NxFilter Tutorial

FAQ
Frequently asked questions for NxFilter.


I can bypass NxFilter by accessing websites using IP address.

There are people saying that DNS filtering is useless as they can access a website using IP address. This is a very naive thought and simply not true. In today's Internet environment, most websites are running on virtual hosts. This means there are multiple websites on one IP address. You can't access these websites without using a domain.

And the other thing you need to think about is that there are many URLs embedded in a webpage. This is especially true when it comes to a big portal site. Those URLs are based on DNS as well. If you try to access a blocked website using an IP address, you will get just a broken webpage in most cases.



It doesn't get blocked/unblocked right away.

This is most likely caused by the DNS cache on your system. On a Windows system there are two kinds of DNS cache: one in your browser and another in the Windows OS. Until the cache expires, your policy change for blocking/unblocking will not take effect. Both caches expire eventually, but you might want to clear them immediately. You can clear the browser cache by restarting your browser.

If you want to clear out your Windows DNS cache, use the following command on CMD.


	ipconfig /flushdns

Normally, a DNS cache entry expires within a day at most. It depends on the TTL of the DNS record, but I have not usually seen one larger than 86,400 seconds (1 day). The browser cache may take several minutes to expire. Either way, it will expire and your filtering policy will take effect eventually. So in practice this is not a problem, as you don't need to block/unblock a website many times a day.



How do I force a user to be filtered by NxFilter?

If you have a firewall in your network, it is a simple task. You just need to block outgoing UDP/53 and TCP/53 traffic except from NxFilter, and then use DHCP to set NxFilter as the DNS server for your network. NxFilter then becomes the only DNS server your users can use, and their DNS settings will point to NxFilter automatically.
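
One way to implement and check the firewall rule described above, as an added example that is not part of the NxFilter documentation. It assumes a Linux gateway that forwards LAN traffic with iptables and uses 192.168.0.100 as a sample NxFilter address; dns_lockdown_rules and audit_dns_rules are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the NxFilter documentation. Assumes a Linux gateway
# that forwards LAN traffic with iptables; 192.168.0.100 is a sample address.
NXFILTER_IP=${NXFILTER_IP:-192.168.0.100}

# Print the rules for review. The ACCEPT for NxFilter has to come before the
# REJECT that catches every other host. To apply, pipe the output to sh as root.
dns_lockdown_rules() {
    for proto in udp tcp; do
        echo "iptables -A FORWARD -s $1 -p $proto --dport 53 -j ACCEPT"
        echo "iptables -A FORWARD -p $proto --dport 53 -j REJECT"
    done
}

# Audit a rule listing on stdin (for example `iptables -S FORWARD`): port 53
# must be closed for udp and tcp, and only NxFilter may be accepted before that.
audit_dns_rules() {
    awk -v nx="$1" '
        / --dport 53 / {
            proto = src = tgt = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            sub(/\/32$/, "", src)
            if (closed[proto]) next
            if (tgt == "ACCEPT" && src != nx) {
                print "FAIL: " proto "/53 open for " (src == "" ? "any host" : src)
                bad = 1
            }
            if ((tgt == "REJECT" || tgt == "DROP") && src == "") closed[proto] = 1
        }
        END {
            if (!closed["udp"]) { print "FAIL: udp/53 is not blocked"; bad = 1 }
            if (!closed["tcp"]) { print "FAIL: tcp/53 is not blocked"; bad = 1 }
            if (!bad) print "OK: only " nx " can send DNS out"
            exit bad + 0
        }'
}

dns_lockdown_rules "$NXFILTER_IP" | audit_dns_rules "$NXFILTER_IP"

# Constructed listing in `iptables -S` format in which tcp/53 was forgotten.
printf '%s\n' \
    '-A FORWARD -s 192.168.0.100/32 -p udp -m udp --dport 53 -j ACCEPT' \
    '-A FORWARD -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable' |
    audit_dns_rules 192.168.0.100 || echo "fix the listing above before relying on it"
```

The audit only interprets rules that name --dport 53 with -p, -s and -j, so an earlier catch-all ACCEPT in the chain, or rules narrowed by -d or -i, still need a manual look.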



How does NxFilter determine which policy is applied to a user?

You can assign a policy to a user directly. If a user doesn't have any policy and belongs to a group, you can assign a policy at group level. This is simple so far. But when you import users from Active Directory, there might be users belonging to multiple groups. In this case it is not obvious which policy will be applied to a user.

To solve this problem, we introduced 'Priority Points' on a policy. If a user belongs to multiple groups and the groups have several different policies, the policy with the highest priority points is applied. When you want to find out which policy is being applied to a user, use the 'TEST' button on 'User > User'.



What is the quickest way of blocking 'facebook.com'?

Add '*.facebook.com' on 'Whitelist > Domain' with 'Admin Block' option.



I want to block 'facebook.com' for my students only.

You first need to be able to differentiate your students on NxFilter with authentication. Then block the 'Social Networking' category on a policy when you use Jahaslist, and assign the policy to the user or group associated with your students.



I want to allow sales department to use the Internet freely at lunchtime.

1. Create a user or a group for your sales department.

2. Define free-time in 'Policy > Free Time' for the lunchtime in your company.

3. Create a policy not blocking anything.

4. Assign the policy as the free-time policy of the user or group.



How do I change NxFilter's webserver port?

You can change the HTTP/HTTPS listening ports on NxFilter. However, when you change the HTTP port you will lose your block page redirection. This is because when NxFilter redirects a user over HTTP, something needs to be waiting for the browser on TCP/80.

To change the ports, you need to modify these two parameters on /nxfilter/conf/cfg.properties file.

    http_port = 80
    https_port = 443

After you change the ports, restart NxFilter.



How do I reset admin password?

We have the /nxfilter/bin/reset-pw.sh script to reset the admin password. Once you run the script, the admin name and password will be reset to 'admin'. You need to run the script while NxFilter is running.

There is /nxfilter/bin/reset-acl.sh to reset the access restriction to GUI as well.



Can I bind NxFilter to a specific IP address?

You might want to bind NxFilter to a specific IP address to avoid a port collision problem. You can bind NxFilter to a specific IP address using the 'listen_ip' parameter in the /nxfilter/conf/cfg.properties file. If you set it to '0.0.0.0', NxFilter will listen on all the IP addresses of your system, but if you set it to a specific IP address, NxFilter will listen on the specified IP address only.

Even if you bind NxFilter to a specific IP address, you cannot run multiple NxFilter instances on the same machine. This is because NxFilter needs to bind several ports on localhost for internal communication.



How do I bypass my local domain from filtering?

On 'DNS > Setup', you can set your local DNS server and local domain. With this setup, if there are DNS queries for your local domain, NxFilter forwards the queries to your local DNS server and bypasses authentication, filtering and logging.



Can I use an exact matching keyword for log search?

You can use square brackets for exact matching on log search.

    ex) [john], [192.168.0.1]


Why do I need to re-login after lunch break?

Your login session has expired. If there is no activity (DNS query) from your PC for a certain amount of time, your login session expires. You can increase the value for 'Login Session TTL' on 'Config > Setup'.

If you use single sign-on with Active Directory, you can avoid this problem.



How do I apply my own SSL certificate?

We use an embedded Tomcat 7.x as the built-in webserver for NxFilter. If you want to apply your own SSL certificate with Tomcat, there are two parameters you need to set in the Tomcat config file. One is 'keystoreFile' and the other one is 'keystorePass'. However, we don't have a separate config file for Tomcat. We use the /nxfilter/conf/cfg.properties file to set these parameters.

    keystore_file = conf/myown.jks
    keystore_pass = 123456

For how to build a keystore file, read the Tomcat manual.



How do I enable debugging?

When there is something wrong with NxFilter, the first thing you can do is to find out what is going on exactly with its system log data. NxFilter keeps its system log data inside /nxfilter/log directory. If you need more detailed log data, enable debugging on /nxfilter/conf/log4j.properties. Change 'INFO' to 'DEBUG' inside the file and restart NxFilter.



How do I hide SSL warning?

There is a way of showing NxFilter's block page on HTTPS using SSLSplit. To find out more, read https://groups.google.com/forum/?hl=en#!topic/nxfilter200/zR5F9521wPk in our forum.

If it's for the Chrome browser, we can show your block page on the HTTPS protocol with NxForward. To find out more, read 'NxForward for block on HTTPS'.

When a browser is redirected on HTTPS, it warns users that they are being redirected. This is to prevent a 'Man In The Middle' attack. That is why you get an SSL warning page instead of the NxFilter block page. But many people want to hide the warning message for some reason. We still can't show the block page on HTTPS, but you can hide the warning by changing the HTTPS port of NxFilter. If you use a non-standard HTTPS port, your users will only see a 'Connection Error' message.

To change HTTPS port, modify the following line on /nxfilter/conf/cfg.properties file.

    https_port = 443

Now we can hide the SSL warning but there's one problem with this approach. Some users reported that their browsing became slower as their browsers need to wait for the timeout events for some embedded websites. So we introduced one more option that is 'hide_ssl_warning'.

    hide_ssl_warning = 1

When you set this option in the /nxfilter/conf/cfg.properties file, the timeout happens immediately.

If you want to access your admin GUI and login page using the HTTPS protocol while you have the 'hide_ssl_warning' option enabled, you have to change the value of 'https_port' to a non-standard port. Otherwise, your HTTPS request will time out immediately.
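
The port rules from this answer and from 'How do I change NxFilter's webserver port?' can be checked mechanically. The following is an added example, not an NxFilter tool: it reads the 'key = value' lines shown on this page, assumes hide_ssl_warning is off when the key is absent, and cfg_get and nxfilter_cfg_lint are names made up for this example.

```shell
#!/bin/sh
# Added example, not an NxFilter tool: lint cfg.properties against the port
# rules this FAQ describes. Key names are the ones shown on the page.

# cfg_get FILE KEY DEFAULT: print the value of "KEY = value" (the last one
# wins, as in Java properties), or DEFAULT when the key is absent.
cfg_get() {
    val=$(sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
          tail -n 1 | sed 's/[[:space:]]*$//')
    printf '%s\n' "${val:-$3}"
}

# nxfilter_cfg_lint FILE: print one WARN line per finding, nothing if clean.
nxfilter_cfg_lint() {
    http=$(cfg_get "$1" http_port 80)
    https=$(cfg_get "$1" https_port 443)
    hide=$(cfg_get "$1" hide_ssl_warning 0)   # assumption: off when absent
    pass=$(cfg_get "$1" keystore_pass "")

    if [ "$http" != 80 ]; then
        echo "WARN: http_port=$http, block page redirection needs TCP/80"
    fi
    if [ "$hide" = 1 ] && [ "$https" = 443 ]; then
        echo "WARN: hide_ssl_warning=1 on https_port=443, HTTPS to the admin GUI times out"
    fi
    if [ "$hide" != 1 ] && [ "$https" != 443 ]; then
        echo "WARN: https_port=$https without hide_ssl_warning, browsers wait for timeouts"
    fi
    if [ "$pass" = 123456 ]; then
        echo "WARN: keystore_pass is still the sample value from the documentation"
    fi
}

# Constructed sample file, not a real deployment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
listen_ip = 192.168.0.100
http_port = 8080
https_port = 443
hide_ssl_warning = 1
keystore_file = conf/myown.jks
keystore_pass = 123456
EOF
nxfilter_cfg_lint "$sample"
rm -f "$sample"
```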



I don't see any username on 'Logging > Request'.

The first thing you need to check would be 'Enable Authentication' option on 'Config > Setup'. Some people don't understand that they need to enable authentication before implementing any authentication method.



How to set up a time zone.

Some of our users reported that NxFilter has a different time zone from the system. This happens mostly on CentOS. When you need to set the time zone for NxFilter manually, you can do that at JVM level. In /nxfilter/bin/startup.sh, set the following parameter.

    -Duser.timezone=Europe/Rome



My browsers keep restarting after NxClient starts.

NxClient is a local proxy so it needs to update the system proxy settings to redirect HTTP/HTTPS traffic of your browser to itself. And after it updates the proxy settings, it needs to restart your browser to apply the changes. But you might have another Windows program preventing the update or doing the update for itself. You have a race condition here. To fix it, you have to disable one of them.



How do I force a user to logout?

We don't have it on the GUI. But in most cases, people want to force a user to log out when they leave their PC, so that the next user has to log in with his/her own username. For this, you can use our logout signal domain, which is 'logout.signal.nxfilter.org'. Make a DNS query against it using 'nslookup', and the login session associated with the IP address of the system on which you run 'nslookup' will be deleted.


	nslookup logout.signal.nxfilter.org.



What is 'Queue full' error?

You get a 'Queue full' error when NxFilter can't process the DNS requests in its job queue fast enough. It can happen when you lose the network connection to your upstream server or when you have too many requests for your system performance. If it is caused by a network connection problem, it will be solved after your connection is restored.

NxFilter introduced 'Persistent Cache' as of v4.1.1. NxFilter works with Persistent Cache when it loses its connection to its upstream servers. So your NxFilter will be working even if you lose your upstream server connection.

If you don't have a network connection problem then you might need to do some tweaks on your system. If you have more than 1,000 users, you may need to increase memory allocation to NxFilter.


How to block porn in Google and Youtube search results?

You can force Safe Search from NxFilter. We have Safe Search option on a policy.

Switching between 'Moderate' and 'Strict' makes a difference only for Youtube.



Can I bypass a specific user from filtering and logging?

You might want to bypass some of your users from filtering and logging. With v4.1.4, we added an option for bypassing filtering/logging based on client IP address. You can add the client IP addresses you want to bypass from filtering and logging on 'Config > Allowed IP > Bypass All'.



Can I install NxFilter on my Active Directory domain controller?

Some people want to install NxFilter on their Active Directory domain controller. It is ideal if you don't want to have one more hardware or VM. However, a domain controller usually has its own MS DNS server, and that causes a port collision problem with NxFilter. The solution is to add one more IP address on your domain controller, have your MS DNS server listen on only one IP address, and have NxFilter listen on the other IP address.

For example, if you want to have your NxFilter listening on '192.168.0.100' only, you need to modify the value of 'listen_ip' parameter on c:/nxfilter/conf/cfg.properties file.

    listen_ip = 192.168.0.100

We have a video tutorial for this on Youtube - View Youtube tutorial!



How can I calculate the number of users for a commercial license?

NxFilter counts the number of usernames, client IP addresses and DNS requests on a daily basis. If one of them exceeds your licensed user number, any unlicensed user or request will appear as blocked in your log view. However, since this is a warning measure, the blocking does not actually happen on the user side.

The daily request number allowed by NxFilter for one user is 3,000. According to our statistics so far, one user makes up to 1,000 requests a day. We added 2,000 requests as redundancy, so it becomes 3,000 requests a day. For request counting, we only count 'A' type DNS queries.

To find out the number of users in your network, view the usage report for the last 30 days on 'Report > Usage'.

There are 'request sum' and 'request count' on the usage report. We use 'request count' which is smaller for license restriction.



What is 'Too many requests' error?

We count the number of requests for license protection, and you are making more DNS requests than the number permitted by your license. Read 'How can I calculate the number of users for a commercial license?'



How do I add more users on my license?

You can add any number of users on your existing license. When you add more users, you only need to pay for the remaining period on your license. Suppose that you want to add 100 users after spending 6 months on your license then you only need to pay 50% of your new purchase. To add more users on your license, contact us using 'support @ nxfilter.org'.



My Internet connection gets faster after I install NxFilter.

It's because you now have a DNS caching server in your network. Before you installed NxFilter, your users were making DNS queries for 'google.com' over and over again. When you use a public DNS server on the Internet, this means your users are sending UDP packets to somewhere on the Internet and waiting for the response many times a day. But after you install NxFilter, once a DNS response is stored in NxFilter's DNS response cache, your users get their DNS response directly from NxFilter. So there will be no latency from a public DNS server on the Internet, and your users will experience a faster Internet connection.



Can I bypass authentication on NxCloud?

On NxCloud, we need to know who is who first, as everything needs to belong to an operator. However, some people want to let their users resolve some domains without the identification process. In that case, you can do 'Total Bypass' for a domain. When you whitelist a domain on the admin GUI with the 'Bypass Filtering' and 'Bypass Logging' flags, it becomes 'Total Bypass' and it also bypasses authentication.


Does NxFilter support IPv6?

Yes, it does. You can get an IPv6 address as a DNS response, or you can point to NxFilter as your DNS server using an IPv6 address. However, we disabled its socket server on IPv6 addresses by default. The reason is that if we accept DNS requests on both IPv4 and IPv6, you may need to log in twice when you use authentication. This is because when you log in over IPv4 and then make a DNS request over IPv6, we can't find your login session, as we created it with your IPv4 address. Plus, IPv6 is not so human readable, so most of our users don't use it in their authentication scheme yet. So we have disabled IPv6 listening at the moment.

If you want to enable IPv6 listening on NxFilter, set the value of 'java.net.preferIPv4Stack' to 'false' in /nxfilter/bin/startup.sh.

    java -Djava.net.preferIPv4Stack=false -Xmx768m -cp $NX_HOME/nxd.jar:$NX_HOME//lib/*: nxd.Main



How to update it from v3 to v4?

Some users want to update their NxFilter from v3 to v4. Basically, there shouldn't be any problem with that, but those who use Shallalist, which is not supported by v4, may have a problem. If you update from v3 to v4 while keeping the Shallalist option, you will not be able to start NxFilter. So you have to change it to Jahaslist or one of the other domain categorization options supported by v4 before you update. If you have other options on the GUI you can do this easily; if there is no other option you can choose on the GUI, you can do it manually in /nxfilter/conf/cfg.properties. Change the value of 'blacklist_type' to 5 as below:

    blacklist_type = 5


How do I utilize the public blocklists from the Internet?

As of v4.3.3.7 of NxFilter, you can use the public blocklists from the Internet for filtering. If it's a host file or a file containing domains separated by new lines, you can have it downloaded and merged automatically overnight on 'Classifier > Blocklist'. To find out more, read 'Classifier > Blocklist'.



How do I import users and groups from G Suite LDAP?

You can import users and groups from G Suite LDAP using our OpenLDAP connection setup. To find out more, read Google's GSuite Secure LDAP import to NxFilter.