DNS === nEdge can enforce a specific DNS server to be used by the LAN devices. nEdge ships with some preset of secure DNS servers, which provide an additional security against malware sites. Global DNS ---------- The `Global DNS` is the DNS server used in the following cases: - When the DHCP server is enabled in routing mode, it will configure the non child-safe clients to use these DNS servers - By the nEdge device for interfaces configured in static address mode .. figure:: img/global_dns.png :align: center :alt: Global DNS Global DNS configuration If the `Enforce Global DNS` option is set, nEdge will enforce the use of the specified `Global DNS` even if the clients manually change their DNS servers. Secure DNS servers can be chosen from the provided presets or be specified manually. Child Safe ---------- The `Child Safe` DNS is the DNS used for users which are marked with the `Child Safe` option. .. figure:: img/child_dns.png :align: center :alt: Child DNS Child DNS configuration Such DNS can protect the children from inappropriate adult content. **Note**: nEdge will always enforce the use of such a DNS for all the child safe users, even if they manually change their DNS servers. DNS issue: 5 seconds delay -------------------------- Due to a bug_ into the kernel, there is an issue with the DNS resolver of some versions of glibc, which causes a client program to stuck for about 5 seconds when performing A and AAAA DNS requests using the same socket. This can be verified with the following command: `conntrack -S` When the issue occurs, the command above will increase the `insert_failed` counter. A temporary solution to the issue is to force glibc to use a different socket for the AAAA request. On a Linux client, this can be done by adding the following line to `/etc/resolv.conf`: `options single-request-reopen` .. _bug: https://www.weave.works/blog/racy-conntrack-and-dns-lookup-timeouts