Browse Admin Console
- Application categories (Zero Trust app management)
- Active Directory group policies
- Content categories
- Custom block pages
- Don't mix DNS providers
- Prevent DNS bypass
- Safe Search explained
- Safe Search supported search engines
- Security categories
- Working with policies
- Working with allow and block lists
- YouTube Restricted Mode explained
Tracking individual users
What visibility ScoutDNS offers at each deployment level: WAN forwarding shows only WAN IP, the Relay shows LAN IP, and the roaming agent is the only path to per-user reporting.
The level of user-level visibility ScoutDNS can provide depends on how queries reach the service. Each deployment method exposes different identifiers in the activity log.
| Deployment | Per-query identifier | Granularity |
|---|---|---|
| WAN forwarding | WAN IP only | Whole network, no way to distinguish users or devices behind the firewall |
| LAN Relay | LAN IP | Per-device, but not per-user (unless multiple users share a device, you’ll see them as one) |
| Roaming agent | Hostname + signed-in username | Per-user reporting, on and off the corporate network |
Per-user reporting requires the agent
If you need to identify which user generated which query, the only path is the ScoutDNS roaming agent. The agent reports the device hostname and the currently signed-in user with each query.
For role-based filtering (different policies per user/group), pair the agent with Active Directory or Entra ID Personas.
Why the Relay doesn’t track users
The Relay sees source IP at the LAN layer, not who’s logged into that device. Two users on the same workstation produce queries with the same LAN IP. The Relay does, however, give you per-device visibility, which is enough for most operational use cases (find the device responsible, then investigate locally).
Why WAN forwarding can’t track individual devices
In WAN-forwarding mode, every query arrives at ScoutDNS from your single egress WAN IP. By the time the query reaches us, NAT has hidden every LAN-side identifier. There’s no way to retroactively attribute queries to a specific user or device.