diff -ru pdns-recursor-4.0.6.orig/ws-recursor.cc pdns-recursor-4.0.6/ws-recursor.cc
--- pdns-recursor-4.0.6.orig/ws-recursor.cc	2017-07-04 17:43:07.000000000 +0200
+++ pdns-recursor-4.0.6/ws-recursor.cc	2017-11-02 18:13:55.762458134 +0100
@@ -76,10 +76,11 @@
       throw ApiException("'value' must be an array");
     }
 
+    NetmaskGroup nmg;
     for (auto value : jlist.array_items()) {
       try {
-        Netmask(value.string_value());
-      } catch (NetmaskException &e) {
+        nmg.addMask(value.string_value());
+      } catch (const NetmaskException &e) {
         throw ApiException(e.reason);
       }
     }
@@ -91,9 +92,7 @@
 
     // Clear allow-from, and provide a "parent" value
     ss << "allow-from=" << endl;
-    for (auto value : jlist.array_items()) {
-      ss << "allow-from+=" << value.string_value() << endl;
-    }
+    ss << "allow-from+=" << nmg.toString() << endl;
 
     apiWriteConfigFile("allow-from", ss.str());
 
@@ -201,10 +200,15 @@
       if (server == "") {
         throw ApiException("Forwarded-to server must not be an empty string");
       }
-      if (!serverlist.empty()) {
-        serverlist += ";";
+      try {
+        ComboAddress ca = parseIPAndPort(server, 53);
+        if (!serverlist.empty()) {
+          serverlist += ";";
+        }
+        serverlist += ca.toStringWithPort();
+      } catch (const PDNSException &e) {
+        throw ApiException(e.reason);
       }
-      serverlist += server;
     }
     if (serverlist == "")
       throw ApiException("Need at least one upstream server when forwarding");