Nexapp - InstaShield DNS

InstaShield DNS

InstaShield DNS is the DNS-level filtering engine in NexappOS. It uses domain-reputation blocking to stop connections to malicious or unwanted domains before a connection is established. When a client requests a blocked domain, NexappOS prevents resolution, denying access at the earliest stage.

The service can load:

  • Community-maintained blocklists (public, broad coverage)
  • Enterprise threat-intelligence feeds (licensed, frequently updated and security-focused)

Note: Enterprise feeds require an active subscription and a valid entitlement for InstaShield DNS.


Configuration

InstaShield DNS is disabled by default. To enable it:

  1. Navigate to Security → InstaShield DNS
  2. Open the Settings tab
  3. Turn Status to On

When enabled, the Blocklist sources tab displays all available lists.
Enable or disable each list using the switch on the right. Active lists update automatically at regular intervals.

Apply DNS filtering to specific zones

To decide where InstaShield DNS must be enforced:

  • In Settings, use Force DNS redirection on these zones
  • Select the zones (LAN, Guest, DMZ, etc.) where client DNS requests must be redirected through NexappOS

Redirected ports

The Redirected ports field defines which client ports will be transparently redirected to InstaShield DNS.
In most deployments this includes standard DNS ports (UDP/TCP 53). Add additional ports only if your network uses non-standard DNS services.


Community blocklists

Community sources are contributed and maintained externally. They usually cover domains related to:

  • malware and phishing
  • ads and trackers
  • spam and abuse
  • explicit or unsafe content categories
  • piracy or risky sites

These lists are provided “as-is”. Licensing terms depend on each provider, so verify usage rights if your deployment is non-personal or commercial.

Community list maintenance

Feed URLs are bundled into NexappOS at release time.
If a provider later changes its URL, that list may stop updating until a new release restores the source.


Enterprise blocklists

Subscription required

Enterprise lists are curated for security accuracy and offer major advantages:

  • High quality and accuracy
    Professionally validated threat intelligence with dedicated monitoring.

  • Fast update cycle
    New malicious domains are added quickly as threats emerge.

  • Reduced false positives
    Entries are verified to minimize blocking of legitimate services.

  • Designed for production networks
    Suitable for business environments needing predictable, stable filtering.

Enterprise sources appear only when the unit has a valid subscription and entitlement.


Filter bypass

Some devices or networks may require unrestricted DNS resolution (for example, lab systems or trusted management hosts).

To configure bypass:

  1. Open the Filter bypass tab
  2. Click Add bypass
  3. Enter an IPv4/IPv6 address or CIDR subnet

Traffic from bypassed addresses will not be filtered by InstaShield DNS.
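
Because every bypass entry removes filtering for the addresses it covers, it is worth reviewing the list before saving it. The following is an added example, not part of NexappOS or its documentation: a small Python audit that classifies bypass entries by how much of each filtered zone they exempt. The zone subnets, the bypass entries and the 25% threshold are constructed assumptions; only the zone names LAN and Guest come from this page.

```python
import ipaddress

# Constructed sample data. Zone names follow the page's examples; the subnets,
# bypass entries and the 25% threshold are assumptions for illustration.
ZONES = {"LAN": "192.168.10.0/24", "Guest": "10.20.0.0/22", "LAN-v6": "fd00:10::/64"}
BYPASS = ["192.168.10.5", "192.168.10.128/25", "10.20.0.0/16",
          "fd00:10::53", "172.16.0.9", "mgmt-host"]


def audit_bypass(entries, zones, max_share=0.25):
    """Classify each bypass entry by how much of each filtered zone it exempts."""
    zone_nets = {name: ipaddress.ip_network(cidr) for name, cidr in zones.items()}
    report = {"invalid": [], "no_zone": [], "broad": [], "ok": []}
    for entry in entries:
        try:
            # strict=False tolerates host bits set in a CIDR (e.g. 10.0.0.5/24).
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            report["invalid"].append(entry)
            continue
        hits = []
        for name, zone in zone_nets.items():
            if net.version == zone.version and net.overlaps(zone):
                # Overlapping CIDR blocks are nested, so the overlap is the smaller one.
                share = min(net.num_addresses, zone.num_addresses) / zone.num_addresses
                hits.append((name, share))
        if not hits:
            report["no_zone"].append(entry)
        elif any(share > max_share for _, share in hits):
            report["broad"].append((entry, hits))
        else:
            report["ok"].append((entry, hits))
    return report


def is_bypassed(client_ip, entries):
    """True if client_ip falls inside any valid bypass entry."""
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if net.version == addr.version and addr in net:
            return True
    return False


if __name__ == "__main__":
    for category, items in audit_bypass(BYPASS, ZONES).items():
        print(category, items)
```

Entries reported as "broad" exempt a large share of a zone and deserve a second look; "no_zone" entries match none of the listed zones and may be stale or mistyped.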


Local blocklist

The Local blocklist lets you manually block domains not included in any feed.

To add a domain:

  1. Open the Local blocklist tab
  2. Click Add domain
  3. Enter:
    • Domain name
    • Optional description (recommended)

Warning: Domains added here also affect DNS resolution for the NexappOS unit itself.


Advanced behavior (automatic)

When InstaShield DNS is enabled, NexappOS automatically:

  • Generates a category source file based on unit registration and entitlements
  • Redirects all client DNS queries to the local resolver
  • Configures the DNS filtering engine to use the selected sources
  • Starts and keeps the service updated without manual intervention

While advanced manual tuning is possible, it is not recommended unless required for special deployments.
