![]() ![]() WebProxy and other HTTP filters have enjoyed great popularity for many years – probably because they are comparatively simple to use. The design of the NxFilter user interface can also be customized. For example, companies can use NxFilter to generate their own cloud filter service for paid users. Basically, the developers grant their users extensive rights. Companies, public institutions, and private persons can use the tool. NxFilter is available under a freeware license. Figure 1 illustrates the differences between unfiltered and filtered DNS queries.įigure 1: Comparison of unfiltered (top) and filtered (bottom) DNS traffic. Ideally, the cache provides the responses, which results in a significant reduction of network traffic. If you operate a local DNS filter, the local DNS server serves the queries. Assuming a corporate network uses the Internet provider's DNS servers, the DNS queries have to be sent to these servers, and the network clients have to wait for a response. The reason for the performance gain is the local cache that NxFilter uses and manages for DNS lookups. The news gets better: Experience reports indicate that the use of NxFilter has a positive effect on the Internet connection of all the network clients. Because the DNS protocol is used, the data traffic does not have to pass through a special filter – thus eliminating latency problems. In essence, NxFilter is a forwarding DNS server with a filter function. NxFilter is a freeware DNS filter that can compete with commercial products in terms of functionality and performance. This limitation can be solved with the help of a DNS filter, which can monitor all the traffic, regardless of the protocol used to send or receive data. However, latency is not the only problem: Proxy servers primarily specialize in filtering HTTP connections. ![]() These latency problems grow with the number of users. The use of such filters, often employing the Squid proxy server and similar tools, leads in practice to serious latency problems on the network because the proxy server analyzes and filters the web traffic and thus becomes a bottleneck. Now, I'm quite new to having any kind of "advanced" DNS setup so I hope this isn't to complicated and explodes someones head.Web filters that are based on the HTTP proxy server principle are part of the standard toolkit for protecting corporate networks. But I'm not sure I would be able to apply both BlockerNG rules and NxFilter rules if I go that route, especially for hosts that might be inside my own network. Part of me is thinking that a "better" approach would be to Have dc as the DNS used and add NxFilter and perhaps even dc as forwarding DNS servers in dc. But I'm not sure it is the "correct" way. Now, this seems to actually work out fine. Since router's list of DNS servers includes dc NxFilter first tries to resolve and applies its rules, then if needed it forwards to router which in turn looks up domain stuff using dc. I then simply just added the IP of the NxFilter installation to be the first DNS Server in the list of DNS Servers handed out by the DHCP Server on router and added the IP of router and it's DNS Resolver as the upstream DNS server of NxFilter. To try I just installed NxFilter as a docker container on server with it's own LAN ip. But, I'm starting to feel that it might be a bit "to many" DNS's involved in my setup and that I might not be doing it in the "correct" way. ![]() My idea is to be able to do more fine grained DNS filtering with that for the kids based on their Domain Users. The Active Directory on the domain works fine, internal hostnames work fine and external hosts are resolved correctly.īut, now I was thinking about addin NxFilter to the mix. ![]() I had set the DHCP Server on router to give the ip of dc as the first DNS server and then dc uses router as a forwarding DNS for things outside my own network. Since I have three children in the house it also allows me to apply basic DNS filtering based "protection" against certain "known things" by running BlockerNG and Snort (although I still need more time to configure this). It allows it (and me) to easily add specific hostnames for an ip, reroute stuff etc. For instance server would have issues asking for a DHCP lease from dc if it hadn't started the VM of dc first. Mostly because it's handy to log into the webadmin of pfSense to fix things instead of using Remote Desktop to login to dc and also since dc is a VM and depending on a reboot of its host server might not be up when I need it to. The router is acting as the DHCP server, although I have heard that it's prefered to let dc handle it. I then have another physical machine acting as my router running pfsense ( router). I have a setup consisting of a physical server ( server) running Ubuntu, on that, a Windows 2016 Server running as a VM serves as a Domain Controller ( dc). ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |