diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml
index 4ca30f87c6..18a114dfb3 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/dialogEditBindForwardDomain.xml
@@ -9,14 +9,39 @@
         <id>domain.domainname</id>
         <label>Zone Name</label>
         <type>text</type>
-        <help>Set the name for this zone. Both forward and reverse zones may be specified, i.e. example.com or 0.168.192.in-addr.arpa.</help>
+        <help><![CDATA[
+              Set the name for this zone.
+              <br/>Both forward and reverse zones may be specified.
+              <br/>Examples include:
+              <br/>example.com
+              <br/>0.168.192.in-addr.arpa
+              ]]></help>
+    </field>
+    <field>
+        <id>domain.forwardonly</id>
+        <label>Forward Only</label>
+        <type>checkbox</type>
+        <help><![CDATA[
+              Disables recursion if forwarding fails.
+              <br/>The default is to attempt forwarders first and only perform
+              <br/>recursive lookups if forwarding fails. This setting is only
+              <br/>meaningful if the list of forwarders is not empty.
+              <br/>Can be used to override global forwarding behaviour for this
+              <br/>domain by specifying the same servers below.
+              <br/>This directive is explictily set to either forward only; or
+              <br/>forward first; to avoid any furtherance of doubt.
+              ]]></help>
     </field>
     <field>
         <id>domain.forwardserver</id>
-        <label>Primary IP</label>
+        <label>Forwarder IPs</label>
         <style>tokenize</style>
         <type>select_multiple</type>
         <allownew>true</allownew>
-        <help>Set the IP address of server to forward requests to.</help>
+        <help><![CDATA[
+              Set any combination of IPv4 and IPv6 addresses for which to
+              <br/>forward queries to for this domain.
+              <br/>Used to override global forwarders for this domain.
+              ]]></help>
     </field>
 </form>
diff --git a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
index 23e9c92026..cf3d33089c 100644
--- a/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
+++ b/dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/forms/general.xml
@@ -5,33 +5,52 @@
         <type>checkbox</type>
         <help>This will activate the BIND daemon.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Interface Settings</label>
+    </field>
     <field>
         <id>general.disablev6</id>
         <label>Disable IPv6</label>
         <type>checkbox</type>
-        <help>This will run BIND in IPv4-only mode.</help>
+        <help>This will cause BIND to run in IPv4-only mode.</help>
     </field>
     <field>
         <id>general.listenv4</id>
-        <label>Listen IPs</label>
-        <style>tokenize</style>
+        <label>Listener IP Addresses (IPv4)</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Set the IPv4 addresses the service should listen to.</help>
+        <help><![CDATA[
+              Set ACLs defining IPv4 addresses the BIND service should listen on.
+              <br/>The default is all IPv4 addresses on the host, i.e. { any; }.
+              ]]></help>
     </field>
     <field>
         <id>general.listenv6</id>
-        <label>Listen IPv6</label>
-        <style>tokenize</style>
+        <label>Listener IP Addresses (IPv6)</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Set the IPv6 addresses the service should listen to.</help>
+        <help><![CDATA[
+              Set ACLs defining IPv6 addresses the BIND service should listen on.
+              <br/>The default is all IPv6 addresses on the host, i.e. { any; } except when IPv6 is disabled which uses { none; }.
+              ]]></help>
     </field>
     <field>
         <id>general.port</id>
-        <label>Listen Port</label>
+        <label>Listen on Port</label>
         <type>text</type>
-        <help>Set the port the service should listen to.</help>
+        <help>Set the port the BIND service should listen on.</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Queries</label>
+    </field>
+    <field>
+        <id>general.allowquery</id>
+        <label>Allow Query</label>
+        <type>select_multiple</type>
+        <help><![CDATA[
+              Set the ACLs from which you allow clients to query this server.
+              <br/>The default is { any; }.
+              ]]></help>
     </field>
     <field>
         <id>general.querysource</id>
@@ -47,6 +66,74 @@
         <advanced>true</advanced>
         <help>Specify the IPv6 address used as a source for outbound queries.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Recursion and Forwarding</label>
+    </field>
+    <field>
+        <id>general.enablerecursion</id>
+        <label>Enable Recursive Resolution</label>
+        <type>checkbox</type>
+        <help>This will enable recursive resolution (default). Disable for public authoritative DNS servers.</help>
+    </field>
+    <field>
+        <id>general.recursionallowedacls</id>
+        <label>Recursion ACLs</label>
+        <type>select_multiple</type>
+        <help><![CDATA[
+              Select ACLs for which you wish to enable recursive resolution.
+              <br/>For public authoritative DNS servers, recursion should be disabled and this field left empty.
+              <br/>For private recursive DNS servers, this is usually an ACL representing your local LAN.
+              <br/>When recursion is enabled and no ACL is defined here or for allow-query-cache or allow-query, the
+              <br/>builtin { localnets; localhost; } address list is used. Otherwise this field will default to the value
+              <br/>found in allow-query-cache, or failing that, allow-query.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.allowcachequeries</id>
+        <label>Cache Query ACLs</label>
+        <advanced>true</advanced>
+        <type>select_multiple</type>
+        <help><![CDATA[
+              Select ACLs for which you wish to enable cache access. This effectively controls recursion.
+              <br/>For public authoritative DNS servers, recursion should be disabled, and this field defaults to using {none;}.
+              <br/>For private recursive DNS servers, use this field to override the defaults.
+              <br/>When recursion is enabled and allow-recursion has an ACL set, the default will be the same ACL.
+              <br/>Otherwise if allow-recursion has no ACL set, the default will be the { localnets; localhost; } address list.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.forwardonly</id>
+        <label>Forward Only</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Disables recursion if forwarding fails.
+              <br/>The default is to attempt forwarders first and perform recursive lookups if forwarding fails.
+              <br/>Only meaningful if the list of forwarders is not empty.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.forwarders</id>
+        <label>Forwarders</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help>Set any combination of IPv4 and IPv6 addresses to forward queries to when the answer is unknown.</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Zone Transfers</label>
+    </field>
+    <field>
+        <id>general.allowtransfer</id>
+        <label>Allow Transfer</label>
+        <type>select_multiple</type>
+        <help><![CDATA[
+              Set the ACLs of hosts allowed to perform zones transfers.
+              <br/>The default is { any; }.
+              ]]></help>
+    </field>
     <field>
         <id>general.transfersource</id>
         <label>Transfer Source IP</label>
@@ -62,75 +149,73 @@
         <help>Specify the IPv6 address used as a source for zone transfers.</help>
     </field>
     <field>
-        <id>general.forwarders</id>
-        <label>DNS Forwarders</label>
-        <style>tokenize</style>
-        <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Set one or more hosts to send your DNS queries if the request is unknown.</help>
+        <type>header</type>
+        <label>DNS Security Extensions (DNSSEC)</label>
+    </field>
+    <field>
+        <id>general.dnssecvalidation</id>
+        <label>DNSSEC Validation</label>
+        <type>dropdown</type>
+        <help><![CDATA[
+              The OPNsense default is "No". The BIND default is "auto" but we clobber this.
+              <br/>Set to "Auto" to use the default trust anchor for the DNS root zone.
+              <br/>The "yes" and "trust-anchors" options are not supported.
+              <br/>Consider legacy AAAA record filtering needs before enabling this feature as
+              <br/>signed responses will not have AAAA records filtered when this is set to "Auto".
+              ]]></help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>AAAA Record Filtering</label>
     </field>
     <field>
         <id>general.filteraaaav4</id>
         <label>Enable filter-aaaa on IPv4 Clients</label>
         <type>checkbox</type>
-        <help>This will filter AAAA records on IPv4 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
+        <help><![CDATA[
+              This will filter AAAA records on IPv4 Clients.
+              <br/>Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.
+              ]]></help>
     </field>
     <field>
         <id>general.filteraaaav6</id>
         <label>Enable filter-aaaa on IPv6 Clients</label>
         <type>checkbox</type>
-        <help>This will filter AAAA records on IPv6 Clients. Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.</help>
+        <help><![CDATA[
+              This will filter AAAA records on IPv6 Clients.
+              <br/>Set "DNSSEC Validation" to "No" and AAAA records will be omitted even if they are signed.
+              ]]></help>
     </field>
     <field>
         <id>general.filteraaaaacl</id>
-        <label>ACL for filter-aaaa</label>
-        <style>tokenize</style>
+        <label>ACLs for filter-aaaa</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
-        <help>Specifies a list of client addresses for which AAAA filtering is to be applied.</help>
+        <help>Set ACLs for which AAAA filtering is to be applied. The default is { any; }.</help>
+    </field>
+    <field>
+        <type>header</type>
+        <label>Logging</label>
     </field>
     <field>
         <id>general.logsize</id>
         <label>Logsize in MB</label>
         <type>text</type>
-        <help>Set the amount how big a logfile can growth. For Query and Blocked logs.</help>
+        <help>Set the maximum logfile size. For Query and Blocked logs.</help>
     </field>
     <field>
         <id>general.general_log_level</id>
         <label>General Log level</label>
         <style>selectpicker</style>
         <type>dropdown</type>
-        <help>Select General Log level. Log levels are listed in the order of increasing verbosity. Setting a certain log level will cause all messages of the specified and more severe log levels to be logged.</help>
-    </field>
-    <field>
-        <id>general.maxcachesize</id>
-        <label>Maximum Cache Size</label>
-        <type>text</type>
-        <help>How much memory in percent the cache can use from the system. Default is 80%.</help>
+        <help><![CDATA[
+              Select General Log level. Log levels are listed in the order of increasing verbosity.
+              <br/>Setting a certain log level will cause all messages of the specified and more severe log levels to be logged.
+              ]]></help>
     </field>
     <field>
-        <id>general.recursion</id>
-        <label>Recursion</label>
-        <type>select_multiple</type>
-        <help>Define an ACL where you allow which clients can resolve via this service. Usually use your local LAN.</help>
-    </field>
-    <field>
-        <id>general.allowtransfer</id>
-        <label>Allow Transfer</label>
-        <type>select_multiple</type>
-        <help>Define the ACLs where you allow which server can retrieve zones.</help>
-    </field>
-    <field>
-        <id>general.allowquery</id>
-        <label>Allow Query</label>
-        <type>select_multiple</type>
-        <help>Define the ACLs where you allow which client are allowed to query this server.</help>
-    </field>
-    <field>
-        <id>general.dnssecvalidation</id>
-        <label>DNSSEC Validation</label>
-        <type>dropdown</type>
-        <help>Default is "No". Set to "Auto" to use the static trust anchor configuration by the system.</help>
+        <type>header</type>
+        <label>Obfuscation Tunables</label>
+        <advanced>true</advanced>
     </field>
     <field>
         <id>general.hidehostname</id>
@@ -146,6 +231,18 @@
         <advanced>true</advanced>
         <help>This will hide the local BIND version in DNS queries.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Performance Tunables</label>
+        <advanced>true</advanced>
+    </field>
+    <field>
+        <id>general.maxcachesize</id>
+        <label>Maximum Cache Size</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>How much memory in percent the cache can use from the system. The default is 80%.</help>
+    </field>
     <field>
         <id>general.disableprefetch</id>
         <label>Disable Prefetching</label>
@@ -153,32 +250,147 @@
         <advanced>true</advanced>
         <help>This will disable prefetching of domains before they time out.</help>
     </field>
+    <field>
+        <type>header</type>
+        <label>Rate Limiting</label>
+        <advanced>true</advanced>
+    </field>
     <field>
         <id>general.enableratelimiting</id>
         <label>Enable Rate Limiting</label>
         <type>checkbox</type>
         <advanced>true</advanced>
-        <help>This will enable rate-limiting for DNS replies.</help>
+        <help>This will enable rate-limiting for DNS responses.</help>
     </field>
     <field>
-        <id>general.ratelimitcount</id>
-        <label>Rate Limit Replies</label>
+        <id>general.ratelimitrespps</id>
+        <label>Responses Per Second</label>
         <type>text</type>
         <advanced>true</advanced>
-        <help>Set how many replies per second are allowed.</help>
+        <help><![CDATA[
+              Set how many non-empty responses are allowed per second for valid domain names and record types.
+              <br/>The default is 0 or no limit.
+              ]]></help>
     </field>
     <field>
-        <id>general.ratelimitexcept</id>
-        <label>Rate Limit Exceptions</label>
-        <style>tokenize</style>
+        <id>general.ratelimitwindow</id>
+        <label>Window</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the number of second during which responses are tracked. The default is 15 seconds.</help>
+    </field>
+    <field>
+        <id>general.ratelimitexempt</id>
+        <label>Exempt Clients</label>
         <type>select_multiple</type>
-        <allownew>true</allownew>
         <advanced>true</advanced>
-        <help>Except a list of IPs from rate-limiting like ::1</help>
+        <help>Set ACLs where rate-limiting should not apply.</help>
+    </field>
+    <field>
+        <id>general.ratelimitipv4prefixlength</id>
+        <label>IPv4 Prefix Length</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the number of bits of the address block. Used to distinquish clients into a rate-limited group. The default is 24.</help>
+    </field>
+    <field>
+        <id>general.ratelimitipv6prefixlength</id>
+        <label>IPv6 Prefix Length</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the number of bits of the address block. Used to distinquish clients into a rate-limited group. The default is 56.</help>
+    </field>
+    <field>
+        <id>general.ratelimitnodataps</id>
+        <label>NODATA Responses Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set how many empty (NODATA) responses are allowed per second for valid domain names.
+              <br/>The default is equal to the Responses Per Second value.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitnxdomsps</id>
+        <label>NXDOMAIN Responses Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set how many NXDOMAIN errors are allowed per second for undefined subdomains for valid domain names.
+              <br/>The default is equal to the Responses Per Second value.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitrefsps</id>
+        <label>Referrals Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set how many referrals or delegations are allowed per second to a server for a given domain.
+              <br/>The default is equal to the Responses Per Second value.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimiterrsps</id>
+        <label>Errors Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set how many errors are allowed per second for valid domain names and record types.
+              <br/>The default is equal to the Responses Per Second value.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitallps</id>
+        <label>All Per Second</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set how many UDP responses of all types are allowed per second.
+              <br/>If used, this should be set to 4 times the size of other per second limits.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitslip</id>
+        <label>Slip</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set how many responses to "slip", reducing the use of forged source addresses in attacks. The default is 2.</help>
+    </field>
+    <field>
+        <id>general.ratelimitscale</id>
+        <label>QPS Scale</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help><![CDATA[
+              Set the ratio by which to scale back the Responses Per Second value during attacks.
+              <br/>The formula is (qps-scale/total-query-rate)*responses-per-second to produce the new value.
+              ]]></help>
+    </field>
+    <field>
+        <id>general.ratelimitmaxtbl</id>
+        <label>Maximum Table Size</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the maximum number of table entries used to track requests and rate-limit responses. The default is 20,000.</help>
+    </field>
+    <field>
+        <id>general.ratelimitmintbl</id>
+        <label>Minimum Table Size</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Set the minimum number of table entries used to track requests and rate-limit responses. The default is 500.</help>
+    </field>
+    <field>
+        <id>general.ratelimittry</id>
+        <label>Trial Rate Limiting</label>
+        <type>checkbox</type>
+        <advanced>true</advanced>
+        <help>Enable to test rate-limiting parameters without actually dropping any requests.</help>
     </field>
     <field>
         <type>header</type>
-        <label>RNDC Key</label>
+        <label>Remote Name Daemon Control (RNDC) Key</label>
         <advanced>true</advanced>
     </field>
     <field>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
index 6743b66ae4..13d3c9af44 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml
@@ -21,6 +21,10 @@
                 <primaryip type="NetworkField">
                     <AsList>Y</AsList>
                 </primaryip>
+                <forwardonly type="BooleanField">
+                    <Default>0</Default>
+                    <Required>Y</Required>
+                </forwardonly>
                 <forwardserver type="NetworkField">
                     <AsList>Y</AsList>
                 </forwardserver>
diff --git a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
index 238c9dc248..08e6945eb4 100644
--- a/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
+++ b/dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/General.xml
@@ -15,16 +15,40 @@
             <Default>1</Default>
             <Required>Y</Required>
         </enablerpz>
-        <listenv4 type="NetworkField">
-            <Default>0.0.0.0</Default>
-            <Required>Y</Required>
-            <AsList>Y</AsList>
+        <listenv4 type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
         </listenv4>
-        <listenv6 type="NetworkField">
-            <Default>::</Default>
-            <Required>Y</Required>
-            <AsList>Y</AsList>
+        <listenv6 type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
         </listenv6>
+        <port type="PortField">
+            <Default>53530</Default>
+            <Required>Y</Required>
+        </port>
+        <allowquery type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+        </allowquery>
         <querysource type="NetworkField">
             <AddressFamily>ipv4</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
@@ -33,6 +57,49 @@
             <AddressFamily>ipv6</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
         </querysourcev6>
+        <enablerecursion type="BooleanField">
+            <Default>1</Default>
+            <Required>Y</Required>
+        </enablerecursion>
+        <recursionallowedacls type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+            <ValidationMessage>Choose an ACL.</ValidationMessage>
+        </recursionallowedacls>
+        <allowcachequeries type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+            <ValidationMessage>Choose an ACL.</ValidationMessage>
+        </allowcachequeries>
+        <forwardonly type="BooleanField">
+            <Default>0</Default>
+            <Required>Y</Required>
+        </forwardonly>
+        <forwarders type="NetworkField">
+            <AsList>Y</AsList>
+        </forwarders>
+        <allowtransfer type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+        </allowtransfer>
         <transfersource type="NetworkField">
             <AddressFamily>ipv4</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
@@ -41,13 +108,14 @@
             <AddressFamily>ipv6</AddressFamily>
             <NetMaskAllowed>N</NetMaskAllowed>
         </transfersourcev6>
-        <port type="PortField">
-            <Default>53530</Default>
+        <dnssecvalidation type="OptionField">
+            <OptionValues>
+                <no>No</no>
+                <auto>Auto</auto>
+            </OptionValues>
+            <Default>no</Default>
             <Required>Y</Required>
-        </port>
-        <forwarders type="NetworkField">
-            <AsList>Y</AsList>
-        </forwarders>
+        </dnssecvalidation>
         <filteraaaav4 type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
@@ -56,8 +124,15 @@
             <Default>0</Default>
             <Required>Y</Required>
         </filteraaaav6>
-        <filteraaaaacl type="NetworkField">
-            <AsList>Y</AsList>
+        <filteraaaaacl type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
         </filteraaaaacl>
         <logsize type="IntegerField">
             <Default>5</Default>
@@ -79,52 +154,6 @@
             <Required>Y</Required>
             <Default>info</Default>
         </general_log_level>
-        <maxcachesize type="IntegerField">
-            <Default>80</Default>
-            <Required>Y</Required>
-            <MinimumValue>1</MinimumValue>
-            <MaximumValue>99</MaximumValue>
-            <ValidationMessage>Choose a value between 1 and 99.</ValidationMessage>
-        </maxcachesize>
-        <recursion type="ModelRelationField">
-            <Model>
-                <template>
-                    <source>OPNsense.Bind.Acl</source>
-                    <items>acls.acl</items>
-                    <display>name</display>
-                </template>
-            </Model>
-            <Multiple>Y</Multiple>
-            <ValidationMessage>Choose an ACL.</ValidationMessage>
-        </recursion>
-        <allowtransfer type="ModelRelationField">
-            <Model>
-                <template>
-                    <source>OPNsense.Bind.Acl</source>
-                    <items>acls.acl</items>
-                    <display>name</display>
-                </template>
-            </Model>
-            <Multiple>Y</Multiple>
-        </allowtransfer>
-        <allowquery type="ModelRelationField">
-            <Model>
-                <template>
-                    <source>OPNsense.Bind.Acl</source>
-                    <items>acls.acl</items>
-                    <display>name</display>
-                </template>
-            </Model>
-            <Multiple>Y</Multiple>
-        </allowquery>
-        <dnssecvalidation type="OptionField">
-            <OptionValues>
-                <no>No</no>
-                <auto>Auto</auto>
-            </OptionValues>
-            <Default>no</Default>
-            <Required>Y</Required>
-        </dnssecvalidation>
         <hidehostname type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
@@ -133,6 +162,13 @@
             <Default>0</Default>
             <Required>Y</Required>
         </hideversion>
+        <maxcachesize type="IntegerField">
+            <Default>80</Default>
+            <Required>Y</Required>
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>99</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 99.</ValidationMessage>
+        </maxcachesize>
         <disableprefetch type="BooleanField">
             <Default>0</Default>
             <Required>Y</Required>
@@ -141,16 +177,86 @@
             <Default>0</Default>
             <Required>Y</Required>
         </enableratelimiting>
-        <ratelimitcount type="IntegerField">
+        <ratelimitrespps type="IntegerField">
             <MinimumValue>1</MinimumValue>
             <MaximumValue>1000</MaximumValue>
             <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
-        </ratelimitcount>
-        <ratelimitexcept type="NetworkField">
-            <Default>0.0.0.0,::</Default>
-            <Required>Y</Required>
-            <AsList>Y</AsList>
-        </ratelimitexcept>
+        </ratelimitrespps>
+        <ratelimitwindow type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>3600</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 3600.</ValidationMessage>
+        </ratelimitwindow>
+        <ratelimitexempt type="ModelRelationField">
+            <Model>
+                <template>
+                    <source>OPNsense.Bind.Acl</source>
+                    <items>acls.acl</items>
+                    <display>name</display>
+                </template>
+            </Model>
+            <Multiple>Y</Multiple>
+            <ValidationMessage>Choose an ACL.</ValidationMessage>
+        </ratelimitexempt>
+        <ratelimitipv4prefixlength type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>32</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 32.</ValidationMessage>
+        </ratelimitipv4prefixlength>
+        <ratelimitipv6prefixlength type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>128</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 128.</ValidationMessage>
+        </ratelimitipv6prefixlength>
+        <ratelimitnodataps type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimitnodataps>
+        <ratelimitnxdomsps type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimitnxdomsps>
+        <ratelimitrefsps type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimitrefsps>
+        <ratelimiterrsps type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimiterrsps>
+        <ratelimitallps type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimitallps>
+        <ratelimitslip type="IntegerField">
+            <MinimumValue>0</MinimumValue>
+            <MaximumValue>10</MaximumValue>
+            <ValidationMessage>Choose a value between 0 and 10.</ValidationMessage>
+        </ratelimitslip>
+        <ratelimitscale type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>1000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 1000.</ValidationMessage>
+        </ratelimitscale>
+        <ratelimitmaxtbl type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>100000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 100,000.</ValidationMessage>
+        </ratelimitmaxtbl>
+        <ratelimitmintbl type="IntegerField">
+            <MinimumValue>1</MinimumValue>
+            <MaximumValue>100000</MaximumValue>
+            <ValidationMessage>Choose a value between 1 and 100,000.</ValidationMessage>
+        </ratelimitmintbl>
+        <ratelimittry type="BooleanField">
+            <Default>0</Default>
+            <Required>N</Required>
+        </ratelimittry>
         <rndcalgo type="OptionField">
             <Required>Y</Required>
             <Default>hmac-sha256</Default>
diff --git a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
index 30d3fcc1d3..4f52452f9c 100644
--- a/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
+++ b/dns/bind/src/opnsense/mvc/app/views/OPNsense/Bind/general.volt
@@ -99,8 +99,8 @@
                         <th data-column-id="retry" data-type="string" data-visible="true">{{ lang._('Retry') }}</th>
                         <th data-column-id="expire" data-type="string" data-visible="true">{{ lang._('Expire') }}</th>
                         <th data-column-id="negative" data-type="string" data-visible="true">{{ lang._('Negative TTL') }}</th>
+                        <th data-column-id="commands" data-width="9em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                         <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
-                        <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
                     </tr>
                 </thead>
                 <tbody>
@@ -200,6 +200,7 @@
                     <tr>
                         <th data-column-id="enabled" data-type="string" data-formatter="rowtoggle">{{ lang._('Enabled') }}</th>
                         <th data-column-id="domainname" data-type="string" data-visible="true">{{ lang._('Zone') }}</th>
+                        <th data-column-id="forwardonly" data-type="string" data-formatter="boolean" data-visible="true">{{ lang._('Forward Only') }}</th>
                         <th data-column-id="forwardserver" data-type="string" data-visible="true">{{ lang._('Forwarder IPs') }}</th>
                         <th data-column-id="uuid" data-type="string" data-identifier="true" data-visible="false">{{ lang._('ID') }}</th>
                         <th data-column-id="commands" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
@@ -427,8 +428,8 @@ $(document).ready(function() {
     }).on("loaded.rs.jquery.bootgrid", function(e) {
         // Checkzone button
         $("#grid-primary-domains").find(".command-bind-checkzone").off("click").on("click", function(ev) {
-            if (!$(this).closest("tr").hasClass("text-muted")) {
-                let zonename = $(this).closest('tr').find('td.zonename').text();
+            if (!$(this).closest(".tabulator-row").hasClass("text-muted")) {
+                let zonename = $(this).closest(".tabulator-row").find("[tabulator-field='domainname']").text();
                 zone_test(zonename);
             } else {
                 BootstrapDialog.show({
diff --git a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
index 9196b5de3e..83399f9389 100644
--- a/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
+++ b/dns/bind/src/opnsense/service/templates/OPNsense/Bind/named.conf
@@ -10,28 +10,47 @@ acl "{{ acl_list.name }}" { {{ acl_list.networks.replace(',', '; ') }}; };
 
 options {
 
-        directory       "/usr/local/etc/namedb/working";
-        pid-file        "/var/run/named/pid";
-        dump-file       "/var/dump/named_dump.db";
-        statistics-file "/var/stats/named.stats";
+        directory          "/usr/local/etc/namedb/working";
+        pid-file           "/var/run/named/pid";
+        dump-file          "/var/dump/named_dump.db";
+        statistics-file    "/var/stats/named.stats";
 
-{% for listenv4 in OPNsense.bind.general.listenv4.split(',') %}
-        listen-on port {{ OPNsense.bind.general.port }} { {% if listenv4 == '0.0.0.0' %}any{% else %}{{ listenv4 }}{% endif %}; };
-{% endfor %}
-{% for listenv6 in OPNsense.bind.general.listenv6.split(',') %}
-        listen-on-v6 port {{ OPNsense.bind.general.port }} { {% if listenv6 == '::' %}any{% else %}{{ listenv6 }}{% endif %}; };
-{% endfor %}
+{%   if helpers.exists('OPNsense.bind.general.listenv4') and OPNsense.bind.general.listenv4 != '' %}
+        listen-on          port {{ OPNsense.bind.general.port }} {
+{%              for acl in OPNsense.bind.general.listenv4.split(',') %}
+{%              set listenv4_acl = helpers.getUUID(acl) %}
+                {{ listenv4_acl.name }};
+{%              endfor %}
+        };
+{% else %}
+        listen-on          port {{ OPNsense.bind.general.port }} { any; }
+{% endif %}
+
+{% if helpers.exists('OPNsense.bind.general.disablev6') and OPNsense.bind.general.disablev6 != '1' %}
+{%   if helpers.exists('OPNsense.bind.general.listenv6') and OPNsense.bind.general.listenv6 != '' %}
+        listen-on-v6       port  {{ OPNsense.bind.general.port }} {
+{%              for acl in OPNsense.bind.general.listenv6.split(',') %}
+{%              set listenv6_acl = helpers.getUUID(acl) %}
+                {{ listenv6_acl.name }};
+{%              endfor %}
+        };
+{%   else %}
+        listen-on-v6       port {{ OPNsense.bind.general.port }} { any; }
+{%   endif %}
+{% else %}
+        listen-on-v6       { none; };
+{% endif %}
 
 {% if helpers.exists('OPNsense.bind.general.querysource') and OPNsense.bind.general.querysource != '' %}
-        query-source {{ OPNsense.bind.general.querysource }};
+        query-source       {{ OPNsense.bind.general.querysource }};
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.general.querysourcev6') and OPNsense.bind.general.querysourcev6 != '' %}
-        query-source-v6 {{ OPNsense.bind.general.querysourcev6 }};
+        query-source-v6    {{ OPNsense.bind.general.querysourcev6 }};
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.general.transfersource') and OPNsense.bind.general.transfersource != '' %}
-        transfer-source {{ OPNsense.bind.general.transfersource }};
+        transfer-source    {{ OPNsense.bind.general.transfersource }};
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.general.transfersourcev6') and OPNsense.bind.general.transfersourcev6 != '' %}
@@ -39,21 +58,36 @@ options {
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.general.forwarders') and OPNsense.bind.general.forwarders != '' %}
-        forwarders    { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
+{%   if helpers.exists('OPNsense.bind.general.forwardonly') and OPNsense.bind.general.forwardonly == '1' %}
+        forward            only
+{%   endif -%}
+        forwarders         { {{ OPNsense.bind.general.forwarders.replace(',', '; ') }}; };
 {% endif -%}
 
 {% if helpers.exists('OPNsense.bind.dnsbl.enabled') and OPNsense.bind.dnsbl.enabled == '1' %}
-        response-policy { {% if helpers.exists('OPNsense.bind.dnsbl.type') and OPNsense.bind.dnsbl.type != '' %}zone "whitelist.localdomain"; zone "blacklist.localdomain";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafegoogle') and OPNsense.bind.dnsbl.forcesafegoogle == '1' %}zone "rpzgoogle";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeduckduckgo') and OPNsense.bind.dnsbl.forcesafeduckduckgo == '1' %}zone "rpzduckduckgo";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeyoutube') and OPNsense.bind.dnsbl.forcesafeyoutube == '1' %}zone "rpzyoutube";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcestrictbing') and OPNsense.bind.dnsbl.forcestrictbing == '1' %}zone "rpzbing";{% endif %} };
-{% endif %}
+        response-policy    { {% if helpers.exists('OPNsense.bind.dnsbl.type') and OPNsense.bind.dnsbl.type != '' %}zone "whitelist.localdomain"; zone "blacklist.localdomain";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafegoogle') and OPNsense.bind.dnsbl.forcesafegoogle == '1' %}zone "rpzgoogle";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeduckduckgo') and OPNsense.bind.dnsbl.forcesafeduckduckgo == '1' %}zone "rpzduckduckgo";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcesafeyoutube') and OPNsense.bind.dnsbl.forcesafeyoutube == '1' %}zone "rpzyoutube";{% endif %}{% if helpers.exists('OPNsense.bind.dnsbl.forcestrictbing') and OPNsense.bind.dnsbl.forcestrictbing == '1' %}zone "rpzbing";{% endif %} };
+{% endif -%}
 
-{% if helpers.exists('OPNsense.bind.general.recursion') and OPNsense.bind.general.recursion != '' %}
+{% if helpers.exists('OPNsense.bind.general.enablerecursion') and OPNsense.bind.general.enablerecursion == '1' %}
         recursion          yes;
+{%   if helpers.exists('OPNsense.bind.general.recursionallowedacls') and OPNsense.bind.general.recursionallowedacls != '' %}
         allow-recursion {
-{%              for acl in OPNsense.bind.general.recursion.split(',') %}
-{%              set recursion_acl = helpers.getUUID(acl) %}
-                {{ recursion_acl.name }};
+{%              for acl in OPNsense.bind.general.recursionallowedacls.split(',') %}
+{%              set recursionallowedacls_acl = helpers.getUUID(acl) %}
+                {{ recursionallowedacls_acl.name }};
+{%              endfor %}
+        };
+{%   endif %}
+{%   if helpers.exists('OPNsense.bind.general.allowcachequeries') and OPNsense.bind.general.allowcachequeries != '' %}
+        allow-query-cache {
+{%              for acl in OPNsense.bind.general.allowcachequeries.split(',') %}
+{%              set allowcachequeries_acl = helpers.getUUID(acl) %}
+                {{ allowcachequeries_acl.name }};
 {%              endfor %}
         };
+{%   endif %}
+{% else %}
+        recursion          no;
 {% endif %}
 
 {% if helpers.exists('OPNsense.bind.general.allowtransfer') and OPNsense.bind.general.allowtransfer != '' %}
@@ -75,26 +109,70 @@ options {
 {% endif %}
 
 {% if helpers.exists('OPNsense.bind.general.maxcachesize') and OPNsense.bind.general.maxcachesize != '' %}
-        max-cache-size    {{ OPNsense.bind.general.maxcachesize }}%;
+        max-cache-size     {{ OPNsense.bind.general.maxcachesize }}%;
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.dnssecvalidation') and OPNsense.bind.general.dnssecvalidation != '' %}
-        dnssec-validation    {{ OPNsense.bind.general.dnssecvalidation }};
+        dnssec-validation  {{ OPNsense.bind.general.dnssecvalidation }};
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.hidehostname') and OPNsense.bind.general.hidehostname == '1' %}
-        hostname none;
+        hostname           none;
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.hideversion') and OPNsense.bind.general.hideversion == '1' %}
-        version none;
+        version            none;
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.disableprefetch') and OPNsense.bind.general.disableprefetch == '1' %}
         prefetch 0;
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.enableratelimiting') and OPNsense.bind.general.enableratelimiting == '1' %}
-{%   if helpers.exists('OPNsense.bind.general.ratelimitcount') and OPNsense.bind.general.ratelimitcount != '' %}
+{%   if helpers.exists('OPNsense.bind.general.ratelimitrespps') and OPNsense.bind.general.ratelimitrespps != '' %}
 	rate-limit {
-                responses-per-second {{ OPNsense.bind.general.ratelimitcount }};
-{%     if helpers.exists('OPNsense.bind.general.ratelimitexcept') and OPNsense.bind.general.ratelimitexcept != '' %}
-                exempt-clients { {{ OPNsense.bind.general.ratelimitexcept.replace(',', '; ') }}; };
+                responses-per-second   {{ OPNsense.bind.general.ratelimitrespps }};
+{%     if helpers.exists('OPNsense.bind.general.ratelimitwindow') and OPNsense.bind.general.ratelimitwindow != '' %}
+                window                 {{ OPNsense.bind.general.ratelimitwindow }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitipv4prefixlength') and OPNsense.bind.general.ratelimitipv4prefixlength != '' %}
+                ipv4-prefix-length     {{ OPNsense.bind.general.ratelimitipv4prefixlength }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitipv6prefixlength') and OPNsense.bind.general.ratelimitipv6prefixlength != '' %}
+                ipv6-prefix-length     {{ OPNsense.bind.general.ratelimitipv6prefixlength }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitnodataps') and OPNsense.bind.general.ratelimitnodataps != '' %}
+                nodata-per-second      {{ OPNsense.bind.general.ratelimitnodataps }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitnxdomsps') and OPNsense.bind.general.ratelimitnxdomsps != '' %}
+                nxdomains-per-second   {{ OPNsense.bind.general.ratelimitnxdomsps }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitrefsps') and OPNsense.bind.general.ratelimitrefsps != '' %}
+                referrals-per-second   {{ OPNsense.bind.general.ratelimitrefsps }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimiterrsps') and OPNsense.bind.general.ratelimiterrsps != '' %}
+                errors-per-second      {{ OPNsense.bind.general.ratelimiterrsps }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitallps') and OPNsense.bind.general.ratelimitallps != '' %}
+                all-per-second         {{ OPNsense.bind.general.ratelimitallps }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitslip') and OPNsense.bind.general.ratelimitslip != '' %}
+                slip                   {{ OPNsense.bind.general.ratelimitslip }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitscale') and OPNsense.bind.general.ratelimitscale != '' %}
+                qps-scale              {{ OPNsense.bind.general.ratelimitscale }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitmaxtbl') and OPNsense.bind.general.ratelimitmaxtbl != '' %}
+                max-table-size         {{ OPNsense.bind.general.ratelimitmaxtbl }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitmintbl') and OPNsense.bind.general.ratelimitmintbl != '' %}
+                min-table-size         {{ OPNsense.bind.general.ratelimitmintbl }};
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimitexempt') and OPNsense.bind.general.ratelimitexempt != '' %}
+                exempt-clients         {
+{%                      for acl in OPNsense.bind.general.ratelimitexempt.split(',') %}
+{%                      set ratelimitexempt_acl = helpers.getUUID(acl) %}
+                        {{ ratelimitexempt_acl.name }};
+{%                      endfor %}
+                };
+{%     endif %}
+{%     if helpers.exists('OPNsense.bind.general.ratelimittry') and OPNsense.bind.general.ratelimittry != '' %}
+                log-only               {{ OPNsense.bind.general.ratelimittry }};
 {%     endif %}
         };
 {%   endif %}
@@ -104,8 +182,9 @@ options {
 {% if helpers.exists('OPNsense.bind.general.rndcalgo') and helpers.exists('OPNsense.bind.general.rndcsecret') %}
 key "rndc-key" {
         algorithm "{{ OPNsense.bind.general.rndcalgo }}";
-        secret "{{ OPNsense.bind.general.rndcsecret }}";
+        secret    "{{ OPNsense.bind.general.rndcsecret }}";
 };
+
 controls {
         inet 127.0.0.1 port 9530
                 allow { 127.0.0.1; } keys { "rndc-key"; };
@@ -154,6 +233,11 @@ zone "rpzbing" { type primary; file "/usr/local/etc/namedb/primary/bing.db"; not
 zone "{{ domain.domainname }}" {
         type {{ domain.type }};
 {%       if domain.type == 'forward' %}
+{%         if domain.forwardonly == '1' %}
+        forward only;
+{%         else %}
+        forward first;
+{%         endif %}
         forwarders { {{ domain.forwardserver.replace(',', '; ') }}; };
 {%       elif domain.type == 'secondary' %}
 {%         if domain.transferkey is defined %}
@@ -261,7 +345,12 @@ plugin query "/usr/local/lib/bind/filter-aaaa.so" {
 {%   endif %}
 {% endif %}
 {% if helpers.exists('OPNsense.bind.general.filteraaaaacl') and OPNsense.bind.general.filteraaaaacl != '' %}
-        filter-aaaa    { {{ OPNsense.bind.general.filteraaaaacl.replace(',', '; ') }}; };
+                   filter-aaaa       {
+{%                      for acl in OPNsense.bind.general.filteraaaaacl.split(',') %}
+{%                      set filteraaaa_acl = helpers.getUUID(acl) %}
+                        {{ filteraaaa_acl.name }};
+{%                      endfor %}
+                   };
 {% endif %}
            };
 {% endif %}