- I can bypass NxFilter by accessing websites using IP address.
- It doesn't get blocked/unblocked right away.
- How do I force a user to be filtered by NxFilter?
- How does NxFilter determine which policy to apply to a user?
- What is the quickest way of blocking 'facebook.com'?
- I want to block 'facebook.com' for my students only.
- I want to allow sales department to use the internet freely at lunchtime.
- How do I change NxFilter's webserver port?
- How do I reset admin password?
- Can I bind NxFilter to a specific IP address?
- How do I bypass my local domain from filtering?
- Can I use an exact matching keyword for log search?
- Why do I need to re-login after lunch break?
- How do I apply my own SSL certificate?
- How do I enable debugging?
- How do I show NxFilter's block page on HTTPS?
- How do I hide SSL warning?
- Why do I get 'Invalid License' error?
- I don't see any username on 'Logging > DNS Request'.
- How to set up a time zone?
- How do I force a user to logout?
- What is 'Queue full' error?
- How to block porn on Google, YouTube search results?
- Can I bypass a specific user from filtering/logging?
- Can I install NxFilter on my Active Directory domain controller?
- How do I calculate the number of users for a commercial license?
- What is 'Too many requests' error?
- How do I add more users to my license?
- My Internet connection gets faster after I install NxFilter.
- Can I bypass authentication by NxCloud?
- Does NxFilter support IPv6?
- How to update it from v3 to v4?
- How do I utilize the public blocklists from the internet?
- Why do I get SSL warning instead of Login Page?
- How do I allow guest access?
- Can I clear DNS response cache on NxFilter without restarting it?
Some people say that DNS filtering is useless because they can access a website using its IP address. This is a very naive thought and simply not true. In today's Internet environment, most websites run on virtual hosts, which means multiple websites share one IP address. You can't access these websites without using a domain name.
The other thing to consider is that many URLs are embedded in a webpage. This is especially true for a big portal site. Those URLs depend on DNS as well. If you try to access a blocked website using an IP address, you will get just a broken webpage in most cases.
This is mostly caused by the DNS cache on your system. On a Windows system there are two kinds of DNS cache: one in your browser and another in the Windows OS. Until they expire, your policy change for blocking/unblocking will not take effect. Both caches expire eventually, but you might want to clear them immediately. You can clear the browser cache by restarting your browser.
If you want to clear out your Windows DNS cache, use the following command on CMD.
ipconfig /flushdns
Normally, a DNS cache entry expires within a day at the maximum. Of course, it depends on the TTL of the DNS record, but that is usually not bigger than 86,400 seconds (1 day). The browser cache may take several minutes to expire. However, it will expire eventually and your filtering policy will take effect. So, in the end, this is not a problem as you don't need to block/unblock a website many times a day.
If you have a firewall in your network, it is a simple task. You just need to block outgoing UDP/53 and TCP/53 traffic except from NxFilter, and then use DHCP to set NxFilter as the DNS server for your network. NxFilter then becomes the only DNS server your users can use, and their DNS settings will point to NxFilter automatically.
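The firewall side of this setup, as an added example that is not NxFilter's own tooling: one function prints an nftables ruleset that lets only NxFilter send DNS through the gateway, and a second one lists the clients whose direct DNS attempts were dropped, which is how you find machines with a hard-coded resolver. It assumes a Linux gateway running nftables and NxFilter at 192.168.0.100; the table name, the log prefix and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not NxFilter tooling. Assumes a Linux gateway with nftables;
# the table name and the "dns-bypass " log prefix are invented for this sketch.

# Succeeds only for a dotted quad whose octets are all 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print a ruleset under which only NxFilter ($1) may send DNS through the gateway.
dns_enforce_rules() {
    is_ipv4 "$1" || { echo "invalid NxFilter IP: $1" >&2; return 1; }
    cat <<EOF
table inet dns_enforce {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # NxFilter to its upstream DNS servers
        ip saddr $1 udp dport 53 accept
        ip saddr $1 tcp dport 53 accept
        # clients on other routed subnets to NxFilter
        ip daddr $1 udp dport 53 accept
        ip daddr $1 tcp dport 53 accept
        # any other DNS leaving the network is logged and dropped
        udp dport 53 log prefix "dns-bypass " drop
        tcp dport 53 log prefix "dns-bypass " drop
    }
}
EOF
}

# Read kernel log lines on stdin; print "<count> <client IP>" for each client
# whose direct DNS was dropped, busiest first.
dns_bypass_sources() {
    sed -n '/dns-bypass /s/.* SRC=\([0-9.]*\) .*/\1/p' |
        sort | uniq -c | sort -k1,1nr -k2 | awk '{ print $1, $2 }'
}

# Constructed sample log lines (documentation addresses as destinations).
SAMPLE_LOG='Jan 10 12:00:01 gw kernel: dns-bypass IN=lan0 OUT=wan0 SRC=192.168.0.23 DST=203.0.113.53 PROTO=UDP SPT=40001 DPT=53
Jan 10 12:00:02 gw kernel: dns-bypass IN=lan0 OUT=wan0 SRC=192.168.0.23 DST=203.0.113.53 PROTO=UDP SPT=40002 DPT=53
Jan 10 12:00:05 gw kernel: dns-bypass IN=lan0 OUT=wan0 SRC=192.168.0.41 DST=198.51.100.8 PROTO=TCP SPT=51000 DPT=53
Jan 10 12:00:09 gw kernel: IN=lan0 OUT=wan0 SRC=192.168.0.50 DST=198.51.100.8 PROTO=TCP SPT=51111 DPT=443'

dns_enforce_rules 192.168.0.100
printf '%s\n' "$SAMPLE_LOG" | dns_bypass_sources
```

Review the printed ruleset before piping it to `nft -f -` on the gateway.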
If you're an experienced systems administrator, you might already be familiar with many of NxFilter's features, as they are common in other network security solutions. However, for those less experienced with such technologies, NxFilter's policy decision system might not be as straightforward. This is particularly true for home network users.
To read more, see https://forum.nxfilter.org/tips-tricks/2739-understanding-the-policy-application-system-of-nxfilter
Add '*.facebook.com' on 'Whitelist > Domain' with Admin Block option.
You need to be able to differentiate your students on NxFilter by authentication first. Then block the Social Networking category in a policy when you use Jahaslist, and assign the policy to the user or group associated with your students.
1. Create a user or a group for your sales department.
2. Define free-time in 'Policy > Free Time' for the lunchtime in your company.
3. Create a policy not blocking anything.
4. Assign the policy as the free-time policy of the user or group.
You can change the HTTP/HTTPS listening ports on NxFilter. However, when you change the HTTP port you will lose your block page redirection. This is because when NxFilter redirects a user on HTTP, something needs to be listening for the browser on TCP/80.
To change the ports, you need to modify these two parameters in the /nxfilter/conf/cfg.properties file.
https_port = 443
After you change the ports, restart NxFilter.
We have the /nxfilter/bin/reset-pw.sh script to reset the admin password. Once you run the script, the admin name and password will be reset to 'admin'. You need to run the script while NxFilter is running.
You might want to bind NxFilter to a specific IP address to avoid a port collision problem. You can bind NxFilter to a specific IP address using the 'listen_ip' parameter in the /nxfilter/conf/cfg.properties file. If you set it to '0.0.0.0', NxFilter will listen on all the IP addresses of your system, but if you set it to a specific IP address, NxFilter will listen on the specified IP address only.
On 'DNS > Setup', you can set your local DNS server and local domain. With this setup, if there are DNS queries for your local domain, NxFilter forwards the queries to your local DNS server and bypasses authentication, filtering and logging.
You can use square brackets for exact matching on log search.
ex) [john], [192.168.0.1]
Your login session has expired. If there is no activity (DNS query) from your PC for a certain amount of time, your login session expires. You can increase the value for Login Session TTL on 'System > Setup'.
To use your own SSL certificate, you need to build a Java KeyStore or JKS file. If you already have a CRT format certificate, you need to convert it to a JKS file. Then you set two parameters in the /nxfilter/conf/cfg.properties file. One is 'keystore_file' and the other one is 'keystore_pass'. You can set your JKS file like below,
keystore_pass = 123456
When there is something wrong with NxFilter, the first thing you can do is to find out exactly what is going on from its system log data. NxFilter keeps its system log data in the /nxfilter/log directory. If you need more detailed log data, enable debugging in /nxfilter/conf/log4j.properties. Change 'INFO' to 'DEBUG' inside the file and restart NxFilter.
When you are blocked on HTTPS, you get an SSL warning page instead of the NxFilter block page in your browser. The browser does this to prevent a 'Man In The Middle' attack. However, many people find it annoying and want to show the block page with a proper block reason.
The simpler option is to enable the Silent Block option on 'System > Setup'. With this option enabled, NxFilter doesn't do block redirection, so there's no block page to be shown and no SSL warning either. It will appear as a connection problem or a DNS resolution failure in your browser.
Another option is to use CxForward. CxForward is a Chrome/Edge extension we provide. It will bypass the SSL warning and forward your browser to the block page. To find out more, read 'CxForward for blocks on HTTPS'.
The first thing you need to check would be Enable Authentication option on 'System > Setup'. Some people don't understand that they need to enable authentication before implementing any authentication method.
Some of our users reported that the time zone on NxFilter differs from that of the system it is running on. This happens mostly on CentOS. When you need to set the time zone for NxFilter manually, you can do that at the JVM level. In /nxfilter/bin/startup.sh, set the following parameter.
You can destroy a user's login session on 'User > List > Test'.
You get the 'Queue full' error when NxFilter can't process the DNS requests in its job queue fast enough. It can happen when you lose the network connection to your upstream server or when you have too many requests for your system's performance. If it is caused by a network connection problem, it will go away after your connection is restored.
If you don't have a network connection problem then you might need to do some tweaks on your system. If you have more than 1,000 users, you may need to increase memory allocation to NxFilter.
You can force Safe Search from NxFilter. We have Safe Search option on a policy.
You might want to bypass some of your users from filtering and logging. You can add the client IP addresses you want to bypass from filtering and logging on 'DNS > Access Control > Bypass All'.
Some people want to install NxFilter on their Active Directory domain controller. It is ideal if you don't want to add one more piece of hardware or VM. However, a domain controller usually has its own MS DNS server, and that causes a port collision problem with NxFilter. The solution is to add one more IP address to your domain controller and have your MS DNS server listen on only one IP address and NxFilter listen on the other.
For example, if you want to have your NxFilter listening on 192.168.0.100 only, you need to modify the value of 'listen_ip' parameter on c:/nxfilter/conf/cfg.properties file.
listen_ip = 192.168.0.100
NxFilter counts the number of usernames, client IP addresses and DNS requests on a daily basis. If one of them exceeds your licensed user number, any unlicensed user or request will appear as blocked in your log view. However, since it is a warning measure, this blocking does not actually happen on the user side.
The daily request number allowed by NxFilter for one user is 4,000 (if you have a 100-user license, you can make 4,000 x 100 requests a day). According to our statistics so far, in an ordinary office or school environment, one user makes up to 1,500 requests a day. We added 2,500 requests to it as a margin. So, it becomes 4,000 requests a day for one user. For request counting, we only count 'A' type DNS queries.
We count the number of requests for license protection, and you are making more DNS requests than the number permitted by your license. Read 'How can I calculate the number of users for a commercial license?'
You can increase your existing license size after its purchase. When you add more users, you only need to pay for the remaining period on your license. Suppose that you want to add 100 users after spending 6 months on your license; then you only need to pay 50% of your new purchase. To add more users to your license, contact us at 'support @ nxfilter.org'.
It's because you now have a DNS caching server in your network. Before you install NxFilter, your users were making DNS queries against 'google.com' over and over again. When you use a public DNS server from the internet, this means that your users are sending UDP packets to somewhere on the internet and waiting for the following responses many times a day. However, after you install NxFilter, once a DNS response has been cached by NxFilter, your users will get their DNS responses directly from NxFilter. So, there will be no latency from a public DNS server on the internet and your users will be experiencing a faster Internet connection.
When you run NxCloud, you need to know who is who first, as everything needs to belong to an operator. However, some people want to let their users resolve some domains without the authentication process. In that case, you can do 'Total Bypass' for a domain. When you whitelist a domain on the admin GUI with the Bypass Filtering and Bypass Logging flags, it becomes Total Bypass for the domain and it bypasses authentication as well.
Yes, you can point to NxFilter by its IPv6 address. However, we disabled its socket server on IPv6 addresses by default. This is because if we accept DNS requests on both IPv4 and IPv6, you may need to log in twice when you use authentication. To prevent such confusion, we recommend that you set nothing for the DNS server of your IPv6 network. Your users will use the DNS server set for your IPv4 network.
If you still want to set NxFilter to be the DNS server for your IPv6 network, one possible approach is to use an IPv4-mapped IPv6 address. Suppose that your NxFilter is running on 192.168.0.100. Then you can use an IPv6 address like the one below to point to the server,
::ffff:192.168.0.100
If you have to use a real IPv6 address for NxFilter, set the value of 'java.net.preferIPv4Stack' to 'false' in /nxfilter/bin/startup.sh.
java -Djava.net.preferIPv4Stack=false -Xmx1024m -cp $NX_HOME/nxd.jar:$NX_HOME//lib/*: nxd.Main
Some users want to update their NxFilter from v3 to v4. Basically, there shouldn't be any problem with that, but those who use Shallalist, which is not supported by v4, may have a problem. If you update from v3 to v4 while keeping the Shallalist option, you will not be able to start up NxFilter. So, you have to change it to Jahaslist or one of the other domain categorization options supported by v4 before you update.
If you have to change it to Jahaslist manually, you can modify /nxfilter/conf/cfg.properties file. Change the value of 'blacklist_type' to 5 like below,
blacklist_type = 5
As of v4.3.3.7 of NxFilter, you can use the public blocklists from the internet for filtering. If it's a hosts file or a file containing domains separated by newlines, you can have it downloaded and merged automatically overnight on 'Classifier > Blocklist'. To find out more, read 'Classifier > Blocklist'.
You may want to allow network access to guests visiting your office temporarily while filtering and authentication are enabled. With NxFilter, this is a simple task as you can have multiple authentication methods at the same time. You can create a guest account associated with an IP range covering the entire network for your office. In NxFilter's authentication precedence, IP range association comes last. If your users do single sign-on with NxFilter's SSO agent or if they have a single IP association, they will still appear with their own username while your guests appear with the guest account you created.
To find out more about NxFilter's authentication precedence, read 'Authentication precedence'.
It's mostly caused by your firewall rules. You need to open outgoing TCP/80, TCP/443 and UDP/123 ports for NxFilter.
Since v4.3.9.4, we have 'cachecon.sh' script in /nxfilter/bin directory. To clear out the in-memory cache,
cachecon.sh -m
To clear out the persistent cache,
cachecon.sh -p
You can also delete the cache for a single domain,
cachecon.sh -m google.com
cachecon.sh -p google.com
If you want to view the current cache info for a domain,
cachecon.sh -s google.com
You can also specify the query type. If it's for an MX query,
cachecon.sh -s google.com 15
cachecon.sh -m google.com 15
In the old days, when your users tried to access a website before they logged in to NxFilter, they were forwarded to NxFilter's login page. However, since Google started forcing websites to implement SSL certificates, you get an SSL warning instead of the login page when there's a Login Redirection.
To solve this problem you can install CxForward in your users' browsers. CxForward is a Chrome/Edge extension. You can install it from the Chrome Web Store or Microsoft Store. To find out more, read 'CxForward for blocks on HTTPS'.