OPNsense Forum

English Forums => Q-Feeds (Threat intelligence) => Topic started by: DEC740airp414user on January 25, 2026, 04:36:46 PM

Title: Testing firewall rules with qfeeds
Post by: DEC740airp414user on January 25, 2026, 04:36:46 PM
Can a list of the qfeeds blocklist be posted? Community edition.

I have a few vlans I want to test to make sure they are successfully blocked.
And see the number increase on the home page widget



Title: Re: Testing firewall rules with qfeeds
Post by: Q-Feeds on January 25, 2026, 06:32:19 PM
You can pull the lists using our OpenAPI: https://api.qfeeds.com/openapi/#/

The number is not always increasing since we validate the IOCs, so we often delete old IOCs as well to make it efficient and relevant.
Title: Re: Testing firewall rules with qfeeds
Post by: DEC740airp414user on January 25, 2026, 09:00:16 PM
Thanks
I exported both malware ip and malware domains to my device as a txt file.
As a free account. My device is running business edition opnsense and I am using Nextdns as my provider. DNS over tls.
All IP addresses visited within Firefox Focus that are listed are blocked and show up as blocked in the console.

If I choose and visit a malware domain, it is not blocked, and my test device running Firefox Focus warns me that the site could be malicious.

I changed unbound to non forwarding, standard unbound

I am seeing the same issue.

I set up a floating rule
Block
Chose all interfaces utilized
Direction in
Destination  malware ip which is all that is available
And log
Gateway is default

Are my expectations incorrect that it should be blocking domains from what I exported and viewed?

Title: Re: Testing firewall rules with qfeeds
Post by: meyergru on January 25, 2026, 09:05:25 PM
Probably. The Qfeeds lists contain IPs, not domains, so you have to use the alias in a firewall rule, not in a DNS blocklist.
Title: Re: Testing firewall rules with qfeeds
Post by: DEC740airp414user on January 25, 2026, 09:09:26 PM
So the malware domains are listed/ downloaded but ignored?
Title: Re: Testing firewall rules with qfeeds
Post by: meyergru on January 25, 2026, 09:10:47 PM
Oh, I never used those, did not know they exist. Are they in a usable format for Unbound?
Title: Re: Testing firewall rules with qfeeds
Post by: DEC740airp414user on January 25, 2026, 09:15:03 PM
At this time I do not see them listed under block list or extended block list.
If I am looking in the wrong area let me know
Title: Re: Testing firewall rules with qfeeds
Post by: Patrick M. Hausen on January 25, 2026, 09:26:21 PM
Quote from: meyergru on January 25, 2026, 09:10:47 PM
Oh, I never used those, did not know they exist. Are they in a usable format for Unbound?

Yes, they are supposed to be used in Unbound. If you use AGH you will need a second API key because both OPNsense alias management and AGH downloading triggers their rate limiting. Support will set up a second key for you if you are a paying customer and want to run AGH on the same device.
Title: Re: Testing firewall rules with qfeeds
Post by: meyergru on January 25, 2026, 09:28:40 PM
This is supposed to work with Unbound according to the docs, but even after I checked "Register domain feeds", I cannot see anything w/r to Qfeeds in the Unbound blocklists, although both sets (IPs and domains) seem to be licensed.

Title: Re: Testing firewall rules with qfeeds
Post by: DEC740airp414user on January 25, 2026, 10:26:12 PM
Quote from: meyergru on January 25, 2026, 09:28:40 PM
This is supposed to work with Unbound according to the docs, but even after I checked "Register domain feeds", I cannot see anything w/r to Qfeeds in the Unbound blocklists, although both sets (IPs and domains) seem to be licensed.

Are you running the latest community?
Title: Re: Testing firewall rules with qfeeds
Post by: meyergru on January 25, 2026, 10:33:53 PM
Yep. But I cannot choose a "Qfeeds" blocklist and I also do not see anything special in the generated Unbound config files, so this seems to have no effect.
Title: Re: Testing firewall rules with qfeeds
Post by: Q-Feeds on January 26, 2026, 12:10:43 PM
Hmm that's interesting. Once the checkbox is selected in our plugin the domains should register in the unbound plugin without showing in the blocklists section of the unbound plugin. You should see the blocklist size increase in the reporting of unbound: "https://your-firewall-ip:xxx/ui/unbound/overview". And of course it should start blocking. Obviously you might not see any blocks depending on the internet usage (people actually opening malicious domains) but if you try to it should definitely show blocks...

Do you have any other blocklists enabled within unbound?

We will try and replicate this behavior.

EDIT: tried it with domain: "naturah.lat" and got blocked perfectly for both A and AAAA records. Also showing up as blocked in the unbound report.
Title: Re: Testing firewall rules with qfeeds
Post by: meyergru on January 26, 2026, 12:39:31 PM
I had two lists, but both disabled. I deleted them and still get ~235000 entries in the blocklist, maybe those are the Qfeeds items.

However, they are there regardless of me having "Register domain feeds" enabled or disabled. How do you register your blocklist into Unbound technically? This looks like there is a downloaded domain list that is injected into Unbound, but after disabling it, the list persists.

I found /var/unbound/data/dnsbl.json that seems to have the data included. I wonder how the different blocklists and the Qfeeds lists are integrated without interfering with one another...
Title: Re: Testing firewall rules with qfeeds
Post by: DEC740airp414user on January 26, 2026, 12:46:17 PM
I had several blocklists added.   I have now removed them entirely.   I am still utilizing DNS over TLS with Nextdns.    I can try just unbound if requested?   but it did the same thing yesterday with just unbound not forwarding

I uninstalled and reinstalled the plugin, rebooted the entire firewall.
qfeeds shows: Database Size: 138,912 on the widget.
reporting unbound: Size of blocklist: 234908

recreated the firewall rule on floating:
block
all utilized interfaces
direction in
destination Qfeeds malware IP
gateway is default.

on 2 different devices if I bring up "cherrypharm.com"
the website is not blocked and I get a warning on both browsers

widget and security > events are 0

Title: Re: Testing firewall rules with qfeeds
Post by: meyergru on January 26, 2026, 01:11:03 PM
It seems there is no way I can disable the Qfeeds domain blocklist - the content of dnsbl.json is still there and used after uninstalling the Qfeeds plugins completely.

The only way I found is to recreate an empty dnsbl.json and restart Unbound.
Title: Re: Testing firewall rules with qfeeds
Post by: Q-Feeds on January 26, 2026, 06:10:59 PM
All right! Will look into it together with Deciso and get back to you. Thanks for digging into it already, very helpful!
EDIT: Code is available on GitHub for review if you want to dig into it further: https://github.com/opnsense/plugins/tree/master/security/q-feeds-connector
Title: Re: Testing firewall rules with qfeeds
Post by: vk2him on January 31, 2026, 01:30:09 AM
Quote from: Q-Feeds on January 26, 2026, 06:10:59 PM
All right! Will look into it together with Deciso and get back to you. Thanks for digging into it already, very helpful!

FYI - I'm seeing this issue too however I'm using the qfeed Domains blocklist only within AGH and not within Unbound.  I'm running OPNsense 25.7.11_9-amd64  with AGH setup as the main DNS on port 53, and Unbound is on 5335. Within AGH I have 127.0.0.1:5335 setup as a Private reverse DNS server, and for Local resolution via Unbound on 127.0.0.1:5335 - this has been working well for years.

Blocking of sites on the qfeeds Domains blocklist within AGH worked well previously, however it now seems to have stopped as the example problem URLs posted earlier in this thread are no longer blocked and they display warnings in my browser.

The widget shows the blocked number incrementing as I have the floating rules setup to block the qfeeds IPs which works properly - it's just the Domain blocklist isn't working anymore

edited to add - this is the url added to the AGH Qfeeds Malware Domains shown in the screenshot:
https://api.qfeeds.com/api.php?feed_type=malware_domains&api_token=tip_xxxxxxx


Title: Re: Testing firewall rules with qfeeds
Post by: Q-Feeds on January 31, 2026, 11:07:50 PM
Quote from: vk2him on January 31, 2026, 01:30:09 AM

Hi vk2him,

This doesn't seem to be related to the Q-Feeds Plugin since you're using AGH. As your screenshot shows it perfectly pulls in the domains? If you try to reach 'cherrypharm.com' (just checked, still in the domains list), can you see any DNS requests for that domain in AGH ?
Title: Re: Testing firewall rules with qfeeds
Post by: vk2him on January 31, 2026, 11:22:58 PM
Quote from: Q-Feeds on January 31, 2026, 11:07:50 PM
This doesn't seem to be related to the Q-Feeds Plugin since you're using AGH. As your screenshot shows it perfectly pulls in the domains? If you try to reach 'cherrypharm.com' (just checked, still in the domains list), can you see any DNS requests for that domain in AGH ?

Yes, you're correct - after a bit more checking, it seems the warning for that website was generated by my browser natively, or via an add-in (Brave) - I could see within the AGH log that it actually blocked access. When I tried Safari, I didn't get the warning as it must not have the same website checking, and again AGH blocked it. Sorry for my misunderstanding :)
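
The thread mixes three separate controls: the DNS blocklist (domain feed), the firewall alias (IP feed), and the browser's own site warnings. The sketch below is an added example, not part of any post and not Q-Feeds or OPNsense code; it decides from the DNS answer and the two exported lists which control should have acted. Assumptions: the exports are plain text with one entry per line, the resolver answers blocked names with 0.0.0.0/:: or no address at all, domain matching is exact, and all names and addresses in the demo are constructed.

```python
import ipaddress
import socket

SINKHOLE = {"0.0.0.0", "::"}  # assumption: answers a blocking resolver hands out

def load_feed(text):
    """Parse an exported feed (one entry per line, '#' comments) into a set."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def resolve(domain):
    """Ask the system resolver (the firewall, on a LAN client); [] means no address."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(domain, None)})
    except socket.gaierror:
        return []

def diagnose(domain, answers, domain_feed, ip_feed):
    """Return which control should act on this lookup, given the DNS answers."""
    name = domain.lower().rstrip(".")
    listed = name in domain_feed
    sinkholed = not answers or all(a in SINKHOLE for a in answers)
    if listed and sinkholed:
        # DNS blocklist worked; a browser warning on top of this is the browser's own
        return "dns-blocked"
    if listed:
        # in the domain feed but resolved normally: the blocklist is not applied
        return "dns-block-missing"
    hits = [a for a in answers if ipaddress.ip_address(a).compressed in ip_feed]
    if hits:
        # only the IP alias covers this host: expect a hit on the floating rule
        return "firewall-should-block"
    # neither feed lists it: any warning shown is not produced by the feeds
    return "not-in-feeds"

if __name__ == "__main__":
    # Constructed sample exports (documentation names and address ranges)
    domains = load_feed("# constructed domain export\nbad.example\n")
    ips = load_feed("# constructed IP export\n203.0.113.7\n")
    for name, ans in [("bad.example", ["0.0.0.0"]),
                      ("bad.example", ["198.51.100.9"]),
                      ("other.example", ["203.0.113.7"])]:
        print(name, ans, "->", diagnose(name, ans, domains, ips))
```

For a live check, pass `resolve(name)` as `answers` from a client that uses the firewall as its DNS server, then confirm the verdict against the Unbound or AGH query log rather than the browser.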