NxFilter Tutorial

DNS over HTTPS
You can run DNS over HTTPS service by NxFilter. With this feature, you can filter roaming iOS or Android mobile devices.

Globlist doesn't support DNS over HTTPS service.


Why we need it
DNS over HTTPS has been around for several years. We didn't think it's useful for filtering as UDP/53 is way faster than using TCP/443. In today's network environment, so many kinds of software are using DNS protocol for their own purpose and their DNS traffic grows as we grow our network capacity. So, it's already maxed out. It's a very dangerous movement to switch it to TCP with encryption overhead if you run a large scale network.

However, DoH could be useful when you want to filter iOS or Android devices as we don't have any solid way of filtering these mobile devices. iOS devices support system wide DoH settings and on Android we can set Chrome or Chromium based browsers to use DoH service. These mobile devices will be under your filtering rules as long as they use DoH service by NxFilter.


Conditions for DoH service
There are several conditions to use DNS over HTTPS service by NxFilter.

1. You need v4.6.2.2 or later version of NxFilter.

2. You need to install your own SSL certificate. It should be a single domain certificate if you want to filter iOS/macOS devices.

3. You should service it through TCP/443 if you want to filter iOS/macOS devices.

4. Since NxFilter identifies users by Login Token, You have to enable User Authentication by NxFilter first.

To find out how to install your SSL certificate on NxFilter, read How do I apply my own SSL certificate?


How to use it
If it's for Chrome browser, we can set it up on Settings > Privacy and security > Security. Enable Use secure DNS and then add a custom URL like below,

You need to replace 'doh.nxfilter.org' with your own domain. And '4RYEO5P2' needs to be replaced with a login token from one of your users. The DNS requests from the Chrome browser will appear with the username associated to the login token '4RYEO5P2'.


Filtering iOS/macOS devices
You can set Apple devices running iOS and macOS to use your DoH service as their system wide DNS server by a .mobileconfig file. If it's an iPhone with iOS 15, when you download a .mobileconfig file into your phone, you can install it on Setting > General > VPN & Device Management. If it's on a macOS which supports system wide DoH then double-click a .mobileconfig file.

We have a template for .mobileconfig file on System > Mobile Config. You can download a user specific .mobileconfig file based on the template from user edit page.


Filtering Android devices
Android devices don't support system wide DoH settings yet. We know there's 'DNS over TLS' for Android but with DoT, your mobile users can be blocked in other network if they block TCP/853. They may lose their Internet connection outside your network. So, before Android devices supporting DoH, the best option is to use Chromium based browsers supporting DoH.


Servicing NxFilter to roaming users
You may want to filter the roaming users outside your network by NxFilter while filtering your local network at the same time. You can port forwarding TCP/80 and TCP/443 traffic to NxFilter by your router. If you don't need to do Block Redirection for showing your block page, TCP/443 alone would be enough.


Block redirection for roaming users
When you set your block redirection IP with a private IP, you may wonder what happens when there's a roaming user blocked outside your network. NxFilter tries to find its public IP automatically and it uses the public IP when it needs to block redirection the DNS requests from a public IP.


Bypassing your own DoH server domain form your filtering
You don't want to block your DoH server domain by NxFilter itself. NxFilter will try to find out your DoH domain and bypass it automatically. But it's still clearer to whitelist your domain by yourself. You can add your DoH server domain on 'Whitelist > Domain' with bypass_filter and bypass_auth flags.