NxFilter Tutorial
Tutorial Index

NxFilter as a DNS server
NxFilter is basically a forwarding, caching DNS server with filtering ability. But you also can use it as an authoritative DNS server.

Authoritative DNS server
NxFilter can be working as an authoritative DNS server.

1. Zone File
We use the same format of zone file as BIND. You create a zone file for a domain on 'DNS > Zone File'. You can add your hosts into the DNS zone by editing it on GUI.

2. Clustering
When you build a cluster of NxFilter, your slave nodes will be working as an authoritative DNS server with the settings from the master node. You don't need to set up a secondary DNS server for redundancy. It is already clustered.

Run it on the Internet
Since NxFilter is a DNS filter with authentication, when you use it as an autoritative DNS server there are several things you would need to think about.

- Authentication
You must enable authentication especially when you put NxFilter on the Internet to avoid of being a target of DNS attack. But the problem is that if you enable authetication, these anonymous users querying your domain will be redirected to NxFilter's logig page. To allow the anonymous DNS query against your domain, you need to bypass authentication for the domain.

- Filtering
NxFilter is a DNS filter so your domain might be blocked by NxFilter for some reason. This will lead to a failure of resolving the domain you want to service. To avoid of having this kind of problem, you need to bypass filtering for your domain.

- Too many log data
You could have too many log data for your domain as a result of DNS attack. It might be better to bypass logging for your domain.

You can set up a whitelist for your domain with some bypass options but you also can do that using the bypass options of a zone file you created on GUI.

To avoid of having DNS attack
When you put NxFilter on the Internet, it can be under a DNS attack. Once you are under a DNS attack you will have massive traffic to your NxFilter. Your NxFilter can't handle all the traffic and eventually it will look like almost dead and you will get error logs about 'Queue full'.

To avoid of having this kind of problem, the best thing is to hide your DNS server or not responding to these attackers with a valid DNS response. To hide your NxFilter from these attackers, you can enable authentication firstly. NxFilter will respond to the DNS queries from an unknown source IP address with its 'Block Rediretion IP'.

However, they still may think that there is a DNS server to attack as they get a response anyway. To hide it from these attackers completely, we need to drop the packets from these anonymous users silently. For this purpose, you can enable 'Disable Login Redirection' on 'Config > Setup' and NxFilter will drop the packets from these attackers.