NxFilter Tutorial
Tutorial Index

NxFilter as a DNS server
NxFilter is basically a forwarding, caching DNS server with filtering ability. But you also can use it as an authoritative DNS server.


Authoritative DNS server
NxFilter can be working as an authoritative DNS server.

1. Zone File
We use the same format of zone file as BIND. You create a zone file for a domain on 'DNS > Zone File'. You can add your hosts into the DNS zone by editing it on GUI.

2. Clustering
When you build a cluster of NxFilter, your slave nodes will also be working as an authoritative DNS server with the settings from the master node. You don't need to set up a secondary DNS server for redundancy. It is already clustered.


Run it on the Internet
Since NxFilter is a DNS filter with authentication, when you use it as an autoritative DNS server there are several things you would need to think about.

- Authentication
You must enable authentication especially when you put NxFilter on the Internet to avoid of being a target of DNS attack. But the problem is that if you enable authetication, the DNS queries for your domains from anonymous users will be redirected to NxFilter's logig page. To allow the anonymous DNS queries against your domain, you need to bypass authentication for the domain.

- Filtering
Being a DNS filter, NxFilter might block your domain for some reason. This will lead to a failure of resolving your own domain. To avoid of having this kind of problem, you need to bypass filtering for your domain.

- Too many log data
You could have too many log data for your domain as a result of DNS attack. It might be better to bypass logging for your domain.

You can create whitelist for your domain with necessary bypass options but you also can do that with the zone files you created on GUI as they have bypass options.


When you are under DNS attacks
When you put NxFilter on cloud, it can be under DNS attacks. Once you are under DNS attacks you will have massive traffic to your server. Your NxFilter can't handle all the traffic and eventually it will look like almost dead and you will get error logs about 'Queue full'.

To avoid of having this kind of problem, the best thing is to hide your DNS server and not responding to these attackers. To hide your NxFilter from these attackers, you can enable authentication firstly. NxFilter will respond to DNS queries from unknown users with its Block Rediretion IP.

However, they may still think that there is a DNS server to attack as they get response anyway. To hide it from these attackers completely, we need to drop the packets from these unknown users silently. For this purpose, you can enable 'Disable Login Redirection' on 'Config > Setup' and NxFilter will drop the packets from these attackers.

To find out more about DNS attack preventing measures, read Preventing DNS attacks.

Running a local recursive server
You many want to run a local recursive DNS server like MaraDNS or Unbound on the same machine you run NxFilter on. Some people want to do that to speed it up and some people want to do that for hiding themselves from public DNS servers or Internet Censorship.

When you run a local recursive DNS server, you can have a port collision problem. So, you need to change the port number of your recursive DNS server. After you change the port number to a non-standard one like 5353, you can specify the port number for Upstream DNS Server on 'DNS > Setup' using a colon like below.

    ex) 127.0.0.1:5353

You can specify port number for Upstream DNS Server parameter on 'DNS > Setup' since v4.3.9.1 of NxFilter and NxCloud.

DNS over TLS
Since v4.3.8.1 of NxFilter, NxCloud. there's a DNS over TLS server module integrated. To activate it, you need to have your own public domain and a Java KeyStore or JKS file. About Java KeyStore file, read How do I apply my own SSL certificate?

When you have your own Java KeyStore file added, you need to add the following line into /nxfilter/conf/cfg.properties file.

    enable_tls = 1

After restarting it, your server will listen on TCP/853 for servicing DNS over TLS to your users.