FAQ
Common questions about FilterDNS Proxy.
FilterDNS Proxy is a .NET 10-based DNS master proxy server that serves zone transfers (AXFR/IXFR) to configured slave DNS servers, with IP whitelisting, NOTIFY support, and selective record filtering.
FilterDNS allows you to sanitize and transform DNS zones before serving them to public-facing slave DNS servers. Common use cases include:
- Hiding internal nameservers (e.g., Active Directory) from public DNS
- Filtering private IP addresses from Internet zones
- Separating internal and external DNS views
- Controlling zone transfer access
FilterDNS acts as a DNS master proxy - it sits between your upstream master DNS (e.g., Active Directory) and your public slave DNS servers. It filters and transforms zones before serving them to slaves.
FilterDNS is compatible with:
- Knot DNS - Fully tested and supported
- BIND - Compatible with BIND master and slave servers
- Other RFC-compliant DNS servers - Should work with any server following RFC 1995 and RFC 1996
- Operating System: Linux (tested on Ubuntu, Debian, RHEL/CentOS)
- Architecture: AMD64 (x86_64)
- .NET Runtime: .NET 10 runtime (included in deployment package)
- Privileges: Root access required to bind to port 53
No, the deployment package includes the .NET runtime. You don't need to install .NET separately.
No, FilterDNS requires root privileges to bind to port 53 (the standard DNS port). You can run it on a different port, but slave servers would then have to be configured to reach it on that non-standard port instead of the standard DNS port.
- Stop the service: `sudo systemctl stop filter-dns`
- Backup your configuration: `cp appsettings.json appsettings.json.backup`
- Extract the new version
- Restore your configuration
- Start the service: `sudo systemctl start filter-dns`
See Installation for detailed instructions.
Edit appsettings.json and add zones to the Zones array. See Configuration for detailed configuration options.
Yes, you can configure multiple zones in the Zones array. Each zone can have different upstream masters, filtering rules, and slave servers.
- Slaves: DNS servers that receive NOTIFY messages and are automatically whitelisted for zone transfers
- XferWhitelist: Additional IPs/networks allowed for zone transfers (e.g., monitoring tools)
Set FilterPrivateIPs: true in your zone configuration. See Configuration for details.
Yes, use the PrivateIPRanges array to specify custom CIDR ranges. If empty, FilterDNS uses default RFC 1918 ranges.
If SoaRname is not configured, FilterDNS preserves the original rname from the upstream zone.
Yes, FilterDNS has full RFC 1995-compliant IXFR support with zone history tracking.
IxfrResponseMode supports two modes:
- Incremental: Sends only the changes between zone versions (more efficient)
- FullZone: Always sends the complete zone (more reliable, less efficient)
Use FullZone mode if you experience zone data corruption with incremental transfers.
FilterDNS maintains a history of zone versions for IXFR support. History is stored in JSON format and persists across restarts. You can configure history depth per zone or globally.
This usually means:
- History hasn't built up yet (normal on first transfer)
- History depth is too low for your update frequency
- History files are missing or corrupted
See Troubleshooting for solutions.
Yes, set IxfrResponseMode: "FullZone" in server configuration. This makes FilterDNS always send full zone transfers (AXFR format) in response to IXFR requests.
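The following is an added illustration, not FilterDNS's own code, of how an IXFR responder with a bounded zone history ends up answering with either an incremental change set or a full zone. It models the three situations the FAQ describes: the client's serial is still in history (incremental answer), the serial has already aged out or never existed in history (full-zone fallback, which is what "history hasn't built up yet" and "history depth is too low" look like on the wire), and IxfrResponseMode set to FullZone (always a full zone). The `ZoneHistory` class, its `depth` parameter and the tiny sample zone are constructed for this example.

```python
"""Model of the IXFR-vs-AXFR decision against a bounded zone history.

Added illustration, not FilterDNS's own code. A history keeps only the last
`depth` versions; a client whose serial is older than that gets a full zone.
"""
from collections import deque


class ZoneHistory:
    def __init__(self, depth):
        # Oldest versions fall off the left once more than `depth` are stored.
        self.versions = deque(maxlen=depth)  # entries: (serial, frozenset(records))

    def add(self, serial, records):
        self.versions.append((serial, frozenset(records)))

    def respond(self, client_serial, mode="Incremental"):
        """Return (kind, payload); kind is 'up-to-date', 'IXFR' or 'AXFR'."""
        if not self.versions:
            raise ValueError("no zone version loaded yet")
        latest_serial, latest = self.versions[-1]
        if client_serial >= latest_serial:
            return "up-to-date", []
        if mode == "FullZone":
            # FullZone mode: complete zone regardless of what history holds.
            return "AXFR", sorted(latest)
        versions = list(self.versions)
        for i, (serial, _) in enumerate(versions):
            if serial == client_serial:
                # One change set per consecutive pair of versions, oldest first.
                changes = []
                for (s_old, old), (s_new, new) in zip(versions[i:], versions[i + 1:]):
                    changes.append({"from": s_old, "to": s_new,
                                    "deleted": sorted(old - new),
                                    "added": sorted(new - old)})
                return "IXFR", changes
        # Client serial not in history (aged out or never seen): full zone.
        return "AXFR", sorted(latest)


def demo():
    """Constructed sample: three versions of a tiny zone, history depth 2."""
    h = ZoneHistory(depth=2)
    h.add(1, {("www", "A", "198.51.100.10")})
    h.add(2, {("www", "A", "198.51.100.10"), ("mail", "A", "198.51.100.20")})
    h.add(3, {("www", "A", "198.51.100.11"), ("mail", "A", "198.51.100.20")})
    return {
        "from_serial_1": h.respond(1)[0],          # version 1 aged out -> AXFR
        "from_serial_2": h.respond(2),             # still in history -> IXFR
        "forced_full": h.respond(2, mode="FullZone")[0],
        "current": h.respond(3)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Raising the history depth is what turns the first case into an incremental answer; a slave that is far behind will always receive the full zone, which is the correct RFC 1995 behaviour rather than a fault.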
Yes, FilterDNS sends RFC 1996-compliant NOTIFY messages to all configured slave servers when zones are updated.
Yes, FilterDNS receives and processes NOTIFY messages from upstream master servers, automatically triggering zone updates.
Check FilterDNS logs for NOTIFY-related messages:
```bash
sudo journalctl -u filter-dns | grep -i notify
```
You should see messages like "Successfully notified slave {Ip}:{Port} for zone {Zone}".
FilterDNS can filter/modify:
- SOA records: Modifies mname (primary nameserver) and optionally rname
- NS records: Completely replaces all NS records with configured ones
- A/AAAA records: Optionally filters records pointing to private IP addresses
Yes, FilterDNS preserves serial numbers and all other SOA fields (TTL, refresh, retry, expire, minimum).
Currently, FilterDNS filters:
- SOA (modifies mname/rname)
- NS (replaces all)
- A/AAAA (filters private IPs if enabled)
Other record types pass through unchanged.
Records that don't match any filter criteria pass through unchanged (except NS records, which are always replaced).
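As an added illustration of the rewriting rules listed above (not FilterDNS's own code), the function below applies them to a constructed upstream zone: the SOA mname is replaced and the rname kept unless one is configured, every other SOA field survives untouched, all upstream NS records are dropped and the configured set is emitted at the apex, A/AAAA records pointing into private ranges are dropped when filtering is enabled, and everything else passes through. The record representation, the function name `filter_zone`, and the assumption that "default RFC 1918 ranges" means the three RFC 1918 blocks are this example's own; it also reads "replaces all NS records" literally, so delegation NS records are dropped too, which you should check against the Configuration page before relying on it.

```python
"""Model of the record rewriting rules described in this FAQ.

Added illustration, not FilterDNS's own code. Records are (name, type, rdata)
tuples; SOA rdata is a dict so that individual fields can be seen surviving.
"""
import ipaddress

# Assumed meaning of "default RFC 1918 ranges" when PrivateIPRanges is empty.
DEFAULT_PRIVATE_RANGES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def is_private(ip, ranges):
    addr = ipaddress.ip_address(ip)
    # An IPv6 address is never inside an IPv4 network, so AAAA records are only
    # dropped when an IPv6 range is configured explicitly.
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def filter_zone(apex, records, ns_names, soa_mname, soa_rname=None,
                filter_private=False, private_ranges=None):
    ranges = private_ranges or DEFAULT_PRIVATE_RANGES
    out = []
    for name, rtype, rdata in records:
        if rtype == "SOA":
            soa = dict(rdata)
            soa["mname"] = soa_mname
            if soa_rname is not None:
                soa["rname"] = soa_rname      # otherwise upstream rname is kept
            out.append((name, rtype, soa))    # serial/refresh/retry/... untouched
        elif rtype == "NS":
            continue                          # every upstream NS record is dropped
        elif rtype in ("A", "AAAA") and filter_private and is_private(rdata, ranges):
            continue                          # private address filtered out
        else:
            out.append((name, rtype, rdata))  # other types pass through unchanged
    # The configured NS set replaces the dropped ones at the zone apex.
    for ns in ns_names:
        out.append((apex, "NS", ns))
    return out


def demo():
    """Constructed upstream zone as an AD-style master would serve it."""
    upstream = [
        ("example.com.", "SOA", {"mname": "dc1.ad.example.com.",
                                 "rname": "hostmaster.example.com.",
                                 "serial": 2024010101, "refresh": 3600, "retry": 600,
                                 "expire": 86400, "minimum": 300}),
        ("example.com.", "NS", "dc1.ad.example.com."),
        ("example.com.", "NS", "dc2.ad.example.com."),
        ("www.example.com.", "A", "198.51.100.10"),
        ("dc1.ad.example.com.", "A", "10.0.0.5"),
        ("app.example.com.", "AAAA", "2001:db8::10"),
        ("example.com.", "MX", "10 mail.example.com."),
    ]
    return filter_zone("example.com.", upstream,
                       ["ns1.example.net.", "ns2.example.net."],
                       soa_mname="ns1.example.net.", filter_private=True)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Running the sample shows the internal nameserver names and the 10.0.0.5 glue address gone from the public view while the SOA serial is unchanged, which is why slaves still see a consistent serial sequence after filtering.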
FilterDNS enforces IP whitelisting for zone transfers:
- Configured slaves are automatically whitelisted
- Additional IPs can be added via XferWhitelist
- Unauthorized transfer requests are refused
Yes, both XferWhitelist and HealthCheckAcl support CIDR notation:
```json
"XferWhitelist": ["192.0.2.0/24", "2001:db8::/64"]
```
Yes, FilterDNS fully supports IPv6 for:
- Upstream masters
- Slave servers
- Whitelist entries
- Health check ACLs
Health checks allow monitoring systems to query FilterDNS and receive filtered zone data responses, verifying that filtering is working correctly.
Add IP addresses/networks to HealthCheckAcl in server configuration:
```json
"HealthCheckAcl": ["127.0.0.1", "10.0.0.0/8"]
```
Health checks support standard DNS query types: A, AAAA, NS, SOA, and others.
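To make the two access lists concrete, here is an added example (not FilterDNS's own code) that evaluates constructed requests against a constructed configuration: AXFR/IXFR requests are checked against the configured slaves plus XferWhitelist, and health-check queries against HealthCheckAcl. Single addresses and CIDR networks, IPv4 and IPv6, are handled uniformly. The function names, the "ALLOW"/"REFUSED" result strings and the sample addresses are this example's own.

```python
"""Model of the transfer whitelist and health-check ACL described in this FAQ.

Added illustration, not FilterDNS's own code. Entries may be single addresses
or CIDR networks; configured slaves are implicitly allowed to transfer.
"""
import ipaddress


def parse_acl(entries):
    # A bare address such as "127.0.0.1" becomes a /32 (or /128) network.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def allowed(client_ip, acl):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl)


def decide(client_ip, qtype, slaves, xfer_whitelist, health_check_acl):
    """Return 'ALLOW' or 'REFUSED' for a request of the given query type."""
    if qtype in ("AXFR", "IXFR"):
        # Slaves are automatically whitelisted; XferWhitelist adds the rest.
        acl = parse_acl(list(slaves) + list(xfer_whitelist))
    else:
        # Ordinary query types from monitoring systems: HealthCheckAcl applies.
        acl = parse_acl(health_check_acl)
    return "ALLOW" if allowed(client_ip, acl) else "REFUSED"


def demo():
    """Constructed configuration and constructed client requests."""
    slaves = ["203.0.113.10", "2001:db8:1::53"]
    xfer_whitelist = ["192.0.2.0/24", "2001:db8::/64"]
    health_check_acl = ["127.0.0.1", "10.0.0.0/8"]
    requests = [
        ("203.0.113.10", "AXFR"),   # configured slave
        ("192.0.2.77", "IXFR"),     # inside an XferWhitelist network
        ("2001:db8::1", "AXFR"),    # inside the IPv6 whitelist network
        ("198.51.100.5", "AXFR"),   # not listed anywhere -> refused
        ("10.1.2.3", "SOA"),        # monitoring host in HealthCheckAcl
    ]
    return {f"{ip} {qtype}": decide(ip, qtype, slaves, xfer_whitelist, health_check_acl)
            for ip, qtype in requests}


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{request}: {verdict}")
```

When a slave reports a refused transfer, compare its source address (as seen by FilterDNS, i.e. after any NAT) with the output of a check like this; a slave behind NAT that sends from a different address than the one configured is the usual cause.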
```bash
sudo systemctl status filter-dns
# Recent logs
sudo journalctl -u filter-dns -n 100
# Follow logs in real-time
sudo journalctl -u filter-dns -f
```
From a configured slave server:
```bash
dig @filterdns-server example.com AXFR
dig @filterdns-server example.com IXFR=12345
```
Check:
- Slave IPs are configured correctly
- Network connectivity (UDP port 53)
- NOTIFY messages in logs
- Serial numbers are changing on upstream
See Troubleshooting for detailed solutions.
Configurable via UpstreamPollInterval (default: 300 seconds). FilterDNS also responds to NOTIFY messages immediately.
Yes, filtered zones are cached in memory for fast zone transfer responses. Cache is updated only when upstream zones change.
Depends on:
- Number of zones
- History depth per zone
- Zone size
- Update frequency
History files are typically small (JSON format). BIND format exports are optional and can be disabled.
FilterDNS is licensed under GNU General Public License v3.0 (GPL-3.0).
Yes, GPL-3.0 allows commercial use. However, if you distribute modified versions, you must also license them under GPL-3.0 and provide source code.
- Check the Troubleshooting guide
- Review the Configuration documentation
- Open an issue on GitHub
Open an issue on GitHub with:
- Description of the problem
- Relevant log excerpts
- Configuration (sanitized)
- Steps to reproduce
Yes! Contributions are welcome. Please open a pull request or issue on GitHub.
- Installation - Get started with FilterDNS
- Configuration - Configure your zones
- Use-Cases - Common usage scenarios
- Troubleshooting - Solve common issues