| -rw-r--r-- | data/templates/dns-forwarding/recursor.conf.j2 | 10 | ||||
| -rw-r--r-- | interface-definitions/service_dns_forwarding.xml.in | 41 | ||||
| -rwxr-xr-x | smoketest/scripts/cli/test_service_dns_forwarding.py | 38 | 
3 files changed, 89 insertions, 0 deletions
| diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index ea700406c..deeb250f0 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -40,6 +40,16 @@ dnssec={{ dnssec }}
 dns64-prefix={{ dns64_prefix }}
 {% endif %}
+{% if dont_throttle_netmasks is vyos_defined %}
+# dont-throttle-netmasks
+dont-throttle-netmasks={{ exclude_throttle_address | join(',') }}
+{% endif %}
+
+{% if serve_stale_extensions is vyos_defined %}
+# serve-stale-extensions
+serve-stale-extensions={{ serve_stale_extension }}
+{% endif %}
+
 # serve rfc1918 records
 serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
diff --git a/interface-definitions/service_dns_forwarding.xml.in b/interface-definitions/service_dns_forwarding.xml.in
index 7dce9b548..0f8863438 100644
--- a/interface-definitions/service_dns_forwarding.xml.in
+++ b/interface-definitions/service_dns_forwarding.xml.in
@@ -670,6 +670,19 @@
                 </properties>
               <defaultValue>3600</defaultValue>
               </leafNode>
+              <leafNode name="serve-stale-extension">
+                <properties>
+                  <help>Number of times the expired TTL of a record is extended by 30 seconds when serving stale</help>
+                  <valueHelp>
+                    <format>u32:0-65535</format>
+                    <description>Number of times to extend the TTL</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 0-65535"/>
+                  </constraint>
+                </properties>
+                <defaultValue>0</defaultValue>
+              </leafNode>
               <leafNode name="timeout">
                 <properties>
                   <help>Number of milliseconds to wait for a remote authoritative server to respond</help>
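Review bot: In the recursor.conf.j2 hunk, both added guards test a different name from the one they render. `dont_throttle_netmasks is vyos_defined` wraps `exclude_throttle_address | join(',')`, and `serve_stale_extensions is vyos_defined` wraps `serve_stale_extension`. The CLI leaf nodes added in this commit are `exclude-throttle-address` and `serve-stale-extension`, so the guarded names presumably never exist in the config dict and neither option would be written to recursor.conf. The guards should read `{% if exclude_throttle_address is vyos_defined %}` and `{% if serve_stale_extension is vyos_defined %}`.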
@@ -694,6 +707,34 @@
                   <valueless/>
                 </properties>
               </leafNode>
+              <leafNode name="exclude-throttle-address">
+                <properties>
+                  <help>IP address or subnet</help>
+                  <valueHelp>
+                    <format>ipv4</format>
+                    <description>IPv4 address to match</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv4net</format>
+                    <description>IPv4 prefix to match</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6</format>
+                    <description>IPv6 address</description>
+                  </valueHelp>
+                  <valueHelp>
+                    <format>ipv6net</format>
+                    <description>IPv6 address</description>
+                  </valueHelp>
+                  <multi/>
+                  <constraint>
+                    <validator name="ipv4-address"/>
+                    <validator name="ipv4-prefix"/>
+                    <validator name="ipv6-address"/>
+                    <validator name="ipv6-prefix"/>
+                  </constraint>
+                </properties>
+              </leafNode>
             </children>
           </node>
         </children>
diff --git a/smoketest/scripts/cli/test_service_dns_forwarding.py b/smoketest/scripts/cli/test_service_dns_forwarding.py
index bc50a4ffe..4f2f182e5 100755
--- a/smoketest/scripts/cli/test_service_dns_forwarding.py
+++ b/smoketest/scripts/cli/test_service_dns_forwarding.py
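Review bot: The help string on the new `exclude-throttle-address` node is only `IP address or subnet`, which does not tell the operator what the listed addresses are excluded from. The template in this commit maps the node to `dont-throttle-netmasks`, so the entries are exempted from the recursor's throttling of remote servers, and the help should say so, e.g. `<help>IP address or subnet of remote servers that are never throttled</help>`. The `ipv6net` valueHelp description also reads `IPv6 address`; `IPv6 prefix to match` would be consistent with the `ipv4net` entry.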
@@ -239,6 +239,44 @@ class TestServicePowerDNS(VyOSUnitTestSHIM.TestCase):
         tmp = get_config_value('dns64-prefix')
         self.assertEqual(tmp, dns_prefix)
+    def test_exclude_throttle_adress(self):
+        exclude_throttle_adress_examples = [
+            '192.168.128.255',
+            '10.0.0.0/25',
+            '2001:db8:85a3:8d3:1319:8a2e:370:7348',
+            '64:ff9b::/96'
+        ]
+
+        for network in allow_from:
+            self.cli_set(base_path + ['allow-from', network])
+        for address in listen_adress:
+            self.cli_set(base_path + ['listen-address', address])
+
+        for exclude_throttle_adress in exclude_throttle_adress_examples:
+            self.cli_set(base_path + ['exclude-throttle-address', exclude_throttle_adress])
+
+        # commit changes
+        self.cli_commit()
+
+        # verify dont-throttle-netmasks configuration
+        tmp = get_config_value('exclude-throttle-address')
+        self.assertEqual(tmp, ','.join(exclude_throttle_adress_examples))
+
+    def test_serve_stale_extension(self):
+        for network in allow_from:
+            self.cli_set(base_path + ['allow-from', network])
+        for address in listen_adress:
+            self.cli_set(base_path + ['listen-address', address])
+
+        self.cli_set(base_path + ['serve-stale-extension', '20'])
+
+        # commit changes
+        self.cli_commit()
+
+        # verify configuration
+        tmp = get_config_value('serve-stale-extension')
+        self.assertEqual(tmp, '20')
+
     def test_listening_port(self):
         # We can listen on a different port compared to '53' but only one at a time
         for port in ['1053', '5353']: |
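Review bot: `test_exclude_throttle_adress` reads back `get_config_value('exclude-throttle-address')`, but the template in this commit writes the option as `dont-throttle-netmasks`, as the comment on the line above also says. `get_config_value` is defined outside this hunk; assuming it looks up keys in the generated recursor.conf, the assertion cannot match, and the lookup should be `tmp = get_config_value('dont-throttle-netmasks')`. `test_serve_stale_extension` reads `serve-stale-extension`, while the template key is `serve-stale-extensions`, so the two names need to be reconciled there as well. The new method and its locals also spell `adress`; `test_exclude_throttle_address` would match the CLI node name.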
