ScoutDNS provides device agents for organizations that wish to protect devices with DNS-layer security both on and off the network. The ScoutDNS device agent is an extremely lightweight application, best installed on managed devices where administrative access is required to start and stop services or remove software. The device agent performs essential tasks to keep devices protected wherever they are used, including home networks, coffee shops, hotels, and more.
The ScoutDNS device agent offers several key benefits:
Zero-Touch Silent Installs: Dynamically generated install files link profiles to embedded keys, eliminating the need for extra inputs during deployment.
Encrypted DNS: ScoutDNS device agents utilize DNS-over-HTTPS (DoH) to encrypt all DNS traffic from the device to our cloud service using port 443.
On and Off-Network Protection: The device agent provides roaming client support to protect devices even when they are off secure corporate networks.
User-Level/Granular Reporting: With the device agent installed, operators gain in-depth device and user-level reporting.
Dynamic Policy: Using profiles, operators can group users into specific categories for tracking and policy enforcement. Dynamic policies allow devices to apply different policies based on their location and whether they are on or off the network.
The device agent consists of two services: the Device Agent and the Device Agent Updater.
Device Agent:
On startup, including during any network changes, the device agent records the existing network DNS servers and any joined domains. This information is used to properly handle local queries, including those intended for local domains.
The device agent checks for connectivity to the ScoutDNS service. If the service is reachable, it binds to 127.0.0.1:53 for IPv4 and ::1 for IPv6 on the installed device.
If the ScoutDNS network cannot be reached, the device agent fails open and restores the DNS settings to the originally assigned network DNS servers. It continuously monitors for service availability and switches DNS settings back to the ScoutDNS network once the service is restored.
The device agent constantly monitors network, user, and device changes, adjusting settings accordingly. It always fails open in case of any connection issues with the ScoutDNS network.
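Because the agent fails open, a device can drop back to unfiltered network DNS without any visible error. The following check is an added example, not ScoutDNS code: it classifies a device's DNS state from its configured resolvers and a probe of the loopback listener. It assumes the agent points system DNS at 127.0.0.1 / ::1 while enforcing; the function names and state labels are hypothetical.

```python
import ipaddress
import socket
import struct

TXID = 0x5D4E  # arbitrary transaction ID for the probe

def build_query(name, txid=TXID):
    """Encode a minimal DNS A/IN query (RFC 1035) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def is_matching_response(packet, txid=TXID):
    """True if packet is a DNS response (QR bit set) carrying our transaction ID."""
    if len(packet) < 12:
        return False
    rid, flags = struct.unpack("!HH", packet[:4])
    return rid == txid and bool(flags & 0x8000)

def listener_answers(host="127.0.0.1", port=53, name="example.com", timeout=2.0):
    """Send one UDP query to the loopback listener; False on timeout or refusal."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name), (host, port))
            data, _ = s.recvfrom(512)
    except OSError:
        return False
    return is_matching_response(data)

def classify(resolvers, listener_up):
    """Map configured resolver IPs plus probe result to an enforcement state."""
    loop = [ipaddress.ip_address(r).is_loopback for r in resolvers]
    if not any(loop):
        return "not-enforcing"   # network-assigned DNS: failed open or agent stopped
    if not all(loop):
        return "mixed"           # some queries can bypass the local listener
    return "enforcing" if listener_up else "stale"  # stale: loopback set, no answer

if __name__ == "__main__":
    # Constructed resolver list; on a real host take it from
    # Get-DnsClientServerAddress (Windows) or `scutil --dns` (macOS).
    configured = ["127.0.0.1", "::1"]
    print(classify(configured, listener_answers()))
```

A device that reports "not-enforcing" for longer than a brief outage is worth correlating with its Status and Last Sync values in the Manage Clients view.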
Device Agent Updater:
This service operates separately to ensure the ScoutDNS device agent remains up to date with the latest features and security updates.
When an update is detected, the updater creates a backup of the existing instance before downloading and installing the update.
Updates occur seamlessly in the background within seconds, without user interruption.
If, after an update, the device agent is unable to connect to the ScoutDNS network, the updater automatically rolls back to the last working version.
The ScoutDNS device agent is fully configured through the ScoutDNS UI. Setting up device agents involves two main steps:
Configure Profiles
Install the Device Agent on Clients
Profiles in ScoutDNS link policies to groups of client devices. In the profile settings, operators can configure how devices assigned to a profile adopt specific policies. You will need to create a profile and set a default policy.
Profile Name: Assign a name that fits the group of client devices or users, such as "Sales Team," "Office Staff," or "Engineers."
Default Policy: The fallback policy that any device will use unless additional profile and policy settings apply.
Profile Description: A description of the profile's purpose for internal reference.
Block Page: Select the block page template you want to apply to this group of devices.
Enable User Policies: Allows Active Directory-based policies to override the default profile policy for matching groups configured in Personas.
Dynamic Policy: When enabled, operators can set policies based on the location of the client device.
You can assign a specific policy or allow the device to inherit site/network-based rules for any ScoutDNS-configured network the client connects to.
A different policy can also be assigned for offsite/roaming devices.
Sites are determined based on configured ScoutDNS sites and networks.
You can use multiple profiles to assign policies to groups of devices based on different user types. This approach works well when users are assigned specific devices. Where possible, another option is to create fewer profiles and rely on policy decisions based on Active Directory groups configured in the Users tab using Personas.
By default, Scout360 records the local resolvers discovered at each network join and automatically forwards requests in the following instances:
Local designated domains, such as .local, along with local reverse lookups.
Assigned domains, such as those assigned to devices joined to an Active Directory server.
In some cases, operators may require greater control over local forwarding. When needed, they can use the Local Forwarding tab within the profile to configure custom forwarding settings.
You can designate local forward zones in the profile and configure how queries are handled. To create a new local forward zone, set the following options:
Domain: Enter the domain for which you want to forward requests.
Resolvers set to Auto: In Auto mode, the Scout360 agent will first attempt to forward requests to the discovered local resolvers. If the local resolvers fail to respond, requests are sent out via the WAN to the ScoutDNS resolver network.
Resolvers set to Specific IPs: You can enter a list of dedicated resolver IPs. In this mode, the Scout360 agent will forward requests only to these IPs in order. If these resolvers fail, the requests will be sent out via the WAN to the ScoutDNS resolver network.
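The resolver order described for the two modes can be modelled as follows. This is an added example, not ScoutDNS code, and it shows when a query for an internal name ends up at the WAN fallback. Assumptions: zones match on label boundaries, the most specific zone wins, and `scoutdns-wan`, the sample zones and the IPs are constructed placeholders.

```python
WAN = "scoutdns-wan"  # stand-in label for the ScoutDNS resolver network

def zone_matches(qname, zone):
    """True if qname is the zone or a subdomain of it, matched on a label boundary."""
    q, z = qname.rstrip(".").lower(), zone.strip(".").lower()
    return q == z or q.endswith("." + z)

def resolver_order(qname, zones, discovered):
    """Ordered hops for qname. zones maps a domain to "auto" or a list of IPs."""
    hits = [z for z in zones if zone_matches(qname, z)]
    if not hits:
        return [WAN]                       # not a local forward zone
    mode = zones[max(hits, key=len)]       # assumption: most specific zone wins
    hops = list(discovered) if mode == "auto" else list(mode)
    return hops + [WAN]                    # both modes end at the WAN fallback

def resolve(qname, zones, discovered, send):
    """Try each hop in order; send(hop, qname) returns an answer or None on failure.

    Returns (answer, hop_that_answered, hops_tried).
    """
    tried = []
    for hop in resolver_order(qname, zones, discovered):
        tried.append(hop)
        answer = send(hop, qname)
        if answer is not None:
            return answer, hop, tried
    return None, None, tried

# Constructed sample profile and network state.
ZONES = {"corp.example": "auto", "lab.corp.example": ["10.20.0.53", "10.20.0.54"]}
DISCOVERED = ["192.168.1.1"]

def fake_send(up):
    """Build a send() where only hops in `up` respond (constructed test double)."""
    return lambda hop, qname: f"answer-from-{hop}" if hop in up else None

if __name__ == "__main__":
    for name in ("intranet.corp.example", "build.lab.corp.example", "notcorp.example"):
        print(name, "->", resolver_order(name, ZONES, DISCOVERED))
    # Local resolvers down: the internal name is answered by the WAN hop.
    print(resolve("intranet.corp.example", ZONES, DISCOVERED, fake_send({WAN})))
```

The last call shows the case to keep in mind when defining zones: with the local resolvers unreachable, the query for the internal name is sent to the WAN hop.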
To streamline the deployment of device agents, install files are generated dynamically from the profile, with install keys embedded in the install file or packaged according to operator settings.
Platform: Windows or macOS.
Architecture:
Windows: x86 (32-bit) or x64 (64-bit).
macOS: x86 (32-bit) or ARM (M-series chips).
Duration: Defines how long the install key remains active for auto-registration into the profile.
Installs: Sets the maximum number of registrations allowed with this key.
Save the key settings and click "Download" to retrieve the install file.
ScoutDNS generates an .msi file for installation on Windows 10 and 11. This file can be executed at the machine level or deployed via Active Directory using Group Policy Objects (GPOs).
Since no command-line options, keys, or tags are required, simply upload the .msi file to a network share and assign it to the desired GPO. Some administrators may choose to hide the application from the Add/Remove Programs list on workstations.
Alternatively, for installations on a small number of machines, you can copy the file via a network share or USB stick. It is recommended to install as a machine administrator to prevent regular users from stopping the service.
Once the client is installed, it will check in with the client API service to register and associate with the correct profile. You will see all registered clients in the Manage Clients view. You can filter this view based on All, Online, or Offline clients, as well as whether clients are on-site or off-site. Additionally, you can filter clients by a specific profile.
OS: The operating system the device is running.
Client Name: The name assigned to the client. By default, this is the hostname, but a custom name can be set in the Manage Client detail section.
User: The most recently logged-in user.
Status: The most recent status based on the latest sync.
Last Sync: The last time the device agent checked in.
Profile: The assigned device profile.
Version: The current device agent version.
WAN: The last known WAN IP address.
LAN: The last known LAN IP address.
Site: The last known site, determined from your ScoutDNS managed sites.
Policy: The most recent policy governing the device.
Name: A custom name for the client that may be easier to identify in other views. This only affects the name within ScoutDNS and does not alter the hostname.
Host Name: The hostname assigned to the device.
Full Host Name: The fully qualified hostname, including the network domain if the device is a member of one.
Profile: Displays the current profile. You can move the device into a new profile here.
Policy: Shows the current policy. Operators can select a device-level policy that overrides the profile policy settings.
Last Sync: The last date and time the device was seen by ScoutDNS.
Status: Displays the current device status.
WAN IP: Last known WAN IP.
LAN IP: Last known LAN IP.
Username: Last logged-in user of the device.
Site: Last known site of the device.
Domain: The network domain the device is registered on.