NxFilter Tutorial
Tutorial Index

NxRelay for whole network
NxRelay is a relaying DNS server for NxCloud. With NxRelay, you can associate a private IP to a user on NxCloud. This means that you can apply policies based on private IPs behind a router from your cloud filtering service.

You can run NxRelay with NxFilter for filtering multiple branch offices or Active Directory integration over cloud. We will talk about it on NxRelay and NxFilter part.

Globlist doesn't support NxRelay.

How it works
NxRelay itself is a forwarding DNS server. It does filtering by querying NxCloud and it works as a DNS server by forwarding DNS queries to your local DNS server. For NxRelay, NxCloud is not its upstream DNS server. Rather, it's a policy server. Its upstream server is your existing DNS server or MS DNS server if you are on Active Directory. This means that even if you lose the connection to NxCloud, you will not have a DNS failure. And you will not have an issue with Active Directory integration as all the DNS queries related to Active Directory will be resolved by your MS DNS server.

It sends START and PING signals. You can see if it's running on 'Logging > Agent Signal' on NxCloud GUI.

Installing on Windows
We provide a Windows installer for NxRelay. It will install NxRelay as a Windows service and runs its GUI setup program.

If you need to install NxRelay service on Windows manually,

1. Download its ZIP package

2. Extract it into c:/nxrelay

3. Modify its config parameters in c:/nxrelay/conf/cfg.properties


	cd c:/nxrelay/bin
	net start NxRelay

Installing on Linux
1. Download its ZIP package.

We have an RPM package for NxRelay, To find out more, read Install NxRelay using RPM.

2. Extract it into /nxrelay.

On command line,

	cd /nxrelay
	sudo chmod +x bin/*.sh
	sudo cp script/nxrelay.service /lib/systemd/system/nxrelay.service
	sudo systemctl enable nxrelay.service
	sudo systemctl start nxrelay.service

To stop it,

	sudo systemctl stop nxrelay.service

Before you start it, you need to modify its config parameters in /nxrelay/conf/cfg.properties.

How to set it up
You need your NxCloud server IP and a login token from one of your user accounts. It reads its config parameters from /nxrelay/conf/cfg.properties file.

For example,

	server =
	token = BSYEB28O
	local_dns =,
	local_domain = mydomain.local

When you have these config values in the config file, your NxCloud server IP is and the login token is 'BSYEB28O' and your local DNS server or existing DNS server is and If you have some domains to bypass from filtering you can add them as a comma separated value of 'local_domain'.

After you modify the config file, verify your config values and the connectivity to the server by running /nxrelay/bin/test.sh. Then restart NxRelay and set it as the only DNS server for your network.

You can add multiple NxCloud server IP addresses separated by commas.

You can verify your config values and the connectivity by running /nxrelay/bin/test.sh.

Config parameters
NxRelay supports the following parameters in /nxrelay/conf/cfg.properties,

- server
Your cloud filtering server or policy server that is NxCloud.

- token
Login token of a user from your filtering server.

- local_dns
Your local DNS server or Active Directory DNS server doing the actual DNS resolving. If there's no DNS server specified here, we use and

- local_domain
Domains to be bypassed to your local DNS server. You can add multiple domains separated by commas.

- listen_ip
When you have a port collision on UDP/53, use this parameter to listen on a specific IP address.

- block_redi_ip
You can override Block Redirection IP from your server.

- use_https_dns
You can use DNS over HTTPS service for DNS resolving.
    ex) 0 = false, 1 = true

- https_dns_type
You can choose between Cloudflare or Google DNS for upstream HTTPS DNS service.
    ex) 1 = Cloudflare, 1 = Google

- use_https_query
With this option enabled, NxRelay will do its policy queries over HTTPS.
    ex) 0 = false, 1 = true

- https_query_port
Policy queries over HTTPS will use TCP/443 at default but if you need to use another port you can change it here.

- query_cache_ttl
NxRelay has 300 seconds cache for a query result from its policy server. You can set a number between 0 and 3600 seconds. If you increase the value, it will reduce the traffic to your policy server but your filtering policy change will be reflected after the cache expired.
    ex) 0 = bypass, 300 = 5 minutes, 1200 = 20 minutes

- a_query_only
With this option enabled, NxRelay will filter A, AAAA types of queries only and you will have have better performance.
    ex) 0 = false, 1 = true

- run_mapper
NxRelay has an integrated NxMapper module to send Active Directory login username when you install it on a domain controller.

- radius_accounting_port
The port to which you receive RADIUS accounting requests. We use UDP/1813 at default.

- radius_shared_secret
Shared secret string for your Wi-Fi router to communicate with NxRelay.

- radius_enable_logout
Destroy user login session when the status type of an accounting request is 'Stop'.
    ex) 0 = false, 1 = true

- use_radius
Run RADIUS account server.
    ex) 0 = false, 1 = true

- drop_blocked_request_type
Enable request type control on NxRelay. You can set blocked request types on 'DNS > Server Protection > Request Type Control' .
    ex) 0 = false, 1 = true

Which policy to apply
When you run NxRelay as the DNS server for your network it starts filtering with the policy associated to the login token you set in its config file. However, that is just a default policy for NxRelay. You can apply a different policy based on a private IP address in your local network. On NxCloud's operator GUI, create a user and associate a private IP address or IP range to the user. Now the users on the associated IP address or IP address range will be under the policy of the user you created on NxCloud GUI.

Utility scripts
In /nxrelay/bin  there are several utility scripts included.

  • startup.sh : Starting NxRelay
  • shutdown.sh : Stopping NxRelay
  • test.sh : Test the connectivity to NxCloud
  • ping.sh : Test if it is running

We have .bat versions of these script for Windows.

For Windows we have 2 more,

  • instsvc.bat : Installing NxRelay service
  • unstsvc.bat : Uninstall NxRelay service

For Ubuntu Linux, we have a systemd script that is /nxrelay/script/nxrelay.service.

Active Directory integration over cloud
Active Directory integration over cloud is possible by NxRelay. When you install NxRelay on a domain controller in your Active Directory, it can detect and send logged-in AD usernames to its server.

These are the conditions to impelment Active Directory integration over cloud.

1. Install NxRelay on a domain controller
In order for NxRelay to detect logged-in username, you have to install it on a domain controller. However, you may have a port collision problem with your existing MS DNS server. In that case, you can add one more IP address on your server and bind your MS DNS server to one IP address and NxRelay to the other IP address.

You can install NxRelay on another server when you use CxLogon or 802.1X WiFi authentication.

2. Use your Active Directory DNS server as your local DNS server
In Active Directory, DNS is playing a very important role. Not to break anything with your Active Directory integration, you should set your MS DNS server to be the Local DNS of NxRelay and bypass your Active Directory domain as the Local Domain of NxRelay.

However, 'Active Directory integration over cloud' is a bit different from when you do 'Active Directory integration' in your local network with NxFilter. On NxCloud, we don't support user importation from Active Directory. So, it's not a full scale Active Directory integration yet. It still can show Active Directory username in 'tokenname_username' form on your log view so that you can find out who is who.

For example, if you have 'john100' user in your Active Directory and run NxRelay with the login token of 'myrelay' user on NxCloud, you will see his DNS requests appearing with 'myrelay_john100' username on 'Logging > DNS Request'. And the policy applied to 'john100' would be the policy of 'myrelay' user. If you want to apply a different policy to 'john100' based on his username, you can create 'john100' user on your NxCloud.

On NxCloud, user detection by Active Directory logged-in username comes before user detection by IP association.

User detection by 802.1X Wi-Fi authentication
NxRelay has an integrated RADIUS accounting server module. This module is the same one as the one we use with NxFilter for single sign-on by 802.1X Wi-Fi authentication. NxRelay will send the usernames it detected to NxCloud. To understand how it works, read Single sign-on by 802.1X

User detection by CxLogon
NxRelay supports CxLogon since v2.6.4. This means that you can detect the logged-in usernames on the PCs in your network without Active Directory. To find out more about CxLogon, read Single sign-on by CxLogon.

At default, it will show you the detected username as in 'tokenname_username' form but if you create a corresponding username on NxCloud, it will show you the username as it is and you can assign a specific policy to the user. This is the same rule as the one we use with Active Directory integration over cloud.
When you use CxLogon with NxRelay, it doesn't create login requests and it will be working without matching usernames on NxCloud.

Bypassing domains en masse
You can reduce the traffic to NxCloud by bypassing domains from policy queries en masse. To bypass domains en masse, you need to create /nxrelay/conf/bypass.txt file and add domains into the file. You can use an asterisk to include subdomains. The domains in the file should be separated by newlines like below,


NxRelay and NxFilter
You may work for a company having multiple branch offices. You want to filter all the branch offices centrally. You also want to have user authentication and single sign-on like you do with NxFilter in a local network. However, you don't want to run NxCloud as you are the only administrator. You don't want to login to each operator GUI to change policies. You can do all these things with NxRelay and NxFilter.

By NxRelay, you can associate private IPs behind a router to your users on NxFilter. And you can import AD users into your NxFilter and then you can run NxRelay in each branch office to detect AD usernames. NxRelay also supports CxLogon for single sign-on without Active Directory. And you can implement 802.1X Wi-Fi authentication. So, it's like there's almost nothing different from running NxFilter in a local network. However, there's one condition. Every branch office must use a different IP range. For example, if Branch Office #1 uses, Branch Office #2 shoud use a different one like This is for preventing IP collision.

Domain redireciton
You may want to set domain redirections for your local network running NxRelay. To set domain redirections, create /nxrelay/conf/redirection.txt file and add domain to IP map into the file like below,


Request type control
You can block certain types of DNS requests by NxRelay. It will fetch the request type control settings from NxFilter and drop the blocked type queries. To enable this kind of function, you need to set 'drop_blocked_request_type' to '1' in /nxrelay/conf/cfg.properties file like below,

drop_blocked_request_type = 1