diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index ce1b676d1..e02e6c13d 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -1,47 +1,50 @@
 {# j2lint: disable=single-statement-per-line #}
 ### Autogenerated by dns_forwarding.py ###
 
 # XXX: pdns recursor doesn't like whitespace near entry separators,
 # especially in the semicolon-separated lists of name servers.
 # Please be careful if you edit the template.
 
 # Non-configurable defaults
 daemon=yes
 threads=1
 allow-from={{ allow_from | join(',') }}
 log-common-errors=yes
 non-local-bind=yes
 query-local-address={{ source_address | join(',') }}
 lua-config-file=recursor.conf.lua
 
 # cache-size
 max-cache-entries={{ cache_size }}
 
 # negative TTL for NXDOMAIN
 max-negative-ttl={{ negative_ttl }}
 
 # timeout
 network-timeout={{ timeout }}
 
 # ignore-hosts-file
 export-etc-hosts={{ 'no' if ignore_hosts_file is vyos_defined else 'yes' }}
 
 # listen-address
 local-address={{ listen_address | join(',') }}
 
+# listen-port
+local-port={{ port }}
+
 # dnssec
 dnssec={{ dnssec }}
 
 {% if dns64_prefix is vyos_defined %}
 # dns64-prefix
 dns64-prefix={{ dns64_prefix }}
 {% endif %}
 
 # serve rfc1918 records
 serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
 
 # zones
 auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %}
 
 forward-zones-file=recursor.forward-zones.conf
 
diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in
index 3de0dc0eb..409028572 100644
--- a/interface-definitions/dns-forwarding.xml.in
+++ b/interface-definitions/dns-forwarding.xml.in
@@ -1,669 +1,673 @@
 <?xml version="1.0"?>
 <!-- DNS forwarder configuration -->
 <interfaceDefinition>
   <node name="service">
     <children>
       <node name="dns">
         <properties>
           <help>Domain Name System related services</help>
         </properties>
         <children>
           <node name="forwarding" owner="${vyos_conf_scripts_dir}/dns_forwarding.py">
             <properties>
               <help>DNS forwarding</help>
               <priority>918</priority>
             </properties>
             <children>
               <leafNode name="cache-size">
                 <properties>
                   <help>DNS forwarding cache size</help>
                   <valueHelp>
                     <format>u32:0-2147483647</format>
                     <description>DNS forwarding cache size</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 0-2147483647"/>
                   </constraint>
                 </properties>
                 <defaultValue>10000</defaultValue>
               </leafNode>
               <leafNode name="dhcp">
                 <properties>
                   <help>Interfaces whose DHCP client nameservers to forward requests to</help>
                   <completionHelp>
                     <script>${vyos_completion_dir}/list_interfaces.py</script>
                   </completionHelp>
                   <multi/>
                 </properties>
               </leafNode>
               <leafNode name="dns64-prefix">
                 <properties>
                   <help>Help to communicate between IPv6-only client and IPv4-only server</help>
                   <valueHelp>
                     <format>ipv6net</format>
                     <description>IPv6 address and /96 only prefix length</description>
                   </valueHelp>
                   <constraint>
                     <validator name="ipv6-prefix"/>
                   </constraint>
                 </properties>
               </leafNode>
               <leafNode name="dnssec">
                 <properties>
                   <help>DNSSEC mode</help>
                   <completionHelp>
                     <list>off process-no-validate process log-fail validate</list>
                   </completionHelp>
                   <valueHelp>
                     <format>off</format>
                     <description>No DNSSEC processing whatsoever!</description>
                   </valueHelp>
                   <valueHelp>
                     <format>process-no-validate</format>
                     <description>Respond with DNSSEC records to clients that ask for it. No validation done at all!</description>
                   </valueHelp>
                   <valueHelp>
                     <format>process</format>
                     <description>Respond with DNSSEC records to clients that ask for it. Validation for clients that request it.</description>
                   </valueHelp>
                   <valueHelp>
                     <format>log-fail</format>
                     <description>Similar behaviour to process, but validate RRSIGs on responses and log bogus responses.</description>
                   </valueHelp>
                   <valueHelp>
                     <format>validate</format>
                     <description>Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.</description>
                   </valueHelp>
                   <constraint>
                     <regex>(off|process-no-validate|process|log-fail|validate)</regex>
                   </constraint>
                 </properties>
                 <defaultValue>process-no-validate</defaultValue>
               </leafNode>
               <tagNode name="domain">
                 <properties>
                   <help>Domain to forward to a custom DNS server</help>
                 </properties>
                 <children>
                   <leafNode name="server">
                     <properties>
                       <help>Domain Name Server (DNS) to forward queries to</help>
                       <valueHelp>
                         <format>ipv4</format>
                         <description>Domain Name Server (DNS) IPv4 address</description>
                       </valueHelp>
                       <valueHelp>
                         <format>ipv6</format>
                         <description>Domain Name Server (DNS) IPv6 address</description>
                       </valueHelp>
                       <multi/>
                       <constraint>
                         <validator name="ipv4-address"/>
                         <validator name="ipv6-address"/>
                       </constraint>
                     </properties>
                   </leafNode>
                   <leafNode name="addnta">
                     <properties>
                       <help>Add NTA (negative trust anchor) for this domain (must be set if the domain does not support DNSSEC)</help>
                       <valueless/>
                     </properties>
                   </leafNode>
                   <leafNode name="recursion-desired">
                     <properties>
                       <help>Set the "recursion desired" bit in requests to the upstream nameserver</help>
                       <valueless/>
                     </properties>
                   </leafNode>
                 </children>
               </tagNode>
               <tagNode name="authoritative-domain">
                 <properties>
                   <help>Domain to host authoritative records for</help>
                   <valueHelp>
                     <format>text</format>
                     <description>An absolute DNS name</description>
                   </valueHelp>
                   <constraint>
                     <regex>[-_a-zA-Z0-9.]{1,63}</regex>
                   </constraint>
                 </properties>
                 <children>
                   <node name="records">
                     <properties>
                       <help>DNS zone records</help>
                     </properties>
                     <children>
                       <tagNode name="a">
                         <properties>
                           <help>"A" record</help>
                           <valueHelp>
                             <format>text</format>
                             <description>A DNS name relative to the root record</description>
                           </valueHelp>
                           <valueHelp>
                             <format>@</format>
                             <description>Root record</description>
                           </valueHelp>
                           <valueHelp>
                             <format>any</format>
                             <description>Wildcard record (any subdomain)</description>
                           </valueHelp>
                           <constraint>
                             <regex>([-_a-zA-Z0-9.]{1,63}|@|any)(?&lt;!\.)</regex>
                           </constraint>
                         </properties>
                         <children>
                           <leafNode name="address">
                             <properties>
                               <help>IPv4 address</help>
                               <valueHelp>
                                 <format>ipv4</format>
                                 <description>IPv4 address</description>
                               </valueHelp>
                               <multi/>
                               <constraint>
                                 <validator name="ipv4-address"/>
                               </constraint>
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
                       <tagNode name="aaaa">
                         <properties>
                           <help>"AAAA" record</help>
                           <valueHelp>
                             <format>text</format>
                             <description>A DNS name relative to the root record</description>
                           </valueHelp>
                           <valueHelp>
                             <format>@</format>
                             <description>Root record</description>
                           </valueHelp>
                           <valueHelp>
                             <format>any</format>
                             <description>Wildcard record (any subdomain)</description>
                           </valueHelp>
                           <constraint>
                             <regex>([-_a-zA-Z0-9.]{1,63}|@|any)(?&lt;!\.)</regex>
                           </constraint>
                         </properties>
                         <children>
                           <leafNode name="address">
                             <properties>
                               <help>IPv6 address</help>
                               <valueHelp>
                                 <format>ipv6</format>
                                 <description>IPv6 address</description>
                               </valueHelp>
                               <multi/>
                               <constraint>
                                 <validator name="ipv6-address"/>
                               </constraint>
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
                       <tagNode name="cname">
                         <properties>
                           <help>"CNAME" record</help>
                           <valueHelp>
                             <format>text</format>
                             <description>A DNS name relative to the root record</description>
                           </valueHelp>
                           <valueHelp>
                             <format>@</format>
                             <description>Root record</description>
                           </valueHelp>
                           <constraint>
                             <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                           </constraint>
                         </properties>
                         <children>
                           <leafNode name="target">
                             <properties>
                               <help>Target DNS name</help>
                               <valueHelp>
                                 <format>name.example.com</format>
                                 <description>An absolute DNS name</description>
                               </valueHelp>
                               <constraint>
                                 <regex>[-_a-zA-Z0-9.]{1,63}(?&lt;!\.)</regex>
                               </constraint>
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
                       <tagNode name="mx">
                         <properties>
                           <help>"MX" record</help>
                           <valueHelp>
                             <format>text</format>
                             <description>A DNS name relative to the root record</description>
                           </valueHelp>
                           <valueHelp>
                             <format>@</format>
                             <description>Root record</description>
                           </valueHelp>
                           <constraint>
                             <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                           </constraint>
                         </properties>
                         <children>
                           <tagNode name="server">
                             <properties>
                               <help>Mail server</help>
                               <valueHelp>
                                 <format>name.example.com</format>
                                 <description>An absolute DNS name</description>
                               </valueHelp>
                               <constraint>
                                 <regex>[-_a-zA-Z0-9.]{1,63}(?&lt;!\.)</regex>
                               </constraint>
                             </properties>
                             <children>
                               <leafNode name="priority">
                                 <properties>
                                   <help>Server priority</help>
                                   <valueHelp>
                                     <format>u32:1-999</format>
                                     <description>Server priority (lower numbers are higher priority)</description>
                                   </valueHelp>
                                   <constraint>
                                     <validator name="numeric" argument="--range 1-999"/>
                                   </constraint>
                                 </properties>
                                 <defaultValue>10</defaultValue>
                               </leafNode>
                             </children>
                           </tagNode>
                           #include <include/dns/time-to-live.xml.i>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
                       <tagNode name="ptr">
                         <properties>
                           <help>"PTR" record</help>
                           <valueHelp>
                             <format>text</format>
                             <description>A DNS name relative to the root record</description>
                           </valueHelp>
                           <valueHelp>
                             <format>@</format>
                             <description>Root record</description>
                           </valueHelp>
                           <constraint>
                             <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                           </constraint>
                         </properties>
                         <children>
                           <leafNode name="target">
                             <properties>
                               <help>Target DNS name</help>
                               <valueHelp>
                                 <format>name.example.com</format>
                                 <description>An absolute DNS name</description>
                               </valueHelp>
                               <constraint>
                                 <regex>[-_a-zA-Z0-9.]{1,63}(?&lt;!\.)</regex>
                               </constraint>
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
                       <tagNode name="txt">
                         <properties>
                           <help>"TXT" record</help>
                           <valueHelp>
                             <format>text</format>
                             <description>A DNS name relative to the root record</description>
                           </valueHelp>
                           <valueHelp>
                             <format>@</format>
                             <description>Root record</description>
                           </valueHelp>
                           <constraint>
                             <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                           </constraint>
                         </properties>
                         <children>
                           <leafNode name="value">
                             <properties>
                               <help>Record contents</help>
                               <valueHelp>
                                 <format>text</format>
                                 <description>Record contents</description>
                               </valueHelp>
                               <multi/>
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
                       <tagNode name="spf">
                         <properties>
                           <help>"SPF" record (type=SPF)</help>
                           <valueHelp>
                             <format>text</format>
                             <description>A DNS name relative to the root record</description>
                           </valueHelp>
                           <valueHelp>
                             <format>@</format>
                             <description>Root record</description>
                           </valueHelp>
                           <constraint>
                             <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                           </constraint>
                         </properties>
                         <children>
                           <leafNode name="value">
                             <properties>
                               <help>Record contents</help>
                               <valueHelp>
                                 <format>text</format>
                                 <description>Record contents</description>
                               </valueHelp>
                             </properties>
                           </leafNode>
                           #include <include/dns/time-to-live.xml.i>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
                       <tagNode name="srv">
                         <properties>
                           <help>"SRV" record</help>
                           <valueHelp>
                             <format>text</format>
                             <description>A DNS name relative to the root record</description>
                           </valueHelp>
                           <valueHelp>
                             <format>@</format>
                             <description>Root record</description>
                           </valueHelp>
                           <constraint>
                             <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                           </constraint>
                         </properties>
                         <children>
                           <tagNode name="entry">
                             <properties>
                               <help>Service entry</help>
                               <valueHelp>
                                 <format>u32:0-65535</format>
                                 <description>Entry number</description>
                               </valueHelp>
                               <constraint>
                                 <validator name="numeric" argument="--range 0-65535"/>
                               </constraint>
                             </properties>
                             <children>
                               <leafNode name="hostname">
                                 <properties>
                                   <help>Server hostname</help>
                                   <valueHelp>
                                     <format>name.example.com</format>
                                     <description>An absolute DNS name</description>
                                   </valueHelp>
                                   <constraint>
                                     <regex>[-_a-zA-Z0-9.]{1,63}(?&lt;!\.)</regex>
                                   </constraint>
                                 </properties>
                               </leafNode>
                               <leafNode name="port">
                                 <properties>
                                   <help>Port number</help>
                                   <valueHelp>
                                     <format>u32:0-65535</format>
                                     <description>TCP/UDP port number</description>
                                   </valueHelp>
                                   <constraint>
                                     <validator name="numeric" argument="--range 0-65536"/>
                                   </constraint>
                                 </properties>
                               </leafNode>
                               <leafNode name="priority">
                                 <properties>
                                   <help>Entry priority</help>
                                   <valueHelp>
                                     <format>u32:0-65535</format>
                                     <description>Entry priority (lower numbers are higher priority)</description>
                                   </valueHelp>
                                   <constraint>
                                     <validator name="numeric" argument="--range 0-65535"/>
                                   </constraint>
                                 </properties>
                                 <defaultValue>10</defaultValue>
                               </leafNode>
                               <leafNode name="weight">
                                 <properties>
                                   <help>Entry weight</help>
                                   <valueHelp>
                                     <format>u32:0-65535</format>
                                     <description>Entry weight</description>
                                   </valueHelp>
                                   <constraint>
                                     <validator name="numeric" argument="--range 0-65535"/>
                                   </constraint>
                                 </properties>
                                 <defaultValue>0</defaultValue>
                               </leafNode>
                             </children>
                           </tagNode>
                           #include <include/dns/time-to-live.xml.i>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
                       <tagNode name="naptr">
                         <properties>
                           <help>"NAPTR" record</help>
                           <valueHelp>
                             <format>text</format>
                             <description>A DNS name relative to the root record</description>
                           </valueHelp>
                           <valueHelp>
                             <format>@</format>
                             <description>Root record</description>
                           </valueHelp>
                           <constraint>
                             <regex>([-_a-zA-Z0-9.]{1,63}|@)(?&lt;!\.)</regex>
                           </constraint>
                         </properties>
                         <children>
                           <tagNode name="rule">
                             <properties>
                               <help>NAPTR rule</help>
                               <valueHelp>
                                 <format>u32:0-65535</format>
                                 <description>Rule number</description>
                               </valueHelp>
                               <constraint>
                                 <validator name="numeric" argument="--range 0-65535"/>
                               </constraint>
                             </properties>
                             <children>
                               <leafNode name="order">
                                 <properties>
                                   <help>Rule order</help>
                                   <valueHelp>
                                     <format>u32:0-65535</format>
                                     <description>Rule order (lower order is evaluated first)</description>
                                   </valueHelp>
                                   <constraint>
                                     <validator name="numeric" argument="--range 0-65535"/>
                                   </constraint>
                                 </properties>
                               </leafNode>
                               <leafNode name="preference">
                                 <properties>
                                   <help>Rule preference</help>
                                   <valueHelp>
                                     <format>u32:0-65535</format>
                                     <description>Rule preference</description>
                                   </valueHelp>
                                   <constraint>
                                     <validator name="numeric" argument="--range 0-65535"/>
                                   </constraint>
                                 </properties>
                                 <defaultValue>0</defaultValue>
                               </leafNode>
                               <leafNode name="lookup-srv">
                                 <properties>
                                   <help>"S" flag</help>
                                   <valueless/>
                                 </properties>
                               </leafNode>
                               <leafNode name="lookup-a">
                                 <properties>
                                   <help>"A" flag</help>
                                   <valueless/>
                                 </properties>
                               </leafNode>
                               <leafNode name="resolve-uri">
                                 <properties>
                                   <help>"U" flag</help>
                                   <valueless/>
                                 </properties>
                               </leafNode>
                               <leafNode name="protocol-specific">
                                 <properties>
                                   <help>"P" flag</help>
                                   <valueless/>
                                 </properties>
                               </leafNode>
                               <leafNode name="service">
                                 <properties>
                                   <help>Service type</help>
                                   <constraint>
                                     <regex>[a-zA-Z][a-zA-Z0-9]{0,31}(\+[a-zA-Z][a-zA-Z0-9]{0,31})?</regex>
                                   </constraint>
                                 </properties>
                               </leafNode>
                               <leafNode name="regexp">
                                 <properties>
                                   <help>Regular expression</help>
                                 </properties>
                               </leafNode>
                               <leafNode name="replacement">
                                 <properties>
                                   <help>Replacement DNS name</help>
                                   <valueHelp>
                                     <format>name.example.com</format>
                                     <description>An absolute DNS name</description>
                                   </valueHelp>
                                   <constraint>
                                     <regex>[-_a-zA-Z0-9.]{1,63}(?&lt;!\.)</regex>
                                   </constraint>
                                 </properties>
                               </leafNode>
                             </children>
                           </tagNode>
                           #include <include/dns/time-to-live.xml.i>
                           #include <include/generic-disable-node.xml.i>
                         </children>
                       </tagNode>
                     </children>
                   </node>
                   #include <include/generic-disable-node.xml.i>
                 </children>
               </tagNode>
               <leafNode name="ignore-hosts-file">
                 <properties>
                   <help>Do not use local /etc/hosts file in name resolution</help>
                   <valueless/>
                 </properties>
               </leafNode>
               <leafNode name="no-serve-rfc1918">
                 <properties>
                   <help>Makes the server authoritatively not aware of RFC1918 addresses</help>
 		          <valueless/>
                 </properties>
               </leafNode>
               <leafNode name="allow-from">
                 <properties>
                   <help>Networks allowed to query this server</help>
                   <valueHelp>
                     <format>ipv4net</format>
                     <description>IP address and prefix length</description>
                   </valueHelp>
                   <valueHelp>
                     <format>ipv6net</format>
                     <description>IPv6 address and prefix length</description>
                   </valueHelp>
                   <multi/>
                   <constraint>
                     <validator name="ip-prefix"/>
                   </constraint>
                 </properties>
               </leafNode>
               #include <include/listen-address.xml.i>
+              #include <include/port-number.xml.i>
+              <leafNode name="port">
+                <defaultValue>53</defaultValue>
+              </leafNode>
               <leafNode name="negative-ttl">
                 <properties>
                   <help>Maximum amount of time negative entries are cached</help>
                   <valueHelp>
                     <format>u32:0-7200</format>
                     <description>Seconds to cache NXDOMAIN entries</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 0-7200"/>
                   </constraint>
                 </properties>
                 <defaultValue>3600</defaultValue>
               </leafNode>
               <leafNode name="timeout">
                 <properties>
                   <help>Number of milliseconds to wait for a remote authoritative server to respond</help>
                   <valueHelp>
                     <format>u32:10-60000</format>
                     <description>Network timeout in milliseconds</description>
                   </valueHelp>
                   <constraint>
                     <validator name="numeric" argument="--range 10-60000"/>
                   </constraint>
                 </properties>
                 <defaultValue>1500</defaultValue>
               </leafNode>
               #include <include/name-server-ipv4-ipv6.xml.i>
               <leafNode name="source-address">
                 <properties>
                   <help>Local addresses from which to send DNS queries</help>
                   <completionHelp>
                     <script>${vyos_completion_dir}/list_local_ips.sh --both</script>
                   </completionHelp>
                   <valueHelp>
                     <format>ipv4</format>
                     <description>IPv4 address from which to send traffic</description>
                   </valueHelp>
                   <valueHelp>
                     <format>ipv6</format>
                     <description>IPv6 address from which to send traffic</description>
                   </valueHelp>
                   <multi/>
                   <constraint>
                     <validator name="ipv4-address"/>
                     <validator name="ipv6-address"/>
                   </constraint>
                 </properties>
                 <defaultValue>0.0.0.0 ::</defaultValue>
               </leafNode>
               <leafNode name="system">
                 <properties>
                   <help>Use system name servers</help>
                   <valueless/>
                 </properties>
               </leafNode>
             </children>
           </node>
         </children>
       </node>
     </children>
   </node>
 </interfaceDefinition>
diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py
index 65b676451..8e9b7ef43 100755
--- a/smoketest/scripts/cli/test_service_dns_forwarding.py
+++ b/smoketest/scripts/cli/test_service_dns_forwarding.py
@@ -1,228 +1,249 @@
 #!/usr/bin/env python3
 #
 # Copyright (C) 2019-2022 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import re
 import unittest
 
 from base_vyostest_shim import VyOSUnitTestSHIM
 
 from vyos.configsession import ConfigSessionError
 from vyos.util import read_file
 from vyos.util import process_named_running
 
 CONFIG_FILE = '/run/powerdns/recursor.conf'
 FORWARD_FILE = '/run/powerdns/recursor.forward-zones.conf'
 HOSTSD_FILE = '/run/powerdns/recursor.vyos-hostsd.conf.lua'
 PROCESS_NAME= 'pdns-r/worker'
 
 base_path = ['service', 'dns', 'forwarding']
 
 allow_from = ['192.0.2.0/24', '2001:db8::/32']
 listen_adress = ['127.0.0.1', '::1']
+listen_ports = ['53', '5353']
 
 def get_config_value(key, file=CONFIG_FILE):
     tmp = read_file(file)
     tmp = re.findall(r'\n{}=+(.*)'.format(key), tmp)
     return tmp[0]
 
 class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
     @classmethod
     def setUpClass(cls):
         super(TestServicePowerDNS, cls).setUpClass()
 
         # ensure we can also run this test on a live system - so lets clean
         # out the current configuration :)
         cls.cli_delete(cls, base_path)
 
     def tearDown(self):
         # Check for running process
         self.assertTrue(process_named_running(PROCESS_NAME))
 
         # Delete DNS forwarding configuration
         self.cli_delete(base_path)
         self.cli_commit()
 
         # Check for running process
         self.assertFalse(process_named_running(PROCESS_NAME))
 
     def test_basic_forwarding(self):
         # Check basic DNS forwarding settings
         cache_size = '20'
         negative_ttl = '120'
 
         self.cli_set(base_path + ['cache-size', cache_size])
         self.cli_set(base_path + ['negative-ttl', negative_ttl])
 
         # check validate() - allow from must be defined
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         for network in allow_from:
             self.cli_set(base_path + ['allow-from', network])
 
         # check validate() - listen-address must be defined
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         for address in listen_adress:
             self.cli_set(base_path + ['listen-address', address])
 
         # configure DNSSEC
         self.cli_set(base_path + ['dnssec', 'validate'])
 
         # Do not use local /etc/hosts file in name resolution
         self.cli_set(base_path + ['ignore-hosts-file'])
 
         # commit changes
         self.cli_commit()
 
         # Check configured cache-size
         tmp = get_config_value('max-cache-entries')
         self.assertEqual(tmp, cache_size)
 
         # Networks allowed to query this server
         tmp = get_config_value('allow-from')
         self.assertEqual(tmp, ','.join(allow_from))
 
         # Addresses to listen for DNS queries
         tmp = get_config_value('local-address')
         self.assertEqual(tmp, ','.join(listen_adress))
 
         # Maximum amount of time negative entries are cached
         tmp = get_config_value('max-negative-ttl')
         self.assertEqual(tmp, negative_ttl)
 
         # Do not use local /etc/hosts file in name resolution
         tmp = get_config_value('export-etc-hosts')
         self.assertEqual(tmp, 'no')
 
         # RFC1918 addresses are looked up by default
         tmp = get_config_value('serve-rfc1918')
         self.assertEqual(tmp, 'yes')
 
     def test_dnssec(self):
         # DNSSEC option testing
 
         for network in allow_from:
             self.cli_set(base_path + ['allow-from', network])
         for address in listen_adress:
             self.cli_set(base_path + ['listen-address', address])
 
         options = ['off', 'process-no-validate', 'process', 'log-fail', 'validate']
         for option in options:
             self.cli_set(base_path + ['dnssec', option])
 
             # commit changes
             self.cli_commit()
 
             tmp = get_config_value('dnssec')
             self.assertEqual(tmp, option)
 
     def test_external_nameserver(self):
         # Externe Domain Name Servers (DNS) addresses
 
         for network in allow_from:
             self.cli_set(base_path + ['allow-from', network])
         for address in listen_adress:
             self.cli_set(base_path + ['listen-address', address])
 
         nameservers = ['192.0.2.1', '192.0.2.2']
         for nameserver in nameservers:
             self.cli_set(base_path + ['name-server', nameserver])
 
         # commit changes
         self.cli_commit()
 
         tmp = get_config_value(r'\+.', file=FORWARD_FILE)
         self.assertEqual(tmp, ', '.join(nameservers))
 
         # Do not use local /etc/hosts file in name resolution
         # default: yes
         tmp = get_config_value('export-etc-hosts')
         self.assertEqual(tmp, 'yes')
 
     def test_domain_forwarding(self):
         for network in allow_from:
             self.cli_set(base_path + ['allow-from', network])
         for address in listen_adress:
             self.cli_set(base_path + ['listen-address', address])
 
         domains = ['vyos.io', 'vyos.net', 'vyos.com']
         nameservers = ['192.0.2.1', '192.0.2.2']
         for domain in domains:
             for nameserver in nameservers:
                 self.cli_set(base_path + ['domain', domain, 'server', nameserver])
 
             # Test 'recursion-desired' flag for only one domain
             if domain == domains[0]:
                 self.cli_set(base_path + ['domain', domain, 'recursion-desired'])
 
             # Test 'negative trust anchor' flag for the second domain only
             if domain == domains[1]:
                 self.cli_set(base_path + ['domain', domain, 'addnta'])
 
         # commit changes
         self.cli_commit()
 
         # Test configured name-servers
         hosts_conf = read_file(HOSTSD_FILE)
         for domain in domains:
             # Test 'recursion-desired' flag for the first domain only
             if domain == domains[0]: key =f'\+{domain}'
             else: key =f'{domain}'
             tmp = get_config_value(key, file=FORWARD_FILE)
             self.assertEqual(tmp, ', '.join(nameservers))
 
             # Test 'negative trust anchor' flag for the second domain only
             if domain == domains[1]:
                 self.assertIn(f'addNTA("{domain}", "static")', hosts_conf)
 
     def test_no_rfc1918_forwarding(self):
         for network in allow_from:
             self.cli_set(base_path + ['allow-from', network])
         for address in listen_adress:
             self.cli_set(base_path + ['listen-address', address])
 
         self.cli_set(base_path + ['no-serve-rfc1918'])
 
         # commit changes
         self.cli_commit()
 
         # verify configuration
         tmp = get_config_value('serve-rfc1918')
         self.assertEqual(tmp, 'no')
 
     def test_dns64(self):
         dns_prefix = '64:ff9b::/96'
 
         for network in allow_from:
             self.cli_set(base_path + ['allow-from', network])
         for address in listen_adress:
             self.cli_set(base_path + ['listen-address', address])
 
         # Check dns64-prefix - must be prefix /96
         self.cli_set(base_path + ['dns64-prefix', '2001:db8:aabb::/64'])
         with self.assertRaises(ConfigSessionError):
             self.cli_commit()
         self.cli_set(base_path + ['dns64-prefix', dns_prefix])
 
         # commit changes
         self.cli_commit()
 
         # verify dns64-prefix configuration
         tmp = get_config_value('dns64-prefix')
         self.assertEqual(tmp, dns_prefix)
 
+    def test_listening_port(self):
+        # only one port can be listen
+        for port in listen_ports:
+            self.cli_set(base_path + ['port', port])
+            for network in allow_from:
+                self.cli_set(base_path + ['allow-from', network])
+            for address in listen_adress:
+                self.cli_set(base_path + ['listen-address', address])
+
+            # commit changes
+            self.cli_commit()
+
+            # verify local-port configuration
+            tmp = get_config_value('local-port')
+            self.assertEqual(tmp, port)
+
+            # reset to test differnt port
+            self.cli_delete(base_path)
+            self.cli_commit()
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)