NxFilter FAQ
- I can bypass NxFilter by accessing websites using IP address.
- It doesn't get blocked/unblocked right away.
- How do I force a user to be filtered by NxFilter?
- How does NxFilter determine which policy to apply for a user?
- What is the quickest way of blocking 'facebook.com'?
- I want to block 'facebook.com' only for students.
- I want to allow sales department to use the Internet freely at lunchtime.
- How do I change NxFilter's webserver port?
- How do I reset admin password?
- Can I bind NxFilter to a specific IP address?
- How do I bypass my local domain?
- Can I use an exact matching keyword for log search?
- Why do I need to re-login after lunch break?
- How do I apply my own SSL certificate?
- How do I enable debug mode?
- How do I hide SSL warning?
- I don't see any username on 'Logging > Request'.
- My Browsers keep restarting after NxClient starting.
- How do I force a user to logout?
- What is 'Queue full' error?
- How do I restrict porn on Google, Youtube search result?
- Can I bypass a specific user from filtering/logging?
- Can I install NxFilter on my Active Directory domain controller?
- How do I calculate the number of users for a commercial license?
- What is 'Too many requests' error?
- How do I add more users on my license?
- My Internet connection gets faster after I install NxFilter.
- Can I bypass authentication on NxCloud?
- Does NxFilter support IPv6?
- Do you have a reseller program?
- How to update it from v3 to v4?
I can bypass NxFilter by accessing websites using IP address.

There are people saying that DNS filtering is useless as they can access a website using IP address. This is a very naive thought and simply not true. In today's Internet environment, most websites are running on virtual hosts. This means there are multiple websites on one IP address. You can't access these websites without using a domain.

The other thing you need to think about is that there are many URLs in a webpage. This is especially true when it comes to a big portal site. Those URLs are based on DNS as well. If you try to access a blocked website using an IP address, you will get just a broken webpage.

* NxFilter can block IP host in URL with its local proxy agents.


It doesn't get blocked/unblocked right away.

This is most likely from the DNS cache on your system. If you are on a Windows system there are two kinds of DNS caches. One is from your browser and the other is from your Windows OS. Until the cache expires, your policy change for blocking/unblocking will not take effect. Both caches expire eventually but you might want to clear them out immediately. If it is a browser cache you can clear it out by restarting your browser.

If you want to clear out your Windows DNS cache, use the following command on CMD.

    ipconfig /flushdns

Normally, the DNS cache on Windows expires within a day at the maximum. Of course, it depends on the TTL of the DNS record, but I have not usually seen it being bigger than 86,400 seconds (1 day). The browser cache may take several minutes to expire. But it will expire and the site will be blocked eventually. So in practice, this is not a problem as you don't need to block/unblock a site many times a day.


How do I force a user to be filtered by NxFilter?

If you have a firewall in your network, it is a simple task. You just need to block outgoing UDP/53 and TCP/53 traffic except from NxFilter. Then use DHCP to set NxFilter as the DNS server for your network. NxFilter is now the only DNS server your users can use, and their DNS settings are pointed at NxFilter automatically.
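
One way to verify this lockdown from a client machine, as an added example that is not part of NxFilter: the script sends a DNS query over UDP and TCP port 53 to each listed resolver and reports whether anything other than NxFilter answers. The NxFilter address 192.168.0.100 and the two public resolver addresses are assumptions for illustration.

```python
import socket
import struct

def build_query(name, qid=0x4E58):
    """Encode a minimal DNS 'A' query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_reply(data, qid):
    """True if data is a DNS response (QR bit set) that echoes our query id."""
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == qid and bool(flags & 0x8000)

def probe_udp(server, port=53, timeout=2.0, qid=0x4E58):
    """Return True if `server` answers a DNS query over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, port))
            s.send(build_query("example.com", qid))
            return is_reply(s.recv(512), qid)
        except OSError:  # timeout or ICMP unreachable: treated as blocked
            return False

def probe_tcp(server, port=53, timeout=2.0, qid=0x4E58):
    """Return True if `server` answers a DNS query over TCP (2-byte length prefix)."""
    query = build_query("example.com", qid)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            data = s.recv(514)
            return is_reply(data[2:], qid)
    except OSError:
        return False

def audit(resolvers, nxfilter_ip, port=53, timeout=2.0):
    """Run on a client: only NxFilter should answer DNS, everything else must fail."""
    findings = {}
    for ip in resolvers:
        reachable = probe_udp(ip, port, timeout) or probe_tcp(ip, port, timeout)
        if reachable == (ip == nxfilter_ip):
            findings[ip] = "ok"
        elif reachable:
            findings[ip] = "LEAK: resolver other than NxFilter is reachable"
        else:
            findings[ip] = "NxFilter did not answer"
    return findings

if __name__ == "__main__":
    # Assumed addresses: 192.168.0.100 is NxFilter, the others are public resolvers.
    for ip, result in audit(["192.168.0.100", "8.8.8.8", "1.1.1.1"], "192.168.0.100").items():
        print(ip, result)
```

Run it from a workstation behind the firewall, not from the NxFilter host itself, since NxFilter is the one machine allowed to reach outside resolvers.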


How does NxFilter determine which policy to apply for a user?

You can assign a policy to a user directly. If a user doesn't have any policy and belongs to a group, you can assign a policy on group level. This is simple so far. But when you import users from Active Directory there might be users belonging to multiple groups. You don't know which policy to apply to a user in this case.

To solve this problem, we introduced 'Priority Points' on a policy. If there are multiple groups and they have several different policies, the policy having the highest priority points will be applied. When you want to find out which policy is being applied to a user, use the 'TEST' button on 'User > User'.


What is the quickest way of blocking 'facebook.com'?

Add '*.facebook.com' into 'Whitelist > Domain' and check 'Admin Block' option.


I want to block 'facebook.com' only for students.

You need to be able to differentiate your students on NxFilter with authentication first. And then block 'Social Networking' category on a policy when you use Jahaslist. Then assign the policy to the user or group for your students.


I want to allow sales department to use the Internet freely at lunchtime.

Create a user or a group for your sales department and define a free-time in 'Policy > Free Time' then assign a free-time policy which is more lenient to the user or group.


How do I change NxFilter's webserver port?

You can change HTTP/HTTPS listening ports on NxFilter. However, when you change HTTP port you will lose your block-page redirection. It is because when NxFilter redirects a user on HTTP, there needs to be something waiting for the browser on TCP/80 port.

To change the ports, you need to modify these two parameters on '/nxfilter/conf/cfg.properties' file.

    http_port = 80
    https_port = 443

After you change the ports, restart NxFilter.


How do I reset admin password?

We have the '/nxfilter/bin/reset-pw.sh' script to reset the admin password. Once you run the script, the admin name and password will be reset to 'admin'. You need to run the script while NxFilter is running.

* There is '/nxfilter/bin/reset-acl.sh' to reset access restriction to GUI as well.


Can I bind NxFilter to a specific IP address?

You might want to bind NxFilter to a specific IP address to avoid a port collision problem. You can bind NxFilter to a specific IP address using the 'listen_ip' parameter in the '/nxfilter/conf/cfg.properties' file. If you set it to '0.0.0.0', NxFilter will listen on all the IP addresses of your system, but if you set it to a specific IP address, NxFilter will listen on the specified IP address only.

* Even if you bind NxFilter to a specific IP address, you cannot run multiple NxFilter instances on the same machine. This is because NxFilter needs to bind several ports on localhost for internal communication.


How do I bypass my local domain?

On 'DNS > Setup', you can set your local DNS server and local domain. With this setup, if there are DNS queries for your local domain, NxFilter forwards the queries to your local DNS server and bypasses authentication, filtering and logging.


Can I use an exact matching keyword for log search?

You can use square brackets for exact matching on log search.

    ex) [john], [192.168.0.1]


Why do I need to re-login after lunch break?

Your login session has expired. If there is no activity (DNS query) from your PC for a certain amount of time, your login session expires. You can increase the value for 'Login Session TTL' on 'Config > Setup'.

* If you use single sign-on with Active Directory you can avoid this problem.


How do I apply my own SSL certificate?

We use an embedded Tomcat 7.x as the built-in webserver for NxFilter. If you want to apply your own SSL certificate with Tomcat, there are two parameters you need to set in the Tomcat config file. One is 'keystoreFile' and the other one is 'keystorePass'. However, we don't have a separate config file for Tomcat. We use the '/nxfilter/conf/cfg.properties' file to set these parameters.

    keystore_file = conf/myown.keystore
    keystore_pass = 123456

* For how to build a keystore file, read the Tomcat manual.


How do I enable debug mode?

When there is something wrong with NxFilter, the first thing you can do is to find out what is going on exactly with its log data. NxFilter keeps its system log data inside '/nxfilter/log' directory. If you need more detailed log data, enable debug mode on '/nxfilter/conf/log4j.properties'. Change 'INFO' to 'DEBUG' inside the file and restart NxFilter.


How do I hide SSL warning?

* If it's for Chrome browser, we can show your block-page on HTTPS protocol with NxForward. To find out more, read the 'NxForward to show block-page on HTTPS' part of this tutorial.

When a browser is redirected on HTTPS, it warns users that they are being redirected. This is for preventing a 'Man in the Middle' attack. That is why you get an SSL warning page instead of the NxFilter block-page. But many people want to hide the warning message for some reason. While we still can't show the block-page on HTTPS, you can hide the warning by changing the HTTPS port of NxFilter. If you use a non-standard HTTPS port, your users will only see a 'Connection Error' message.

To change HTTPS port, modify the following line on '/nxfilter/conf/cfg.properties' file.

    https_port = 443

Now, we can hide the SSL warning but there's one problem with this approach. Some users reported that their browsing became slower as their browsers need to wait for the timeout for some embedded websites. So we introduced one more option that is 'hide_ssl_warning'.

    hide_ssl_warning = 1

When you set this option in the config file, the timeout happens immediately.

* If you want to access your admin GUI and login-page using HTTPS protocol while you have the 'hide_ssl_warning' option enabled, you have to change the value of 'https_port' to a non-standard port. Otherwise, your HTTPS request will time out immediately.
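
The port rules from this answer and from the webserver port answer above can be checked before restarting NxFilter. The following is an added example, not NxFilter code: it parses the text of a cfg.properties file and warns about the combinations this FAQ describes. The fallback values for missing keys and the port 8443 in the sample are assumptions.

```python
def parse_properties(text):
    """Parse 'key = value' lines, skipping blank lines and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def check_ports(props):
    """Return warnings for the port rules this FAQ describes."""
    # Assumption: a missing key means http 80, https 443 and hide_ssl_warning off.
    http_port = int(props.get("http_port", "80"))
    https_port = int(props.get("https_port", "443"))
    hide = props.get("hide_ssl_warning", "0") == "1"
    warnings = []
    if http_port != 80:
        warnings.append("http_port != 80: block-page redirection on HTTP is lost")
    if hide and https_port == 443:
        warnings.append("hide_ssl_warning=1 with https_port=443: "
                        "HTTPS requests to the admin GUI and login-page time out")
    if not hide and https_port != 443:
        warnings.append("non-standard https_port without hide_ssl_warning: "
                        "browsers may wait for a timeout on blocked HTTPS sites")
    return warnings

# Constructed sample configurations.
HIDDEN_BUT_LOCKED_OUT = """
http_port = 80
https_port = 443
hide_ssl_warning = 1
"""
HIDDEN_WITH_GUI_ON_HTTPS = """
http_port = 80
https_port = 8443
hide_ssl_warning = 1
"""

if __name__ == "__main__":
    for name, text in [("hidden, GUI locked out", HIDDEN_BUT_LOCKED_OUT),
                       ("hidden, GUI reachable", HIDDEN_WITH_GUI_ON_HTTPS)]:
        print(name, "->", check_ports(parse_properties(text)) or "no warnings")
```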


I don't see any username on 'Logging > Request'.

The first thing you need to check would be 'Enable Authentication' option on 'Config > Setup'. Some people don't understand that they need to enable authentication before implementing any authentication method.


How to set up a time zone.

Some of our users reported that they have a different time zone on NxFilter from the system. This happens mostly on CentOS. When you need to set up a time zone for NxFilter manually, you can do that on JVM level. In '/nxfilter/bin/startup.sh', set the following parameter.

    -Duser.timezone=Europe/Rome


My Browsers keep restarting after NxClient starting.

NxClient is a local proxy so it needs to update the system proxy settings to redirect HTTP/HTTPS traffic of your browser to itself. And after it updates the proxy settings, it needs to restart your browser to apply the changes. But you might have another Windows program preventing the update or doing the update for itself. You have a race condition here. To fix it, you have to disable one of them.


How do I force a user to logout?

We don't have it on GUI. But in most cases, people want to force a user to logout when they leave their PC and they want to force the next user to login with his/her own username. For this, you can use our logout signal domain that is 'logout.signal.nxfilter.org'. Make a DNS query against it using 'nslookup' and the login session associated with the IP address of the system on which you run 'nslookup' will be deleted.

    nslookup logout.signal.nxfilter.org.


What is 'Queue full' error?

You get a 'Queue full' error when NxFilter can't process the DNS requests in its job queue fast enough. It can happen when you lose the network connection to your upstream server or when you have too many requests for your system performance. If it is caused by a network connection problem, it will be solved after your connection is restored.

* NxFilter introduced 'Persistent Cache' as of v4.1.1. NxFilter works with Persistent Cache when it loses its connection to its upstream servers. So your NxFilter will be working even if you lose your upstream server connection.

If you don't have a network connection problem then you might need to do some tweaks on your system. If you have more than 1,000 users, you may need to increase memory allocation to NxFilter. If you use clustering and have more than 3,000 users, it might be from a 'Database Connection Bottleneck' problem. We have a 'Performance tuning' guide in this tutorial to deal with these problems.


How do I restrict porn on Google, Youtube search result?

You can force safe-search from NxFilter. We have 'Safe-search' option on a policy.

* Switching between 'Moderate' and 'Strict' makes a difference only for Youtube.


Can I bypass a specific user from filtering/logging?

You might want to bypass some of your users from filtering and logging. With v4.1.4, we added an option for bypassing filtering/logging based on client IP address. You can add the client IP addresses you want to bypass from filtering/logging on 'Config > Allowed IP > Bypass All'.


Can I install NxFilter on my Active Directory domain controller?

Some people want to install NxFilter on their Active Directory domain controller. It is ideal if you don't want to have one more hardware or VM. However, a domain controller usually has its own MS DNS server and that causes a port collision problem with NxFilter. The solution is to add one more IP address on your domain controller, have your MS DNS server listen on only one IP address, and have your NxFilter listen on the other IP address.

For example, if you want to have your NxFilter listening on '192.168.0.100' only, you need to modify the value of 'listen_ip' parameter on 'c:/nxfilter/conf/cfg.properties' file.

    listen_ip = 192.168.0.100

* We have a video tutorial for this on Youtube.


How can I calculate the number of users for a commercial license?

NxFilter counts the number of unique usernames and client IP addresses on a daily basis. If one of them exceeds your licensed user number, any unlicensed user will appear as blocked in your log view. However, since this is a warning measure, the blocking does not actually happen on the user side.

* To find out the number of users in your network, view the usage report for the last 30 days on 'Report > Usage'.

* NxFilter also counts the number of requests. For request counting, read "What is 'Too many requests' error?".


What is 'Too many requests' error?

Since we found several times that there were people trying to use NxFilter behind a router, we do license checking by request counting. According to our statistics so far, one user makes up to 1,000 requests a day. We added 2,000 requests on top of that as a margin. So we allow one user to make up to 3,000 requests a day. This is more than enough considering that most DNS filter companies allow under 1,500 requests per user a day.

This license protection by request counting is especially needed for our cloud business partners as they can have a customer trying to put several thousand users under one username and depleting all their system resource. It is not just for protecting our business, it is also for protecting our partner's business.

* We have request-sum and request-cnt. We use request-cnt which is smaller for license restriction.

* We only count 'A' type DNS query for license restriction.

* Before you buy your license, you might want to check the numbers on 'Report > Usage'. It is the usage report for the past 30 days.


How do I add more users on my license?

You can add any number of users on your existing license. When you add more users, you only need to pay for the remaining period on your license. Suppose that you want to add 100 users after spending 6 months on your license; then you only need to pay 50% of your new purchase. To add more users on your license, contact us using 'support @ nxfilter.org'.


My Internet connection gets faster after I install NxFilter.

It's because you now have a DNS caching server in your network. Before you installed NxFilter, your users were making DNS queries for 'google.com' over and over again. When you use a public DNS server on the Internet, this means your users are sending UDP packets to somewhere on the Internet and waiting for the response many times a day. But after you install NxFilter, once a DNS response is stored in NxFilter's DNS response cache, your users will get their DNS response directly from NxFilter. So there will be no latency from a public DNS server on the Internet and your users will experience a faster Internet connection.


Can I bypass authentication on NxCloud?

On NxCloud, we need to know who is who first as everything needs to belong to an operator. However, some people want to let their users resolve some domains without the identification process. In that case, you can do 'Total Bypass' for a domain. When you whitelist a domain on the admin GUI with the 'Bypass Filtering' and 'Bypass Logging' flags, it becomes 'Total Bypass' and it also bypasses authentication.

Does NxFilter support IPv6?

Yes, it does. You can get an IPv6 address as a DNS response or you can point to NxFilter as your DNS server using an IPv6 address. However, we disabled its socket server on IPv6 addresses by default. The reason why we made it not listen on IPv6 is that if we accept DNS requests on both IPv4 and IPv6, you may need to log in twice when you use authentication. That is because when you log in over IPv4 and then make a DNS request over IPv6, we can't find your login session as we created it with your IPv4 address. Plus, IPv6 is not so human readable, so most of our users don't use it in their authentication scheme yet. So we have disabled IPv6 listening for the moment.

If you want to enable IPv6 listening on NxFilter, set the value of 'java.net.preferIPv4Stack' to 'false' in '/nxfilter/bin/startup.sh'.

    java -Djava.net.preferIPv4Stack=false -Xmx768m -cp $NX_HOME/nxd.jar:$NX_HOME//lib/*: nxd.Main


Do you have a reseller program?

No. We don't have any kind of reseller program at the moment. However, we have our own license portal with which you can issue Jahaslist licenses with your prepaid license credits. In other words, you can buy Jahaslist licenses in a prepaid way with some discount and you can issue your own Jahaslist licenses for your customers.


How to update it from v3 to v4?

There are some users wanting to update their NxFilter v3 to v4. Basically, there shouldn't be any problem with that but since some of them are using Shallalist which is not supported by v4 they may have a problem. If you update it from v3 to v4 keeping Shallalist option, you will not be able to start up NxFilter. So you have to change it to Jahaslist or one of other blacklist options supported by v4 before you update it. If you have other options on GUI you can do it easily but if you don't have any other option you can choose on GUI you can do it manually on '/nxfilter/conf/cfg.properties'. Change the value of 'blacklist_type' to 5 like below,

    blacklist_type = 5
