Document Details

Dns Traffic Log How To
Home / Scan 2 / Dns Traffic Log How To
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Bias Types:
⚠️ powershell_heavy
⚠️ windows_first
⚠️ missing_linux_example
⚠️ windows_tools
Summary:
The documentation page demonstrates a strong Windows bias. All automation and scripting examples are provided exclusively in PowerShell, with no equivalent Azure CLI, Bash, or Linux-native instructions. The PowerShell tab is the only programmatic method shown, and all command-line examples (including DNS query tests) use Windows paths and tools. There are no Linux-specific instructions, nor are Linux tools or workflows mentioned. The documentation assumes a Windows environment for scripting and management, leaving Linux users without clear guidance.
Recommendations:
  • Add Azure CLI and/or Bash examples for all resource creation, configuration, and management steps, ensuring parity with PowerShell instructions.
  • Include Linux-native command-line examples (e.g., using dig or nslookup from a Bash shell) for DNS query and testing sections.
  • When referencing file paths or environment variables, provide both Windows and Linux equivalents (e.g., C:\bin\PSRepo vs. ~/bin/PSRepo).
  • Explicitly mention that the instructions apply to both Windows and Linux environments, and provide guidance for each where workflows differ.
  • Consider adding a 'Linux' or 'Azure CLI' tab alongside the existing 'PowerShell' and 'Portal' tabs for all relevant sections.
  • Reference cross-platform tools and patterns (such as Azure Cloud Shell, which supports both Bash and PowerShell) earlier and more prominently.
GitHub Create pull request

Scan History

Date Scan ID Status Bias Status
2025-08-17 00:01 #83 in_progress ✅ Clean
2025-07-13 21:37 #48 completed ❌ Biased
2025-07-09 13:09 #3 cancelled ✅ Clean
2025-07-08 04:23 #2 cancelled ❌ Biased

Flagged Code Snippets

C:\>dig db.sec.contoso.com +short 10.0.1.2
C:\>dig db.sec.contoso.com ; <<>> DiG 9.9.2-P1 <<>> db.sec.contoso.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24053 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
################################ # Update DNS security policy ################################ Write-Host "Updating DNS resolver policy" $resolverPolicy = Update-AzDnsResolverPolicy -ResourceGroupName $resourceGroupName -Name $resolverPolicyName -Tag @{"key0" = "value0"} Write-Host $resolverPolicy.ToJsonString() Write-Host "Updating DNS resolver policy virtual network link" $link = Update-AzDnsResolverPolicyVirtualNetworkLink -ResourceGroupName $resourceGroupName -DnsResolverPolicyName $resolverPolicyName -Name $resolverPolicyLinkName -Tag @{"key1" = "value1"} Write-Host $link.ToJsonString() $log = New-AzDiagnosticSettingLogSettingsObject -Enabled $false -Category DnsResponse Write-Host "Updating diagnostic setting by disabling log category" $diagnosticSetting = New-AzDiagnosticSetting -Name $diagnosticSettingName -ResourceId $resolverPolicy.id -Log $log -StorageAccountId $storageAccount.id Write-Host $diagnosticSetting.ToJsonString() Write-Host "Updating domain list" $domainList = Update-AzDnsResolverDomainList -ResourceGroupName $resourceGroupName -Name $domainListName -Tag @{"key2" = "value2"} Write-Host $domainList.ToJsonString() Write-Host "Updating DNS security policy rule" $rule = Update-AzDnsResolverPolicyDnsSecurityRule -ResourceGroupName $resourceGroupName -Name $securityRuleName -DnsResolverDomainList @{id = $domainList.Id;} -DnsResolverPolicyName $resolverPolicyName Write-Host $rule.ToJsonString()
################################ # Get DNS security policy ################################ Write-Host "Getting DNS resolver policy" $resolverPolicy = Get-AzDnsResolverPolicy -ResourceGroupName $resourceGroupName -Name $resolverPolicyName Write-Host $resolverPolicy.ToJsonString() Write-Host "Getting DNS resolver policy virtual network link" $link = Get-AzDnsResolverPolicyVirtualNetworkLink -ResourceGroupName $resourceGroupName -DnsResolverPolicyName $resolverPolicyName -Name $resolverPolicyLinkName Write-Host $link.ToJsonString() Write-Host "Getting diagnostic setting" $diagnosticSetting = Get-AzDiagnosticSetting -ResourceId $resolverPolicy.id Write-Host $diagnosticSetting.ToJsonString() Write-Host "Getting domain list" $domainList = Get-AzDnsResolverDomainList -ResourceGroupName $resourceGroupName -Name $domainListName Write-Host $rule.ToJsonString() Write-Host "Getting DNS security policy rule" $rule = Get-AzDnsResolverPolicyDnsSecurityRule -ResourceGroupName $resourceGroupName -Name $securityRuleName -DnsResolverPolicyName $resolverPolicyName Write-Host $rule.ToJsonString()
Resolve-DnsName -Name contoso.com -Type NS
# Register the repository Register-PSRepository -Name LocalPSRepo -SourceLocation 'C:\bin\PSRepo' -ScriptSourceLocation 'C:\bin\PSRepo' -InstallationPolicy Trusted # Install the Az.DnsResolver module Install-Module -Name Az.DnsResolver -RequiredVersion 0.2.6 -SkipPublisherCheck # If you already installed Az.DnsResolver, update your version to 0.2.6 Update-Module -Name Az.DnsResolver # Confirm that the Az.DnsResolver module was installed properly Get-InstalledModule -Name Az.DnsResolver
# Connect PowerShell to Azure cloud Connect-AzAccount -Environment AzureCloud # Set your default subscription Select-AzSubscription -SubscriptionObject (Get-AzSubscription -SubscriptionId <your-sub-id>)
$ErrorActionPreference = "Stop" ################################################################ # Configure resource names and locations ################################################################ $resourceNumber = 1 # Customize this if needed $region = "centralus" # Change this region to your preference if ($env:username) {$name = "$($env:username)"} else {$name = "$($env:USER)"} # The environment variable is different in Cloud Shell vs local PowerShell $nameSuffix = "test-$($region)-$($name)-resolverpolicytest$($resourceNumber)-test" $resourceGroupName = "rg-$($nameSuffix)" $virtualNetworkName = "vnet-$($nameSuffix)" $resolverPolicyName = "dnsresolverpolicy-$($nameSuffix)" $domainListName = "domainlist-$($nameSuffix)" $securityRuleName = "securityrule-$($nameSuffix)" $resolverPolicyLinkName = "dnsresolverpolicylink" $storageAccountName = "stor$($name.ToLower())" # Customize this, taking care that the name is not too long $storageAccountName = $storageAccountName.Substring(0, [Math]::Min(24, $storageAccountName.Length)) # Storage account names must be 3-24 characters long $diagnosticSettingName = "diagnosticsetting-$($nameSuffix)" $vnetId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Network/virtualNetworks/$virtualNetworkName" ################################################################ # Create resource group, virtual network, and storage account ################################################################ Write-Host "Creating resource group" $rg = New-AzResourceGroup -Name $resourceGroupName -Location $region Write-Host ($rg | ConvertTo-Json -Depth 64) Write-Host "Creating virtual network" $defaultSubnet = New-AzVirtualNetworkSubnetConfig -Name "default" -AddressPrefix "10.$resourceNumber.0.0/24" $vnet = New-AzVirtualNetwork -Name $virtualNetworkName -ResourceGroupName $resourceGroupName -Location $region -AddressPrefix "10.$resourceNumber.0.0/16" -Subnet $defaultSubnet Write-Host ($vnet | ConvertTo-Json -Depth 64) Write-Host "Creating storage account" $storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -Location $region -SkuName Standard_GRS Write-Host $storageAccount.ToString() ################################ # Create DNS security policy ################################ Write-Host "Creating DNS resolver policy" $resolverPolicy = New-AzDnsResolverPolicy -Location $region -ResourceGroupName $resourceGroupName -Name $resolverPolicyName Write-Host $resolverPolicy.ToJsonString() Write-Host "Creating DNS resolver policy virtual network link" $link = New-AzDnsResolverPolicyVirtualNetworkLink -Location $region -ResourceGroupName $resourceGroupName -DnsResolverPolicyName $resolverPolicyName -Name $resolverPolicyLinkName -VirtualNetworkId $vnetId Write-Host $link.ToJsonString() $log = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category DnsResponse Write-Host "Creating diagnostic setting" $diagnosticSetting = New-AzDiagnosticSetting -Name $diagnosticSettingName -ResourceId $resolverPolicy.id -Log $log -StorageAccountId $storageAccount.id Write-Host $diagnosticSetting.ToJsonString() Write-Host "Creating domain list" $domainList = New-AzDnsResolverDomainList -Location $region -ResourceGroupName $resourceGroupName -Name $domainListName -Domain @("contoso.com.", "adatum.com.") Write-Host $domainList.ToJsonString() Write-Host "Creating DNS security policy rule" $rule = New-AzDnsResolverPolicyDnsSecurityRule -ResourceGroupName $resourceGroupName -Name $securityRuleName -DnsResolverDomainList @{id = $domainList.Id;} -DnsSecurityRuleState "Enabled" -ActionType "Block" -ActionBlockResponseCode "SERVFAIL" -Priority 100 -DnsResolverPolicyName $resolverPolicyName -Location $region Write-Host $rule.ToJsonString()
Resolve-DnsName : contoso.com : DNS server failure At line:1 char:1 + Resolve-DnsName -Name contoso.com -Type NS + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ResourceUnavailable: (contoso.com:String) [Resolve-DnsName], Win32Exception + FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsName