From 7331fa9475a7427addc179b91613d4386f0b5b63 Mon Sep 17 00:00:00 2001
From: benyamin-codez <115509179+benyamin-codez@users.noreply.github.com>
Date: Thu, 14 Aug 2025 05:28:41 +1000
Subject: [PATCH] dns/bind: Fixup and feature expansion

a) Fixes zone_test
b) Fixes command truncation in grid-primary-domains
c) General tab help expansion and reformatting
d) General tab option grouping
e) Converts NetworkType to ACLs where BIND uses Address Match Lists
f) Reformats named.conf (spacing and layout)
g) Adds listen-on-v6 { none; } when IPv6 is disabled (likely superflous)
h) Adds other rate-limiting options
i) Adds recursion no; option for authoritative servers
j) Adds allow-query-cache option as this also controls recursion
k) Adds global forward only option to forwarders
l) Adds forward only option to forward zones
m) Edit Forward zone dialog help expansion and reformatting

Signed-off-by: benyamin-codez <115509179+benyamin-codez@users.noreply.github.com>
---
 .../forms/dialogEditBindForwardDomain.xml     |  31 +-
 .../OPNsense/Bind/forms/general.xml           | 338 ++++++++++++++----
 .../mvc/app/models/OPNsense/Bind/Domain.xml   |   4 +
 .../mvc/app/models/OPNsense/Bind/General.xml  | 244 +++++++++----
 .../mvc/app/views/OPNsense/Bind/general.volt  |   7 +-
 .../templates/OPNsense/Bind/named.conf        | 149 ++++++--
 6 files changed, 605 insertions(+), 168 deletions(-)

diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml
index 4ca30f87c6..18a114dfb3 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml
@@ -9,14 +9,39 @@
         <id>domain.domainname</id>
         <label>Zone Name</label>
         <type>text</type>
-        <help>Set the name for this zone. Both forward and reverse zones may be specified, i.e. example.com or 0.168.192.in-addr.arpa.</help>
+        <help><![CDATA[
+              Set the name for this zone.
+              <br/>Both forward and reverse zones may be specified.
+              <br/>Examples include:
+              <br/>example.com
+              <br/>0.168.192.in-addr.arpa
+              ]]></help>
+    </field>
+    <field>
+        <id>domain.forwardonly</id>
+        <label>Forward Only</label>
+        <type>checkbox</type>
+        <help><![CDATA[
+              Disables recursion if forwarding fails.
+              <br/>The default is to attempt forwarders first and only perform
+              <br/>recursive lookups if forwarding fails. This setting is only
+              <br/>meaningful if the list of forwarders is not empty.
+              <br/>Can be used to override global forwarding behaviour for this
+              <br/>domain by specifying the same servers below.
+              <br/>This directive is explictily set to either forward only; or
+              <br/>forward first; to avoid any furtherance of doubt.
+              ]]></help>
     </field>
     <field>
         <id>domain.forwardserver</id>
-        <label>Primary IP</label>
+        <label>Forwarder IPs</label>
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>Set the IP address of server to forward requests to.</help>
+        <help><![CDATA[
+              Set any combination of IPv4 and IPv6 addresses for which to
+              <br/>forward queries to for this domain.
+              <br/>Used to override global forwarders for this domain.
+              ]]></help>
     </field>
 </form>
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 23e9c92026..cf3d33089c 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -5,33 +5,52 @@
         <type>checkbox</type>
         <help>This will activate the BIND daemon.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Interface Settings</label>
+    </field>
     <field>
         <id>general.disablev6</id>
         <label>Disable IPv6</label>
         <type>checkbox</type>
-        <help>This will run BIND in IPv4-only mode.</help>
+        <help>This will cause BIND to run in IPv4-only mode.</help>
     </field>
     <field>
         <id>general.listenv4</id>
-        <label>Listen IPs</label>
-        <style>tokenize</style>
+        <label>Listener IP Addresses (IPv4)</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Set the IPv4 addresses the service should listen to.</help>
+        <help><![CDATA[
+              Set ACLs defining IPv4 addresses the BIND service should listen on.
+              <br/>The default is all IPv4 addresses on the host, i.e. { any; }.
+              ]]></help>
     </field>
     <field>
         <id>general.listenv6</id>
-        <label>Listen IPv6</label>
-        <style>tokenize</style>
+        <label>Listener IP Addresses (IPv6)</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Set the IPv6 addresses the service should listen to.</help>
+        <help><![CDATA[
+              Set ACLs defining IPv6 addresses the BIND service should listen on.
+              <br/>The default is all IPv6 addresses on the host, i.e. { any; } except when IPv6 is disabled which uses { none; }.
+              ]]></help>
     </field>
     <field>
         <id>general.port</id>
-        <label>Listen Port</label>
+        <label>Listen on Port</label>
         <type>text</type>
-        <help>Set the port the service should listen to.</help>
+        <help>Set the port the BIND service should listen on.</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Queries</label>
+    </field>
+    <field>
+        <id>general.allowquery</id>
+        <label>Allow Query</label>
+        <type>select_multiple</type>
+        <help><![CDATA[
+              Set the ACLs from which you allow clients to query this server.
+              <br/>The default is { any; }.
+              ]]></help>
     </field>
     <field>
         <id>general.querysource</id>
@@ -47,6 +66,74 @@
         <advanced>true</advanced>
         <help>Specify the IPv6 address used as a source for outbound queries.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Recursion and Forwarding</label>
+    </field>
+    <field>
+        <id>general.enablerecursion</id>
+        <label>Enable Recursive Resolution</label>
+        <type>checkbox</type>
+        <help>This will enable recursive resolution (default). Disable for public authoritative DNS servers.</help>
+    </field>
+    <field>
+        <id>general.recursionallowedacls</id>
+        <label>Recursion ACLs</label>
+        <type>select_multiple</type>
+        <help><![CDATA[
+              Select ACLs for which you wish to enable recursive resolution.
+              <br/>For public authoritative DNS servers, recursion should be disabled and this field left empty.
+              <br/>For private recursive DNS servers, this is usually an ACL representing your local LAN.
+              <br/>When recursion is enabled and no ACL is defined here or for allow-query-cache or allow-query, the
+              <br/>builtin { localnets; localhost; } address list is used. Otherwise this field will default to the value
+              <br/>found in allow-query-cache, or failing that, allow-query.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.allowcachequeries</id>
+        <label>Cache Query ACLs</label>
+        <advanced>true</advanced>
+        <type>select_multiple</type>
+        <help><![CDATA[
+              Select ACLs for which you wish to enable cache access. This effectively controls recursion.
+              <br/>For public authoritative DNS servers, recursion should be disabled, and this field defaults to using {none;}.
+              <br/>For private recursive DNS servers, use this field to override the defaults.
+              <br/>When recursion is enabled and allow-recursion has an ACL set, the default will be the same ACL.
+              <br/>Otherwise if allow-recursion has no ACL set, the default will be the { localnets; localhost; } address list.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.forwardonly</id>
+        <label>Forward Only</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Disables recursion if forwarding fails.
+              <br/>The default is to attempt forwarders first and perform recursive lookups if forwarding fails.
+              <br/>Only meaningful if the list of forwarders is not empty.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.forwarders</id>
+        <label>Forwarders</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>Set any combination of IPv4 and IPv6 addresses to forward queries to when the answer is unknown.</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Zone Transfers</label>
+    </field>
+    <field>
+        <id>general.allowtransfer</id>
+        <label>Allow Transfer</label>
+        <type>select_multiple</type>
+        <help><![CDATA[
+              Set the ACLs of hosts allowed to perform zones transfers.
+              <br/>The default is { any; }.
+              ]]></help>
+    </field>
     <field>
         <id>general.transfersource</id>
         <label>Transfer Source IP</label>
@@ -62,75 +149,73 @@
         <help>Specify the IPv6 address used as a source for zone transfers.</help>
     </field>
     <field>
-        <id>general.forwarders</id>
-        <label>DNS Forwarders</label>
-        <style>tokenize</style>
-        <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Set one or more hosts to send your DNS queries if the request is unknown.</help>
+        <type>header</type>
+        <label>DNS Security Extensions (DNSSEC)</label>
+    </field>
+    <field>
+        <id>general.dnssecvalidation</id>
+        <label>DNSSEC Validation</label>
+        <type>dropdown</type>
+        <help><![CDATA[
+              The OPNsense default is "No". The BIND default is "auto" but we clobber this.
+              <br/>Set to "Auto" to use the default trust anchor for the DNS root zone.
+              <br/>The "yes" and "trust-anchors" options are not supported.
+              <br/>Consider legacy AAAA record filtering needs before enabling this feature as
+              <br/>signed responses will not have AAAA records filtered when this is set to "Auto".
+              ]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>AAAA Record Filtering</label>
     </field>
     <field>
         <id>general.filteraaaav4</id>
         <label>Enable filter-aaaa on IPv4 Clients</label>
         <type>checkbox</type>
-        <help>This will filter AAAA records on IPv4 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
+        <help><![CDATA[
+              This will filter AAAA records on IPv4 Clients.
+              <br/>Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.
+              ]]></help>
     </field>
     <field>
         <id>general.filteraaaav6</id>
         <label>Enable filter-aaaa on IPv6 Clients</label>
         <type>checkbox</type>
-        <help>This will filter AAAA records on IPv6 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
+        <help><![CDATA[
+              This will filter AAAA records on IPv6 Clients.
+              <br/>Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.
+              ]]></help>
     </field>
     <field>
         <id>general.filteraaaaacl</id>
-        <label>ACL for filter-aaaa</label>
-        <style>tokenize</style>
+        <label>ACLs for filter-aaaa</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Specifies a list of client addresses for which AAAA filtering is to be applied.</help>
+        <help>Set ACLs for which AAAA filtering is to be applied. The default is { any; }.</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Logging</label>
     </field>
     <field>
         <id>general.logsize</id>
         <label>Logsize in MB</label>
         <type>text</type>
-        <help>Set the amount how big a logfile can growth. For Query and Blocked logs.</help>
+        <help>Set the maximum logfile size. For Query and Blocked logs.</help>
     </field>
     <field>
         <id>general.general_log_level</id>
         <label>General Log level</label>
         <style>selectpicker</style>
         <type>dropdown</type>
-        <help>Select General Log level. Log levels are listed in the order of increasing verbosity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged.</help>
-    </field>
-    <field>
-        <id>general.maxcachesize</id>
-        <label>Maximum Cache Size</label>
-        <type>text</type>
-        <help>How much memory in percent the cache can use from the system. Default is 80%.</help>
+        <help><![CDATA[
+              Select General Log level. Log levels are listed in the order of increasing verbosity.
+              <br/>Setting a certain log level will cause all messages of the specified and more severe log levels to be logged.
+              ]]></help>
     </field>
     <field>
-        <id>general.recursion</id>
-        <label>Recursion</label>
-        <type>select_multiple</type>
-        <help>Define an ACL where you allow which clients can resolve via this service. Usually use your local LAN.</help>
-    </field>
-    <field>
-        <id>general.allowtransfer</id>
-        <label>Allow Transfer</label>
-        <type>select_multiple</type>
-        <help>Define the ACLs where you allow which server can retrieve zones.</help>
-    </field>
-    <field>
-        <id>general.allowquery</id>
-        <label>Allow Query</label>
-        <type>select_multiple</type>
-        <help>Define the ACLs where you allow which client are allowed to query this server.</help>
-    </field>
-    <field>
-        <id>general.dnssecvalidation</id>
-        <label>DNSSEC Validation</label>
-        <type>dropdown</type>
-        <help>Default is "No". Set to "Auto" to use the static trust anchor configuration by the system.</help>
+        <type>header</type>
+        <label>Obfuscation Tunables</label>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>general.hidehostname</id>
@@ -146,6 +231,18 @@
         <advanced>true</advanced>
         <help>This will hide the local BIND version in DNS queries.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Performance Tunables</label>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>general.maxcachesize</id>
+        <label>Maximum Cache Size</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>How much memory in percent the cache can use from the system. The default is 80%.</help>
+    </field>
     <field>
         <id>general.disableprefetch</id>
         <label>Disable Prefetching</label>
@@ -153,32 +250,147 @@
         <advanced>true</advanced>
         <help>This will disable prefetching of domains before they time out.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Rate Limiting</label>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>general.enableratelimiting</id>
         <label>Enable Rate Limiting</label>
         <type>checkbox</type>
         <advanced>true</advanced>
-        <help>This will enable rate-limiting for DNS replies.</help>
+        <help>This will enable rate-limiting for DNS responses.</help>
     </field>
     <field>
-        <id>general.ratelimitcount</id>
-        <label>Rate Limit Replies</label>
+        <id>general.ratelimitrespps</id>
+        <label>Responses Per Second</label>
         <type>text</type>
         <advanced>true</advanced>
-        <help>Set how many replies per second are allowed.</help>
+        <help><![CDATA[
+              Set how many non-empty responses are allowed per second for valid domain names and record types.
+              <br/>The default is 0 or no limit.
+              ]]></help>
     </field>
     <field>
-        <id>general.ratelimitexcept</id>
-        <label>Rate Limit Exceptions</label>
-        <style>tokenize</style>
+        <id>general.ratelimitwindow</id>
+        <label>Window</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the number of second during which responses are tracked. The default is 15 seconds.</help>
+    </field>
+    <field>
+        <id>general.ratelimitexempt</id>
+        <label>Exempt Clients</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
         <advanced>true</advanced>
-        <help>Except a list of IPs from rate-limiting like ::1</help>
+        <help>Set ACLs where rate-limiting should not apply.</help>
+    </field>
+    <field>
+        <id>general.ratelimitipv4prefixlength</id>
+        <label>IPv4 Prefix Length</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the number of bits of the address block. Used to distinquish clients into a rate-limited group. The default is 24.</help>
+    </field>
+    <field>
+        <id>general.ratelimitipv6prefixlength</id>
+        <label>IPv6 Prefix Length</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the number of bits of the address block. Used to distinquish clients into a rate-limited group. The default is 56.</help>
+    </field>
+    <field>
+        <id>general.ratelimitnodataps</id>
+        <label>NODATA Responses Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set how many empty (NODATA) responses are allowed per second for valid domain names.
+              <br/>The default is equal to the Responses Per Second value.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitnxdomsps</id>
+        <label>NXDOMAIN Responses Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set how many NXDOMAIN errors are allowed per second for undefined subdomains for valid domain names.
+              <br/>The default is equal to the Responses Per Second value.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitrefsps</id>
+        <label>Referrals Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set how many referrals or delegations are allowed per second to a server for a given domain.
+              <br/>The default is equal to the Responses Per Second value.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimiterrsps</id>
+        <label>Errors Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set how many errors are allowed per second for valid domain names and record types.
+              <br/>The default is equal to the Responses Per Second value.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitallps</id>
+        <label>All Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set how many UDP responses of all types are allowed per second.
+              <br/>If used, this should be set to 4 times the size of other per second limits.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitslip</id>
+        <label>Slip</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set how many responses to "slip", reducing the use of forged source addresses in attacks. The default is 2.</help>
+    </field>
+    <field>
+        <id>general.ratelimitscale</id>
+        <label>QPS Scale</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set the ratio by which to scale back the Responses Per Second value during attacks.
+              <br/>The formula is (qps-scale/total-query-rate)*responses-per-second to produce the new value.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitmaxtbl</id>
+        <label>Maximum Table Size</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the maximum number of table entries used to track requests and rate-limit responses. The default is 20,000.</help>
+    </field>
+    <field>
+        <id>general.ratelimitmintbl</id>
+        <label>Minimum Table Size</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the minimum number of table entries used to track requests and rate-limit responses. The default is 500.</help>
+    </field>
+    <field>
+        <id>general.ratelimittry</id>
+        <label>Trial Rate Limiting</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>Enable to test rate-limiting parameters without actually dropping any requests.</help>
     </field>
     <field>
         <type>header</type>
-        <label>RNDC Key</label>
+        <label>Remote Name Daemon Control (RNDC) Key</label>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index 6743b66ae4..13d3c9af44 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -21,6 +21,10 @@
                 <primaryip type="NetworkField">
                     <AsList>Y</AsList>
                 </primaryip>
+                <forwardonly type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </forwardonly>
                 <forwardserver type="NetworkField">
                     <AsList>Y</AsList>
                 </forwardserver>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 238c9dc248..08e6945eb4 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -15,16 +15,40 @@
             <Default>1</Default>
             <Required>Y</Required>
         </enablerpz>
-        <listenv4 type="NetworkField">
-            <Default>0.0.0.0</Default>
-            <Required>Y</Required>
-            <AsList>Y</AsList>
+        <listenv4 type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
         </listenv4>
-        <listenv6 type="NetworkField">
-            <Default>::</Default>
-            <Required>Y</Required>
-            <AsList>Y</AsList>
+        <listenv6 type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
         </listenv6>
+        <port type="PortField">
+            <Default>53530</Default>
+            <Required>Y</Required>
+        </port>
+        <allowquery type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+        </allowquery>
         <querysource type="NetworkField">
             <AddressFamily>ipv4</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
@@ -33,6 +57,49 @@
             <AddressFamily>ipv6</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
         </querysourcev6>
+        <enablerecursion type="BooleanField">
+            <Default>1</Default>
+            <Required>Y</Required>
+        </enablerecursion>
+        <recursionallowedacls type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+            <ValidationMessage>Choose an ACL.</ValidationMessage>
+        </recursionallowedacls>
+        <allowcachequeries type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+            <ValidationMessage>Choose an ACL.</ValidationMessage>
+        </allowcachequeries>
+        <forwardonly type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </forwardonly>
+        <forwarders type="NetworkField">
+            <AsList>Y</AsList>
+        </forwarders>
+        <allowtransfer type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+        </allowtransfer>
         <transfersource type="NetworkField">
             <AddressFamily>ipv4</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
@@ -41,13 +108,14 @@
             <AddressFamily>ipv6</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
         </transfersourcev6>
-        <port type="PortField">
-            <Default>53530</Default>
+        <dnssecvalidation type="OptionField">
+            <OptionValues>
+                <no>No</no>
+                <auto>Auto</auto>
+            </OptionValues>
+            <Default>no</Default>
             <Required>Y</Required>
-        </port>
-        <forwarders type="NetworkField">
-            <AsList>Y</AsList>
-        </forwarders>
+        </dnssecvalidation>
         <filteraaaav4 type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
@@ -56,8 +124,15 @@
             <Default>0</Default>
             <Required>Y</Required>
         </filteraaaav6>
-        <filteraaaaacl type="NetworkField">
-            <AsList>Y</AsList>
+        <filteraaaaacl type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
         </filteraaaaacl>
         <logsize type="IntegerField">
             <Default>5</Default>
@@ -79,52 +154,6 @@
             <Required>Y</Required>
             <Default>info</Default>
         </general_log_level>
-        <maxcachesize type="IntegerField">
-            <Default>80</Default>
-            <Required>Y</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>99</MaximumValue>
-            <ValidationMessage>Choose a value between 1 and 99.</ValidationMessage>
-        </maxcachesize>
-        <recursion type="ModelRelationField">
-            <Model>
-                <template>
-                    <source>OPNsense.Bind.Acl</source>
-                    <items>acls.acl</items>
-                    <display>name</display>
-                </template>
-            </Model>
-            <Multiple>Y</Multiple>
-            <ValidationMessage>Choose an ACL.</ValidationMessage>
-        </recursion>
-        <allowtransfer type="ModelRelationField">
-            <Model>
-                <template>
-                    <source>OPNsense.Bind.Acl</source>
-                    <items>acls.acl</items>
-                    <display>name</display>
-                </template>
-            </Model>
-            <Multiple>Y</Multiple>
-        </allowtransfer>
-        <allowquery type="ModelRelationField">
-            <Model>
-                <template>
-                    <source>OPNsense.Bind.Acl</source>
-                    <items>acls.acl</items>
-                    <display>name</display>
-                </template>
-            </Model>
-            <Multiple>Y</Multiple>
-        </allowquery>
-        <dnssecvalidation type="OptionField">
-            <OptionValues>
-                <no>No</no>
-                <auto>Auto</auto>
-            </OptionValues>
-            <Default>no</Default>
-            <Required>Y</Required>
-        </dnssecvalidation>
         <hidehostname type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
@@ -133,6 +162,13 @@
             <Default>0</Default>
             <Required>Y</Required>
         </hideversion>
+        <maxcachesize type="IntegerField">
+            <Default>80</Default>
+            <Required>Y</Required>
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>99</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 99.</ValidationMessage>
+        </maxcachesize>
         <disableprefetch type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
@@ -141,16 +177,86 @@
             <Default>0</Default>
             <Required>Y</Required>
         </enableratelimiting>
-        <ratelimitcount type="IntegerField">
+        <ratelimitrespps type="IntegerField">
             <MinimumValue>1</MinimumValue>
             <MaximumValue>1000</MaximumValue>
             <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
-        </ratelimitcount>
-        <ratelimitexcept type="NetworkField">
-            <Default>0.0.0.0,::</Default>
-            <Required>Y</Required>
-            <AsList>Y</AsList>
-        </ratelimitexcept>
+        </ratelimitrespps>
+        <ratelimitwindow type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>3600</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 3600.</ValidationMessage>
+        </ratelimitwindow>
+        <ratelimitexempt type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+            <ValidationMessage>Choose an ACL.</ValidationMessage>
+        </ratelimitexempt>
+        <ratelimitipv4prefixlength type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>32</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 32.</ValidationMessage>
+        </ratelimitipv4prefixlength>
+        <ratelimitipv6prefixlength type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>128</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 128.</ValidationMessage>
+        </ratelimitipv6prefixlength>
+        <ratelimitnodataps type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimitnodataps>
+        <ratelimitnxdomsps type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimitnxdomsps>
+        <ratelimitrefsps type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimitrefsps>
+        <ratelimiterrsps type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimiterrsps>
+        <ratelimitallps type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimitallps>
+        <ratelimitslip type="IntegerField">
+            <MinimumValue>0</MinimumValue>
+            <MaximumValue>10</MaximumValue>
+            <ValidationMessage>Choose a value between 0 and 10.</ValidationMessage>
+        </ratelimitslip>
+        <ratelimitscale type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimitscale>
+        <ratelimitmaxtbl type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>100000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 100,000.</ValidationMessage>
+        </ratelimitmaxtbl>
+        <ratelimitmintbl type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>100000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 100,000.</ValidationMessage>
+        </ratelimitmintbl>
+        <ratelimittry type="BooleanField">
+            <Default>0</Default>
+            <Required>N</Required>
+        </ratelimittry>
         <rndcalgo type="OptionField">
             <Required>Y</Required>
             <Default>hmac-sha256</Default>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 30d3fcc1d3..4f52452f9c 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -99,8 +99,8 @@
                         <th data-column-id="retry" data-type="string" data-visible="true">{{ lang._('Retry') }}</th>
                         <th data-column-id="expire" data-type="string" data-visible="true">{{ lang._('Expire') }}</th>
                         <th data-column-id="negative" data-type="string" data-visible="true">{{ lang._('Negative TTL') }}</th>
+                        <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                        <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                     </tr>
                 </thead>
                 <tbody>
@@ -200,6 +200,7 @@
                     <tr>
                         <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                         <th data-column-id="domainname" data-type="string" data-visible="true">{{ lang._('Zone') }}</th>
+                        <th data-column-id="forwardonly" data-type="string" data-formatter="boolean" data-visible="true">{{ lang._('Forward Only') }}</th>
                         <th data-column-id="forwardserver" data-type="string" data-visible="true">{{ lang._('Forwarder IPs') }}</th>
                         <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                         <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
@@ -427,8 +428,8 @@ $(document).ready(function() {
     }).on("loaded.rs.jquery.bootgrid", function(e) {
         // Checkzone button
         $("#grid-primary-domains").find(".command-bind-checkzone").off("click").on("click", function(ev) {
-            if (!$(this).closest("tr").hasClass("text-muted")) {
-                let zonename = $(this).closest('tr').find('td.zonename').text();
+            if (!$(this).closest(".tabulator-row").hasClass("text-muted")) {
+                let zonename = $(this).closest(".tabulator-row").find("[tabulator-field='domainname']").text();
                 zone_test(zonename);
             } else {
                 BootstrapDialog.show({
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 9196b5de3e..83399f9389 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -10,28 +10,47 @@ acl "{{ acl_list.name }}" { {{ acl_list.networks.replace(',', '; ') }}; };
 
 options {
 
-        directory       "/usr/local/etc/namedb/working";
-        pid-file        "/var/run/named/pid";
-        dump-file       "/var/dump/named_dump.db";
-        statistics-file "/var/stats/named.stats";
+        directory          "/usr/local/etc/namedb/working";
+        pid-file           "/var/run/named/pid";
+        dump-file          "/var/dump/named_dump.db";
+        statistics-file    "/var/stats/named.stats";
 
-{% for listenv4 in OPNsense.bind.general.listenv4.split(',') %}
-        listen-on port {{ OPNsense.bind.general.port }} { {% if listenv4 == '0.0.0.0' %}any{% else %}{{ listenv4 }}{% endif %}; };
-{% endfor %}
-{% for listenv6 in OPNsense.bind.general.listenv6.split(',') %}
-        listen-on-v6 port {{ OPNsense.bind.general.port }} { {% if listenv6 == '::' %}any{% else %}{{ listenv6 }}{% endif %}; };
-{% endfor %}
+{%   if helpers.exists('OPNsense.bind.general.listenv4') and OPNsense.bind.general.listenv4 != '' %}
+        listen-on          port {{ OPNsense.bind.general.port }} {
+{%              for acl in OPNsense.bind.general.listenv4.split(',') %}
+{%              set listenv4_acl = helpers.getUUID(acl) %}
+                {{ listenv4_acl.name }};
+{%              endfor %}
+        };
+{% else %}
+        listen-on          port {{ OPNsense.bind.general.port }} { any; }
+{% endif %}
+
+{% if helpers.exists('OPNsense.bind.general.disablev6') and OPNsense.bind.general.disablev6 != '1' %}
+{%   if helpers.exists('OPNsense.bind.general.listenv6') and OPNsense.bind.general.listenv6 != '' %}
+        listen-on-v6       port  {{ OPNsense.bind.general.port }} {
+{%              for acl in OPNsense.bind.general.listenv6.split(',') %}
+{%              set listenv6_acl = helpers.getUUID(acl) %}
+                {{ listenv6_acl.name }};
+{%              endfor %}
+        };
+{%   else %}
+        listen-on-v6       port {{ OPNsense.bind.general.port }} { any; }
+{%   endif %}
+{% else %}
+        listen-on-v6       { none; };
+{% endif %}
 
 {% if helpers.exists('OPNsense.bind.general.querysource') and OPNsense.bind.general.querysource != '' %}
-        query-source {{ OPNsense.bind.general.querysource }};
+        query-source       {{ OPNsense.bind.general.querysource }};
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.general.querysourcev6') and OPNsense.bind.general.querysourcev6 != '' %}
-        query-source-v6 {{ OPNsense.bind.general.querysourcev6 }};
+        query-source-v6    {{ OPNsense.bind.general.querysourcev6 }};
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.general.transfersource') and OPNsense.bind.general.transfersource != '' %}
-        transfer-source {{ OPNsense.bind.general.transfersource }};
+        transfer-source    {{ OPNsense.bind.general.transfersource }};
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.general.transfersourcev6') and OPNsense.bind.general.transfersourcev6 != '' %}
@@ -39,21 +58,36 @@ options {
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.general.forwarders') and OPNsense.bind.general.forwarders != '' %}
-        forwarders    { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
+{%   if helpers.exists('OPNsense.bind.general.forwardonly') and OPNsense.bind.general.forwardonly == '1' %}
+        forward            only
+{%   endif -%}
+        forwarders         { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
-        response-policy { {% if helpers.exists('OPNsense.bind.dnsbl.type') and OPNsense.bind.dnsbl.type != '' %}zone "whitelist.localdomain"; zone "blacklist.localdomain";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafegoogle') and OPNsense.bind.dnsbl.forcesafegoogle == '1' %}zone "rpzgoogle";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeduckduckgo') and OPNsense.bind.dnsbl.forcesafeduckduckgo == '1' %}zone "rpzduckduckgo";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeyoutube') and OPNsense.bind.dnsbl.forcesafeyoutube == '1' %}zone "rpzyoutube";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcestrictbing') and OPNsense.bind.dnsbl.forcestrictbing == '1' %}zone "rpzbing";{% endif %} };
-{% endif %}
+        response-policy    { {% if helpers.exists('OPNsense.bind.dnsbl.type') and OPNsense.bind.dnsbl.type != '' %}zone "whitelist.localdomain"; zone "blacklist.localdomain";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafegoogle') and OPNsense.bind.dnsbl.forcesafegoogle == '1' %}zone "rpzgoogle";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeduckduckgo') and OPNsense.bind.dnsbl.forcesafeduckduckgo == '1' %}zone "rpzduckduckgo";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeyoutube') and OPNsense.bind.dnsbl.forcesafeyoutube == '1' %}zone "rpzyoutube";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcestrictbing') and OPNsense.bind.dnsbl.forcestrictbing == '1' %}zone "rpzbing";{% endif %} };
+{% endif -%}
 
-{% if helpers.exists('OPNsense.bind.general.recursion') and OPNsense.bind.general.recursion != '' %}
+{% if helpers.exists('OPNsense.bind.general.enablerecursion') and OPNsense.bind.general.enablerecursion == '1' %}
         recursion          yes;
+{%   if helpers.exists('OPNsense.bind.general.recursionallowedacls') and OPNsense.bind.general.recursionallowedacls != '' %}
         allow-recursion {
-{%              for acl in OPNsense.bind.general.recursion.split(',') %}
-{%              set recursion_acl = helpers.getUUID(acl) %}
-                {{ recursion_acl.name }};
+{%              for acl in OPNsense.bind.general.recursionallowedacls.split(',') %}
+{%              set recursionallowedacls_acl = helpers.getUUID(acl) %}
+                {{ recursionallowedacls_acl.name }};
+{%              endfor %}
+        };
+{%   endif %}
+{%   if helpers.exists('OPNsense.bind.general.allowcachequeries') and OPNsense.bind.general.allowcachequeries != '' %}
+        allow-query-cache {
+{%              for acl in OPNsense.bind.general.allowcachequeries.split(',') %}
+{%              set allowcachequeries_acl = helpers.getUUID(acl) %}
+                {{ allowcachequeries_acl.name }};
 {%              endfor %}
         };
+{%   endif %}
+{% else %}
+        recursion          no;
 {% endif %}
 
 {% if helpers.exists('OPNsense.bind.general.allowtransfer') and OPNsense.bind.general.allowtransfer != '' %}
@@ -75,26 +109,70 @@ options {
 {% endif %}
 
 {% if helpers.exists('OPNsense.bind.general.maxcachesize') and OPNsense.bind.general.maxcachesize != '' %}
-        max-cache-size    {{ OPNsense.bind.general.maxcachesize }}%;
+        max-cache-size     {{ OPNsense.bind.general.maxcachesize }}%;
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.dnssecvalidation') and OPNsense.bind.general.dnssecvalidation != '' %}
-        dnssec-validation    {{ OPNsense.bind.general.dnssecvalidation }};
+        dnssec-validation  {{ OPNsense.bind.general.dnssecvalidation }};
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.hidehostname') and OPNsense.bind.general.hidehostname == '1' %}
-        hostname none;
+        hostname           none;
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.hideversion') and OPNsense.bind.general.hideversion == '1' %}
-        version none;
+        version            none;
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.disableprefetch') and OPNsense.bind.general.disableprefetch == '1' %}
         prefetch 0;
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.enableratelimiting') and OPNsense.bind.general.enableratelimiting == '1' %}
-{%   if helpers.exists('OPNsense.bind.general.ratelimitcount') and OPNsense.bind.general.ratelimitcount != '' %}
+{%   if helpers.exists('OPNsense.bind.general.ratelimitrespps') and OPNsense.bind.general.ratelimitrespps != '' %}
 	rate-limit {
-                responses-per-second {{ OPNsense.bind.general.ratelimitcount }};
-{%     if helpers.exists('OPNsense.bind.general.ratelimitexcept') and OPNsense.bind.general.ratelimitexcept != '' %}
-                exempt-clients { {{ OPNsense.bind.general.ratelimitexcept.replace(',', '; ') }}; };
+                responses-per-second   {{ OPNsense.bind.general.ratelimitrespps }};
+{%     if helpers.exists('OPNsense.bind.general.ratelimitwindow') and OPNsense.bind.general.ratelimitwindow != '' %}
+                window                 {{ OPNsense.bind.general.ratelimitwindow }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitipv4prefixlength') and OPNsense.bind.general.ratelimitipv4prefixlength != '' %}
+                ipv4-prefix-length     {{ OPNsense.bind.general.ratelimitipv4prefixlength }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitipv6prefixlength') and OPNsense.bind.general.ratelimitipv6prefixlength != '' %}
+                ipv6-prefix-length     {{ OPNsense.bind.general.ratelimitipv6prefixlength }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitnodataps') and OPNsense.bind.general.ratelimitnodataps != '' %}
+                nodata-per-second      {{ OPNsense.bind.general.ratelimitnodataps }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitnxdomsps') and OPNsense.bind.general.ratelimitnxdomsps != '' %}
+                nxdomains-per-second   {{ OPNsense.bind.general.ratelimitnxdomsps }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitrefsps') and OPNsense.bind.general.ratelimitrefsps != '' %}
+                referrals-per-second   {{ OPNsense.bind.general.ratelimitrefsps }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimiterrsps') and OPNsense.bind.general.ratelimiterrsps != '' %}
+                errors-per-second      {{ OPNsense.bind.general.ratelimiterrsps }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitallps') and OPNsense.bind.general.ratelimitallps != '' %}
+                all-per-second         {{ OPNsense.bind.general.ratelimitallps }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitslip') and OPNsense.bind.general.ratelimitslip != '' %}
+                slip                   {{ OPNsense.bind.general.ratelimitslip }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitscale') and OPNsense.bind.general.ratelimitscale != '' %}
+                qps-scale              {{ OPNsense.bind.general.ratelimitscale }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitmaxtbl') and OPNsense.bind.general.ratelimitmaxtbl != '' %}
+                max-table-size         {{ OPNsense.bind.general.ratelimitmaxtbl }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitmintbl') and OPNsense.bind.general.ratelimitmintbl != '' %}
+                min-table-size         {{ OPNsense.bind.general.ratelimitmintbl }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitexempt') and OPNsense.bind.general.ratelimitexempt != '' %}
+                exempt-clients         {
+{%                      for acl in OPNsense.bind.general.ratelimitexempt.split(',') %}
+{%                      set ratelimitexempt_acl = helpers.getUUID(acl) %}
+                        {{ ratelimitexempt_acl.name }};
+{%                      endfor %}
+                };
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimittry') and OPNsense.bind.general.ratelimittry != '' %}
+                log-only               {{ OPNsense.bind.general.ratelimittry }};
 {%     endif %}
         };
 {%   endif %}
@@ -104,8 +182,9 @@ options {
 {% if helpers.exists('OPNsense.bind.general.rndcalgo') and helpers.exists('OPNsense.bind.general.rndcsecret') %}
 key "rndc-key" {
         algorithm "{{ OPNsense.bind.general.rndcalgo }}";
-        secret "{{ OPNsense.bind.general.rndcsecret }}";
+        secret    "{{ OPNsense.bind.general.rndcsecret }}";
 };
+
 controls {
         inet 127.0.0.1 port 9530
                 allow { 127.0.0.1; } keys { "rndc-key"; };
@@ -154,6 +233,11 @@ zone "rpzbing" { type primary; file "/usr/local/etc/namedb/primary/bing.db"; not
 zone "{{ domain.domainname }}" {
         type {{ domain.type }};
 {%       if domain.type == 'forward' %}
+{%         if domain.forwardonly == '1' %}
+        forward only;
+{%         else %}
+        forward first;
+{%         endif %}
         forwarders { {{ domain.forwardserver.replace(',', '; ') }}; };
 {%       elif domain.type == 'secondary' %}
 {%         if domain.transferkey is defined %}
@@ -261,7 +345,12 @@ plugin query "/usr/local/lib/bind/filter-aaaa.so" {
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.filteraaaaacl') and OPNsense.bind.general.filteraaaaacl != '' %}
-        filter-aaaa    { {{ OPNsense.bind.general.filteraaaaacl.replace(',', '; ') }}; };
+                   filter-aaaa       {
+{%                      for acl in OPNsense.bind.general.filteraaaaacl.split(',') %}
+{%                      set filteraaaa_acl = helpers.getUUID(acl) %}
+                        {{ filteraaaa_acl.name }};
+{%                      endfor %}
+                   };
 {% endif %}
            };
 {% endif %}