Messages - Q-Feeds

#1
Dear community,

We kicked off the year with a new feature in our Threat Intelligence Portal called Brand Protection.

This feature monitors typosquatting domains related to your brand and uses smart detection models to assess how likely a domain is being used for phishing. For example, if your brand name or fake login pages are detected, the risk score goes up. If a domain looks malicious, you can submit a takedown request and we'll do our best to get it taken offline.

On top of that, Brand Protection also monitors your SSL certificates, so you'll get alerts if there are issues that could impact availability or trust.

Brand Protection is available with our Premium license or via a 7-day free Premium trial.

If you're curious to try it out, you can register here:
👉 https://tip.qfeeds.com/

As always we're happy to hear your feedback!

Kind regards,

Stefan
#2
Quote from: netwarden on December 16, 2025, 09:36:34 AM
Quote: Oh my mistake, yes on the latest version you only need to enable it in our plugin indeed.

Please update the documentation to reflect this. Also, it doesn't seem to be working - I don't see any malicious domains getting blocked in the Unbound logs.

We've updated our documentation. The official documentation within the OPNsense docs is in review. Thank you for pointing it out.

That you don't see any domains blocked might be a good sign. It's not a list of Ads and Trackers which gets hits constantly. You can use the test functionality within Unbound (/ui/unbound/dnsbl/index#blocklist_tester) to see if it's working. Try these domains:

plant-with-crypto.org
platform8414.com

You should see output like this:

{
  "status": "OK",
  "action": "Block",
  "policy": {
    "source_nets": [],
    "address": "0.0.0.0",
    "rcode": 0,
    "description": "compat",
    "id": "09f398e4-3704-4957-b857-baaf590691c9",
    "prio": 3.402823669209385e+38,
    "hidx": 1,
    "bl": "qf_malware_domains"
  }
}
#3
Quote from: Maurice on December 15, 2025, 10:40:14 PM
There no longer is a global "enable blocklists" setting in Unbound since the business implementation was merged into the community version in 25.7.8.

If you want to use the Q-Feeds blocklist exclusively, does this mean you only have to enable "register domain feeds" in the Q-Feeds settings and don't have to configure anything in Unbound?

Oh my mistake, yes on the latest version you only need to enable it in our plugin indeed.
#4
Quote from: netwarden on December 15, 2025, 07:37:38 PM
I don't see your block list here - do you know if this is expected?

However, under the feed section of your plugin, I see both feeds for IP and Domain.

Hi Netwarden,

That is expected. If the blocklist feature is enabled both in Unbound and in our plugin, the list is active. You can verify this by checking the Unbound report, where you can see the increase in the blocklist size.

Kind regards,

David
#5
Q-Feeds (Threat intelligence) / Re: q-feeds feedback
December 11, 2025, 11:15:19 PM
Hi Mokaz and Dirtyfreebooter,

Glad everything works as expected! And thanks a lot for your feedback, really appreciated. Please find our answers below.

1.
Your guess is correct, the Community edition only provides open-source intelligence. Our threat lookup (Plus and Premium licenses) feature gives more insight into where items come from. We're not planning to make this available for the Community edition.

2.
As Cedrik already mentioned. :)

3.
We went with this approach because several users asked for a specific category during our beta testing. I guess everyone has their own preferences. :) Our personal view is that it's clearer to keep a distinction between Security and Services, otherwise the Services menu becomes cluttered with too many different functions. That said, I do agree that adding other security related services (including Zenarmor) to the menu would help keep things clean and consistent. I'll add it to our next meeting agenda to have a look at it.

Thanks again!

Kind regards,

David
#6
Good news: we expect to launch support for DNSCrypt-proxy in the next release (Plugin v1.4).
#7
Quote from: vpx on December 09, 2025, 09:45:27 AM
Hi Stefan,

Thanks, it has been fixed. 👍🏻

Perfect! Thanks for letting us know!
#8
Hi vpx,

Thank you so much for letting us know; we had no clue, since we're not using Outlook Classic. That said, we've now added an explicit width to the header in the email, hoping that solves it for Outlook Classic. Please let us know, much appreciated.

Kind regards,

Stefan
#9
No, not all in particular.
#10
Quote from: _tribal_ on December 05, 2025, 08:34:21 PM
Unfortunately, I had to give up on this plugin. In my case, too many resources that were critical to me were blacklisted by Q-Feeds. Otherwise, it worked quite stably. Good luck with developing the service.

That's unfortunate to hear! Sorry it didn't work out for you. We'd really appreciate it if you could share which false positives you ran into, it helps us improve the service for everyone.
#11
Quote from: Kets_One on December 01, 2025, 08:25:00 PM
Thanks for the suggestion.
However, I don't have managed switches installed. All other networking equipment I have monitored for years without such behaviour.

Strangely, nslookup of 94.16.122.152 resolves to s7.vonderste.in.
Not known as a part of the ntp.pool, maybe just an NTP client.
Indeed this doesn't explain the source IP.

Update:
Just now a new request was made from 192.168.90.100:123 to a different destination IP: 217.144.138.234, which appears to be an NTP server: ntp2.wup-de.hosts.301-moved.de. Again I am unable to locate the source IP / host on my LAN. Maybe some Wireshark is in order...

94.16.122.152 is identified as a Tor node, that's why it's on our list :)
#12
Hi VPX,

Thank you for this idea! We will investigate the possibility in the upcoming weeks. I noticed that it already has DNSBL functionality, so that could be an easy implementation. We will get back to you!
#13
Quote from: Shayoo on November 29, 2025, 12:34:54 PM
Hi,

Thank you for the clarification, that makes sense now.
I appreciate the quick and detailed response.

More than welcome!
#14
Hi Shayoo,

Thanks for your kind words.

This is expected behavior: the blocklist won't appear in the Unbound blocklist list. Yet you will see an increase in the 'Size of blocklist' number in the reporting feature of Unbound at this URL: https://*****:***/ui/unbound/overview

You can also search for "qf_malware_domains" in the details tab to see if you have any hits.
#15
Quote from: wirehire on November 06, 2025, 12:59:59 PM
You're right, uploading nothing is very good from that point of view. But the plugin matched the list, and the blocklist takes the IP from the blocklist. So when the plugin can see that a dangerous IP tries to connect and blocks it, it can also see, and write to the plugin log, which port.

For zero-days they often check specific ports in waves. So when you see many IPs scanning for a specific port in a wave, you can treat it differently.

Hence the question to the Q-Feeds maintainer: can your plugin, without uploading to your instances, see which port the attacker probed to connect to?

In the next release we've added the ports to the Events page. We also added an option to use Threat Lookup quickly by pressing a button next to the IP addresses which then redirects to the threat lookup function in the TIP.