<\/p>\n
Summary:<\/b> Learn how to use a free Windows PowerShell module to ease administration of Windows DNS.<\/p>\n
<\/p>\n
Microsoft Scripting Guy Ed Wilson here. I have been talking to Chris Dent for several months now, and I finally convinced him to write a guest blog for me. <\/p>\n
Guest blogger, Chris Dent, is with us today. Chris works as a systems and network engineer for a software developer in London. Chris is a PowerShell fanatic and a network and directory service specialist. Chris can often be found on the Virtual PowerShell Group<\/a> or Experts-Exchange. Chris is the author of DnsShell<\/a>. <\/p>\n <\/p>\n The majority of the cmdlets in DnsShell are wrappers around the WMI interface. The WMI interface tends to be fairly difficult to work with, or at least more difficult than it needs to be. For the most part this is due to the infamous Generic Error it returns whenever something goes wrong.<\/p>\n In addition to the WMI wrappers, DnsShell contains an interface for working with DNS via LDAP with decoders for the dnsProperty<\/b> and dnsRecord<\/b> attributes. <\/p>\n The final cmdlet, Get-Dns<\/b>, is a DNS resolver, designed to exceed the capabilities of nslookup<\/b> and to be comparable with Dig.<\/p>\n This post aims to explore some of the capabilities for DnsShell, based on the tasks I use it for on a regular basis.<\/p>\n <\/p>\n Get-DnsZone<\/b> can be used to return information about zones configured on a server. This cmdlet uses WMI to grab details of the zone. The parameters used with this cmdlet are used to build a WQL filter.<\/p>\n Zone<\/b> information can be returned from Active Directory<\/b> using Get-ADDnsZone<\/b>. By default, Get-ADDnsZone<\/b> targets the DomainDnsZones<\/b> application partition.<\/p>\n The information returned by this cmdlet differs slightly from Get-DnsRecord<\/b>, only showing detail stored in the dnsProperty<\/b> attribute.<\/p>\n The following examples demonstrate how Get-DnsRecord<\/b> can be used to pick up records configured on a server.<\/p>\n Get-ADDnsRecord<\/b> may also be used to retrieve record information. By its nature Get-ADDnsRecord<\/b> is limited to querying records stored in Active Directory-integrated zones.<\/p>\n Unlike Get-DnsRecord<\/b>, which offers a parameter to filter on RecordType<\/b>, Get-ADDnsRecord<\/b> is reliant on Where-Object<\/b>. This is used because there is no way to construct an LDAP Filter<\/b> to limit a search to specific record types as the record type is encoded as part of the dnsRecord<\/b> attribute. Wildcards or partial matches are not permissible for DnsRecord<\/b> as it is a Binary Large Object (BLOB).<\/p>\n The RecordType<\/b> field used above is defined in an Enumeration. The possible values can be seen with:<\/p>\n Using the following filter for Where-Object returns the same results, it is equivalent to the filter above:<\/p>\n Returning a DNS servers configuration is a simple task. The Get-DnsServer<\/b> cmdlets returns each of the configuration options available to MS DNS server.<\/p>\n New-DnsZone<\/b> uses the CreateZone<\/a> method from WMI, checking for a few potential errors along the way.<\/p>\n New-DnsRecord<\/b> is one of the most complex cmdlets in the module. It provides an abstract interface to the CreateInstanceFromPropertyData<\/b> method on each of the record classes. Many of the parameters accept pipeline input to further simplify usage.<\/p>\n On occasion it is nice to be able to create secondary zones for every Primary zone on another server.<\/p>\n A ForEach<\/b> (either ForEach<\/b> or ForEach-Object<\/b>) loop is not necessary to accomplish this, however it may be added if greater control over the process is required.<\/p>\n Strictly speaking, the ForEach-Object<\/b> loop is still not an absolute requirement in this example. Where-Object<\/b> can be used to filter down to zones that only do not exist on the Primary.<\/p>\n One common task is the addition of A and corresponding PTR records. To demonstrate this script a simple CSV file can be used.<\/p>\n The tricky part is adding the PTR records without having to manually define the Reverse Lookup Zone name. One possible way to deal with this is to send a DNS query; an approach is similar to that used by dynamic update, a query which attempts to find a server willing to accept an update.<\/p>\n In the example below, Get-Dns<\/b> is used to execute a query for the PTR record. The expected response is NXDOMAIN<\/b> (doesn’t exist), but that response will contain an Authority section including the server and zone name. That zone name can be used to make the new record.<\/p>\n Debugging name resolution under Microsoft Windows is typically limited to either nslookup or the client resolver (normally via ping). Get-Dns<\/b> is more comprehensive, capable of both simple and complex queries.<\/p>\n Note:<\/b> The examples below make extensive use of domain.example<\/b>. This should be replaced with a valid domain name, many of the examples will return nothing if taken literally.<\/p><\/blockquote>\n The following command performs a Zone Transfer, used when a Secondary server picks up a copy of the zone from a Primary Server. This operation should not be confused with replication of zone data when Active Directory-integrated zones are in use. This command requires access to TCP Port 53 on the server holding the zone (most DNS traffic uses UDP Port 53).<\/p>\n Tracing a request from root using an iterative query; used to verify the delegation chain, to test that DNS requests are directed to the correct servers. The initial servers (Root Hints) are taken from the locally configured DNS service.<\/p>\n NsSearch<\/b> can be used to check that all DNS servers for a domain name reply with the same (or intended) answer. If the answers are different clients may experience problems accessing a resource.<\/p>\n Get-Dns<\/b> returns all of the fields from a DNS packet by default; this makes the return value a complex nested object. Specific parts of the return value can be selected as demonstrated in the following examples.<\/p>\n <\/p>\n Chris, thank you for that interesting overview of how to use DnsShell. It is a cool module that illustrates a great way to leverage WMI functionality in Windows PowerShell.<\/p>\n I invite you to follow me on Twitter<\/a> or Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a> or post them on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n <\/p>\n Ed Wilson, Microsoft Scripting Guy<\/b> <\/p>\n","protected":false},"excerpt":{"rendered":" Summary: Learn how to use a free Windows PowerShell module to ease administration of Windows DNS. Microsoft Scripting Guy Ed Wilson here. I have been talking to Chris Dent for several months now, and I finally convinced him to write a guest blog for me. Guest blogger, Chris Dent, is with us today. […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[196,188,56,37,3,61,45],"class_list":["post-16721","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-chris-dent","tag-dns-server","tag-guest-blogger","tag-networking","tag-scripting-guy","tag-weekend-scripter","tag-windows-powershell"],"acf":[],"blog_post_summary":" Summary: Learn how to use a free Windows PowerShell module to ease administration of Windows DNS. Microsoft Scripting Guy Ed Wilson here. I have been talking to Chris Dent for several months now, and I finally convinced him to write a guest blog for me. Guest blogger, Chris Dent, is with us today. […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/16721","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=16721"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/16721\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=16721"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=16721"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=16721"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}What is DnsShell?<\/h2>\n
Basic tasks<\/h2>\n
Listing zones<\/h3>\n
\n
# All zones
Get-DnsZone
# Primary zones
Get-DnsZone -ZoneType Primary | Format-List<\/span><\/pre>\n<\/blockquote>\n\n
# Returning all zones in DomainDnsZoness (for the current domain)
Get-ADDnsZone
# Returning all zones from all partitions
Get-ADDnsPartition | Get-ADDnsZone<\/span><\/pre>\n<\/blockquote>\n <\/h3>\n
Listing records<\/h3>\n
\n
# Listing all records on the current server
Get-DnsRecord
# List A records in domain.example only
Get-DnsRecord -RecordType A -Zone domain.example
# List all static records on the server
Get-DnsRecord -Filter \"TimeStamp=0\"
# Name is a regular expression and can be used for simple or complex filters
Get-DnsRecord -Name '_tcp' -RecordType SRV<\/span><\/pre>\n<\/blockquote>\n\n
# All records in the DomainDnsZones partition
Get-ADDnsRecord
# All Service (SRV) records in all partitions
Get-ADDnsPartition | Get-ADDnsRecord | Where-Object { $_.RecordType -eq \"SRV\" }
# Name supports wildcards (used to build an LDAP filter)
Get-ADDnsRecord -Name \"_gc*\"
# List all records in a specific zone
Get-ADDnsZone domain.example | Get-ADDnsRecord<\/span><\/pre>\n<\/blockquote>\n\n
[Enum]::GetNames([DnsShell.RecordType])<\/span><\/pre>\n<\/blockquote>\n\n
# Get all records from AD (DomainDnsZones). Filter to Service Records
Get-ADDnsRecord | Where-Object { $_.RecordType -eq [DnsShell.RecordType]::SRV }<\/span><\/pre>\n<\/blockquote>\n <\/h3>\n
Returning server configuration<\/h3>\n
\n
# Ask for DNS Server settings from $ServerName
Get-DnsServer $ServerName<\/span><\/pre>\n<\/blockquote>\n <\/h3>\n
Creating zones<\/h3>\n
\n
# A new standard Primary forward lookup zone. Returns an object representing
# the new zone
New-DnsZone domain.example -ZoneType Primary -PassThru<\/span><\/pre>\n<\/blockquote>\n <\/h3>\n
Creating records<\/h3>\n
\n
# A new Host (A) record
New-DnsRecord -Name mail -RecordType A -Zone domain.example -IPAddress 1.2.3.4
# A new Mail Exchanger (MX) record
New-DnsRecord -RecordType MX -Zone domain.example '
-TargetName mail.domain.example -Preference 10<\/span><\/pre>\n<\/blockquote>\n <\/h2>\n
Advanced tasks<\/h2>\n
Automating secondary zone setup<\/h3>\n
\n
# Alternate credentials for this operation
$Credential = Get-Credential
# The Primary server name (used to access WMI) and the
# IP address $SecondaryServer will use to access the Primary
$PrimaryServer = \"ThePrimaryServer\"; $PrimaryIP = \"1.2.3.4\"
# A secondary server name (used to access WMI)
$SecondaryServer = \"TheSecondaryServer\"
# Get all Primary Forward Lookup Zones from $PrimaryServer and create a
# corresponding Secondary zone on $SecondaryServer
Get-DnsZone -ZoneType Primary -Filter \"Reverse=$False\" '
-Server $PrimaryServer -Credential $Credential |
New-DnsZone -ZoneType Secondary -MasterServer $PrimaryIP '
-Server $SecondaryServer -PassThru<\/span><\/pre>\n<\/blockquote>\n\n
Get-DnsZone -ZoneType Primary -Filter \"Reverse=$False\" '
\n -Server $PrimaryServer -Credential $Credential |\n\tForEach-Object {
\n\t
\n # See if the zone exists on $SecondaryServer first
\n If (!(Get-DnsZone $_.Name -Server $SecondaryServer)) {
\n # If it does not (!), create the zone
\n New-DnsZone $_.Name -ZoneType Secondary -MasterServer\n\t$PrimaryIP '
\n -Server $SecondaryServer -PassThru
\n }
\n\t}<\/span><\/pre>\n<\/blockquote>\n <\/h3>\n
Adding A and PTR records from a CSV file<\/h3>\n
\n
Name,IPAddress
www,192.168.1.1
ftp,192.168.1.2
mail,192.168.1.3<\/span><\/pre>\n<\/blockquote>\n\n
$ServerName = \"TheServer\"
$ForwardLookupZone = \"domain.example\"
Import-Csv Records.csv | ForEach-Object {
# Create the record in the Forward Lookup Zone
New-DnsRecord -Name $_.Name -IPAddress $_.IPAddress '
-Zone $ForwardLookupZone -Type A -Server $ServerName
# Find the name of the reverse lookup zone
$ReverseLookupZone = (Get-Dns $_.IPAddress -RecordType PTR '
-Server $ServerName).Authority[0].Name
# Create the record in the Reverse Lookup Zone
New-DnsRecord -Name $_.IPAddress -Hostname \"$($_.Name).$ForwardLookupZone\" '
-Zone $ReverseLookupZone -Type PTR -Server $ServerName
}<\/span><\/pre>\n<\/blockquote>\n <\/h3>\n
Debugging name resolution with Get-Dns<\/h3>\n
\n
# Equivalent of nslookup using ls -d domain.example
Get-Dns domain.example -Transfer
# Or
Get-Dns domain.example axfr<\/span><\/pre>\n<\/blockquote>\n\n
# Performs a search for the record from the Root DNS servers (display all hops)
# Equivalent of dig domain.example +trace
Get-Dns domain.example -Iterative<\/span><\/pre>\n<\/blockquote>\n\n
# Returns the A record for domain.example from all authoritative name servers
# Equivalent for dig domain.example a +nssearch
Get-Dns domain.example -RecordType A -NsSearch<\/span><\/pre>\n<\/blockquote>\n\n
# Expanding the answer
Get-Dns www.domain.example a -NsSearch | Select-Object -ExpandProperty Answer
# If only one response is returned
(Get-Dns www.domain.example a).Answer
# Just the Header
Get-Dns domain.example | Select-Object -ExpandProperty Header
# Question, Answer, Authority and Additional are always arrays. An element number
# must be used when accessing fields even if only one item exists.
(Get-Dns www.domain.example a).Question[0].Name
(Get-Dns www.domain.example a).Question.Count
(Get-Dns www.domain.example a).Question.GetType()
# Answer and Flags
Get-Dns domain.example | Select-Object Answer, @{n='Flags';e={ $_.Header.Flags }}
# The server, status code (RCode) and time taken (in milliseconds) for
# an Iterative query
Get-Dns domain.exmaple -Iterative | Select-Object Server, TimeTaken,
@{n='RCode';e={ $_.Header.RCode }}<\/span><\/pre>\n<\/blockquote>\n