NxFilter- How to Make It the Only DNS Server on the Network

 

Introduction

 

NxFilter is a great way to make the internet safer for your kids. Luckily, it’s free for home use as long as you don’t need to monitor more than 20 users or devices. It works by filtering DNS requests to each client. No matter what kind of device they are using (a computer or a phone), as long as they are connected to your WiFi you can control what they can access. It’s also a good way to monitor their online habits and see which websites they are visiting. If you’re not familiar with NxFilter, you can read more about it here.

Not only that, but you can limit their bandwidth usage too. I give my kids 3 GB of wireless data per day, which is several hours of watching videos on YouTube and streaming music on Spotify. I also set up quota limits based on categories, so they can only spend so much time online before they have to get off their devices and find something else to do (like spend time with their family). Once they go over the bandwidth or quota limit, they are cut off from the internet.

In order to achieve this cutoff though, I need to ensure that NxFilter is controlling their internet usage. NxFilter is a DNS server as well as a filter. But setting up NxFilter doesn’t do any good if the devices on the network can connect to another DNS server- like Google’s popular public DNS servers (8.8.8.8 and 8.8.4.4).

This post is going to cover the two things we need to do to allow NxFilter to do its job. First, we need the devices on the network to use NxFilter as a DNS server. The second thing we need to do is make sure NxFilter can’t be bypassed by using public DNS servers.

I use pfSense as my gateway/router. As you follow along, you’ll have to find the settings in your specific router. If you need help with your setup, why not try the NxFilter forum right here on HomeTech How-To?

 

 

Set up NxFilter as the network’s DNS server

 

pfSense makes this one pretty easy. The best way to accomplish this is to assign NxFilter as your DNS server using DHCP. I know, I know, that sounds complicated. But it’s really not. When a device connects to the network, it needs an IP address. Most routers serve as DHCP servers. A DHCP server automatically finds an IP address that’s not already being used and issues it to the device that requested it. The process is transparent. So why not have your router assign NxFilter as the DNS server when you assign an IP address?

pfSense allows you to pick the DNS servers that the DHCP server will use. For everyone else not using pfSense, you’ll need to turn off any kind of automatic DNS assignment (in a Netgear Nighthawk router, this option will be under Internet Options → Domain Name Server (DNS) Address → Get Dynamically from ISP), then choose to use a static IP address. The static IP address should be the IP address of the computer where NxFilter is installed.



In pfSense, start by going to System → General Setup. Clear out any DNS server IP addresses.

The easiest way to automatically assign a DNS server in pfSense is by letting the DHCP server do the work for you.

Make sure the DHCP server is set up to use the IP address of the computer where NxFilter is installed as its DNS server.



Block external DNS servers

 

This one could be a little tricky for non-pfSense routers (but not impossible). What we want to achieve here is to make sure that a user can’t manually set their DNS to a public server, as shown below:

An easy way to bypass DNS filtering- use public DNS servers.


To prevent this, we need to block the port that handles DNS requests- port 53. Then, we’ll set up a rule that allows only NxFilter to access outside DNS servers. This way, we can let NxFilter control which users and devices are allowed to access the internet.

For pfSense, we can easily set this up using aliases and firewall rules. An alias is a way to group one or more network devices together using IP addresses or host names. A device can belong to more than one alias. You can specify an individual IP address, or you can set a range. Additionally, using aliases adds to the readability of your firewall rules. When you look at the rules again in a few months, it makes it easier to see what you were doing. This definitely helps if you have a lot of firewall rules or need to figure out where to place a rule so that it’s processed correctly.



An IP address can be assigned to more than one alias. Notice 10.0.1.181 is used several times for different aliases.

This is the result we want for our alias. Let’s set it up.

Click on + Add at the bottom of the screen. Notice I also created an alias for NxFilter that I’ll be using later on. Creating aliases also helps you read your firewall rules when you look at them again months, or even years, down the road.

Choose a name. Spaces aren’t allowed in the name, but you can add a description with spaces if you want. Add the DNS server you want to use. I’m using Google’s public DNS servers. Click + Add Host.

We’ll add another DNS server address as a backup. When you’re done, click Save.



Now all that’s left to do is set up our firewall rules. I’m going to reemphasize this point several times- pfSense prioritizes rules from top to bottom in the rule list. That means that a block rule listed above an allow rule will take precedence. This is important, because we’re going to make a rule that blocks port 53, then another rule that allows NxFilter to access external DNS servers. If the allow rule isn’t above the block rule, you won’t have any DNS at all for your network.



This is the firewall rule we want to create.

To begin, scroll to the bottom of your rules list and click the ↑ Add button to add the rule to the top of your list.

Set the rule up as shown.

Set the source and destination to any as shown. Set the destination port as DNS (53). It’s not necessary to fill in the To port here, but it won’t hurt anything either.

Now click Save. This rule will block all DNS requests on the network, including from NxFilter.

Here’s the firewall rule we want to create to allow NxFilter access to external DNS servers. Notice this rule is above the last rule we created. pfSense LAN firewall rules have priority from top to bottom.

To add the next rule, click the ↑ Add button.

Set the rule as shown.

For source, choose Single host or alias and input the IP address or alias for NxFilter. For destination, choose Single host or alias and select the AllowedDNS alias we created earlier. Set the destination port to DNS (53).

Click Save.

Completely optional, but we can add separators to help us understand our rules in the future. Click the button.

Type in the title of the separator and choose a color. Click Save.

Now just drag and drop the separator up to where you want it.

You can add as many as you need. Once you’re done creating separators, don’t forget to click the Save button. This saves the rule list’s order.

At the top of the page, you must click Apply Changes. Make sure the NxFilter/AllowedDNS rule is above the port 53 block rule! The LAN firewall rules have a top-down priority.

You’ll get a confirmation. Your new firewall rules should now be active.
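
To confirm both rules behave as intended, the following check (an added example, not part of the original post) sends a DNS query over UDP port 53 directly to NxFilter and to the public servers in the AllowedDNS alias. It reports a finding if NxFilter cannot resolve (the symptom of the allow rule sitting below the block rule) or if a public server answers (the block rule is not in effect). Run it from an ordinary LAN client, not from the NxFilter host; the address 192.168.1.10 is a placeholder for your NxFilter IP.

```python
import secrets
import socket
import struct

def build_query(name, qid):
    """Minimal DNS query for an A record, with recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply, qid):
    """'resolved' = NOERROR with answers, 'error' = any other reply, else 'no-response'."""
    if len(reply) < 12:
        return "no-response"
    rid, flags, _, ancount = struct.unpack("!HHHH", reply[:8])
    if rid != qid or not (flags & 0x8000):  # wrong transaction or not a response
        return "no-response"
    return "resolved" if (flags & 0x000F) == 0 and ancount > 0 else "error"

def probe(server, name="example.com", timeout=3.0):
    """Send one UDP/53 query straight to `server` and classify what comes back."""
    qid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (server, 53))
            reply, _ = sock.recvfrom(512)
        except OSError:  # timeout or unreachable: the query was dropped
            return "no-response"
    return classify(reply, qid)

def audit(nxfilter_ip, external=("8.8.8.8", "8.8.4.4"), probe_fn=probe):
    """Return a list of findings; an empty list means both rules behave as intended."""
    findings = []
    if probe_fn(nxfilter_ip) != "resolved":
        findings.append(f"{nxfilter_ip}: NxFilter cannot resolve; check the allow rule is above the block rule")
    for ip in external:
        if probe_fn(ip) != "no-response":
            findings.append(f"{ip}: reachable on port 53; the block rule is not in effect for this client")
    return findings

if __name__ == "__main__":
    NXFILTER_IP = "192.168.1.10"  # assumption: replace with your NxFilter host
    for line in audit(NXFILTER_IP) or ["OK: only NxFilter answers DNS from this client"]:
        print(line)
```

The check covers UDP port 53 only, so it says nothing about other protocols or ports.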







Conclusion

 

When combined, NxFilter and pfSense make for an extremely effective and powerful networking solution. pfSense is great for controlling access based on flexible firewall rulesets and schedules. NxFilter is my go-to for IP-based control and monitoring. If you know just the basics about networking, you can set this up. Additionally, it’s one more way to teach your kids and to promote good online habits that they can use for the rest of their lives.

 

About Adam Bollmeyer

I'm a home technology enthusiast with a penchant for home automation, networking, and computers. My goal is to help others improve their knowledge of how available technology can be used at home.