NxRelay for whole network
NxRelay is a relaying DNS server for NxCloud. With NxRelay, you can associate a private IP to a user on NxCloud. This means that you can apply policies based on private IPs behind a router from your cloud filtering service.
You can run NxRelay with NxFilter for filteirng multiple branch offices or Active Directory integration over cloud. We will talk about it on NxRelay and NxFilter part.
Globlist doesn't support NxRelay.
How it worksNxRelay itself is a forwarding DNS server. It does filtering by querying NxCloud and it works as a DNS server by forwarding DNS queries to your local DNS server. For NxRelay, NxCloud is not its upstream DNS server. Rather, it's a policy server. Its upstream server is your existing DNS server or MS DNS server if you are on Active Directory. This means that even if you lose the connection to NxCloud, you will not have a DNS failure. And you will not have an issue with Active Directory integration as all the Active Directory DNS queries will be resolved by your MS DNS server.
It sends START and PING signals. You can see if it's running on 'Logging > Agent Signal' on NxCloud GUI.
Installing on WindowsWe provide a Windows installer for NxRelay. It will install NxRelay as a Windows service and runs its GUI setup program. If you need to install NxRelay service on Windows manually, 1. Download its ZIP package 2. Extract it into c:/nxrelay 3. Modify its config parameters in c:/nxrelay/conf/cfg.properties On CMD,
cd c:/nxrelay/bin instsvc.bat net start NxRelay
Installing on Linux1. Download its ZIP package.
We have an RPM package for NxRelay, To find out more, read Install NxRelay using RPM.2. Extract it into /nxrelay. On command line,
To stop it,
cd /nxrelay sudo chmod +x bin/*.sh sudo cp script/nxrelay.service /lib/systemd/system/nxrelay.service sudo systemctl enable nxrelay.service sudo systemctl start nxrelay.service
sudo systemctl stop nxrelay.service
Before you start it, you need to modify its config parameters in /nxrelay/conf/cfg.properties.
How to set it upYou need your NxCloud server IP and a login token from one of your user accounts. It reads its config parameters from /nxrelay/conf/cfg.properties file. For example,
When you have these config values in the config file, your NxCloud server IP is 192.168.0.100 and the login token is 'BSYEB28O' and your local DNS server or existing DNS server is 126.96.36.199 and 188.8.131.52. If you have some domains to bypass from filtering you can add them as a comma separated value of 'local_domain'. After you modify the config file, verify your config values and the connectivity to the server by running /nxrelay/bin/test.sh. Then restart NxRelay and make it as the only DNS server for your network.
server = 192.168.0.100 token = BSYEB28O local_dns = 184.108.40.206,220.127.116.11 local_domain = mydomain.local
You can add multiple NxCloud server IP addresses separated by commas.
You can verify your config values and the connectivity by running /nxrelay/bin/test.sh.
Config parametersNxRelay supports the following parameters in /nxrelay/conf/cfg.properties, - server
Your cloud filtering server or policy server that is NxCloud.- token
Login token of a user from your filtering server.- local_dns
Your local DNS server or Active Directory DNS server doing the actual DNS resolving. If there's no DNS server specified here, we use 18.104.22.168 and 22.214.171.124.- local_domain
Domains to be bypassed to your local DNS server. You can add multiple domains separated by commas.- listen_ip
When you have a port collision on UDP/53, use this parameter to listen on a specific IP address.- block_redi_ip
You can override Block Redirection IP from your server.- use_https_dns
You can use Cloudflare HTTPS DNS server for DNS resolving since v2.4.7 of NxRelay. ex) 0 = false, 1 = true- use_https_query
With this option enabled, NxRelay will do its policy queries over HTTPS. ex) 0 = false, 1 = true- https_query_port
Policy queries over HTTPS will use TCP/443 at default but if you need to use another port you can change it here.- query_cache_ttl
NxRelay has 300 seconds cache for a query result from its policy server. You can set a number between 0 and 3600 seconds. If you increase the value, it will reduce the traffic to your policy server but your filtering policy change will be reflected after the cache expired. ex) 0 = bypass, 300 = 5 minutes, 1200 = 20 minutes- a_query_only
With this option enabled, NxRelay will filter A, AAAA types of queries only and you will have have better performance. ex) 0 = false, 1 = true- run_mapper
NxRelay has an integrated NxMapper module to send Active Directory login username when you install it on a domain controller.- radius_accounting_port
The port to which you receive RADIUS accounting requests. We use UDP/1813 at default.- radius_shared_secret
Shared secret string for your Wi-Fi router to communicate with NxRelay.- radius_enable_logout
Destroy user login session when the status type of an accounting request is 'Stop'. ex) 0 = false, 1 = true- use_radius
Run RADIUS account server. ex) 0 = false, 1 = true
Which policy to applyWhen you run NxRelay as the DNS server for your network it starts filtering with the policy associated to the login token you set in its config file. However, that is just a default policy for NxRelay. You can apply a different policy based on a private IP address in your local network. On NxCloud's operator GUI, create a user and associate a private IP address or IP range to the user. Now the users on the associated IP address or IP address range will be under the policy of the user you created on NxCloud GUI.
Utility scriptsIn /nxrelay/bin there are several utility scripts included.
- startup.sh : Starting NxRelay
- shutdown.sh : Stopping NxRelay
- test.sh : Test the connectivity to NxCloud
- ping.sh : Test if it is running
We have .bat versions of these script for Windows.For Windows we have 2 more,
- instsvc.bat : Installing NxRelay service
- unstsvc.bat : Uninstall NxRelay service
Active Directory integration over cloudActive Directory integration over cloud is possible by NxRelay. When you install NxRelay on a domain controller in your Active Directory, it can detect and send logged-in AD usernames to its server. These are the conditions to impelment Active Directory integration over cloud. 1. Install NxRelay on a domain controller
In order for NxRelay to detect logged-in username, you have to install it on a domain controller. However, you may have a port collision problem with your existing MS DNS server. In that case, you can add one more IP address on your server and bind your MS DNS server to one IP address and NxRelay to the other IP address.
You can install NxRelay on another server when you use CxLogon or 802.1x WiFi authentication.2. Use your Active Directory DNS server as your local DNS server
In Active Directory, DNS is playing a very important role. Not to break anything with your Active Directory integration, you should set your MS DNS server to be the Local DNS of NxRelay and bypass your Active Directory domain as the Local Domain of NxRelay.However, 'Active Directory integration over cloud' is a bit different from when you do 'Active Directory integration' in your local network with NxFilter. On NxCloud, we don't support user importation from Active Directory. So, it's not a full scale Active Directory integration yet. It still can show Active Directory username in 'tokenname_username' form on your log view so that you can find out who is who. For example, if you have 'john100' user in your Active Directory and run NxRelay with the login token of 'myrelay' user on NxCloud, you will see his DNS requests appearing with 'myrelay_john100' username on 'Logging > DNS Request'. And the policy applied to 'john100' would be the policy of 'myrelay' user. If you want to apply a different policy to 'john100' based on his username, you can create 'john100' user on your NxCloud.
On NxCloud, user detection by Active Directory logged-in username comes before user detection by IP association.
User detection by 802.1x Wi-Fi authenticationNxRelay has an integrated RADIUS accounting server module. This module is the same one as the one we use with NxFilter for single sign-on by 802.1x Wi-Fi authentication. NxRelay will send the usernames it detected to NxCloud. To understand how it works, read Single sign-on by 802.1x
User detection by CxLogonNxRelay supports CxLogon since v2.6.4. This means that you can detect the logged-in usernames on the PCs in your network without Active Directory. To find out more about CxLogon, read Single sign-on by CxLogon. At default, it will show you the detected username as in 'tokenname_username' form but if you create a corresponding username on NxCloud, it will show you the username as it is and you can assign a specific policy to the user. This is the same rule as the one we use with Active Directory integration over cloud.
When you use CxLogon with NxRelay, it doesn't create login requests and it will be working without matching usernames on NxCloud.
Bypassing domains en masseYou can reduce the traffic to NxCloud by bypassing domains from policy queries en masse. To bypass domains en masse, you need to create /nxrelay/conf/bypass.txt file and add domains into the file. You can use an asterisk to include subdomains. The domains in the file should be separated by newlines like below,
www.jahastech.com mail.jahastech.com *.nxfilter.org
NxRelay and NxFilterYou may work for a company having multiple branch offices. You want to filter all the branch offices centrally. You also want to have user authentication and single sign-on like you do with NxFilter in a local network. However, you don't want to run NxCloud as you are the only administrator. You don't want to login to each operator GUI to change policies. You can do all these things with NxRelay and NxFilter. By NxRelay, you can associate private IPs behind a router to your users on NxFilter. If you have Active Directory, you can import AD users into your NxFilter and then you can run NxRelay in each branch office to detect AD usernames. If you want to find out more about AD integration by NxRelay, read AD integration over cloud part. Since NxRelay supports CxLogon, you can have single sign-on without Active Directory. And you can implement single sign-on using 802.1x Wi-Fi authentication. So, it's like there's almost nothing different from running NxFilter in a local network. However, there's one condition. Every branch office must use a different IP range. For example, if Branch Office #1 uses 192.168.0.0/24, Branch Office #2 shoud use a different one like 192.168.0.1/24.