NxFilter as a DNS server
NxFilter is essentially a forwarding, caching DNS server with filtering. You can also use it
as an authoritative DNS server.
Authoritative DNS server
NxFilter can work as an authoritative DNS server.
1. Zone File
We use the same zone file format as BIND. You create a zone file for a domain on 'DNS > Zone File'
and add your hosts to the zone by editing it in the GUI.
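As an added example (not NxFilter's own code), the Python script below parses a small BIND-format zone of the kind you would paste into 'DNS > Zone File' and runs the checks worth doing before publishing it: exactly one SOA and at least one NS at the apex, and an address (glue) record for every in-zone name server. The zone text, the domain example.com and the addresses in it are constructed for illustration. The parser handles the parts of the format that usually trip people up: $ORIGIN, $TTL, '@', relative names, ';' comments, the multi-line parenthesised SOA and the blank-owner shorthand.

```python
"""Minimal parser and sanity checker for a BIND-format zone file, the format
NxFilter uses on 'DNS > Zone File'. Added example, not NxFilter's own code; the
sample zone is constructed for a hypothetical example.com."""

SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2024010101 ; serial
                7200       ; refresh
                3600       ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL
@       IN  NS  ns1
@       IN  NS  ns2
@       IN  MX  10 mail
@       IN  A   192.0.2.10
ns1     IN  A   192.0.2.53
ns2     IN  A   192.0.2.54
mail 600 IN A   192.0.2.25
www     IN  A   192.0.2.10
        IN  AAAA 2001:db8::10  ; blank owner: inherits 'www' from the line above
"""

RECORD_TYPES = {"A", "AAAA", "NS", "CNAME", "MX", "SOA", "TXT", "PTR", "SRV"}
CLASSES = {"IN", "CH", "HS"}
# rdata positions holding domain names, which may be written relative to $ORIGIN
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,),
               "SOA": (0, 1), "SRV": (3,)}

def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf)   # buf[0] keeps its leading whitespace
            buf = []
    if depth != 0:
        raise ValueError("unbalanced parentheses in zone file")

def _qualify(name, origin):
    """Turn '@' and relative names into absolute names under origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return a list of (owner, ttl, class, type, rdata) tuples, names absolute."""
    origin, default_ttl, last_owner, records = None, None, None, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            if not origin.endswith("."):
                raise ValueError("$ORIGIN must be an absolute name")
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if origin is None:
            raise ValueError("record before $ORIGIN")
        # A record that starts with whitespace reuses the previous owner name.
        owner = last_owner if line[0].isspace() else _qualify(tokens.pop(0), origin)
        if owner is None:
            raise ValueError("first record has no owner name")
        ttl, rclass = default_ttl, "IN"
        while tokens and (tokens[0].isdigit() or tokens[0] in CLASSES):
            tok = tokens.pop(0)          # optional TTL and class, either order
            ttl, rclass = (int(tok), rclass) if tok.isdigit() else (ttl, tok)
        rtype = tokens.pop(0)
        if rtype not in RECORD_TYPES:
            raise ValueError(f"unsupported record type {rtype!r}")
        for i in NAME_FIELDS.get(rtype, ()):
            tokens[i] = _qualify(tokens[i], origin)
        records.append((owner, ttl, rclass, rtype, tuple(tokens)))
        last_owner = owner
    return records

def check_zone(records, origin):
    """Checks worth running before publishing: exactly one SOA and at least
    one NS at the apex, and an A/AAAA (glue) record for in-zone name servers."""
    problems = []
    apex = [r for r in records if r[0] == origin]
    if sum(1 for r in apex if r[3] == "SOA") != 1:
        problems.append("zone must have exactly one SOA at the apex")
    ns_targets = [r[4][0] for r in apex if r[3] == "NS"]
    if not ns_targets:
        problems.append("zone has no NS record at the apex")
    has_addr = {r[0] for r in records if r[3] in ("A", "AAAA")}
    for ns in ns_targets:
        if ns.endswith("." + origin) and ns not in has_addr:
            problems.append(f"in-zone name server {ns} has no A/AAAA record")
    return problems
```

Running parse_zone(SAMPLE_ZONE) and then check_zone(records, "example.com.") returns an empty list for the sample; delete the ns2 A record and the checker reports the missing glue, which is exactly the kind of mistake that makes a freshly published zone unreachable from the outside.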
2. Clustering
When you build a cluster of NxFilter, the slave nodes also work as authoritative DNS servers
with the settings from the master node. You don't need to set up a secondary DNS server for redundancy;
it is already clustered.
Run it on the internet
Since NxFilter is a DNS filter with authentication, there are several things you need to think about
when you use it as an authoritative DNS server.
- Authentication
You should enable authentication, especially when you put NxFilter on the internet, to avoid
becoming a target of DNS attacks. The problem is that with authentication enabled,
DNS queries for your domains from anonymous users are redirected to NxFilter's login page.
To allow anonymous DNS queries for your domain, you need to bypass authentication for the domain.
- Filtering
Being a DNS filter, NxFilter might block your domain for some reason, which would make
your own domain unresolvable. To avoid this kind of problem,
you need to bypass filtering for your domain.
- Too much log data
A DNS attack can leave you with a large amount of log data for your domain. It might be better to bypass
logging for your domain.
When you are under DNS attacks
When you put NxFilter in the cloud, it can come under DNS attacks. Once you are under a DNS attack
you will have massive traffic to your server. NxFilter can't handle all the traffic, it will eventually look almost
dead and you will get 'Queue full' error logs.
To avoid this kind of problem, the best thing is to hide your DNS server and not respond to the attackers.
To hide your NxFilter from them, first enable authentication. NxFilter will then answer DNS queries
from unknown users with its Block Redirection IP.
However, since they still get a response, they may still think there is a DNS server to attack. To hide it from them completely,
the packets from unknown users need to be dropped silently. For this purpose, enable 'Disable Login Redirection'
on 'System > Setup' and NxFilter will drop the packets from these attackers. Note that this drops every
unauthenticated client, not only attackers, so the authentication bypass for your own domains described above
is still needed if anonymous users are to resolve them.
Running a local recursive server
You may want to run a local recursive DNS server such as MaraDNS or Unbound on the same machine as NxFilter.
Some people do this for speed, and some to hide their queries from public DNS servers
or from internet censorship.
Both NxFilter and the recursive server want to listen on port 53, so running them on one machine causes a port collision.
You need to change the port number of your recursive DNS server. After you change it to
a non-standard one such as 5353, specify the port for the Upstream DNS Server on 'DNS > Setup' using
a colon, like below.
ex) 127.0.0.1:5353
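The Python script below, added here as an example and not part of NxFilter, lets you check from the outside which of the behaviours described under 'When you are under DNS attacks' your server actually exhibits, and doubles as a check that a local recursive server on a non-standard port (the 127.0.0.1:5353 case above) is answering. It sends one A query and classifies the reply as 'answer', 'redirect' (every address returned equals the Block Redirection IP you pass in, assuming NxFilter returns that IP as an A record) or 'dropped' (nothing came back before the timeout). The server address and the Block Redirection IP are whatever you configured; make_response exists only so the parsing can be exercised offline without a server.

```python
"""Probe a DNS server as an outside client sees it and classify the result:
'answer' (real data), 'redirect' (every A answer is the Block Redirection IP,
i.e. authentication is on but login redirection still replies), or 'dropped'
(no reply before the timeout, i.e. 'Disable Login Redirection' is on). The same
probe, pointed at 127.0.0.1:5353, checks a local recursive server on its
non-standard port. Added example, not NxFilter's own code; standard library only.
"""
import random
import socket
import struct

def build_query(name, qtype=1, txid=None):
    """Encode a recursion-desired query (default type A) for `name`."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def make_response(query, addrs, rcode=0):
    """Build the reply a server would send to `query` (used to test offline)."""
    flags = 0x8180 | rcode                       # QR=1, RD=1, RA=1
    header = query[:2] + struct.pack(">HHHHH", flags, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
                       + socket.inet_aton(a) for a in addrs)
    return header + query[12:] + answers

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_answers(msg):
    """Return (rcode, [IPv4 addresses]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def classify(reply, redirect_ip):
    """`reply` is the raw response, or None when the query timed out."""
    if reply is None:
        return "dropped"
    rcode, addrs = parse_a_answers(reply)
    if addrs and all(a == redirect_ip for a in addrs):
        return "redirect"
    return "answer" if rcode == 0 else f"error(rcode={rcode})"

def probe(server, name, redirect_ip, timeout=2.0):
    """`server` is 'host' or 'host:port', the notation NxFilter uses for upstreams."""
    host, _, port = server.partition(":")
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, int(port) if port else 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    if reply is not None and reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(reply, redirect_ip)

if __name__ == "__main__":
    import sys
    # usage: probe.py <server[:port]> <name> <block-redirection-ip>
    print(probe(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run it from a host that has not authenticated to NxFilter: 'redirect' means attackers still see a live server, 'dropped' means 'Disable Login Redirection' is doing its job, and 'answer' for your own domain confirms the authentication bypass is in place. Against 127.0.0.1:5353 on the NxFilter machine, 'answer' confirms the recursive server is listening on the port you entered as the upstream.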