Introduction

DNSDB Scout is a Graphical User Interface (GUI) for the DNSDB API that runs in a web browser. DNSDB Scout implements all of the features exposed by the DNSDB API and provides a dashboard-like experience that will be recognizable to most users. DNSDB Scout Export is a version of Scout intended for installation and use locally by DNSDB Export customers.

This installation guide is a supplement to the README file provided with a DNSDB Scout Export tarball (“package”). It will help you configure a DNSDB Scout deployment for use with an existing DNSDB Export instance; it will help you make requests to your private DNSDB API. It will provide step-by-step instructions for configuring a customized installation and webserver to make the tool accessible to a network on a Red Hat Enterprise Edition (RHEL) 7.9 or CentOS 7.9 system.

DNSDB Scout Export is implemented as a self-hosted website served by an NGINX webserver. The package contains the necessary HTML, minified Javascript and CSS files, and a shell script that can customize Export-specific variables in the Javascript. A deployed DNSDB Scout will issue DNSDB API queries to the DNSDB API server you will configure below in the “Customizations” section.

Audience

This document is intended for system administrators responsible for the administration of a DNSDB Scout installation for use with a DNSDB Export instance. Unless otherwise specified, all commands are run as root. Please contact support@farsightsecurity.com if you have any issues installing and configuring DNSDB Scout.

Preparation for installing DNSDB Scout

You will need to aquire the DNSDB Scout Export package provided directly by Farsight. DNSDB Scout Export is not publicly published, and is proprietary software. Use of DNSDB Scout is governed by the License Agreement between you, your organization, and Farsight.

Server configuration and setup

These instructions have been written for use on RHEL/CentOS 7.9. The specific installation package used for our testing was: CentOS-7-x86_64-DVD-2009.iso. The file name includes the major version number of the release, which is 7. Please make sure you’re using this major version release for this installation.

These instructions assume your server has access to a package repository to load necessary software and updates via rpm or yum.

Server accounts

These instructions assume the ownership of web content under the default NGINX user; nginx is normally the default and is usually available on RHEL/CentOS systems when NGINX is installed. If your server and NGINX configuration is different then supplement the nginx account for your preferred user and group.

A Note About Shells

The bash shell is the default shell and the installation scripts assume its use. If you are using an alternative shell, such as csh or sh, some of the commands might fail, so we recommend installing (if needed) and using bash for the installation.

This installation is written assuming the commands are run as the root user (via su root or logging in as root) as designated by the # prompt.

Enable other repositories

Install and enable the epel repository so yum can find additional components past what are in the base RHEL and CentOS repositories:

# yum install -y epel-release

Choose a hostname

Please carefully consider what hostname you would like to use for accessing your DNSDB Scout deployment. As an example, Farsight has https://scout.dnsdb.info/.

It is strongly recommended that you generate an SSL certificate for your host.

You may need to configure DNS or /etc/hosts on your client systems to point them at your server depending on whether or not you selectively publish access to this server outside your network.

Further instructions will use the $HOSTNAME environment variable as part of their configuration.

# export HOSTNAME=scout.mydomain.com

Installing NGINX

We’ll use yum to download and install NGINX and its dependencies.

# yum install -y nginx

Configuring NGINX

The NGINX server configuration is stored in /etc/nginx and starts with nginx.conf. There’s a subdirectory called conf.d in which additional servers can be added. We’ll create a new NGINX configuration for a DNSDB Scout deployment in /etc/nginx/conf.d/dnsdb_scout.conf.

# cat >/etc/nginx/conf.d/dnsdb_scout.conf << EOF
server {
    listen 80;
    listen [::]:80;
    server_name _;
    return 301 https://$HOSTNAME\$request_uri;
}
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $HOSTNAME;

    #NGINX logs use /var/log/nginx by default; can be changed.
    access_log /var/log/nginx/access.scout.log;
    error_log /var/log/nginx/error.scout.log;

    #This can be changed; be sure it reflects later steps.
    root /usr/share/nginx/dnsdb_scout;

    index dashboard.html; #The top level page of DNSDB Scout, "Dashboard".

    try_files \$uri/index.html \$uri.html \$uri/ \$uri =404;

    location ~* \.(html|jpg|jpeg|png|gif|ico|css|js)\$ {
      expires 1d;
    }

    location / {
      if (\$request_method = 'OPTIONS') {
        add_header Content-Length 0;
        add_header Content-Type text/plain;
        return 200;
      }
    }

    #Very simple SSL configuration. More modern features
    #can be enabled/changed depending on your NGINX version.
    ssl_certificate /etc/ssl/certs/nginx-cert.crt;
    ssl_certificate_key /etc/ssl/private/nginx-key.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF

Note: If you create the above file without using the cat command, the file on disk must not contain the backslashes near the $’s. The backslashes are to keep your shell from substituting $VARIABLE during the cat.

Important: This NGINX configuration uses TLS, you must install a valid TLS certificate or create a self-signed TLS certificate for NGINX to start properly. If you need a self-signed cert, use /etc/ssl/certs/Makefile.

Recommended: Remove or comment out the default server block declaration in /etc/nginx/nginx.conf to prevent a duplicate server_name declarations and warnings. The server block to modify is located on lines 38 to 57, like so:

# less -N /etc/nginx/nginx.conf:
...
38 #    server {
39 #        listen       80 default_server;
40 #        listen       [::]:80 default_server;
41 #        server_name  _;
42 #        root         /usr/share/nginx/html;
43 #
44 #        # Load configuration files for the default server block.
45 #        include /etc/nginx/default.d/*.conf;
46 #
47 #        location / {
48 #        }
49 #
50 #        error_page 404 /404.html;
51 #        location = /404.html {
52 #        }
53 #
54 #        error_page 500 502 503 504 /50x.html;
55 #        location = /50x.html {
56 #        }
57 #    }
...

Considering that you are about to start the web server, now is an excellent time to consider how to modify the system firewall to allow access to your server. A reminder that Farsight requires that you not make your system widely available on the Internet. At least disallow public access and allow access from your own network only. Look at packages like ferm or iptables-persistent for long-term management of firewall rules. For testing, you’ll be using your localhost access which permits everything. If you have a client on a nearby network (for example, 10.10.10.2) that you want to test with, you’ll need to add a temporary firewall rule.

# iptables -I INPUT -s 10.10.10.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
# iptables -I INPUT -s 10.10.10.0/24 -p tcp -m tcp --dport 443 -j ACCEPT

Starting NGINX

Start the nginx server and see if it works:

# systemctl daemon-reload
# systemctl start nginx
# systemctl status nginx

If nginx was already started then you should reload the current configuration:

# systemctl reload nginx

If the status of nginx appears ok then enable it to start upon boot:

# systemctl enable nginx

Server Security

Farsight requires that you not make your system widely available on the Internet. Please consult with Farsight’s sales and support teams on how to properly configure your access and firewall systems for this server. DNSDB systems are often online but with limited access to their ports (for instance: ssh or https) to localhost or their organization’s networks only, or placed behind firewalls.

Installing DNSDB Scout

Typically, the installation of NGINX creates /usr/share/nginx, which is an acceptable location for web assets. /srv or /var/www are also acceptable locations. This guide will be using /usr/share/nginx since it’s a known default and it reflects the “root” directory of the NGINX configuration, above.

Extract the contents of the DNSDB Scout package acquired from Farsight.

# tar -xzf dnsdb_scout_export_v2.1.4.tar.gz

At this point you may customize your DNSDB Scout Deployment. Refer to the “Customizing a DNSDB Scout Deployment” section, below, for details.

Copy the extracted (or customized) dnsdb_scout directory to /usr/share/nginx. This directory should correspond with the NGINX server “root” directory.

# cp -r dnsdb_scout_export_v2.1.4/dnsdb_scout/ /usr/share/nginx/

Finally, change the user/group of the dnsdb_scout directory to the one used by NGINX. By default, this is nginx.

# chown -R nginx:nginx /usr/share/nginx/dnsdb_scout

Customizing a DNSDB Scout Deployment

Within the DNSDB Scout package provided by Farsight is a customization script. Run the script to add the following customizations to your DNSDB Scout deployment and to overwrite an existing customization file.

# cd dnsdb_scout_export_v2.1.4
# chmod +x customize.sh
# ./customize.sh

Upon running the script you will be prompted for the following customizations, all of which are optional and are visible to anyone with access to the DNSDB Scout deployment:

https://www.farsightsecurity.com/about-farsight-security/contacts/?referrer=Scout

https://www.farsightsecurity.com/assets/media/download/dnsdb-scout-introductory-guide.pdf?referrer=Scout

<div class='ui header'>Welcome to DNSDB Export and DNSDB Scout!</div>
<p>It looks like this is your first time using DNSDB Scout and you don't have
an API Key set yet.</p><p>You'll want to set an API Key on the
<a href='options.html'>Settings</a> page before making DNSDB Queries.</p>
<p>This instance of DNSDB Scout may be pre-configured with settings to use a
specific DNSDB Export server - please consult the operator for details.</p>

Default MOTD

Running the customization script from an extracted DNSDB Scout Export tarball directory will save changes to ./dnsdb_scout/export_customizations.json. You can use your text editor of choice to modify the customizations file, however, running the customization script again will overwrite the file entirely. Please ensure futher modifications to the export_customizations.json file follow standard JSON formatting and syntax otherwise the customizations will be ignored.

Testing NGINX and DNSDB Scout

You will need to use the SSL server name you used in the /etc/nginx/conf.d/dnsdb_scout.conf file. If you don’t have a public address for it yet, consider adding your HOSTNAME to the /etc/hosts file:

# echo 127.0.0.1 $HOSTNAME >>/etc/hosts

You’ll see an NGINX process listening to port 80 and 443 and can access it from the server itself. Tools like telnet may be useful for debugging.

# ps awwx | grep nginx
# ss -antp | grep nginx

Let’s try accessing the server via HTTPS using its server name:

# curl -sk https://$HOSTNAME/ | head -7

If successful you should see the top of the DNSDB Scout Dashboard HTML page, like so:

<!DOCTYPE html>
<!--
	Description: Farsight DNSDB Scout® Dashboard
	Author: Farsight Security, Inc.
	Copyright: 2021 Farsight Security. All Rights Reserved.
	License: Unlicensed, Proprietary
-->

If not, check systemctl status nginx and see if there were any typos or other configuration issues.

If everything to this point is working correctly, you should now be able to open DNSDB Scout in a web browser from a computer with access to this host and perform DNSDB queries against your DNSDB API installation.

About Farsight Security

Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.