There are three methods you can use to protect your networks and users with ScoutDNS.
1) WAN Forwarding: involves configuring ScoutDNS with your WAN IP address and then forwarding DNS queries from inside your network to our anycast resolver IPs.
Advantage: Simple and fast to deploy, usually within minutes.
Disadvantage: Provides limited visibility to DNS queries behind your firewall. Allows one policy per WAN IP. Only allows us to log and track the WAN IP for each query.
Use Case: BYOD. When you need to protect everything behind your firewall quickly, with the easiest and quickest deployment method.
2) LAN Relay: involves setting up the ScoutDNS relays as local forwarders inside your network, then assigning the forwarders through DHCP to your connected devices.
Advantage: Protects all devices including headless devices on your network with per device LAN IP logging/tracking. Can set different policy based on VLAN/Subnet. Encrypts DNS.
Disadvantage: Requires the setup of on-premise hosts or virtual machines.
Use Case: BYOD. When you want different policies per VLAN, want to protect IoT devices with greater logging, or require per-device LAN IP logging per query.
3) Roaming Client (Scout360): Involves installing the Scout360 roaming client on your client devices.
Advantage: Can protect devices inside and outside the network. Can deploy device level policy or policy to groups of devices. LAN IP, Domain, and User level logging per query. Encrypts DNS.
Disadvantage: Must install Scout360 device agent. Cannot protect headless devices.
Use Case: When you need to provide off-network protection both on and off the VPN. When you need user level logging.
This guide will walk you through the steps needed to configure ScoutDNS to your network using the quickest setup method, WAN Network Forwarding.
When planning to use LAN Relay, you must configure WAN Network Forwarding. WAN Forwarding is not required for roaming clients; however, it is recommended so that they are site aware.
Step 1: Register Network IP
ScoutDNS operates as a closed/private DNS resolver. This helps to improve security and prevent system abuse by third parties. As a closed system, our DNS resolvers will only answer requests from known users/networks. For this reason, we must configure your WAN IP network address with the ScoutDNS application.
All networks must be associated to a site. By default, ScoutDNS allows up to four networks to be configured to a single site location.
Click "New Site"
Enter a Site name and click "Save"
Once you have created the Site, it is time to add the network and associate a policy.
Click "Add Network". Enter network name and WAN IP address. If you are using a Dynamic DNS service, you can enter your domain name instead. Select policy and click the check mark to register the network. Finalize by clicking "Save".
You can always ask Google what your IP address is if you are unsure.
Step 2: Configure Network to ScoutDNS
Locate your network DNS server settings
Identify which device or server on your network points your client devices to your public DNS servers. This is usually a router or sometimes a firewall. Typically, the device that handles IP address assignment (DHCP) or the device that serves as your default gateway is also where you configure public DNS servers.
Log on to the server or router where DNS is configured
Once you’ve logged in, find the DNS settings for this device. If you're unsure of where these settings are, please refer to your device configuration manual.
Example of Sonicwall DNS settings for network.
Change your DNS server addresses
Change your DNS server addresses to the IPs provided in the GUI. ScoutDNS operates a global anycast network for performance and resiliency.
Make sure your DNS is set to be static. Write down the previous DNS server information in case you wish to revert the change.
** Advanced users may try to work around your DNS settings to add their own. This can be fixed by creating firewall rules. To create firewall rules restricting DNS go here.
Restart Machines/Clear Cache
If your users acquire DNS from DHCP, these machines may need to reboot or reconnect to the network in order to adopt the new server settings.
If DNS is applied via network proxy, you should clear the proxy resolver cache.
*** Remember to clear ALL CACHE on the local machine, browser, and domain controllers if applicable.
To confirm your system is now using ScoutDNS resolvers, click here: verify.ScoutDNS.com. In some DNS proxy cases the verification check may not register even when DNS traffic is passing. Another option to verify is by checking the ScoutDNS Logs.
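A complementary check for the firewall note and the verification step above, as an added example (not ScoutDNS code): it sends a raw DNS query over UDP to each resolver and reports approved resolvers that do not answer and other resolvers that still do. The approved IPs are placeholders from the documentation range, and the script assumes the host running it is allowed to query the approved resolvers directly.

```python
import os
import socket
import struct

# Placeholder resolver IPs (RFC 5737 documentation range): replace with the
# ScoutDNS anycast IPs shown in the GUI. They are not real ScoutDNS addresses.
APPROVED = ["192.0.2.1", "192.0.2.2"]
# Well-known public resolvers that should be unreachable once DNS is restricted.
OTHERS = ["8.8.8.8", "1.1.1.1"]


def build_query(name, txid):
    """Encode a minimal DNS query for an A record with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def resolver_answers(ip, port=53, name="example.com", timeout=2.0):
    """Return True if a DNS response with a matching ID comes back over UDP."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (ip, port))
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout, ICMP unreachable, or dropped by the firewall
            return False
    if len(data) < 12:
        return False
    rid, flags = struct.unpack("!HH", data[:4])
    return rid == txid and bool(flags & 0x8000)  # QR bit set means response


def audit(approved=APPROVED, others=OTHERS, probe=resolver_answers):
    """List findings: approved resolvers that fail, other resolvers that answer."""
    findings = [f"{ip}: approved resolver did not answer"
                for ip in approved if not probe(ip)]
    findings += [f"{ip}: direct DNS not blocked" for ip in others if probe(ip)]
    return findings


if __name__ == "__main__":
    for line in audit() or ["OK: only approved resolvers answer"]:
        print(line)
```

The probe covers UDP port 53 only; TCP port 53 and encrypted DNS need their own firewall rules and checks.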