https://www.ipfire.org/dbl
My eyes hurt when I open that link... :(
You should have linked to : https://www.ipfire.org/blog/introducing-ipfire-dbl-community-powered-domain-blocking-for-everyone
Still a lot of RED, but just a fraction compared to the link above!!
Seems to work with Pi-Hole too, but not going to use it for now since a lot of websites/companies claim to have the best Block List out there and not all of them are actually that great...
I am going to try them in AdGuard Home because blocklist management and logging in AGH is great, so why not.
Can we get this integrated into the unbound blocklists?
Quote from: abraxxa on February 17, 2026, 10:12:14 PM
Can we get this integrated into the unbound blocklists?
You can easily configure it.
- Navigate to https://www.ipfire.org/dbl/how-to-use
- Scroll down to "Plaintext Formats"
- Pick e.g. Domains > Malware
This results in this URL: https://dbl.ipfire.org/lists/malware/domains.txt
In OPNsense navigate to Service > Unbound > Blocklists, click the tiny + to add one, enable advanced mode, enter the URL above into the "URLs of Blocklists" field, add a description, save and apply.
Done. Repeat for more lists as you see fit.
This is what it looks like in AdGuard Home which is what I use. Should work in Unbound all the same.
(https://forum.opnsense.org/index.php?action=dlattach;attach=52433;image)
Thanks for the quick reply!
I wasn't aware of keeping the Type field empty and entering the URL(s) instead.
Reading the IPFire DBL how-to-use docs guided me towards using the 'DNS Request Policy Zone (RPZ)' feature of unbound, but I guess this isn't configurable via the OPNsense WebUI?
I've been using these lists for a couple days and I'm a bit confused at how they're supposed to work with Unbound in OPNsense in particular.
For example the domain 'facebook.com' exists in the social list: https://dbl.ipfire.org/lists/social/domains.txt
If I try to resolve 'facebook.com' literally, then it's of course blocked:
$ nslookup facebook.com
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find facebook.com: NXDOMAIN
(note: I specify to return 'NXDOMAIN' in the Unbound policy under Advanced settings)
However, if I resolve subdomains like 'www.facebook.com' these are not blocked:
$ nslookup www.facebook.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.facebook.com canonical name = star-mini.c10r.facebook.com.
Name: star-mini.c10r.facebook.com
Address: 31.13.66.35
Name: star-mini.c10r.facebook.com
Address: 2a03:2880:f31d:1:face:b00c:0:25de
And sure enough I can get to Facebook just by appending 'www.' in the browser.
Is this working correctly and I'm just not understanding the reason why the blocklist doesn't also include 'www.facebook.com' or '*.facebook.com'? Or, is it supposed to block all 'facebook.com' domains and Unbound just isn't working with this format?
It's not the only Unbound DNSBL in this format. I took a peek (https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Unbound/core/blocklists.conf) at the built-in AdGuard list and it also doesn't use wildcards or 'www.' prefixes, but others (like Hagezi's lists) do.
Quote from: abraxxa on February 17, 2026, 10:33:02 PM
Reading the IPFire DBL how-to-use docs guided me towards using the 'DNS Request Policy Zone (RPZ)' feature of unbound, but I guess this isn't configurable via the OPNsense WebUI?
Sorry, no idea. As I said I am not using blocklists in Unbound (I gave them a quick try before writing my last reply, though). I can wholeheartedly recommend AdGuard Home.
Quote from: OPNenthu on February 18, 2026, 09:45:53 PM
However, if I resolve subdomains like 'www.facebook.com' these are not blocked:
The blocklists will consider a domain as a wildcard if the domain starts with "*." in the downloaded list. In all other cases it does an exact match.
I would love to know how to incorporate the IPfire Suricata IDS/IPS rules (for malware TLS/HTTPS SNI inspection)
Accessible here: https://www.ipfire.org/dbl/how-to-use with a link to https://dbl.ipfire.org/lists/suricata.tar.gz
Does anyone know how to include them as (custom) rulesets in opnsense?
The DNSBL as such are ... meh.
Quote from: OPNenthu on February 18, 2026, 09:45:53 PM
And sure enough I can get to Facebook just by appending 'www.' in the browser.
Quote from: tuto2 on February 19, 2026, 09:27:40 AM
The blocklists will consider a domain as a wildcard if the domain starts with "*." in the downloaded list. In all other cases it does an exact match.
In AdGuard Home it seems blocking of a domain also blocks all subdomains:
$ dig 0019x.com
[...]
;; ANSWER SECTION:
0019x.com. 10 IN A 0.0.0.0
$ dig www.0019x.com
[...]
;; ANSWER SECTION:
www.0019x.com. 10 IN A 0.0.0.0
$ dig foo.0019x.com
[...]
;; ANSWER SECTION:
foo.0019x.com. 10 IN A 0.0.0.0
So just use AdGuard Home? What's the reason you don't? The UI alone is far superior to blocklist integration in Unbound.
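The two matching rules described in this thread, side by side, as an added example (this is not code from OPNsense, Unbound, AdGuard Home or IPFire). Rule A is what tuto2 describes for the OPNsense Unbound importer: a bare entry matches only itself, and only an entry beginning with "*." covers names beneath it. Rule B is what Patrick observed in AdGuard Home: an entry blocks itself and every subdomain. The sample list is constructed (the "*.tracker.example" entry is invented to exercise the wildcard path), the assumption that "*.x" does not match "x" itself follows plain DNS wildcard semantics and is not stated in the thread, and the "serve a rewritten list with *. entries yourself" idea in add_wildcards is a suggestion of this example, not something the thread confirms the importer supports from a self-hosted URL.

```python
# Added example, not code from OPNsense, Unbound, AdGuard Home or IPFire.
# Models the two matching rules discussed in the thread on a constructed
# sample list and shows how to rewrite a plain "domains.txt" so that an
# exact-match importer also covers subdomains.

SAMPLE_LIST = """\
# constructed sample in the IPFire DBL "domains" plaintext style
facebook.com
0019x.com
*.tracker.example   # invented wildcard entry, in the form tuto2 describes
"""


def _normalise(name):
    """Lower-case and drop a trailing dot so 'FaceBook.com.' equals 'facebook.com'."""
    return name.strip().lower().rstrip(".")


def parse_list(text):
    """Split a plaintext list into (exact, wildcard) sets of names.

    A leading '*.' is stripped and the remainder stored in `wildcard`;
    '#' comments and blank lines are ignored.
    """
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = _normalise(line)
        if name.startswith("*."):
            wildcard.add(name[2:])
        else:
            exact.add(name)
    return exact, wildcard


def _parents(name):
    """Yield every proper parent of a name: a.b.c -> b.c, c."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def blocked_exact(name, exact, wildcard):
    """Rule A: bare entries match only themselves; '*.x' matches names under x.

    Assumption (not stated in the thread): '*.x' does not match x itself.
    """
    name = _normalise(name)
    return name in exact or any(p in wildcard for p in _parents(name))


def blocked_suffix(name, exact, wildcard):
    """Rule B: an entry blocks itself and everything beneath it."""
    name = _normalise(name)
    candidates = [name, *_parents(name)]
    return any(c in exact or c in wildcard for c in candidates)


def coverage_gaps(queries, text):
    """Names that rule B would block but rule A lets through, sorted."""
    exact, wildcard = parse_list(text)
    return sorted(q for q in queries
                  if blocked_suffix(q, exact, wildcard)
                  and not blocked_exact(q, exact, wildcard))


def add_wildcards(text):
    """Rewrite a list so every bare entry is paired with a '*.' entry.

    The idea is to host the result yourself and point the blocklist URL at it;
    that the importer honours '*.' lines from any URL is an assumption drawn
    from tuto2's note, not something verified here.
    """
    exact, wildcard = parse_list(text)
    out = []
    for name in sorted(exact):
        out.append(name)
        if name not in wildcard:
            out.append("*." + name)
    for name in sorted(wildcard - exact):
        out.append("*." + name)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    ex, wc = parse_list(SAMPLE_LIST)
    for q in ("facebook.com", "www.facebook.com", "star-mini.c10r.facebook.com",
              "a.tracker.example", "tracker.example"):
        print(f"{q:30} ruleA={blocked_exact(q, ex, wc)!s:5} "
              f"ruleB={blocked_suffix(q, ex, wc)}")
    print(add_wildcards(SAMPLE_LIST), end="")
```

Running it reproduces the thread's observation: `facebook.com` is blocked under both rules, while `www.facebook.com` and the `star-mini.c10r.facebook.com` CNAME target pass rule A and are blocked only under rule B. `coverage_gaps` is the check to run over a list and your query log before loading the list into an exact-match importer; `add_wildcards` is one way to close those gaps without switching resolvers.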
Thanks, that confirms that there's a difference in how the blocklists are handled between the two and that some of the URL lists we have are not written with Unbound in mind.
Quote from: Patrick M. Hausen on February 20, 2026, 01:26:48 PM
So just use AdGuard Home? What's the reason you don't?
I would consider it over PiHole for a standalone DNS, but in OPNsense I prefer the integrated solution and would rather advocate for improving it.
AdGuard Home *is* the OPNsense integrated solution ;-)
If it's OK I've moved this part of the discussion to https://forum.opnsense.org/index.php?topic=51004.0, so that @abulafia and others can continue discussing about the IPFire lists specifically.
I think I differ with you on the meaning of integrated @Patrick, but it's neither here nor there I guess. This is another Coke vs. Pepsi thing now like Dnsmasq and Kea :P
Quote from: OPNenthu on February 20, 2026, 09:18:12 PM
This is another Coke vs. Pepsi thing now like Dnsmasq and Kea :P
So is AdGuard vs. Pi-Hole, but I would rather see you choose "the wrong one" (AdGuard in this case) than use Unbound, which does not have a nice and handy webGUI to manage anything you need and more than that! :P
#Pi-Hole+UnboundFTW!!! ^_^
No... I won't be further triggered here! We can do that in the other thread I set up. :)
Since we're on page 2 now, let's not forget @abulafia's question (https://forum.opnsense.org/index.php?msg=260900) on page 1.
https://github.com/juergen2025sys/NETSHIELD