Messages

The bug with the Unbound integration has been solved in the latest version of OPNsense 26.1.2 . It should work now!

The bug with the Unbound integrations has been solved in the latest version of OPNsense 26.1.2 . It should work now!

We might have found the culprit. It was most likely due to a 'NULL' response from our server in one of the values of the license check. If anyone needs help, shoot us a message ;-)

Glad it's working again after the reboot! We're curious though if more users have experienced this?

Another solution could be to add a whitelist rule with an alias with all the TOR nodes.

Allright! Will look into it together with Deciso and get back to you. Thanks for digging into it already, very helpful!

FYI - I'm seeing this issue too however I'm using the qfeed Domains blocklist only within AGH and not within Unbound.  I'm running OPNsense 25.7.11_9-amd64  with AGH setup as the main DNS on port 53, and Unbound is on 5335. Within AGH I have 127.0.0.1:5335 setup as a Private reverse DNS server, and for Local resolution via Unbound on 127.0.0.1:5335 - this has been working well for years.

Blocking of sites on the qfeeds Domains blocklist within AGH worked well previously, however it now seems to have stopped as the example problem url's posted earlier in this thread are no longer blocked and they display warnings in my browser.

The widget shows the blocked number incrementing as I have the floating rules setup to block the qfeeds IPs which works properly - it's just the Domain blocklist isn't working anymore

edited to add - this is the url added to the AGH Qfeeds Malware Domains shown in the screenshot:
https://api.qfeeds.com/api.php?feed_type=malware_domains&api_token=tip_xxxxxxx

Hi vk2him,

This doesn't seem to be related to the Q-Feeds Plugin since you're using AGH. As your screenshot shows it perfectly pulls in the domains? If you try to reach 'cherrypharm.com' (just checked, still in the domains list), can you see any DNS requests for that domain in AGH ?

Thank you very much for bringing this to our attention. We will investigate the options.

Kind Regards,

Stefan

Hi Sammy,

Thank you for reporting; this is indeed a bug (most likely since the last Unbound update). Few other users reported the same behavior here: https://forum.opnsense.org/index.php?topic=50502.0

We're working on it and keep you posted!

Kind regards,

David

Allright! Will look into it together with Deciso and get back to you. Thanks for digging into it already, very helpful!
EDIT: Code is available on GitHub for review if you want to dig into it further: https://github.com/opnsense/plugins/tree/master/security/q-feeds-connector

Hmm that's interesting. Once the checkbox is selected in our plugin the domains should register in the unbound plugin without showing in the blocklists section of the unbound plugin. You should see the blocklist size increase in the reporting of unbound: "https://your-firewall-ip:xxx  /ui/unbound/overview ". And of course it should start blocking. Obviously you might not see any blocks depending on the internet usage (people actually opening malicious domains) but if you try to it should definitely show blocks...

Do you have any other blocklists enabled within unbound?

We will try and replicate this behavior.

EDIT: tried it with domain: "naturah.lat" and got blocked perfectly for both A and AAA records. Also showing up as blocked in the unbound report.

You can pull the lists using our OpenAPI: https://api.qfeeds.com/openapi/#/

The number is not always increasing since we validate the IOCs, so we often delete old IOCs as well to make it efficient and relevant.

Dear community

We kicked off the year with a new feature in our Threat Intelligence Portal called Brand Protection.

This feature monitors typosquatting domains related to your brand and uses smart detection models to assess how likely a domain is being used for phishing. For example, if your brand name or fake login pages are detected, the risk score goes up. If a domain looks malicious, you can submit a takedown request and we'll do our best to get it taken offline.

On top of that, Brand Protection also monitors your SSL certificates, so you'll get alerts if there are issues that could impact availability or trust.

Brand Protection is available with our Premium license or via a 7-day free Premium trial.

If you're curious to try it out, you can register here:
👉 https://tip.qfeeds.com/

As always we're happy to hear your feedback!

Kind regards,

Stefan

Oh my mistake, yes on the latest version you only need to enable it in our plugin indeed.

Please update the documentation to reflect this. Also, it doesn't seem to be working - I don't see any malicious domains getting blocked in the Unbound logs.

We've updated our documentation. The official documentation within the OPNsense docs is in review. Thank you for pointing it out.

That you don't see any domains blocked might be a good sign. It's not a list of Ads and Trackers which gets hits constantly. You can use the test functionality within Unbound (/ui/unbound/dnsbl/index#blocklist_tester) to see if it's working. Try these domains:

Code Select Expand

plant-with-crypto.org
platform8414.com
You should see output like this:

Code Select Expand

{
  "status": "OK",
  "action": "Block",
  "policy": {
    "source_nets": [],
    "address": "0.0.0.0",
    "rcode": 0,
    "description": "compat",
    "id": "09f398e4-3704-4957-b857-baaf590691c9",
    "prio": 3.402823669209385e+38,
    "hidx": 1,
    "bl": "qf_malware_domains"
  }
}

There no longer is a global "enable blocklists" setting in Unbound since the business implementation was merged into the community version in 25.7.8.

If you want to use the Q-Feeds blocklist exclusively, does this mean you only have to enable "register domain feeds" in the Q-Feeds settings and don't have to configure anything in Unbound?

Oh my mistake, yes on the latest version you only need to enable it in our plugin indeed.

I don't see your block list here - do you know if this is expected?

However, under the feed section of your plugin, I see both feeds for Ip and Domain.

Hi Netwarden,

That is expected. If the blocklist feature is both enabled in Unbound and our Plugin the list is active. You can verify by checking the Unbound report where you can see the increase in the blocklist size.

Kind regards,

David