NxProxy and VPN network question


  • NxProxy and VPN network question

    Hi. I am currently evaluating and testing NxFilter and NxProxy for a company with around 600 users. We intend to purchase jahaslist if our evaluation of the product goes well.
    We are currently having difficulty implementing NxProxy with remote clients using OpenVPN.

    I understand that NxProxy is a DNS server running on 127.0.0.1 that hijacks all DNS queries whatever the network is, whether the remote client is on the VPN or not.
    However, when in VPN, our remote clients resolve our domain and servers with private IP addresses. How can I implement this kind of scenario with NxProxy?

    Is it possible for NxProxy to bypass when the remote client is connected via VPN?


    Kind regards

  • #2
    We have Local DNS Server and Auto-switch Domain on Policy > NxProxy. NxProxy tries to find its server in its current network. If it finds that it's in its own network, or if it is in your office network and its server (that is, NxFilter) is there, using Auto-switch Domain, it yields the filtering job to NxFilter. It might be working with VPN as well.

    I guess you need to add your NxFilter IP in your local network and its IP on your VPN, both as the value of Local DNS Server. You can add multiple IP addresses separated by commas there.



    • #3
      I guess this is the part where I fail to grasp how nxProxy differentiates its own network.

      NxProxy tries to find its server in its current network. If it found that it's in its own network or if it is in your office network and there's its server that is NxFilter using Auto-switch Domain
      How does NxProxy do this exactly? What configuration example should I follow?

      Also, what is the auto-switch domain parameter in the Policy -> NxProxy? Currently, the value of that parameter in my NxProxy install is:

      auto-switch-l3h01662196336.ojdfp.local
      How exactly should I use this auto-switch domain?



      • #4
        NxProxy queries the domain to the local DNS server it found. If it gets an answer for the domain, then it's your server, because the domain is generated to be unique. So just enable the Use Auto-switching option.

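The auto-switch check described in #4, as an added illustration written for this thread rather than NxProxy's own code: send one A query for the auto-switch name to a candidate local DNS server and accept it as your NxFilter only if it returns a NOERROR answer with at least one record. The server IP and auto-switch name are placeholders, and the assumption that other resolvers answer NXDOMAIN (or nothing) for the generated name is mine.

```python
import socket
import struct

# Placeholders (not from NxProxy): use your own Local DNS Server IP and
# the auto-switch domain shown under Policy > NxProxy.
CANDIDATE_DNS = "192.0.2.53"
AUTOSWITCH_NAME = "auto-switch-EXAMPLE.mydomain.com"

def build_query(name, qid, qtype=1):
    """Minimal DNS query: 12-byte header, QNAME labels, QTYPE (A=1), QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(data, expected_id):
    """Return (rcode, answer_count), or None if this is not a reply to our query."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != expected_id or not flags & 0x8000:  # QR bit must be set on a response
        return None
    return flags & 0x000F, an

def answers_autoswitch(server_ip, name, timeout=2.0):
    """True only if server_ip returns NOERROR with at least one record for name.

    Assumption: a resolver that is not your NxFilter has no data for the
    generated name and answers NXDOMAIN or not at all, which is what lets
    NxProxy tell its own server apart from any other local DNS server.
    """
    qid = 0x4E58
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server_ip, 53))
        data, _ = sock.recvfrom(512)
    except (socket.timeout, OSError):
        return False  # unreachable off-LAN, exactly the case discussed in this thread
    finally:
        sock.close()
    parsed = parse_response(data, qid)
    return parsed is not None and parsed[0] == 0 and parsed[1] > 0

if __name__ == "__main__":
    print(answers_autoswitch(CANDIDATE_DNS, AUTOSWITCH_NAME))
```

A wildcard record under your public domain would make other resolvers answer the generated name too, so check for that before relying on the result.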


        • #5
          Ok. I am sure I am doing it wrong, since I can't even make auto-switching work in my LAN. Can you please confirm the following?
          1. Should NxProxy be able to directly connect to the NxFilter server's ports UDP/53, TCP/80, TCP/443? Or only TCP/80 and TCP/443?
          2. NxProxy client setting: NxFilter's server - the Internet-facing IP of the NxFilter, correct?
          3. Bypassing local domain: Here is the scenario - the local (AD) domain and the public domain are the same. How could I go about this? Should I put the AD domain in the local domain parameter?
          4. Auto-switch: The auto-switch domain auto-switch-vd3l1662199808.<mydomain> is reachable and answering using all local DNS, and yet NxProxy does not auto-switch or bypass anything. How can I tell in the debug logs if it's auto-switching or not?
          5. Why is NxProxy using 8.8.8.8/53 as DNS? I have not configured 8.8.8.8/53 in any NxFilter or NxProxy configuration.
          6. In NxProxy, does bypass mean that it will forward all DNS queries to the DNS configured on the client by DHCP?



          • #6
            1. Should NxProxy be able to directly connect to the NxFilter server's ports UDP/53, TCP/80, TCP/443? Or only TCP/80 and TCP/443?
            - It uses TCP/80 and TCP/443, but it uses UDP/53 for the DNS server in its local network.


            2. NxProxy client setting: NxFilter's server - the Internet facing IP of the NxFilter, correct?
            - Yes.


            3. Bypassing local domain: Here is the scenario - the local (AD) domain and the public domain are the same. How could I go about this? Should I put the AD domain in the local domain parameter?
            - Add it into Local Domain. Local Domain is the list of domains to be bypassed to your local DNS server.


            4. Auto-switch: The auto-switch domain auto-switch-vd3l1662199808.<mydomain> is reachable and answering using all local DNS, and yet NxProxy does not auto-switch or bypass anything. How can I tell in the debug logs if it's auto-switching or not?
            - You can see Auto-switching related messages in C:\Program Files (x86)\nxproxy\log\nxproxy.log file.
            - You can also enable debugging in the C:\Program Files (x86)\nxproxy\conf\log4j.properties file. Change INFO to DEBUG in the file.


            5. Why is NxProxy using 8.8.8.8/53 as DNS? I have not configured 8.8.8.8/53 in any NxFilter or NxProxy configuration.
            - It couldn't find your local DNS server, or couldn't change the DNS settings. The last resort is to use 8.8.8.8.
            - It might not be able to do DHCP. You can find something in the log file.


            6. In NxProxy, does bypass mean that it will forward all DNS queries to the DNS configured on the client by DHCP?
            - Yes. But you can tell NxProxy which IP is your NxFilter IP. You can set it as one of the Local DNS Server entries on 'Policy > NxProxy'.



            • #7
              Did you set Local DNS Server?



              • #8
                Hi. Yes. I even tried with (Nxfilter private IP, AD local IP) and without (blank).

                I think my problem is the auto-switching.

                What's happening is, NxProxy is always using the last DNS server regardless of whether I am in the LAN or not.

                Example: (Local DNS server is blank)

                1. Power on PC, Join LAN network - OK. (DNS is NxFilter local IP address)
                2. Change from LAN to public Internet network - NOT OK. (Socket timeout due to DNS is still NxFilter local IP address)
                3. Restart NxProxy service - OK (DNS changes to 8.8.8.8 / Though the public internet DNS is 192.168.0.1)
                4. Join LAN again - NOT OK (DNS server Is still 8.8.8.8)
                5. Restart NxProxy service - OK (DNS is NxFilter local IP address)

                It is the same if I put a different Local DNS server: the NxProxy service needs to be restarted to pick up the correct DNS server to be used.

                What am I doing wrong?



                • #9
                  Firstly, finding its local DNS for DNS resolving is not that important. It uses DoH to NxFilter, so it resolves DNS anyway. It only uses the Local Resolver when its DoH gets blocked, but I don't think it gets blocked. And it bypasses *.local domains and its Active Directory domain, if it's joined to any Active Directory, to its local DNS server. It tries to find its AD domain in the background.

                  Outside your office or VPN network, it doesn't need to join any Active Directory. And you don't need to resolve any .local domain except your own. I guess this is normal. So the only thing that matters here is to resolve your own AD domain. But I guess your NxProxy can resolve it, as it does its DNS queries to your NxFilter.

                  The reason it can find its local NxFilter IP, if I read it correctly, is that it does DHCP to find out its local DNS server when it starts. But I don't know why it can't find it when you restart the NxProxy service.

                  Did you set your NxFilter IP in 'Policy > NxProxy'? I guess you need to set 2 IPs. One is for your local network. And the other one is for VPN. If your NxFilter IP is 192.168.0.1 in your network and it uses 10.0.0.1 in the VPN, then:

                  Code:
                  Local DNS Server : 192.168.0.1,10.0.0.1
                  Anyway, finding the local DNS is not that important if it's for DNS resolving. And with the new version, we will add one more method for DNS resolving. After everything fails, we will use the Google DoH server. What if your user is in some network that blocks everything? Then your user will restart his laptop, and I guess it will find the local DNS server by the DHCP process.

                  For auto-switching problem, show me your log file with debugging on.
                  - You can see Auto-switching related messages in C:\Program Files (x86)\nxproxy\log\nxproxy.log file.
                  - You can also enable debugging in the C:\Program Files (x86)\nxproxy\conf\log4j.properties file. Change INFO to DEBUG in the file.



                  • #10
                    Ok, I was just focusing on looking up my local domains. My previous comment only pertains to local domains.

                    Right now, I am just trying to make this work in a LAN / External network scenario without the VPN just to simplify.

                    Here is my NxProxy policy wherein 172.17.10.60 is the local IP of the NxFilter.


                    My issue, it seems, is not the DNS resolution of external domains but the DNS resolution of my own domain(s): the domains that are configured in Local Domain and those that are in Whitelist domain.
                    What I am trying to achieve is:
                    1. When in the LAN - resolve the local domain using the private IP
                    2. When in an external network - resolve the local domain using the public IP

                    Here are my test results:

                    1. When the PC is in the LAN: NxProxy uses NxFilter as DNS and I can resolve my domain using the private IP address (OK)
                    INFO [09-07 15:48:25] - Main.doWork, LocalResolver started.
                    INFO [09-07 15:48:25] - Main.doWork, HandyMan started.
                    INFO [09-07 15:48:25] - Main.doWork, Starting DNS.
                    INFO [09-07 15:48:25] - Main.doWork, RequestHandler started.
                    INFO [09-07 15:48:25] - Main.doWork, UdpServer started.
                    DEBUG [09-07 15:48:25] - Sending localhost./A, id=54745 to udp/172.17.10.60:53
                    DEBUG [09-07 15:48:25] - Starting dnsjava NIO selector thread
                    INFO [09-07 15:48:25] - LocalResolver.setResolver, Local resolver IP = 172.17.10.60.
                    INFO [09-07 15:48:25] - LocalResolver.findLocalDnsIpByPolicy, New local DNS server = 172.17.10.60.
                    INFO [09-07 15:48:27] - HandyMan.hijackDns, Updating DNS settings on Windows.
                    DEBUG [09-07 15:48:28] - RequestHandler.run, RH #1, 1.0.0.127.in-addr.arpa, rqSize= 0, rDc = 1, rTtl = 0, rType = 12
                    DEBUG [09-07 15:48:28] - RequestHandler.run, Other type query bypass for 1.0.0.127.in-addr.arpa, type = 12.
                    DEBUG [09-07 15:48:28] - Sending 1.0.0.127.in-addr.arpa./PTR, id=1 to udp/172.17.10.60:53
                    DEBUG [09-07 15:48:28] - RequestHandler.run, RH #2, lowjack.abx-3072-8743-7449.com, rqSize= 0, rDc = 1, rTtl = 0, rType = 1
                    DEBUG [09-07 15:48:28] - RequestHandler.run, RH #1, lowjack.abx-3072-8743-7449.com, rqSize= 0, rDc = 1, rTtl = 0, rType = 28
                    INFO [09-07 15:48:28] - HandyMan.isDnsHijacked, We found that it's already hijacked by nslookup.
                    INFO [09-07 15:48:28] - HandyMan.hijackDns, We changed DNS settings.
                    INFO [09-07 15:49:25] - NxPing.run, Sending PING.
                    INFO [09-07 15:49:25] - NxPing.run, Ping success! IP = <NxProxy Public IP>
                    INFO [09-07 15:49:30] - HandyMan.hijackDns, Updating DNS settings on Windows.
                    ERROR [09-07 15:49:30] - HandyMan.hijackDns, Couldn't update it.
                    Ping result is OK

                    Code:
                    Pinging openchange.mydomain.com [172.17.10.24] with 32 bytes of data:
                    Reply from 172.17.10.24: bytes=32 time=2ms TTL=64
                    Reply from 172.17.10.24: bytes=32 time=1ms TTL=64
                    Reply from 172.17.10.24: bytes=32 time=1ms TTL=64
                    Reply from 172.17.10.24: bytes=32 time=1ms TTL=64
                    
                    Ping statistics for 172.17.10.24:
                    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                    Approximate round trip times in milli-seconds:
                    Minimum = 1ms, Maximum = 2ms, Average = 1ms
                    2. However, if I switch to an external network (e.g. public WiFi) and ping the server machine in my domain:
                    Code:
                    pinging openchange.mydomain.com
                    Ping request could not find host openchange.mydomain.com. Please check the name and try again.
                    Here is NxProxy's log:

                    DEBUG [09-07 15:58:11] - RequestHandler.run, RH #1, openchange.mydomain.com, rqSize= 0, rDc = 1, rTtl = 0, rType = 1
                    DEBUG [09-07 15:58:11] - RequestHandler.run, Local domain bypass for openchange.mydomain.com.
                    DEBUG [09-07 15:58:11] - Sending openchange.mydomain./A, id=8852 to udp/172.17.10.60:53
                    ERROR [09-07 15:58:11] - Request.handleException, Socket timeout from an upstream server! - openchange.mydomain.com
                    ERROR [09-07 15:58:13] - Request.handleException, Socket timeout from an upstream server! - openchange.mydomain.com
                    DEBUG [09-07 15:58:25] - {"ef":true,"ad":"auto-switch-vd3l1662199808.mydomain.com","nv":"4.6.3.2","ld":["*.mydomain.com"],"dn":"172.17.10.60","up":120,"ua":true,"tb":[]}
                    INFO [09-07 15:58:25] - NxPing.run, Sending PING.
                    INFO [09-07 15:58:25] - NxPing.run, Ping success! IP = <NxProxy Public IP>
                    INFO [09-07 15:58:39] - HandyMan.hijackDns, Updating DNS settings on Windows.
                    ERROR [09-07 15:58:39] - HandyMan.hijackDns, Couldn't update it.
                    It seems it's still trying to use udp/172.17.10.60:53 to resolve my local domains.



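An added analysis helper (written for this thread, not part of NxProxy) for the question in #5 about reading the debug log: it scans nxproxy.log lines for the chosen local resolver, upstream queries, local-domain bypasses, upstream timeouts and failed DNS-settings updates, and turns them into findings. The sample lines are copied from the log excerpts quoted above; the regexes are mine and match only the message formats seen there.

```python
import re
from collections import Counter

# Sample lines taken from the nxproxy.log excerpts quoted above in this thread
SAMPLE_LOG = """\
INFO [09-07 15:48:25] - LocalResolver.findLocalDnsIpByPolicy, New local DNS server = 172.17.10.60.
DEBUG [09-07 15:58:11] - RequestHandler.run, Local domain bypass for openchange.mydomain.com.
DEBUG [09-07 15:58:11] - Sending openchange.mydomain./A, id=8852 to udp/172.17.10.60:53
ERROR [09-07 15:58:11] - Request.handleException, Socket timeout from an upstream server! - openchange.mydomain.com
ERROR [09-07 15:58:13] - Request.handleException, Socket timeout from an upstream server! - openchange.mydomain.com
ERROR [09-07 15:58:39] - HandyMan.hijackDns, Couldn't update it.
"""

SEND_RE    = re.compile(r"Sending (?P<name>\S+)/[A-Z]+, id=\d+ to udp/(?P<ip>\d+(?:\.\d+){3}):53")
LOCAL_RE   = re.compile(r"New local DNS server = (?P<ip>\d+(?:\.\d+){3})")
BYPASS_RE  = re.compile(r"Local domain bypass for (?P<name>\S+)")
TIMEOUT_RE = re.compile(r"Socket timeout from an upstream server! - (?P<name>\S+)")
HIJACK_FAIL = "hijackDns, Couldn't update it."

def analyze(text):
    """Summarise which resolver NxProxy chose, what it bypassed, and what failed."""
    out = {"local_dns": None, "upstreams": Counter(), "bypassed": set(),
           "timeouts": Counter(), "hijack_failures": 0, "autoswitch_probed": False}
    for line in text.splitlines():
        if s := LOCAL_RE.search(line):
            out["local_dns"] = s.group("ip")
        elif s := SEND_RE.search(line):
            out["upstreams"][s.group("ip")] += 1
            # Per #4 above, auto-switching shows up as a query for the auto-switch-* name
            out["autoswitch_probed"] |= s.group("name").startswith("auto-switch-")
        elif s := BYPASS_RE.search(line):
            out["bypassed"].add(s.group("name").rstrip("."))
        elif s := TIMEOUT_RE.search(line):
            out["timeouts"][s.group("name")] += 1
        elif HIJACK_FAIL in line:
            out["hijack_failures"] += 1
    return out

def findings(summary):
    """Plain-language findings; each maps to a question raised in this thread."""
    notes = []
    for name, n in sorted(summary["timeouts"].items()):
        notes.append(f"{n} bypassed queries for {name} timed out at "
                     f"{summary['local_dns']}: local DNS unreachable off-LAN")
    if not summary["autoswitch_probed"]:
        notes.append("no query for an auto-switch-* name logged: auto-switching never ran")
    if summary["hijack_failures"]:
        notes.append("system DNS settings could not be updated: check service rights or GPO")
    return notes
```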


                    • #11
                      I can't see your image. And there's an error in your log.

                      HandyMan.hijackDns, Couldn't update it.
                      This means that it is not able to update system DNS settings. Does it have enough permission or do you block DNS change by GPO or something?

                      It just tests 172.17.10.60 to see if it can reach it. Outside your office, it will not be able to contact it. Then it will try to find the local DNS server using DHCP.

                      NxProxy will try to find the local DNS server by its policy. If it can contact it, then it will talk to the DNS server with the auto-switch domain. If it's not your own NxFilter, then it will ignore it and try to find another local DNS server using DHCP. But maybe it's not able to do anything with your network settings; then it will use 8.8.8.8, which is the last one.



                      • Keanne1021 commented
                        Hello. What permission should NxProxy have? I installed NxProxy using an account with administrative privileges, and it is running using the Local System account.

                    • #12
                      One problem is that it has its own DNS response cache. So, I don't think you can switch between a private IP and a public IP for the same domain. Is it important for you to switch between them?



                      • #13
                        What's the TTL for the domain? You can try to make it very short.



                        • #14
                          I'll try to upload the image again:

                          [Attached image: 2022-09-07_15-34.png]

                          NxProxy was installed using the defaults. It is running using the Local System account:

                          [Attached image: nxproxy_service.png]



                          • #15
                            Send me the log files using PM.
