ScoutDNS supports a Relay configuration, allowing operators to install a lightweight service within their network. The relay acts as a local forwarding resolver, processing internal queries while forwarding public queries to the ScoutDNS cloud resolver. Queries intended for internal services remain inside the network.
This setup enables the following ScoutDNS resolver functionalities:
- Set Policy by subnet
- Log LAN IP for queries
- Encrypt DNS traffic
- Configure local network aliases
- Configure local DNS forwarding
- Automatic updating of the relay software
The Relay is a local forwarding resolver that directs internal queries to the appropriate internal resolvers while forwarding external queries to the ScoutDNS cloud-based resolver. Queries intended for internal services remain within the network.
It’s important to note that the Relay is NOT a full DNS server.
Figure: DNS query flow with Relay
The ScoutDNS relay is designed as a fully cloud-configured service to simplify installation and management. Setting up and configuring the relay involves two steps:
1) Install the Relay on a local host
2) Configure the Relay through the ScoutDNS UI
Installing the Relay involves simply downloading the files and executing the install command.
Currently we only support Debian-based Linux distros for running the relay service. This includes Ubuntu and Kubuntu.
Preparing the Host
The ScoutDNS relay can run on any hardware with at least 1 CPU, 1 GB of free RAM, and 40 GB of storage.
If you use multiple local forward rules with multiple subnets, we recommend 2 CPUs, 2 GB of free RAM, and 50 GB of storage.
Add 1 CPU and 1 GB of RAM for every 1000 simultaneous users.
As this host will act as the local DNS for all subnets, be sure all networks are routable to it.
For the Relay host itself, DNS should be set to your local DNS server so that standard (non-forward-specified) local requests are processed correctly.
Ready to Install
Download the install file from the Help icon at the top right of the UI.
Once the file is copied to your Relay host, unpack it and then execute the install command.
Install the Relay
sudo ./scoutdns install-dns
The service will start automatically once installed and update itself to the latest available version.
You can start/stop the Relay service with these commands:
Troubleshoot The Relay
Check service status:
sudo systemctl status scoutdns scoutdns-updater
Restart relay service:
sudo systemctl restart scoutdns
Check Service Logs
sudo journalctl -u scoutdns -u scoutdns-updater
Write the service logs from the last day to a file so they can be exported for a support case:
sudo journalctl -u scoutdns -u scoutdns-updater -S yesterday > scoutdns_log.txt
Uninstall the Relay
You can uninstall the relay service with these commands:
sudo /opt/scoutdns/scoutdns uninstall-dns
The ScoutDNS service will automatically configure the relay host's DNS settings and change them back when the service is stopped or uninstalled.
The ScoutDNS relay will send DNS queries using DoH (DNS over HTTPS) over port 443.
For us to detect your Relay, you must first configure the WAN it will use.
Please refer to the Quick Start Setup Guide for instructions on this step.
Once the Relay is installed on a previously configured WAN, it will begin communicating with our relay service to register. The detected Relay will then appear under the Site tab within the selected site, under the Relays subtab.
You will see the relay ID with status "Not Adopted". Click the "Adopt" button to register this relay with this site. You can install multiple relays within the same site, and all relays share the same configuration as set in the UI. This is recommended for high availability.
Once adopted, the Relay will connect to our relay configuration service via secure HTTPS and periodically check for new configurations set in the UI. Any updates to configurations should take effect within 1–2 minutes.
Local Forwarders
With the relay acting as the primary DNS service within your local network, we need to tell the relay about any other DNS service, such as Windows domain controllers, that your client devices will need access to. In the Local Forwarders subtab, you can configure the ScoutDNS relay to forward requests as needed to any valid local domain or DNS service.
Click "+ New Domain". Then enter your desired local domain name. You will need to input the IP addresses at which the forwarding service can be found, up to 4 IP addresses for each entry. Finally, choose which already configured LAN the rule applies to, or leave the default "All LANs". Select "Save" and your configuration will be updated on the Relay shortly.
Forward Lookup Zones
It is important to add ALL domains with a forward lookup zone from your domain controllers. From the Windows DNS Manager tool, identify all domains listed in the forward lookup zone section.
Redirects
You can create redirects to resolve specified names to the internal IPs of other devices, such as printers, video players, or other services. Additionally, redirects can be used to modify any internal or external domain to point to a specified IP address. Think of this as a way to manually configure DNS records for Relay-connected devices.
To set up a redirect:
- Navigate to the Redirects subtab and select "New Redirect".
- Enter the domain name and the IP address you want it to resolve to.
- Click "Save", and your Relay will update.
Keep in mind that redirecting a domain that serves a TLS certificate may cause a certificate error, because the certificate presented by the redirect target will not match the requested name.
LAN
The LAN subtab allows operators to assign policies based on local subnets. This ensures that users on one network can have a different policy than users on another.
To configure a LAN policy:
- Click "+ New LAN".
- Select the WAN this LAN rule will apply to. By default, ALL WANs is selected, but you can specify a different combination if needed.
- Enter a LAN name (used in reporting and other configuration tabs).
- Set the IP range the rule will apply to.
Here are some valid examples:
192.168.3.0/24
10.10.0.1 /22
10.10.0.1 /20
172.16.0.0 /21
Yes, you can even specify individual IP addresses, allowing a single device to have its own policy. In this case, be sure to set a static IP or a DHCP reservation for that device.
Final Steps:
- Assign one of your existing policies to the LAN.
- Click "Save".
Now, LAN clients will follow the policy assigned to their LAN IP.
Testing the Relays
Before configuring local client devices to use the Relay, first test whether the Relay is accessible from each network you are setting up. Additionally, verify that it can resolve both public and local private DNS queries.
You can do this using simple nslookup commands.
For public DNS try:
nslookup test.verify.scoutdns.com (IP address of your relay host)
This is a test domain that only resolves through our service from a configured network. A successful answer verifies that the relay is returning responses from our service to the requesting device.
For local DNS try:
nslookup example.yourlocaldomain.corp (IP address of your relay host)
This verifies that the relay is properly handling local queries with your non-ScoutDNS local DNS service.
If both domains resolve correctly from all subnets, you are ready for the next step. Otherwise, you will need to ensure the Relay is online and that you can access/ping the relay host from all subnets.
If you have more than one Relay host, you should conduct tests with all relay host IPs to verify proper network access and resolution.
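The following script automates the nslookup checks above across every Relay host: it queries the public test domain and one local domain against each relay and reports which combinations fail. This is an added example, not ScoutDNS's own tooling; the local domain name is a placeholder you must replace, and relay IPs are passed as arguments.

```shell
#!/bin/sh
# Added example: verify ScoutDNS Relay hosts from a client subnet.
# Assumptions: relay IPs are given as arguments; LOCAL_TEST_DOMAIN is a
# hypothetical name in your internal zone (replace it with a real host).
PUBLIC_TEST_DOMAIN="test.verify.scoutdns.com"                          # from the guide
LOCAL_TEST_DOMAIN="${LOCAL_TEST_DOMAIN:-example.yourlocaldomain.corp}" # placeholder

# Print answer-section addresses from nslookup output read on stdin.
# The first "Address:" line names the server that was queried, so only
# "Address:" lines after "Name:" count; NXDOMAIN or a timeout prints nothing.
answer_addresses() {
  awk '/^Name:/ { in_answer = 1; next }
       in_answer && /^Address:/ { print $2 }'
}

# Return 0 if the relay answers the domain with at least one address.
relay_resolves() {
  domain=$1; relay=$2
  addrs=$(nslookup "$domain" "$relay" 2>/dev/null | answer_addresses)
  [ -n "$addrs" ]
}

# Check every relay for both the public test domain and the local one.
# Exit status is non-zero if any check failed.
check_relays() {
  rc=0
  for relay in "$@"; do
    for domain in "$PUBLIC_TEST_DOMAIN" "$LOCAL_TEST_DOMAIN"; do
      if relay_resolves "$domain" "$relay"; then
        echo "OK   $relay resolves $domain"
      else
        echo "FAIL $relay does not resolve $domain"
        rc=1
      fi
    done
  done
  return $rc
}

# Usage: sh relay-check.sh RELAY_IP [RELAY_IP ...]  (run once from each subnet)
if [ "$#" -gt 0 ]; then
  check_relays "$@"
fi
```

Run it from a client on each LAN you configured; a FAIL line for the public domain points at relay reachability or WAN registration, while a FAIL for the local domain points at a missing Local Forwarder entry.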
Pointing Local Clients to the Relay
Configure your DHCP server/service to distribute the previously tested Relay Host IP(s). You can assign multiple IPs from different ScoutDNS Relay services if you have more than one installed. Before deployment, be sure to test all Relay Hosts thoroughly.
Important Considerations:
- Do not mix different DNS server types for client devices. For example, you should not configure one IP as a Relay and another as a Domain Controller, ScoutDNS Anycast, or any other DNS service. Doing so will lead to inconsistent policy enforcement, and some queries may not be logged or protected.
- Testing is critical. Ensure the Relay can resolve both external and internal domains before deployment.
- Recommended best practice: Manually set the Relay as the DNS server for a few local client devices and test across all subnets before applying the configuration broadly.
Existing IP Leases
There is no way to force a DNS server change on existing client devices without restarting them or using a group policy object. For machines subject to group policy, you can execute a batch file that runs "ipconfig /renew". This will cause any client devices subject to group policy to renew their lease and pick up your relay host as their DNS server.
Out of Scope elements: We cannot provide support on local network configurations or host OS/network related issues. We cannot offer support on Windows domain controllers or DHCP configurations in Windows or other customer equipment. Please see the related vendor documentation for such setup and support.
In Scope elements: ScoutDNS offers support for the install and configuration of the Relay service on qualified hosts as well as support for the cloud-based GUI configuration.