature request related to a problem? Please describe.
We are using the Unbound service and are forwarding an Active Directory DNS zone to the designated Samba DNS server. Additionally, we want to use the Rebind Protection feature of Unbound in OPNsense to filter a private subnet out of the returned addresses.
Unfortunately all forwarding rules create an entry for `private-domain` (see `core/src/opnsense/service/templates/OPNsense/Unbound/core/private_domains.conf`, line 10 in d09cb92: `{% for forward in helpers.toList('OPNsense.unboundplus.dots.dot') %}`).
Describe the solution you like
I would like a checkbox in the `/ui/unbound/forward` > Edit rule dialog, which can be enabled by default (for backwards compatibility), to enable
Describe alternatives you considered
I tried to override the `private-address` option with a custom config file, but it seems not to be possible, as Unbound is merging entries.
The current workaround is to disable the Unbound forward rules inside the UI and add a custom config file at `/usr/local/etc/unbound.opnsense.d/forward.conf` containing only the forward rules. Then the generated `private_domains.conf` file does not include any `private-domain` entry.
Additional context
I am not sure what the original reason is/was to always add forwarding domains to private-domains. So maybe the default can be discussed.
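
A check for the behaviour described in this issue, as an added example (not code from OPNsense or from the issue author): it reads Unbound configuration text and lists the forward zones that fall under a `private-domain` entry, which Unbound allows to contain private addresses, so `private-address` rebind filtering does not apply to them. The zone names, addresses and the `exempt_forward_zones` helper are constructed for illustration.

```python
import re

# Constructed sample: two forward rules plus the private-domain entry that the
# issue says is generated for a forward rule; names and addresses are made up.
SAMPLE_CONF = """\
server:
    private-address: 10.0.0.0/8
    private-address: 192.168.0.0/16
    private-domain: "ad.example.test"

forward-zone:
    name: "ad.example.test"
    forward-addr: 192.0.2.53

forward-zone:
    name: "partner.example.test"
    forward-addr: 192.0.2.54
"""

# "key: value" with optional quotes; the value is empty for clause headers.
_OPTION = re.compile(r'^\s*([a-z0-9-]+):\s*"?([^"#\s]*)"?')

def _norm(domain):
    """Lower-case and drop the trailing dot so names compare equal."""
    return domain.lower().rstrip(".")

def parse(conf_text):
    """Return (private_domains, forward_zone_names) from unbound.conf text."""
    private, zones, clause = set(), [], None
    for line in conf_text.splitlines():
        m = _OPTION.match(line)
        if not m:
            continue  # blank line or comment
        key, value = m.groups()
        if value == "":  # clause header such as "server:" or "forward-zone:"
            clause = key
        elif key == "private-domain":
            private.add(_norm(value))
        elif key == "name" and clause == "forward-zone":
            zones.append(_norm(value))
    return private, zones

def exempt_forward_zones(conf_text):
    """Forward zones equal to or below a private-domain entry."""
    private, zones = parse(conf_text)
    return [z for z in zones
            if any(z == p or z.endswith("." + p) for p in private)]

if __name__ == "__main__":
    for zone in exempt_forward_zones(SAMPLE_CONF):
        print(f"{zone}: exempt from private-address filtering (private-domain)")
```

Run it over the combined text of the main configuration and its included files, since the entries may be spread across several files.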