About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Bias Types: powershell_heavy, windows_first, missing_linux_example, windows_tools
Summary:
The documentation demonstrates a Windows bias by providing extensive PowerShell-based automation and scripting examples, referencing Windows file paths (e.g., C:\bin\PSRepo), and using Windows-specific tools (PowerShell cmdlets, Resolve-DnsName). There are no equivalent CLI, Bash, or Linux-native examples for creating or managing DNS security policies, nor are there instructions for using the Azure CLI or Linux shell environments. The only command-line DNS query example uses the Windows command prompt (C:\>dig), but does not clarify Linux usage or syntax differences.
Recommendations:
- Add equivalent Azure CLI (az) examples for all resource creation, configuration, and management steps, including DNS security policy, domain lists, and diagnostic settings.
- Provide Bash shell scripts or Linux command-line examples alongside PowerShell, especially for resource automation.
- When showing DNS query examples, clarify that 'dig' is available on both Windows and Linux, and provide sample Linux shell prompts (e.g., $ dig ...).
- Reference Linux file paths and environment variables where appropriate, or provide cross-platform notes.
- Include instructions for installing and using required tools (e.g., dig, Azure CLI) on Linux.
- Balance the order of presentation: do not always present PowerShell/Windows first; consider parallel tabbed sections for PowerShell and CLI/Bash.
- Explicitly mention that all features are available cross-platform, or note any limitations.
Flagged Code Snippets
C:\>dig db.sec.contoso.com +short
10.0.1.2
################################
# Update DNS security policy
################################
Write-Host "Updating DNS resolver policy"
$resolverPolicy = Update-AzDnsResolverPolicy -ResourceGroupName $resourceGroupName -Name $resolverPolicyName -Tag @{"key0" = "value0"}
Write-Host $resolverPolicy.ToJsonString()
Write-Host "Updating DNS resolver policy virtual network link"
$link = Update-AzDnsResolverPolicyVirtualNetworkLink -ResourceGroupName $resourceGroupName -DnsResolverPolicyName $resolverPolicyName -Name $resolverPolicyLinkName -Tag @{"key1" = "value1"}
Write-Host $link.ToJsonString()
$log = New-AzDiagnosticSettingLogSettingsObject -Enabled $false -Category DnsResponse
Write-Host "Updating diagnostic setting by disabling log category"
$diagnosticSetting = New-AzDiagnosticSetting -Name $diagnosticSettingName -ResourceId $resolverPolicy.id -Log $log -StorageAccountId $storageAccount.id
Write-Host $diagnosticSetting.ToJsonString()
Write-Host "Updating domain list"
$domainList = Update-AzDnsResolverDomainList -ResourceGroupName $resourceGroupName -Name $domainListName -Tag @{"key2" = "value2"}
Write-Host $domainList.ToJsonString()
Write-Host "Updating DNS security policy rule"
$rule = Update-AzDnsResolverPolicyDnsSecurityRule -ResourceGroupName $resourceGroupName -Name $securityRuleName -DnsResolverDomainList @{id = $domainList.Id;} -DnsResolverPolicyName $resolverPolicyName
Write-Host $rule.ToJsonString()
################################
# Get DNS security policy
################################
Write-Host "Getting DNS resolver policy"
$resolverPolicy = Get-AzDnsResolverPolicy -ResourceGroupName $resourceGroupName -Name $resolverPolicyName
Write-Host $resolverPolicy.ToJsonString()
Write-Host "Getting DNS resolver policy virtual network link"
$link = Get-AzDnsResolverPolicyVirtualNetworkLink -ResourceGroupName $resourceGroupName -DnsResolverPolicyName $resolverPolicyName -Name $resolverPolicyLinkName
Write-Host $link.ToJsonString()
Write-Host "Getting diagnostic setting"
$diagnosticSetting = Get-AzDiagnosticSetting -ResourceId $resolverPolicy.id
Write-Host $diagnosticSetting.ToJsonString()
Write-Host "Getting domain list"
$domainList = Get-AzDnsResolverDomainList -ResourceGroupName $resourceGroupName -Name $domainListName
Write-Host $domainList.ToJsonString() # Print the domain list that was just retrieved
Write-Host "Getting DNS security policy rule"
$rule = Get-AzDnsResolverPolicyDnsSecurityRule -ResourceGroupName $resourceGroupName -Name $securityRuleName -DnsResolverPolicyName $resolverPolicyName
Write-Host $rule.ToJsonString()
Resolve-DnsName -Name contoso.com -Type NS
C:\>dig db.sec.contoso.com
; <<>> DiG 9.9.2-P1 <<>> db.sec.contoso.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24053
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
# Register the repository
Register-PSRepository -Name LocalPSRepo -SourceLocation 'C:\bin\PSRepo' -ScriptSourceLocation 'C:\bin\PSRepo' -InstallationPolicy Trusted
# Install the Az.DnsResolver module
Install-Module -Name Az.DnsResolver -RequiredVersion 0.2.6 -SkipPublisherCheck
# If you already installed Az.DnsResolver, update your version to 0.2.6
Update-Module -Name Az.DnsResolver
# Confirm that the Az.DnsResolver module was installed properly
Get-InstalledModule -Name Az.DnsResolver
# Connect PowerShell to Azure cloud
Connect-AzAccount -Environment AzureCloud
# Set your default subscription
Select-AzSubscription -SubscriptionObject (Get-AzSubscription -SubscriptionId <your-sub-id>)
$ErrorActionPreference = "Stop"
################################################################
# Configure resource names and locations
################################################################
$resourceNumber = 1 # Customize this if needed
$region = "centralus" # Change this region to your preference
if ($env:username) {$name = "$($env:username)"} else {$name = "$($env:USER)"} # The environment variable is different in Cloud Shell vs local PowerShell
$nameSuffix = "test-$($region)-$($name)-resolverpolicytest$($resourceNumber)-test"
$resourceGroupName = "rg-$($nameSuffix)"
$virtualNetworkName = "vnet-$($nameSuffix)"
$resolverPolicyName = "dnsresolverpolicy-$($nameSuffix)"
$domainListName = "domainlist-$($nameSuffix)"
$securityRuleName = "securityrule-$($nameSuffix)"
$resolverPolicyLinkName = "dnsresolverpolicylink"
$storageAccountName = "stor$($name.ToLower())" # Customize this, taking care that the name is not too long
$storageAccountName = $storageAccountName.Substring(0, [Math]::Min(24, $storageAccountName.Length)) # Storage account names must be 3-24 characters long
$diagnosticSettingName = "diagnosticsetting-$($nameSuffix)"
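$subscriptionId = (Get-AzContext).Subscription.Id # Subscription selected with Select-AzSubscription above
$vnetId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Network/virtualNetworks/$virtualNetworkName"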
################################################################
# Create resource group, virtual network, and storage account
################################################################
Write-Host "Creating resource group"
$rg = New-AzResourceGroup -Name $resourceGroupName -Location $region
Write-Host ($rg | ConvertTo-Json -Depth 64)
Write-Host "Creating virtual network"
$defaultSubnet = New-AzVirtualNetworkSubnetConfig -Name "default" -AddressPrefix "10.$resourceNumber.0.0/24"
$vnet = New-AzVirtualNetwork -Name $virtualNetworkName -ResourceGroupName $resourceGroupName -Location $region -AddressPrefix "10.$resourceNumber.0.0/16" -Subnet $defaultSubnet
Write-Host ($vnet | ConvertTo-Json -Depth 64)
Write-Host "Creating storage account"
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -Location $region -SkuName Standard_GRS
Write-Host $storageAccount.ToString()
################################
# Create DNS security policy
################################
Write-Host "Creating DNS resolver policy"
$resolverPolicy = New-AzDnsResolverPolicy -Location $region -ResourceGroupName $resourceGroupName -Name $resolverPolicyName
Write-Host $resolverPolicy.ToJsonString()
Write-Host "Creating DNS resolver policy virtual network link"
$link = New-AzDnsResolverPolicyVirtualNetworkLink -Location $region -ResourceGroupName $resourceGroupName -DnsResolverPolicyName $resolverPolicyName -Name $resolverPolicyLinkName -VirtualNetworkId $vnetId
Write-Host $link.ToJsonString()
$log = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category DnsResponse
Write-Host "Creating diagnostic setting"
$diagnosticSetting = New-AzDiagnosticSetting -Name $diagnosticSettingName -ResourceId $resolverPolicy.id -Log $log -StorageAccountId $storageAccount.id
Write-Host $diagnosticSetting.ToJsonString()
Write-Host "Creating domain list"
$domainList = New-AzDnsResolverDomainList -Location $region -ResourceGroupName $resourceGroupName -Name $domainListName -Domain @("contoso.com.", "adatum.com.")
Write-Host $domainList.ToJsonString()
Write-Host "Creating DNS security policy rule"
$rule = New-AzDnsResolverPolicyDnsSecurityRule -ResourceGroupName $resourceGroupName -Name $securityRuleName -DnsResolverDomainList @{id = $domainList.Id;} -DnsSecurityRuleState "Enabled" -ActionType "Block" -ActionBlockResponseCode "SERVFAIL" -Priority 100 -DnsResolverPolicyName $resolverPolicyName -Location $region
Write-Host $rule.ToJsonString()
Resolve-DnsName : contoso.com : DNS server failure
At line:1 char:1
+ Resolve-DnsName -Name contoso.com -Type NS
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (contoso.com:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsName