NxFilter Tutorial
Tutorial Index

Preventing DNS attacks
We see many kinds of DNS attacks these days. This is especially true when you put NxFilter on cloud. In old days, we don't give much attention to this problem as NxFilter is supposed to be in a local network. However, we get more and more users wanting to run NxFilter on cloud and we also have NxCloud which is for cloud based filtering service providers. So, we want to discuss on some features which NxFilter and NxCloud already have to prevent DNS attacks.


Access control by IP blocks
You don't need to provide your service to everybody. And there are attackers spoofing their IPs. So, you want to accept DNS requests from only specific countries or IP blocks. You can create your access control list by countries or IP blocks and add it into 'DNS > Access Control'.
When your access control is too big, you browser can't post all the content. In that case, you have to create 'dns-allow-ip.txt' file for 'Allowed IP for DNS' and 'dns-block-ip.txt' for 'Blocked IP for DNS' in /nxfilter/conf directory. You can populate these files in the same format as in GUI. When you use clustering, you have to copy these files into all the nodes.


Enable authentication
NxFilter is a DNS server supporting user authentication. You have to enable its user authentication to restrict access from unknown users. When you enable authentication, all those unknown users or possible attackers will be redirected to its login page.
Disable login redirection
When you enable user authentication, NxFilter will respond to these DNS attacks with its login redirection or block redirection IP address. So, there's no upstream queries and additional processing. However, the attackers still think there's a DNS server to attack as they get a response anyway. To hide your server from these attackers completely, we have 'Disable Login Redirection' option on 'Config > Setup'.
For NxCloud, Login Redirection is off at default as it's supposed to be on cloud in the first place.

Block specific DNS request types
Some attackers send only specific types of DNS requests for their own purpose. The most well known case is using 'Any' type DNS request to attack a victim server with bigger size DNS packets. You can block or allow only specific types of requests on 'DNS > Server Protection'.


Drop queries for local domains
When you run NxFilter on cloud, you don't want to respond to queries for '.local' domains or 'WPAD' like hostnames without domains or reverse lookups for private IPs. To block local domains, you can add an entry for '.local' and '.localdomain' on 'Whitelist > Domain'. For hostnames without domains and reverse lookups for private IPs, we already have necessary options on 'DNS > Server Protection'.