Faster and lighter
Traditionally we made a web-filter based on HTTP proxy server. There are many commercial products based on Squid proxy. But with this approach you might have a serious latency problem on your network. This is because your web traffic needs to go through one point in your network that is your web-filter and it becomes a bottle neck in your network. This latency problem gets bigger when you have bigger number of users. But there’s another approach. That’s DNS filtering and NxFilter is a dns-filter. It’s basically a forwarding DNS server with filtering ability. Since it uses light weight DNS protocol there’s no need to have your traffic going through anywhere. You get no latency problem with NxFilter.
Boosting up your Internet speed
Some users reported that after they installed NxFilter on their network their Internet speed improved greatly. This is because NxFilter keeps local cache for DNS lookup. Suppose in your network everybody uses Google public DNS server or your ISP DNS server. Their DNS queries need to be sent to these DNS servers on the Internet and your users need to wait for the response back from these servers. But if you have NxFilter in your network it keeps cache for the DNS response from its upstream DNS servers and reduces the network traffic greatly and your users don’t need to wait for the response from these DNS servers on the Internet.
Even though it’s faster and lighter than the traditional web-proxy based filtering, DNS filtering had its own limit in the past. It did not support user authentication. This is natural because DNS protocol doesn’t have authentication scheme. It was the biggest obstacle for a dns-filter to be employed in real-world enterprise environment.
However being a dns-filter, NxFilter provides 4 types of authentication methods for user identification.
- IP based authentication
- Password based authentication
- LDAP authentication
- Single sign-on with Active Directory
With NxFilter you can differentiate users and apply different filtering policies.
NxFilter supports application control through its agents, NxLogon and NxClient. With this feature you can block UltraSurf, Tor, uTorrent, Skype, Minecraft and other applications you want to block.
- NxLogon is the Active Directory single sign-on agent of NxFilter and NxClient is the remote user filtering agent for NxFilter.
There are many benefits only from a dns-filter but we had to give up several things if we want to go with a dns-filter so far. You can’t enforce safe-search and you can’t have keyword filtering against URL as it’s working on DNS level. But now NxFilter provides web-proxy filtering through its agents, NxLogon and NxClient. NxLogon and NxClient themselves are local web-proxy and they can do whatever a web-filter can do. Currently It supports safe-search enforcing and URL keyword filtering, IP host blocking.
One might think providing these web-proxy agents, NxFilter is not a light-weight filtering solution anymore. But it still is. These web-proxy agents are working as local web-proxy only for one user so it doesn’t cause any network performance issue.
When you deploy a web-filter in your network. The most tricky part would be forcing filtering on your users without too much hassle. If you go with a web-proxy based filtering product you need to setup all the browsers pointing your web-filter as their proxy server. To make things easier you can use so called ‘transparent proxy’ setup so that you don’t need to setup all the browsers one by one. But with the transparent proxy setup you have a problem for HTTPS filtering as it is breaking the browser restriction for ‘man in the middle attack’. Your browser will not send HTTPS request to your proxy if you try to redirect the traffic transparently. And plus this transparent proxy setup is quite challenging even for a seasoned systems engineer.
If you go with a dns-filter you are free from all these hassles. You just need to setup your DHCP server using NxFilter as the DNS server for its clients. Then your users will use NxFilter as their DNS server and they will be under filtering. Forcing filtering to users is also possible. You can block outgoing 53 port on UDP and TCP except from NxFilter. Now NxFilter becomes the only DNS server your users can use. It’s already transparent and doesn’t cause ‘man in the middle attack’ problem with HTTPS.
It’s not just for HTTP traffic
If it’s a web-proxy based filtering product you only can filter HTTP and HTTPS but with DNS filtering you can filter almost every protocols including HTTP, HTTPS, FTP, P2P as long as they use DNS.
NxFilter is also capable of detecting malware and botnet based on DNS packet inspection. It is possible because NxFilter is working on DNS level.
- Unset Alert Categories at default.
- Use ‘block_public_ip’ option when it’s actually set.
- Baselist has been updated to 3740797.