diff --git a/data/templates/dns-forwarding/recursor.conf.tmpl b/data/templates/dns-forwarding/recursor.conf.tmpl index d460775c0..be0778993 100644 --- a/data/templates/dns-forwarding/recursor.conf.tmpl +++ b/data/templates/dns-forwarding/recursor.conf.tmpl @@ -1,32 +1,41 @@ ### Autogenerated by dns_forwarding.py ### # XXX: pdns recursor doesn't like whitespace near entry separators, # especially in the semicolon-separated lists of name servers. # Please be careful if you edit the template. # Non-configurable defaults daemon=yes threads=1 allow-from={{ allow_from | join(',') }} log-common-errors=yes non-local-bind=yes query-local-address={{ source_address | join(',') }} lua-config-file=recursor.conf.lua # cache-size max-cache-entries={{ cache_size }} # negative TTL for NXDOMAIN max-negative-ttl={{ negative_ttl }} # ignore-hosts-file export-etc-hosts={{ 'no' if ignore_hosts_file is defined else 'yes' }} # listen-address local-address={{ listen_address | join(',') }} # dnssec dnssec={{ dnssec }} +{# dns: T3277: #} +{% if no_serve_rfc1918 is defined %} +# serve-rfc1918 +serve-rfc1918=no +{% else %} +# serve-rfc1918 +serve-rfc1918=yes +{% endif %} + forward-zones-file=recursor.forward-zones.conf diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in index 5d6e25a27..5b0c87597 100644 --- a/interface-definitions/dns-forwarding.xml.in +++ b/interface-definitions/dns-forwarding.xml.in 
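Review bot: The two branches of the new `{% if no_serve_rfc1918 is defined %}` block differ only in the rendered value, and the `# serve-rfc1918` comment line is repeated in each; the same template already renders `export-etc-hosts` from `ignore_hosts_file` in one line, so the block would read more consistently as `# serve-rfc1918` followed by `serve-rfc1918={{ 'no' if no_serve_rfc1918 is defined else 'yes' }}`. The setting also deserves a why-comment, since the header warns editors to be careful here and the name alone does not say what changes: presumably with `serve-rfc1918=no` the recursor no longer answers reverse lookups for the private ranges itself and passes them on to the configured upstreams, so a line like `# no-serve-rfc1918 set: reverse queries for private ranges are not answered locally (confirm against pdns-recursor docs)` would record the trade-off the toggle makes. The trailing added blank line before `forward-zones-file` is fine, but none of the other sections in this template are separated that way.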
@@ -1,180 +1,186 @@ <?xml version="1.0"?> <!-- DNS forwarder configuration --> <interfaceDefinition> <node name="service"> <children> <node name="dns"> <properties> <help>Domain Name System related services</help> </properties> <children> <node name="forwarding" owner="${vyos_conf_scripts_dir}/dns_forwarding.py"> <properties> <help>DNS forwarding</help> <priority>918</priority> </properties> <children> <leafNode name="cache-size"> <properties> <help>DNS forwarding cache size (default: 10000)</help> <valueHelp> <format>u32:0-2147483647</format> <description>DNS forwarding cache size</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-2147483647"/> </constraint> </properties> <defaultValue>10000</defaultValue> </leafNode> <leafNode name="dhcp"> <properties> <help>Interfaces whose DHCP client nameservers to forward requests to</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces.py</script> </completionHelp> <multi/> </properties> </leafNode> <leafNode name="dnssec"> <properties> <help>DNSSEC mode (default: process-no-validate)</help> <completionHelp> <list>off process-no-validate process log-fail validate</list> </completionHelp> <valueHelp> <format>off</format> <description>No DNSSEC processing whatsoever!</description> </valueHelp> <valueHelp> <format>process-no-validate</format> <description>Respond with DNSSEC records to clients that ask for it. No validation done at all!</description> </valueHelp> <valueHelp> <format>process</format> <description>Respond with DNSSEC records to clients that ask for it. Validation for clients that request it.</description> </valueHelp> <valueHelp> <format>log-fail</format> <description>Similar behaviour to process, but validate RRSIGs on responses and log bogus responses.</description> </valueHelp> <valueHelp> <format>validate</format> <description>Full blown DNSSEC validation. 
Send SERVFAIL to clients on bogus responses.</description> </valueHelp> <constraint> <regex>^(off|process-no-validate|process|log-fail|validate)$</regex> </constraint> </properties> <defaultValue>process-no-validate</defaultValue> </leafNode> <tagNode name="domain"> <properties> <help>Domain to forward to a custom DNS server</help> </properties> <children> <leafNode name="server"> <properties> <help>Domain Name Server (DNS) to forward queries to</help> <valueHelp> <format>ipv4</format> <description>Domain Name Server (DNS) IPv4 address</description> </valueHelp> <valueHelp> <format>ipv6</format> <description>Domain Name Server (DNS) IPv6 address</description> </valueHelp> <multi/> <constraint> <validator name="ipv4-address"/> <validator name="ipv6-address"/> </constraint> </properties> </leafNode> <leafNode name="addnta"> <properties> <help>Add NTA (negative trust anchor) for this domain (must be set if the domain does not support DNSSEC)</help> <valueless/> </properties> </leafNode> <leafNode name="recursion-desired"> <properties> <help>Set the "recursion desired" bit in requests to the upstream nameserver</help> <valueless/> </properties> </leafNode> </children> </tagNode> <leafNode name="ignore-hosts-file"> <properties> <help>Do not use local /etc/hosts file in name resolution</help> <valueless/> </properties> </leafNode> + <leafNode name="no-serve-rfc1918"> + <properties> + <help>Makes the server authoritatively not aware of RFC1918 addresses</help> + <valueless/> + </properties> + </leafNode> <leafNode name="allow-from"> <properties> <help>Networks allowed to query this server</help> <valueHelp> <format>ipv4net</format> <description>IP address and prefix length</description> </valueHelp> <valueHelp> <format>ipv6net</format> <description>IPv6 address and prefix length</description> </valueHelp> <multi/> <constraint> <validator name="ip-prefix"/> </constraint> </properties> </leafNode> #include <include/listen-address.xml.i> <leafNode name="negative-ttl"> 
<properties> <help>Maximum amount of time negative entries are cached (default: 3600)</help> <valueHelp> <format>u32:0-7200</format> <description>Seconds to cache NXDOMAIN entries</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 0-7200"/> </constraint> </properties> <defaultValue>3600</defaultValue> </leafNode> #include <include/name-server-ipv4-ipv6.xml.i> <leafNode name="source-address"> <properties> <help>Local addresses from which to send DNS queries</help> <completionHelp> <script>${vyos_completion_dir}/list_local_ips.sh --both</script> </completionHelp> <valueHelp> <format>ipv4</format> <description>IPv4 address from which to send traffic</description> </valueHelp> <valueHelp> <format>ipv6</format> <description>IPv6 address from which to send traffic</description> </valueHelp> <multi/> <constraint> <validator name="ipv4-address"/> <validator name="ipv6-address"/> </constraint> </properties> <defaultValue>0.0.0.0 ::</defaultValue> </leafNode> <leafNode name="system"> <properties> <help>Use system name servers</help> <valueless/> </properties> </leafNode> </children> </node> </children> </node> </children> </node> </interfaceDefinition>
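Review bot: The help string on the new `no-serve-rfc1918` leaf, `Makes the server authoritatively not aware of RFC1918 addresses`, describes the recursor's internal state rather than the effect an operator will see; the sibling valueless leaves in this file state the concrete effect (`Do not use local /etc/hosts file in name resolution`, `Use system name servers`). If the option indeed stops the recursor from answering private-range reverse lookups locally, something like `<help>Do not answer reverse lookups for RFC1918 private ranges locally (queries are sent to upstream servers)</help>` says what changes and hints that these queries will now leave the host, which is the part an operator enabling it should know. The wording should be checked against the pdns-recursor serve-rfc1918 documentation before committing to it.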