Using nxfilter with Bind DNS Server


Nigel Kilner

Aug 9, 2017, 6:06:26 AM
to NxFilter
Hi,

I have a small office Linux server running the BIND DNS server for local DNS. I also have an Apache server running. Can I use NxFilter with BIND and Apache? Briefly, how do I integrate them? Port 80 is already busy!

My knowledge of DNS servers is basic, so I am guessing. Can I forward DNS from BIND to NxFilter? Or is it the other way around?

I just need pointing in the right direction and hopefully will be able to do the rest.

Thanks

Nigel

Jinhee

Aug 9, 2017, 6:25:51 AM
to NxFilter
If you have to use your BIND server, you have to put it behind NxFilter. If your clients connect to your BIND server directly, you don't get filtering. And if you put NxFilter behind your BIND, NxFilter can't detect the client IP address. That means no authentication and no multiple policies.

Don't go for too difficult a setup. Install it on another server or VM. NxFilter runs well on a VM with 1 GB of memory.

jeroen...@gmail.com

Aug 9, 2017, 5:28:17 PM
to NxFilter
If you want to run on the same box:
You need to have at least a second (fake) network interface, otherwise that can never work. You already figured that out... port 80 is in use :) and BIND probably already uses port 53.
Then you need to tell Apache and BIND to only use NIC 1 and NxFilter to only use NIC 2.
Set fixed IPs on the NICs and only give 1 NIC a gateway.

In Apache it's easy to limit the interface or IP, but I do not know how to set BIND DNS to a specific interface. You need to google that yourself.
In NxFilter you can set this in cfg.properties:
listen_ip = 192.168.1.4 (correct to your IP address)

Jinhee explained the chain with NxFilter and BIND perfectly.
The best option is to tell clients to use NxFilter as DNS and, within the NxFilter config, set your BIND server IP as Upstream DNS Server #1.
If BIND also handles local DNS, you can set that same address as Local DNS Server. (Do not forget to tick the enable box in that same area.)

I managed to get dnsmasq and NxFilter running on a single Raspberry Pi, so it is possible.
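The post above is a procedure: give the box a second address, pin BIND and Apache to one address and NxFilter to the other so nothing fights over 53/udp, 53/tcp and 80/tcp. The trap is that a daemon left on the wildcard address (0.0.0.0) still claims its port on every address, so moving only NxFilter's listen_ip is not enough. The following is an added example (not from the thread or from NxFilter) that checks a planned listener layout for exactly that. The services, addresses (192.168.1.3 for BIND/Apache is an assumption; 192.168.1.4 is the address used in the post) and ports are constructed from the thread; the fix hints name BIND's `listen-on`, Apache's `Listen` and NxFilter's `listen_ip`.

```python
"""Check a planned listener layout for address/port collisions.

Added example, not from the thread. Nothing is read from the live system:
describe the layout you intend, run the check, then apply the hinted
directives before starting the daemons.
"""
from itertools import combinations
from typing import Dict, List, Tuple

# Binding to any of these claims the port on every address of the host.
WILDCARDS = {"0.0.0.0", "::", "*"}

Listener = Tuple[str, str, str, int]  # (service, proto, address, port)

# Where each service is told which address to use (assumed for this example;
# listen_ip is the key quoted in the post above).
FIX_HINTS: Dict[str, str] = {
    "named": "named.conf options: listen-on { <addr>; };  (and listen-on-v6)",
    "apache2": "httpd.conf / ports.conf: Listen <addr>:<port>",
    "nxfilter": "cfg.properties: listen_ip = <addr>",
}

# Constructed: what you get with three daemons on their default configs.
DEFAULT_LAYOUT: List[Listener] = [
    ("named", "udp", "0.0.0.0", 53), ("named", "tcp", "0.0.0.0", 53),
    ("apache2", "tcp", "0.0.0.0", 80),
    ("nxfilter", "udp", "0.0.0.0", 53), ("nxfilter", "tcp", "0.0.0.0", 53),
    ("nxfilter", "tcp", "0.0.0.0", 80),
]

# Constructed: the split layout from the post. 192.168.1.3 is assumed for
# BIND/Apache; 192.168.1.4 is the NxFilter address given above.
SPLIT_LAYOUT: List[Listener] = [
    ("named", "udp", "192.168.1.3", 53), ("named", "tcp", "192.168.1.3", 53),
    ("apache2", "tcp", "192.168.1.3", 80),
    ("nxfilter", "udp", "192.168.1.4", 53), ("nxfilter", "tcp", "192.168.1.4", 53),
    ("nxfilter", "tcp", "192.168.1.4", 80),
]


def collides(a: Listener, b: Listener) -> bool:
    """Same proto+port and (same address, or either side is a wildcard).

    A wildcard bind takes the port on all addresses, so a later specific
    bind on that port fails with EADDRINUSE whichever order they start in.
    """
    _, proto_a, addr_a, port_a = a
    _, proto_b, addr_b, port_b = b
    if proto_a != proto_b or port_a != port_b:
        return False
    return addr_a == addr_b or addr_a in WILDCARDS or addr_b in WILDCARDS


def find_collisions(layout: List[Listener]) -> List[Tuple[str, str, str, int]]:
    """Return (service_a, service_b, proto, port) for every colliding pair."""
    return [(a[0], b[0], a[1], a[3])
            for a, b in combinations(layout, 2) if collides(a, b)]


def report(layout: List[Listener]) -> List[str]:
    """Human-readable lines: one per collision, plus the directive to fix each side."""
    lines = []
    for svc_a, svc_b, proto, port in find_collisions(layout):
        lines.append(f"{svc_a} and {svc_b} both want {proto}/{port}")
        for svc in (svc_a, svc_b):
            lines.append(f"  {svc}: {FIX_HINTS.get(svc, 'pin this service to one address')}")
    return lines


if __name__ == "__main__":
    for name, layout in (("default", DEFAULT_LAYOUT), ("split", SPLIT_LAYOUT)):
        print(f"== {name} layout ==")
        print("\n".join(report(layout)) or "no collisions")
```

Run it once with your real intended layout; if any line mentions a wildcard, the service on that side still needs its listen directive set, even if the other service already moved.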

Nigel Kilner

Sep 13, 2017, 2:55:56 PM
to NxFilter
Hi guys,

Thanks for your help. I have now set up a dedicated server running NxFilter, and by forwarding requests from bind9 on the main server I have got NxFilter running and it's great!

What I'm trying to do now is to forward some clients to NxFilter and have some use DNS on the main server. I believe this has to be done using 'BIND views'.

I have tried for hours to get it working using similar examples I have found by searching, but although I can set up views and start BIND, neither set of clients can resolve DNS. I wonder if anyone here can shed some light on this or point me in the right direction. Here is a sanitized section of named.conf showing the views. Note the ACLs are declared earlier in the config.

// Sanitized named.conf excerpt. The "unfiltered" and "filtered" ACLs are
// declared earlier in the file. Once any view is defined, every zone must
// live inside a view; a top-level zone statement is a config error.
view "UnFiltered" {
        // Views are tried in the order written; the first view whose
        // match-clients accepts the client wins. A client that matches
        // neither ACL gets REFUSED (named logs "no matching view").
        match-clients { unfiltered; };
        forwarders { 192.168.0.1; };
        recursion yes;
        zone "." in {
                type hint;
                file "root.hint";
        };
        zone "0.0.127.in-addr.arpa" in {
                type master;
                file "master/127.0.0.zone";
                allow-update { none; };
        };
        zone "0.168.192.in-addr.arpa" in {
                type master;
                file "master/192.168.0.zone";
                notify no;
        };
        zone "example-2.com" in {
                type master;
                file "master/example-2.com.zone";
                notify no;
                allow-update { none; };
                allow-query { any; };
        };
        zone "example.co.uk" in {
                type master;
                file "master/example.co.uk.hosts";
                notify no;
                allow-update { none; };
                allow-query { any; };
        };
};
view "Filtered" {
        match-clients { filtered; };
        // 192.168.0.125 is the NxFilter server. If NxFilter's upstream
        // is this BIND server, 192.168.0.125 must match the UnFiltered
        // view (or any view with a real upstream), otherwise its queries
        // land back in this view and loop until they time out.
        forwarders { 192.168.0.125; };
        // Default is "forward first": if NxFilter does not answer, BIND
        // resolves via the root hints itself and silently bypasses the
        // filter. "forward only" makes this view fail closed instead.
        forward only;
        recursion yes;
        zone "." in {
                type hint;
                file "root.hint";
        };
        zone "0.0.127.in-addr.arpa" in {
                type master;
                file "master/127.0.0.zone";
                allow-update { none; };
        };
        zone "0.168.192.in-addr.arpa" in {
                type master;
                file "master/192.168.0.fil.zone";
                notify no;
        };
        zone "example-2.com" in {
                type master;
                file "master/example-2.com.zone";
                notify no;
                allow-update { none; };
                allow-query { any; };
        };
        zone "example.co.uk" in {
                type master;
                file "master/janus.example.co.uk.hosts";
                notify no;
                allow-update { none; };
                allow-query { any; };
        };
};

I thought it best to start here before I go asking on other forums.

Cheers

Nigel
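Two things decide whether the views above do anything: view order (BIND takes the first view whose match-clients accepts the source address, and a client that matches no view is refused outright) and where the NxFilter server's own address lands, because if NxFilter forwards back to this BIND server and 192.168.0.125 falls into the "Filtered" view, the query loops between the two. The following is an added example (not from the thread, not BIND code) that replays those two rules over a set of ACLs so you can see which view a given client would hit before touching named. The ACL contents are constructed, since the post declares them elsewhere and does not show them; the view names, forwarders and 192.168.0.125 are from the posted config.

```python
"""Replay BIND view selection and spot a forwarder loop.

Added example, not from the thread. Edit ACLS and VIEWS to mirror your
named.conf, then ask which view a client address would land in.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed ACLs (the real ones are not shown in the post). A leading "!"
# negates an element, as in named.conf.
ACLS: Dict[str, List[str]] = {
    "unfiltered": ["192.168.0.125", "192.168.0.0/26"],   # NxFilter box + a few hosts
    "filtered":   ["!192.168.0.200", "192.168.0.0/24"],  # the rest of the LAN
}

# Views in named.conf order, with their match-clients and forwarders.
VIEWS: List[dict] = [
    {"name": "UnFiltered", "match_clients": ["unfiltered"], "forwarders": ["192.168.0.1"]},
    {"name": "Filtered",   "match_clients": ["filtered"],   "forwarders": ["192.168.0.125"]},
]


def match_list(ip: IPAddr, elements: List[str], acls: Dict[str, List[str]], depth: int = 0) -> bool:
    """BIND address_match_list rule: the first element that matches decides.

    A matching element written with "!" makes the whole list a non-match.
    ACL names are expanded in place; a nested list that does not match
    (including a nested negated hit, an assumption here) is skipped.
    """
    if depth > 8:
        raise ValueError("ACL nesting too deep (recursive acl definition?)")
    for element in elements:
        negated = element.startswith("!")
        name = element[1:].strip() if negated else element
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = match_list(ip, acls[name], acls, depth + 1)
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return False


def select_view(client: str, views: List[dict] = VIEWS, acls: Dict[str, List[str]] = ACLS) -> Optional[str]:
    """Name of the first view accepting the client, or None.

    None is the REFUSED case: no view matched, which is what a client sees
    when an ACL typo leaves it out of every match-clients list.
    """
    ip = ipaddress.ip_address(client)
    for view in views:
        if match_list(ip, view["match_clients"], acls):
            return view["name"]
    return None


def forwarding_loops(views: List[dict], acls: Dict[str, List[str]], forwarders_using_us: Set[str]) -> List[str]:
    """Flag a view that forwards to a resolver whose own upstream is this server.

    forwarders_using_us lists forwarder addresses that send their queries back
    here (NxFilter with Upstream DNS set to this BIND). If such a forwarder's
    source address selects the very view that forwards to it, every query
    bounces between the two until it times out.
    """
    problems = []
    for view in views:
        for fwd in view["forwarders"]:
            if fwd in forwarders_using_us and select_view(fwd, views, acls) == view["name"]:
                problems.append(f"view {view['name']!r} forwards to {fwd}, "
                                f"but queries from {fwd} also select view {view['name']!r}")
    return problems


if __name__ == "__main__":
    for client in ("192.168.0.10", "192.168.0.100", "192.168.0.125", "192.168.0.200"):
        print(f"{client:15} -> {select_view(client) or 'REFUSED (no matching view)'}")
    print(forwarding_loops(VIEWS, ACLS, {"192.168.0.125"}) or "no forwarder loop")
```

The same check with the two views swapped shows why order matters: with "Filtered" first, 192.168.0.125 is swallowed by 192.168.0.0/24 and the loop appears, even though the ACLs are unchanged. On the live server, `named-checkconf` catches syntax but not this; `dig @bind-ip example.com` from a host in each ACL, watching for REFUSED versus an answer, is the runtime equivalent.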

Jahastech

Sep 13, 2017, 8:14:27 PM
to NxFilter
Just put NxFilter on the front, bypass filtering for those domains, and use your BIND server as its upstream server.

Other ways:

  - You could set up a local DNS for bypassing a specific domain to a specific DNS server.

  - You could use zone transfer on NxFilter to serve a specific domain from some DNS server on NxFilter.