Testing firewall rules with qfeeds

Started by DEC740airp414user, January 25, 2026, 04:36:46 PM

Can a list be posted of the qfeeds blocklist? Community edition.

I have a few vlans I want to test to make sure they are successfully blocked.
And see the number increase on the home page widget

DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device

You can pull the lists using our OpenAPI: https://api.qfeeds.com/openapi/#/

The number is not always increasing since we validate the IOCs, so we often delete old IOCs as well to make it efficient and relevant.

Your Threat Intelligence Partner  qfeeds.com

Thanks
I exported both malware IP and malware domains to my device as a txt file.
As a free account. My device is running business edition OPNsense and I am using NextDNS as my provider. DNS over TLS.
All listed IP addresses visited within Firefox Focus are blocked and show up as blocked in the console.

If I choose and visit a malware domain, it is not blocked. And my test device running Firefox Focus warns me that the site could be malicious.

I changed unbound to non forwarding, standard unbound

I am seeing the same issue.

I set up a floating rule
Block
Chose all interfaces utilized
Direction in
Destination  malware ip which is all that is available
And log
Gateway is default

Are my expectations incorrect that it should be blocking domains from what I exported and viewed?

DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device

Probably. The Qfeeds lists contain IPs, not domains, so you have to use the alias in a firewall rule, not in a DNS blocklist.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

So the malware domains are listed/ downloaded but ignored?
DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device

Oh, I never used those, did not know they exist. Are they in a usable format for Unbound?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

At this time I do not see them listed under block list or extended block list.
If I am looking in the wrong area let me know
DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device

Quote from: meyergru on January 25, 2026, 09:10:47 PM
Oh, I never used those, did not know they exist. Are they in a usable format for Unbound?

Yes, they are supposed to be used in Unbound. If you use AGH you will need a second API key because both OPNsense alias management and AGH downloading trigger their rate limiting. Support will set up a second key for you if you are a paying customer and want to run AGH on the same device.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

This is supposed to work with Unbound according to the docs, but even after I checked "Register domain feeds", I cannot see anything w/r to Qfeeds in the Unbound blocklists, although both sets (IPs and domains) seem to be licensed.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on January 25, 2026, 09:28:40 PM
This is supposed to work with Unbound according to the docs, but even after I checked "Register domain feeds", I cannot see anything w/r to Qfeeds in the Unbound blocklists, although both sets (IPs and domains) seem to be licensed.

Are you running the latest community?
DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device

January 25, 2026, 10:33:53 PM #10 Last Edit: January 25, 2026, 10:35:39 PM by meyergru
Yep. But I cannot choose a "Qfeeds" blocklist and I also do not see anything special in the generated Unbound config files, so this seems to have no effect.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Today at 12:10:43 PM #11 Last Edit: Today at 12:14:47 PM by Q-Feeds
Hmm, that's interesting. Once the checkbox is selected in our plugin the domains should register in the unbound plugin without showing in the blocklists section of the unbound plugin. You should see the blocklist size increase in the reporting of unbound: "https://your-firewall-ip:xxx/ui/unbound/overview". And of course it should start blocking. Obviously you might not see any blocks depending on the internet usage (people actually opening malicious domains) but if you try to it should definitely show blocks...

Do you have any other blocklists enabled within unbound?

We will try and replicate this behavior.

EDIT: tried it with domain: "naturah.lat" and got blocked perfectly for both A and AAAA records. Also showing up as blocked in the unbound report.

Your Threat Intelligence Partner  qfeeds.com

I had two lists, but both disabled. I deleted them and still get ~235000 entries in the blocklist, maybe those are the Qfeeds items.

However, they are there regardless of me having "Register domain feeds" enabled or disabled. How do you register your blocklist into Unbound technically? This looks like there is a downloaded domain list that is injected into Unbound, but after disabling it, the list persists.

I found /var/unbound/data/dnsbl.json that seems to have the data included. I wonder how the different blocklists and the Qfeeds lists are integrated without interfering with one another...
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

I had several blocklists added. I have now removed them entirely. I am still utilizing DNS over TLS with NextDNS. I can try just Unbound if requested? But it did the same thing yesterday with just Unbound not forwarding.

I uninstalled and reinstalled the plugin, rebooted the entire firewall. Qfeeds shows "Database Size: 138,912" on the widget.
Reporting unbound: "Size of blocklist: 234908"

recreated the firewall rule on floating:
block
all utilized interfaces
direction in
destination Qfeeds malware IP
gateway is default.

On 2 different devices, if I bring up "cherrypharm.com",
the website is not blocked and I get a warning on both browsers.

Widget and Security > Events are 0.

DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device

It seems there is no way I can disable the Qfeeds domain blocklist - the content of dnsbl.json is still there and used after uninstalling the Qfeeds plugins completely.

The only way I found is to recreate an empty dnsbl.json and restart Unbound.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
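
Added example, not part of any post in this thread and not Q-Feeds or OPNsense code: a small Python check that separates the two layers discussed above, the Unbound domain blocklist and the floating rule on the malware IP alias, and shows why a listed domain can pass a rule that only matches listed IPs. The feed file format (one IP or CIDR per line), the sinkhole answer 0.0.0.0 / :: and all sample names and addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket

# Assumption: a DNS blocklist hit is answered with 0.0.0.0 / :: or with NXDOMAIN.
SINKHOLES = {"0.0.0.0", "::"}

def load_ip_feed(lines):
    """Parse an exported IP list (assumed: one IP or CIDR per line, '#' comments)."""
    entries = (line.split("#", 1)[0].strip() for line in lines)
    return [ipaddress.ip_network(e, strict=False) for e in entries if e]

def resolve(domain):
    """Look a name up through this machine's resolver; None if it does not resolve."""
    try:
        infos = socket.getaddrinfo(domain, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})

def classify(answers, ip_feed):
    """Say which layer, if any, stops a client that just looked this name up."""
    real = [ipaddress.ip_address(a) for a in (answers or []) if a not in SINKHOLES]
    if not real:
        # A dead domain looks the same; confirm the hit in the Unbound report.
        return "dns: no usable address"
    listed = [any(addr in net for net in ip_feed) for addr in real]
    if all(listed):
        return "firewall: all addresses in IP feed"
    if any(listed):
        # The client can still connect through the unlisted address.
        return "firewall: only some addresses in IP feed"
    return "not blocked"

def report(answers_by_domain, ip_feed):
    return {d: classify(a, ip_feed) for d, a in answers_by_domain.items()}

# Constructed sample data: documentation address ranges and reserved names.
IP_FEED = load_ip_feed(["# constructed feed", "192.0.2.10", "198.51.100.0/24"])
SAMPLE_ANSWERS = {
    "dnsbl-hit.example": ["0.0.0.0"],         # sinkholed by the DNS blocklist
    "nxdomain.example": None,                 # resolver returned no address
    "ip-listed.example": ["198.51.100.7"],    # resolves, IP is in the feed
    "domain-only.example": ["203.0.113.5"],   # resolves, IP is not in the feed
}

if __name__ == "__main__":
    for domain, verdict in report(SAMPLE_ANSWERS, IP_FEED).items():
        print(f"{domain:22} {verdict}")
```

To test a live setup, pass `resolve(name)` to `classify` on a client that uses the firewall as its resolver; a browser or app with its own encrypted DNS bypasses Unbound and will not show the DNS result.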