Testing firewall rules with qfeeds

Started by DEC740airp414user, January 25, 2026, 04:36:46 PM

Can a list be posted of the qfeeds blocklist? Community edition.

I have a few VLANs I want to test to make sure they are successfully blocked.
And see the number increase on the home page widget.



DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device

You can pull the lists using our OpenAPI: https://api.qfeeds.com/openapi/#/

The number is not always increasing since we validate the IOCs, so we often delete old IOCs as well to make it efficient and relevant.

Your Threat Intelligence Partner  qfeeds.com

Thanks.
I exported both malware IP and malware domains to my device as a txt file.
As a free account. My device is running business edition OPNsense and I am using NextDNS as my provider. DNS over TLS.
All IP addresses visited within Firefox Focus listed are blocked and show up as blocked in the console.

If I choose and visit a malware domain, they are not blocked. And my test device running Firefox Focus warns me that the site could be malicious.

I changed Unbound to non-forwarding, standard Unbound.

I am seeing the same issue.

I set up a floating rule:
Block
Chose all interfaces utilized
Direction in
Destination: malware IP, which is all that is available
And log
Gateway is default

Are my expectations incorrect that it should be blocking domains from what I exported and viewed?

Probably. The Qfeeds lists contain IPs, not domains, so you have to use the alias in a firewall rule, not in a DNS blocklist.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

So the malware domains are listed/downloaded but ignored?

Oh, I never used those, didn't know they exist. Are they in a usable format for Unbound?

At this time I do not see them listed under block list or extended block list.
If I am looking in the wrong area let me know

Quote from: meyergru on January 25, 2026, 09:10:47 PM
> Oh, I never used those, didn't know they exist. Are they in a usable format for Unbound?

Yes, they are supposed to be used in Unbound. If you use AGH you will need a second API key because both OPNsense alias management and AGH downloading trigger their rate limiting. Support will set up a second key for you if you are a paying customer and want to run AGH on the same device.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

This is supposed to work with Unbound according to the docs, but even after I checked "Register domain feeds", I cannot see anything w/r to Qfeeds in the Unbound blocklists, although both sets (IPs and domains) seem to be licensed.


Quote from: meyergru on January 25, 2026, 09:28:40 PM
> This is supposed to work with Unbound according to the docs, but even after I checked "Register domain feeds", I cannot see anything w/r to Qfeeds in the Unbound blocklists, although both sets (IPs and domains) seem to be licensed.

Are you running the latest community?

January 25, 2026, 10:33:53 PM #10 Last Edit: January 25, 2026, 10:35:39 PM by meyergru
Yep. But I cannot choose a "Qfeeds" blocklist and I also do not see anything special in the generated Unbound config files, so this seems to have no effect.