Please update the Default DNS Blocklists and Intrusion Detection (Suricata Rules)

Started by Armani, December 16, 2025, 03:09:08 AM

Dear OPNsense Team,

I would like to suggest a more frequent update cycle for the default blocklists available in the system, specifically in the Services: Intrusion Detection (Suricata Rules) and Services: Unbound DNS: Blocklists sections.

Please verify and maintain the default list sets in the Services: Intrusion Detection and Services: Unbound DNS: Blocklists sections.

The problem is that in the current configuration, some links to sources are inactive (the lists have been removed by their authors), and some new expected lists are missing from the default OPNsense packages/configuration.

For example, the Unbound DNS: Blocklists ruleset lacks the Normal and Aggressive lists of the most abused top-level domains (TLDs); the same applies to Suricata, as the collection lists are not up-to-date.

Please ensure that these lists are regularly updated and supplemented to ensure all default lists are up-to-date, accessible, and functional. Including more comprehensive and regularly updated community lists would significantly improve the default security level of OPNsense installations.

The current infrastructure for downloading these lists is excellent; this request only concerns updating the default sources.

Thank you for considering this enhancement.

DNS blocklists are missing Hagezi lists, such as "Most Abused TLDs" (both Normal and Aggressive), which I mentioned earlier. In addition, several lists in Suricata are outdated or empty, for example "IP SSLBL Abuse.ch".

Furthermore, some lists could be moved from Suricata to DNS or simply offered as an option in both places. A good example is URLHaus (URL-based); blocking this at the DNS level is faster and more resource-efficient (lower RAM/CPU usage) while achieving the same effect.

In particular, I am referring to behavioral / anomaly / hunting rules focused on web client behavior (browsers, curl, wget, etc.), TLS/JA3/JA4 fingerprinting, and the detection of unusual application behavior patterns within the network. I would prefer to optimize Suricata and its rule sets toward deep detection: suspicious behaviors, JA3/JA4 fingerprints, and identification and blocking of C2 infrastructure and IP addresses. In practice, Suricata should handle all detection tasks that DNS cannot provide. This would represent the most effective approach, minimizing resource usage and avoiding duplication of detection mechanisms.

I hope I am not the only one who has noticed this fundamental issue with outdated lists in such a powerful and comprehensive system as OPNsense. For this reason, I am raising this topic again and requesting an update and refresh of the lists for both DNS and Suricata.
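The post above argues that a URL-based feed such as URLhaus can be enforced at the DNS level instead of (or in addition to) Suricata, and that several default feeds are empty or dead. The following is an added example, not code from OPNsense or from the poster, that shows what such a move actually involves: it parses a URLhaus-style plain-text list (constructed sample, not a real feed), collapses the URLs to the hostnames that Unbound can block, renders them as `local-zone ... always_nxdomain` entries (a real Unbound zone type; the output format is an assumption, since OPNsense's blocklist feature generates its configuration its own way), and reports what DNS blocking cannot cover. The empty-feed flag is the check a maintainer would run against each default source.

```python
"""Turn a URL-based blocklist into a DNS blocklist and report its coverage gaps.

Added example; not OPNsense code. Input format assumed: one URL per line,
'#' comments, as in the URLhaus plain-text exports.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the URLhaus plain-text style. Not real indicators.
SAMPLE_URL_LIST = """\
# Constructed sample, not a real feed
http://malware.example.test/payload.exe
https://malware.example.test:8443/drop/stage2.bin
http://cdn.example.test/path/a
http://192.0.2.10/x.php
http://[2001:db8::1]/y
not a url
"""


def _entries(text):
    """Non-blank, non-comment lines of a feed."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def extract_hosts(text):
    """Split a URL feed into (DNS-blockable domains, IP-literal hosts, unparsed lines).

    A DNS blocklist can only act on names, so URLs whose host is an IP
    literal are reported separately: those still need Suricata or a
    firewall alias to be blocked.
    """
    domains, ips, skipped = set(), set(), []
    for line in _entries(text):
        parts = urlsplit(line)
        host = parts.hostname  # strips port and IPv6 brackets for us
        if parts.scheme not in ("http", "https") or not host:
            skipped.append(line)
            continue
        try:
            ipaddress.ip_address(host)
            ips.add(host)
        except ValueError:
            domains.add(host.lower().rstrip("."))
    return domains, ips, skipped


def to_unbound_conf(domains):
    """Render Unbound local-zone lines.

    always_nxdomain answers NXDOMAIN for the zone and every name below it,
    so one line per host covers all paths (and subdomains) on that host.
    """
    return "".join(f'local-zone: "{d}." always_nxdomain\n' for d in sorted(domains))


def summarize(text):
    """Health and coverage summary for one feed, as a maintainer would review it."""
    domains, ips, skipped = extract_hosts(text)
    entries = _entries(text)
    return {
        "entries": len(entries),
        "empty_feed": len(entries) == 0,          # dead or withdrawn source
        "dns_blockable_domains": len(domains),    # usually far fewer than URLs
        "ip_only_targets": sorted(ips),           # DNS cannot block these
        "unparsed": skipped,                      # feed format drift
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_URL_LIST)
    for key, value in report.items():
        print(f"{key}: {value}")
    domains, _, _ = extract_hosts(SAMPLE_URL_LIST)
    print(to_unbound_conf(domains), end="")
```

Two things the summary makes visible that the post's "same effect" claim glosses over: the DNS version blocks every path on a host, so a hosting or CDN domain that appears once in the URL feed gets blocked wholesale, and URLs with IP-literal hosts drop out entirely and still need Suricata or a firewall alias. Both are arguments for keeping the feed available in both places rather than moving it.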

+1 It would be really nice to get an updated version of both (to be fair, Unbound Blocklists are more recent than Suricata Rulesets).

I assume that you need to create an issue to address your request: https://github.com/opnsense/core/issues

Thank you and regards
Wrigleys