Tyler's question about doh.opendns.com and more..
  • Tyler's question about doh.opendns.com and more..

    I was having trouble getting NXFilter to start due to IIS and the Default Site. I removed the Default Site from IIS. We do have WSUS:8530, but I did have to remove the Default Site due to a port 80 conflict. Anyway, I had to turn on DEBUG and then restart NXF and it seemed to work. I changed it back to INFO and restarted the NXF service and it seems to work. Maybe there was a delay in service changes or cache, I don't know.

    Anyway, I did notice in the Logging that "doh.opendns.com" was Blocked by system. We use this content DNS filtering for our office. In the conf folder I do see system-block.txt with a list of DNS services. It appears NXF is blocking these services, is that correct? So, with that enabled, I am disabling my outbound DNS traffic because OpenDNS is blocked by NXF. Is that correct?

    If I wanted to go around that block, could I delete that line in the system-block.txt?

    I also saw the default dns was set to Google public DNS, 8.8.8.8 and 8.8.4.4. I would prefer to change that to OpenDNS 208.67.222.222. Though, if that is blocked by the system-block.txt then I guess we might have conflicts.

    What do you recommend? Or what advice do you have?

  • #2
    doh.opendns.com and other DoH services should be blocked as your users can bypass NxFilter with them. You can whitelist it on 'Whitelist > Domain' if you need though.

    You can change your default DNS on 'DNS > Setup'.

    If you have to use OpenDNS, set it as the upstream server for NxFilter; then your users will be filtered by NxFilter first and then by OpenDNS.



    • #3
      Thank you for quick response. So what you are saying is, NXF should be the preferred filter. No other dns filtering should be in the flow. Is this correct?

      I did change the default DNS from 8.8.8.8 to OpenDNS servers, 208.67.222.222. However, it seems those are blocked by system-block.txt. Therefore I would have to whitelist those domains, correct?

      The reason for two DNS filter options (OpenDNS and NXFilter) is I want a harder, more strict filter for a certain user group within the network, while others can bypass NXF, which would allow them to interact with OpenDNS to use its filtering services. Does that make any sense? So yes, I would want OpenDNS as the upstream, though users would first be filtered through NXF before passing through the upstream.



      • #4
        DoH means that you can use DNS over TCP/443. And they don't use UDP/53. This means that your users can use other DNS services as they like to bypass your filtering. You don't want that when you implement DNS filtering. So, we block those DoH servers by default.

        If 208.67.222.222 is blocked somewhere, it's not by NxFilter. It can't block IP addresses.

        If you want to have multiple policies, create 2 users and then create 2 policies. For one user, a stricter policy and for the other one, a less strict policy. You can create as many users and policies as you want, and you also can create groups and assign policies on the group level. You can import these user and group relations from your AD server. That's why you implement user authentication with NxFilter.



        • #5
          Thank you again for comments. In the FAQ there is reference to bypass filtering:

          Can I bypass a specific user from filtering and logging?
          You might want to bypass some of your users from filtering and logging. You can add the client IP addresses you want to bypass from filtering and logging on 'System > Allowed IP > Bypass All'.

          I found this under DNS > Access Control in the new version (4.6). I could set a range of IPs in this section that would bypass filtering and logging. Is this correct? Or could this be an alternative to the two users/two policies that you referred to? As I said, I am trying to achieve a more strict policy for a certain small user group (a range of IPs); however, I want the majority of users to bypass NXF and just flow through the primary gateway DNS, which is OpenDNS (208.67.222.222 and 208.67.220.220). Would using DNS > Access Control to bypass filtering and logging for a range of IPs be an acceptable practice?



          • #6
            Bypassing means that it doesn't do filtering for the users. So, the upstream DNS server will resolve domains for them. If you set OpenDNS to be the upstream server of NxFilter then they will be filtered by OpenDNS. However, I don't know why you need to use NxFilter in your case. If you have to use OpenDNS, setting OpenDNS as the DNS IP of the majority of users would be easier.



            • #7
              Hi. Good question on why to use two filtering DNS options. As I have explained, I want to enforce a stronger policy for a select user group within our office. I.e., we want to set a policy for employees not to view YouTube, FB, etc. This can't be set by OpenDNS. If it were, it would be applied to all users downstream from the DNS IP set by DHCP. (Btw, we are using the free version of OpenDNS.) So, my idea is to use NXF for the limited user group to block certain domains during working hours, while at the same time the majority of other users bypass NXF. Then let the OpenDNS content filter do its thing.

              I suppose what you are saying is why use OpenDNS at all? I believe what you are saying is throw away OpenDNS as the DNS IP set by DHCP. Set another public DNS IP, such as Google 8.8.8.8, for our gateway DNS. Then for ALL users we should use NXF and apply two different policies based on user group. As noted: 1. stronger, more strict for user group A; 2. general filtering, less strict for user group B. For group A, we could block YouTube, FB, social media, etc. with a harder policy. For group B, we could filter more general stuff and still allow YouTube, FB, social media, etc., but just filter out general workplace/business stuff such as alcohol, gambling, sex, etc. We could let NXF do that for us, then pass all traffic through a DNS IP such as Google DNS 8.8.8.8. Is this the recommendation instead of the layered DNS that I have been talking about with bypassing NXF?



              • #8
                What I am saying is that you can have multiple filtering policies with NxFilter and you don't need another one if it's for your need of a stricter policy and other policies. Is this about using a free version with Globlist? You still can have 3 policies, and you can create multiple custom categories, put those sites you want to block in a custom category and block it on the stricter policy.



                • #9
                  I didn't get a direct answer to my previous post. I understand what NXF does and offers. I'm working through our current setup with OpenDNS and the layered dns filtering that I've been talking about. Looking at my previous post and the second paragraph, I ask, "Is this the recommendation instead of a layered DNS that I have been talking about with bypassing NXF?"

                  In my testing, I've been using the default, Jahaslist.



                  • #10
                    Yes. Don't use OpenDNS. Just set multiple filtering policies with NxFilter and use its user authentication feature. Maybe AD integration as well. That will make things easier and simpler for you.

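As an added illustration of the decision order discussed in this thread (system block for DoH endpoints, whitelist override, then a per-group policy built from custom categories), here is a small Python model. It is not NxFilter's code: the one-hostname-per-line format of system-block.txt, the category and policy names, the IP ranges standing in for users/groups, and the query log are all assumed or constructed for the example. Only doh.opendns.com, youtube.com and facebook.com are taken from the thread.

```python
"""Toy model of the DNS-filtering decision chain discussed in this thread.

Added example, not NxFilter's own code. Assumptions:
  * the system block file is one hostname per line (constructed sample
    below; the real system-block.txt format is not shown in the thread),
  * a 'Whitelist > Domain' entry overrides the system block,
  * two policies ('strict', 'lenient') built from custom categories and
    assigned to client IP ranges stand in for NxFilter users/groups.
"""
import ipaddress

# Constructed sample of a DoH/alternative-resolver block file. Only
# doh.opendns.com is named in the thread; the other entries are illustrative.
SYSTEM_BLOCK_TXT = """\
# DNS-over-HTTPS and other resolver endpoints users could bypass the filter with
doh.opendns.com
dns.google
cloudflare-dns.com
"""

# Hypothetical custom categories; names under .example are placeholders.
CATEGORIES = {
    "social":   ["youtube.com", "facebook.com"],
    "gambling": ["casino.example", "bets.example"],
}

# Hypothetical policies: which categories each one blocks (ordered lists so
# the reported reason is deterministic when a domain sits in two categories).
POLICIES = {
    "strict":  ["social", "gambling"],   # group A in the thread
    "lenient": ["gambling"],             # group B in the thread
}

# Hypothetical IP-range to policy mapping; the most specific prefix wins.
GROUP_NETS = {
    "192.168.10.0/24": "strict",
    "0.0.0.0/0":       "lenient",        # everyone else
}


def load_blocklist(text):
    """Parse a one-hostname-per-line file, ignoring blanks and '#' comments."""
    names = set()
    for line in text.splitlines():
        line = line.strip().lower().rstrip(".")
        if line and not line.startswith("#"):
            names.add(line)
    return names


def domain_matches(qname, names):
    """True if qname or any parent domain is listed
    (a.b.example.com matches a list entry of example.com)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in names for i in range(len(labels)))


def policy_for(client_ip):
    """Policy of the most specific configured range containing client_ip."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for cidr, policy in GROUP_NETS.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, policy)
    return best[1]


def decide(client_ip, qname, whitelist=frozenset()):
    """Return (verdict, reason) for one query in the order the thread describes:
    whitelist beats the system block, the system block is checked before any
    per-group policy, and whatever survives goes to the upstream resolver."""
    system_block = load_blocklist(SYSTEM_BLOCK_TXT)
    if domain_matches(qname, whitelist):
        return "allow", "whitelist"
    if domain_matches(qname, system_block):
        return "block", "system"
    policy = policy_for(client_ip)
    for category in POLICIES[policy]:
        if domain_matches(qname, set(CATEGORIES[category])):
            return "block", f"{policy}:{category}"
    return "allow", policy


def doh_attempts(log_lines):
    """Detection view: clients that queried a system-blocked resolver endpoint,
    i.e. probable attempts to bypass the filter. Each line is
    '<client_ip> <qname>' (constructed format, not NxFilter's log format)."""
    system_block = load_blocklist(SYSTEM_BLOCK_TXT)
    hits = []
    for line in log_lines:
        client_ip, qname = line.split()
        if domain_matches(qname, system_block):
            hits.append((client_ip, qname.lower().rstrip(".")))
    return hits


# Constructed query log for the demo.
SAMPLE_LOG = [
    "192.168.10.5 www.youtube.com",
    "192.168.10.5 doh.opendns.com",
    "192.168.20.7 www.youtube.com",
    "192.168.20.7 casino.example",
    "192.168.20.9 dns.google",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        ip, name = entry.split()
        print(ip, name, *decide(ip, name))
    print("bypass attempts:", doh_attempts(SAMPLE_LOG))
```

Note what the model cannot do, which is the point made in #4: the lists match query names, so a client that points its stub resolver straight at 208.67.222.222 (or at a DoH endpoint whose IP it already knows) never passes through `decide()` at all. That is why the DoH hostnames are blocked by default, and why group policies only work if every client is forced through the filter (DHCP pointing at NxFilter and outbound 53/853/443-to-resolver egress restricted at the firewall).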