Security.DugganUSA.com Documentation

Enterprise Security Operations Platform - Technical Whitepapers & Architecture Guides

Free Threat Intelligence for OPNsense Users: DugganUSA Blocklists

Published: March 2, 2026
Category: Threat Intelligence
Vendor: OPNsense (Firewall/IDS)


⚠️ IMPORTANT: API keys are LIVE. Anonymous access ends March 15, 2026 — register now.

Tiered API keys are deployed today. Anonymous access ends March 15, 2026 — after that date all requests without a key will be rejected.

  • Free: $0 (25/day)
  • Pro: $99/mo (2,000/day, 24h email SLA)
  • Enterprise: $995/mo (50,000/day, 4h response SLA — [email protected])
  • Register: https://analytics.dugganusa.com/stix/register

The Value Proposition

DugganUSA’s threat intelligence cascade pipeline produces a 3-source blocklist purpose-built for firewall enforcement — IPs, domains, and URLs — derived from 15 upstream threat feeds.

Your OPNsense firewall is excellent. Our free blocklist feed makes it block more threats automatically.


What You Get

Feed Endpoints:


OPNsense Integration

Step 1: Register for an API Key

Visit https://analytics.dugganusa.com/stix/register to obtain a free API key.

Important: Use Authorization: Bearer <key> in all requests. X-API-Key is NOT supported — Cloudflare strips custom headers.

Step 2: Add Blocklist URLs via Aliases

OPNsense uses Aliases (Firewall → Aliases) to import external URL-based blocklists.

IP Blocklist Alias

  1. Navigate to Firewall → Aliases
  2. Click Add (+)
  3. Configure:
Name:        DugganUSA_IP_Blocklist
Type:        URL Table (IPs)
Content:     https://analytics.dugganusa.com/api/v1/opnsense-blocklist/ip
Description: DugganUSA threat intelligence IP blocklist
Refresh:     1d (daily)

Note: OPNsense URL Table aliases fetch without custom headers. Use the cron method below to inject the Bearer token.

Domain Blocklist Alias

Name:        DugganUSA_Domain_Blocklist
Type:        URL Table (Host)
Content:     https://analytics.dugganusa.com/api/v1/opnsense-blocklist/domain
Description: DugganUSA threat intelligence domain blocklist
Refresh:     1d (daily)

Step 3: Cron-Based Refresh with Bearer Auth

Because OPNsense URL Table aliases don’t support custom HTTP headers, use a cron job to pull and cache the lists locally, then point the alias at the local file.

Create the fetch script at /usr/local/bin/update-dugganusa-blocklists.sh:

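#!/bin/sh
# This file holds the API key: keep it owned by root and not world-readable.
API_KEY="<YOUR_API_KEY>"
BASE="https://analytics.dugganusa.com/api/v1/opnsense-blocklist"
DEST="/var/db/aliastables"

# Fetch one list to a temp file and replace the cached copy only if the request
# succeeded (-f fails on HTTP errors) and returned data, so a 401 or an empty
# response never overwrites a good list.
fetch() {
  tmp="${DEST}/dugganusa_$1.txt.tmp"
  if curl -fsS -H "Authorization: Bearer ${API_KEY}" "${BASE}/$1" -o "$tmp" && [ -s "$tmp" ]; then
    mv "$tmp" "${DEST}/dugganusa_$1.txt"
  else
    rm -f "$tmp"
    echo "dugganusa: fetch of $1 list failed, keeping previous copy" >&2
    return 1
  fi
}

fetch domain   # Fetch domain blocklist
fetch url      # Fetch URL blocklist

# Fetch IP blocklist, then reload the pf table (named after the Step 2 alias)
fetch ip && pfctl -t DugganUSA_IP_Blocklist -T replace -f "${DEST}/dugganusa_ip.txt"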

Make it executable, and readable only by its owner since it contains the API key:

chmod 700 /usr/local/bin/update-dugganusa-blocklists.sh

Schedule via OPNsense Cron (System → Settings → Cron → Add):

Command:     /usr/local/bin/update-dugganusa-blocklists.sh
Schedule:    0 */6 * * *   (every 6 hours)
Description: Refresh DugganUSA threat intelligence blocklists

Step 4: Point Aliases to Local Files

Update your aliases to reference the locally-cached files:

Name:        DugganUSA_IP_Blocklist
Type:        URL Table (IPs)
Content:     file:///var/db/aliastables/dugganusa_ip.txt

Step 5: Create Firewall Rules

Navigate to Firewall → Rules → WAN (or LAN for outbound blocking)

Rule: Block Inbound from Malicious IPs

Action:      Block
Direction:   in
Interface:   WAN
Protocol:    any
Source:      DugganUSA_IP_Blocklist
Destination: any
Description: Block DugganUSA malicious IP inbound
Log:         enabled

Rule: Block Outbound to Malicious IPs

Action:      Block
Direction:   out
Interface:   LAN
Protocol:    any
Source:      LAN net
Destination: DugganUSA_IP_Blocklist
Description: Block DugganUSA malicious IP outbound
Log:         enabled
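
A fetched list feeds these block rules directly, so it is worth vetting its contents before the alias reads it. The shell functions below are an added example (not DugganUSA or OPNsense code) that drops malformed, private or overly broad entries and keeps the previous file if too little survives; `MIN_ENTRIES`, the /8 prefix floor and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not DugganUSA or OPNsense code: vet a fetched IP list before it
# replaces the file the alias reads. MIN_ENTRIES and the /8 floor are assumptions.
MIN_ENTRIES=${MIN_ENTRIES:-1}; CR=$(printf '\r')

# is_ipv4_or_cidr ENTRY: true for a dotted quad with an optional /0-32 prefix.
is_ipv4_or_cidr() {
  addr=${1%%/*}
  case $1 in */*) pfx=${1#*/} ;; *) pfx=32 ;; esac
  case $pfx in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$pfx" -le 32 ] || return 1
  case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, at most 3 digits
    [ "$o" -le 255 ] || return 1
  done
}

# is_safe_entry ENTRY: valid, not broader than /8, not private/loopback/link-local.
is_safe_entry() {
  is_ipv4_or_cidr "$1" || return 1
  [ "$pfx" -ge 8 ] || return 1               # pfx was set by is_ipv4_or_cidr
  case $1 in
    0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
  esac
}

# vet_blocklist CANDIDATE DEST: install vetted entries at DEST, or fail and leave DEST as is.
vet_blocklist() {
  tmp="$2.new.$$"; kept=0; dropped=0
  : > "$tmp" || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$CR"}
    case $line in ''|'#'*) continue ;; esac
    if is_safe_entry "$line"; then printf '%s\n' "$line" >> "$tmp"; kept=$((kept + 1))
    else dropped=$((dropped + 1)); fi
  done < "$1"
  echo "vet_blocklist: kept=$kept dropped=$dropped" >&2
  if [ "$kept" -lt "$MIN_ENTRIES" ]; then rm -f "$tmp"; return 1; fi
  mv "$tmp" "$2"    # temp file sits beside DEST, so the swap is atomic
}

# Constructed sample feed body: two usable entries and three that must not load.
d=$(mktemp -d) && printf '%s\n' '# sample' 203.0.113.7 198.51.100.0/24 \
  192.168.1.1 0.0.0.0/0 '{"error":"unauthorized"}' > "$d/fetched.txt" &&
  vet_blocklist "$d/fetched.txt" "$d/dugganusa_ip.txt" && cat "$d/dugganusa_ip.txt"; rm -rf "$d"
```

In the Step 3 script, fetch to a temporary name and call `vet_blocklist` on it before the `pfctl` reload; a non-zero return means the previous list stays in place.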

IDS/IPS Integration (Suricata)

If you run Suricata via OPNsense, you can also use the feed for custom rules.

Navigate to Services → Intrusion Detection → Administration → Download

Add Custom Rule Source:

# Fetch IOCs and generate Suricata rules
API_KEY="<YOUR_API_KEY>"
SID=9000000   # start of a local sid range; sids must be unique and fit in 32 bits

curl -fsS -H "Authorization: Bearer ${API_KEY}" \
  "https://analytics.dugganusa.com/api/v1/stix-feed?days=7&min_confidence=85" | \
  jq -r '.objects[] | select(.type=="indicator") | .pattern | match("([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)").string' | \
  sort -u | \
  while read -r ip; do
    # Number rules sequentially: concatenating the octets can collide
    # (1.12.3.4 vs 11.2.3.4) and overflow the sid range.
    SID=$((SID + 1))
    echo "drop ip ${ip} any -> any any (msg:\"DugganUSA Malicious IP\"; sid:${SID}; rev:1;)"
  done > /usr/local/etc/suricata/rules/dugganusa.rules

Reload Suricata after generating rules:

configctl ids restart

Feed Parameters

All three blocklist endpoints support filtering:

# High confidence IPs only (last 7 days)
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/opnsense-blocklist/ip?days=7&min_confidence=85"

# All indicators (90 days)
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/opnsense-blocklist/ip?days=90"

# Tor exit nodes only
curl -H "Authorization: Bearer <YOUR_API_KEY>" \
  "https://analytics.dugganusa.com/api/v1/opnsense-blocklist/ip?source=tor"

Upstream Feed Sources

The OPNsense blocklists aggregate from 15 upstream sources across the cascade pipeline:

IP Threats:

Domain/URL Threats:

Fingerprints:


Rate Limits

Tier         OPNsense Feed   General API
Free         30 req/min      100 req/min
Pro          30 req/min      100 req/min
Enterprise   Unlimited       Unlimited

With daily refresh via cron, Free tier is more than sufficient.


Why This Matters

OPNsense has the enforcement. We have the correlation.

You block at the firewall level. We see 15 threat intelligence sources simultaneously, identifying C2 servers, phishing sites, and botnet infrastructure before they reach your network.

When Feodo Tracker, PhishTank, and our production attack logs all flag the same IP — your OPNsense blocks it automatically.

Free. Forever.


Democratic Sharing Law

This feed is free because digital goods have zero marginal cost to share.

We don’t hoard threat intelligence behind paywalls. We publish it openly because that’s how you prove you’re not lying about your discoveries.

99.5% public (4,780 files tracked). 7.1x evidence-to-claims ratio. We show receipts.


Technical Details


Support

Questions? Email [email protected]

Feed health: https://analytics.dugganusa.com/api/v1/stix-feed/info

Documentation: https://security.dugganusa.com


Your firewall just got smarter.

— DugganUSA LLC (Minnesota)