NxFilter Tutorial

FAQ
Frequently asked questions for NxFilter.


I can bypass NxFilter by accessing websites using IP address.

Some people say that DNS filtering is useless because they can access a website by its IP address. This is naive and simply not true. On today's Internet, most websites run on virtual hosts, which means there are multiple websites on one IP address. You can't access these websites without using a domain.

The other thing to consider is that there are many URLs embedded in a webpage. This is especially true of big portal sites. Those URLs depend on DNS as well. If you try to access a blocked website using an IP address, you will just get a broken webpage in most cases.


It doesn't get blocked/unblocked right away.

This is mostly caused by the DNS cache on your system. On a Windows system there are two kinds of DNS cache: one in your browser and another in the Windows OS. Until they expire, your policy change for blocking/unblocking will not take effect. Both caches expire eventually, but you might want to clear them immediately. You can clear the browser cache by restarting your browser.

To clear the Windows DNS cache, run the following command in CMD.


	ipconfig /flushdns

Normally, a DNS cache entry expires within a day at most. Of course, it depends on the TTL of the DNS record, but that is usually not bigger than 86,400 seconds (1 day). The browser cache may take several minutes to expire. Either way, the cache expires eventually and your filtering policy takes effect. So, in the end, this is not a problem as you don't need to block/unblock a website many times a day.


How do I force a user to be filtered by NxFilter?

If you have a firewall in your network, it is a simple task. You just need to block outgoing UDP/53 and TCP/53 traffic except from NxFilter. Then use DHCP to set NxFilter as the DNS server for your network. Now NxFilter becomes the only DNS server your users can use, and their DNS settings are pointed at NxFilter automatically.
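
The firewall half of this setup, as an added example that is not part of NxFilter or of the original FAQ: a dry-run script for a Linux gateway using iptables. It assumes NxFilter runs on a separate LAN host at 192.168.0.100 in the LAN 192.168.0.0/24 (sample values); the function names and the APPLY switch are hypothetical.

```shell
#!/bin/sh
# Added example, not part of NxFilter. Intended for a Linux gateway that
# forwards LAN traffic, with NxFilter on a separate LAN host.
# Sample values (assumptions): NxFilter 192.168.0.100, LAN 192.168.0.0/24.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

# Succeed only for address/prefix with a prefix length of 0-32.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    bits=${1#*/}
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    is_ipv4 "${1%/*}" && [ "$bits" -le 32 ]
}

# Print each command by default; execute it only when APPLY=1 (needs root).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Usage: dns_lockdown <nxfilter_ip> <lan_cidr>
dns_lockdown() {
    is_ipv4 "$1" || { echo "invalid NxFilter IP: $1" >&2; return 1; }
    is_cidr "$2" || { echo "invalid LAN range: $2" >&2; return 1; }
    for proto in udp tcp; do
        # NxFilter may still reach its upstream DNS servers.
        run iptables -A FORWARD -s "$1" -p "$proto" --dport 53 -j ACCEPT
        # Any other LAN client is refused direct DNS to the outside.
        run iptables -A FORWARD -s "$2" -p "$proto" --dport 53 -j REJECT
    done
}

# Dry run with the sample values; prints four iptables commands.
dns_lockdown 192.168.0.100 192.168.0.0/24
```

Review the printed rules first, then rerun with APPLY=1 as root on the gateway.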


How does NxFilter determine which policy is applied to a user?

If you're an experienced systems administrator, you might already be familiar with many of NxFilter's features, as they are common in other network security solutions. However, for those less experienced with such technologies, NxFilter's policy decision system might not be as straightforward. This is particularly true for home network users.

To read more, see https://forum.nxfilter.org/tips-tricks/2739-understanding-the-policy-application-system-of-nxfilter


What is the quickest way of blocking 'facebook.com'?

Add '*.facebook.com' on 'Whitelist > Domain' with the Admin Block option.


I want to block 'facebook.com' for my students only.

You need to be able to differentiate your students on NxFilter by authentication first. Then block the Social Networking category on a policy (when you use Jahaslist) and assign the policy to the user or group associated with your students.


I want to allow sales department to use the internet freely at lunchtime.

1. Create a user or a group for your sales department.

2. Define the free-time in 'Policy > Free Time' for the lunchtime in your company.

3. Create a policy that doesn't block anything.

4. Assign the policy as the free-time policy of the user or group.


How do I change NxFilter's webserver port?

You can change the HTTP/HTTPS listening ports on NxFilter. However, when you change the HTTP port you will lose your block page redirection. This is because when NxFilter redirects a user on HTTP, there needs to be something waiting for the browser on port TCP/80.

To change the ports, modify these two parameters in the /nxfilter/conf/cfg.properties file.

    http_port = 80
    https_port = 443

After you change the ports, restart NxFilter.


How do I reset admin password?

We have the /nxfilter/bin/reset-pw.sh script to reset the admin password. Once you run the script, the admin name and password will be reset to 'admin'. You need to run the script while NxFilter is running.

There is also /nxfilter/bin/reset-acl.sh to reset the access restriction to the GUI.


Can I bind NxFilter to a specific IP address?

You might want to bind NxFilter to a specific IP address to avoid a port collision problem. You can do this with the 'listen_ip' parameter in the /nxfilter/conf/cfg.properties file. If you set it to '0.0.0.0', NxFilter will listen on all the IP addresses of your system, but if you set it to a specific IP address, NxFilter will listen on that IP address only.

Even if you bind NxFilter to a specific IP address, you cannot run multiple NxFilter instances on the same machine. This is because NxFilter needs to bind several ports on localhost for internal communication.


How do I bypass my local domain from filtering?

On 'DNS > Setup', you can set your local DNS server and local domain. With this setup, if there are DNS queries for your local domain, NxFilter forwards the queries to your local DNS server and bypasses authentication, filtering and logging.


Can I use an exact matching keyword for log search?

You can use square brackets for exact matching on log search.

    ex) [john], [192.168.0.1]


Why do I need to re-login after lunch break?

Your login session has expired. If there is no activity (DNS query) from your PC for a certain amount of time, your login session expires. You can increase the value for Login Session TTL on 'System > Setup'.

If you use single sign-on with Active Directory, you can avoid this problem.


How do I apply my own SSL certificate?

To use your own SSL certificate, you need to build a Java KeyStore (JKS) file. If you already have a certificate in CRT format, you need to convert it to a JKS file. Then set two parameters in the /nxfilter/conf/cfg.properties file: 'keystore_file' and 'keystore_pass'. You can set your JKS file like below,

    keystore_file = conf/myown.jks
    keystore_pass = 123456

There are many documents on the internet on how to build a JKS file or convert a CRT file into a JKS file.
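
One way to do the CRT-to-JKS conversion, as an added example that is not NxFilter's own tooling: it uses openssl and the JDK's keytool. The function name, the alias "nxfilter", the file names and the KS_PASS environment variable are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not NxFilter's own tooling: build a JKS keystore from a PEM
# certificate and its private key with openssl and the JDK's keytool.
# Assumptions: the alias "nxfilter", the file names in the usage line, and
# passing the keystore password through the KS_PASS environment variable.

# Usage: KS_PASS=... make_jks <cert.crt> <private.key> <out.jks>
# The body runs in a subshell so umask and exports do not leak to the caller.
make_jks() (
    crt=$1 key=$2 jks=$3 pass=${KS_PASS:-}
    [ -r "$crt" ] && [ -r "$key" ] ||
        { echo "certificate or key file is not readable" >&2; exit 1; }
    # keytool rejects keystore passwords shorter than 6 characters.
    [ "${#pass}" -ge 6 ] ||
        { echo "export KS_PASS with at least 6 characters" >&2; exit 1; }
    # Never overwrite an existing keystore.
    [ ! -e "$jks" ] || { echo "$jks already exists" >&2; exit 1; }

    export KS_PASS
    umask 077                      # key material readable by the owner only
    p12=$(mktemp) || exit 1

    # Step 1: bundle certificate and key into a temporary PKCS#12 file.
    # Step 2: import that bundle into a new JKS keystore. Using the same
    # password on both sides leaves the key entry protected by it as well.
    if openssl pkcs12 -export -in "$crt" -inkey "$key" -name nxfilter \
           -out "$p12" -passout env:KS_PASS &&
       keytool -importkeystore -noprompt \
           -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
           -destkeystore "$jks" -deststoretype JKS -deststorepass:env KS_PASS
    then rc=0; else rc=1; fi

    rm -f "$p12"                   # the temporary bundle holds the private key
    exit "$rc"
)

# Example call (file names are placeholders):
#   KS_PASS='choose-a-long-password' make_jks mysite.crt mysite.key conf/myown.jks
# Then set keystore_file and keystore_pass in cfg.properties to match.
```

Since 'keystore_pass' is stored in cfg.properties in plain text, keep that file readable only by the account that runs NxFilter.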


How do I enable debugging?

When there is something wrong with NxFilter, the first thing to do is find out exactly what is going on from its system log data. NxFilter keeps its system log data in the /nxfilter/log directory. If you need more detailed log data, enable debugging in /nxfilter/conf/log4j.properties. Change 'INFO' to 'DEBUG' inside the file and restart NxFilter.


How do I hide SSL warning?

When you are blocked on HTTPS, you get an SSL warning page instead of the NxFilter block page in your browser. This is to prevent 'Man In The Middle' attacks. However, many people find it annoying and want to show the block page with a proper block reason.

The simpler option is to enable the Silent Block option on 'System > Setup'. With this option enabled, NxFilter doesn't do block redirection. So, there's no block page to be shown and no SSL warning either. It will appear as a connection problem or a DNS resolution failure in your browser.

Another option is to use CxForward. CxForward is a Chrome/Edge extension we provide. It will bypass the SSL warning and forward your browser to the block page. To find out more, read 'CxForward for blocks on HTTPS'.


I don't see any username on 'Logging > DNS Request'.

The first thing to check is the Enable Authentication option on 'System > Setup'. Some people don't understand that they need to enable authentication before implementing any authentication method.


How to set up a time zone?

Some of our users reported that NxFilter has a different time zone from the system it is running on. This happens mostly on CentOS. When you need to set up a time zone for NxFilter manually, you can do that at the JVM level. In /nxfilter/bin/startup.sh, set the following parameter.

    -Duser.timezone=Europe/Rome


How do I force a user to logout?

You can destroy a user's login session on 'User > List > Test'.


What is 'Queue full' error?

You get the 'Queue full' error when NxFilter can't process the DNS requests in its job queue fast enough. It can happen when you lose the network connection to your upstream server or when you have too many requests for your system's performance. If it is caused by a network connection problem, it will go away after your connection is restored.

NxFilter introduced Persistent Cache as of v4.1.1. NxFilter keeps working from its Persistent Cache when it loses its connection to its upstream server.

If you don't have a network connection problem, then you might need to do some tweaks on your system. If you have more than 1,000 users, you may need to increase the memory allocation for NxFilter.


How to block porn in Google and YouTube search results?

You can force Safe Search from NxFilter. There is a Safe Search option on a policy.

Switching between the Moderate and Strict options makes a difference only for YouTube.


Can I bypass a specific user from filtering and logging?

You might want to bypass some of your users from filtering and logging. You can add the client IP addresses you want to bypass from filtering and logging on 'DNS > Access Control > Bypass All'.


Can I install NxFilter on my Active Directory domain controller?

Some people want to install NxFilter on their Active Directory domain controller. It is ideal if you don't want to have one more hardware or VM. However, a domain controller usually has its own MS DNS server, and that causes a port collision problem with NxFilter. The solution is to add one more IP address to your domain controller, have your MS DNS server listen on only one IP address and have NxFilter listen on the other.

For example, if you want NxFilter to listen on 192.168.0.100 only, modify the value of the 'listen_ip' parameter in the c:/nxfilter/conf/cfg.properties file.

    listen_ip = 192.168.0.100

We have a video tutorial for this on YouTube.


How can I calculate the number of users for a commercial license?

NxFilter counts the number of usernames, client IP addresses and DNS requests on a daily basis. If one of them exceeds your licensed user number, any unlicensed user or request will appear as blocked in your log view. However, since it is a warning measure, this blocking does not actually happen on the user side.

The daily request number NxFilter allows for one user is 4,000 (if you have a 100-user license, you can make 4,000 x 100 requests a day). According to our statistics so far, in an ordinary office or school environment, one user makes up to 1,500 requests a day. We added 2,500 requests as a redundancy to it. So, it becomes 4,000 requests a day for one user. For request counting, we only count 'A' type DNS queries.

To find out the number of users in your network, view the usage report for the last 30 days on 'Report > Usage'.

There are 'total' and 'unique' counts for requests on the usage report. We use 'unique', which is smaller, for the license restriction.


What is 'Too many requests' error?

We count the number of requests for license protection, and you are making more DNS requests than the number permitted by your license. Read 'How can I calculate the number of users for a commercial license?'

We only count 'A' type DNS queries.


How do I add more users to my license?

You can increase your existing license size after its purchase. When you add more users, you only need to pay for the remaining period on your license. Suppose that you want to add 100 users after spending 6 months on your license; then you only need to pay 50% of your new purchase. To add more users to your license, contact us at 'support @ nxfilter.org'.


My Internet connection gets faster after I install NxFilter.

It's because you now have a DNS caching server in your network. Before you install NxFilter, your users were making DNS queries against 'google.com' over and over again. When you use a public DNS server from the internet, this means that your users are sending UDP packets to somewhere on the internet and waiting for the following responses many times a day. However, after you install NxFilter, once a DNS response has been cached by NxFilter, your users will get their DNS responses directly from NxFilter. So, there will be no latency from a public DNS server on the internet and your users will be experiencing a faster Internet connection.


Can I bypass authentication by NxCloud?

When you run NxCloud, you need to know who is who first, as everything needs to belong to an operator. However, some people want to let their users resolve some domains without the authentication process. In that case, you can do 'Total Bypass' for a domain. When you whitelist a domain on the admin GUI with the Bypass Filtering and Bypass Logging flags, it becomes Total Bypass for the domain and it bypasses authentication as well.


Does NxFilter support IPv6?

Yes, you can point to NxFilter by its IPv6 address. However, we disabled its socket server on IPv6 addresses by default. This is because if we accept DNS requests on both IPv4 and IPv6, you may need to log in twice when you use authentication. To prevent such confusion, we recommend that you set nothing for the DNS server of your IPv6 network. Your users will use the DNS server set for your IPv4 network.

If you still want to set NxFilter as the DNS server for your IPv6 network, one possible approach is to use an IPv4-mapped IPv6 address. Suppose that your NxFilter is running on 192.168.0.100. Then you can use an IPv6 address like below to point to the server,

    ::ffff:192.168.0.100

If you have to use a real IPv6 address for NxFilter, set the value of 'java.net.preferIPv4Stack' to 'false' in /nxfilter/bin/startup.sh.

    java -Djava.net.preferIPv4Stack=false -Xmx1024m -cp $NX_HOME/nxd.jar:$NX_HOME//lib/*: nxd.Main


How to update it from v3 to v4?

Some users want to update their NxFilter v3 to v4. Basically, there shouldn't be any problem with that, but those who use Shallalist, which is not supported by v4, may have a problem. If you update from v3 to v4 while keeping the Shallalist option, you will not be able to start up NxFilter. So, you have to change it to Jahaslist or one of the other domain categorization options supported by v4 before you update.

If you have to change it to Jahaslist manually, you can modify /nxfilter/conf/cfg.properties file. Change the value of 'blacklist_type' to 5 like below,

    blacklist_type = 5


How do I utilize the public blocklists from the internet?

As of v4.3.3.7 of NxFilter, you can use the public blocklists from the internet for filtering. If it's a hosts file or a file containing domains separated by newlines, you can have it downloaded and merged automatically overnight on 'Classifier > Blocklist'. To find out more, read 'Classifier > Blocklist'.


How do I allow guest access?

You may want to allow temporary network access to guests visiting your office while filtering and authentication are enabled. With NxFilter, this is a simple task as you can have multiple authentication methods at the same time. You can create a guest account associated with an IP range covering the entire network of your office. In NxFilter's authentication precedence, IP range association comes last. If your users do single sign-on with NxFilter's SSO agent or if they have a single IP association, they will still appear with their own username while your guests appear with the guest account you created.

To find out more about NxFilter's authentication precedence, read 'Authentication precedence'.


Why do I get 'Invalid License' error?

It's mostly caused by your firewall rules. You need to open the outgoing TCP/80, TCP/443 and UDP/123 ports for NxFilter.


Can I clear DNS response cache on NxFilter without restarting it?

Since v4.3.9.4, we have the 'cachecon.sh' script in the /nxfilter/bin directory. To clear out the in-memory cache,


	cachecon.sh -m

To clear out the persistent cache,


	cachecon.sh -p

You can also delete the cache for a single domain,


	cachecon.sh -m google.com
	cachecon.sh -p google.com

If you want to view the current cache info for a domain,


	cachecon.sh -s google.com

You can also specify the query type. If it's for an MX query,


	cachecon.sh -s google.com 15
	cachecon.sh -m google.com 15

On Windows, use the 'cachecon.bat' file.


Why do I get SSL warning instead of Login Page?

In the old days, when your users tried to access a website before logging in to NxFilter, they were forwarded to NxFilter's login page. However, since Google started forcing websites to implement SSL certificates, you get an SSL warning instead of the login page when there's a Login Redirection.

To solve this problem, you can install CxForward in your users' browsers. CxForward is a Chrome/Edge extension. You can install it from the Chrome Web Store or Microsoft Store. To find out more, read 'CxForward for blocks on HTTPS'.
