Document Details
Dns Traffic Log How To
This page contains Windows bias
About This Page
This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
Bias Analysis
Detected Bias Types
powershell_heavy
windows_first
missing_linux_example
windows_tools
Summary
The documentation demonstrates a Windows bias by providing extensive PowerShell-based automation and scripting examples, referencing Windows file paths (e.g., C:\bin\PSRepo), and using Windows-specific tools (PowerShell cmdlets, Resolve-DnsName). There are no equivalent CLI, Bash, or Linux-native examples for creating or managing DNS security policies, nor are there instructions for using the Azure CLI or Linux shell environments. The only command-line DNS query example uses the Windows command prompt (C:\>dig), but does not clarify Linux usage or syntax differences.
Recommendations
- Add equivalent Azure CLI (az) examples for all resource creation, configuration, and management steps, including DNS security policy, domain lists, and diagnostic settings.
- Provide Bash shell scripts or Linux command-line examples alongside PowerShell, especially for resource automation.
- When showing DNS query examples, clarify that 'dig' is available on both Windows and Linux, and provide sample Linux shell prompts (e.g., $ dig ...).
- Reference Linux file paths and environment variables where appropriate, or provide cross-platform notes.
- Include instructions for installing and using required tools (e.g., dig, Azure CLI) on Linux.
- Balance the order of presentation: do not always present PowerShell/Windows first; consider parallel tabbed sections for PowerShell and CLI/Bash.
- Explicitly mention that all features are available cross-platform, or note any limitations.
Create Pull Request
Scan History
| Date | Scan | Status | Result |
|---|---|---|---|
| 2025-07-12 23:44 | #41 | cancelled |
Biased
|
| 2025-07-12 00:58 | #8 | cancelled |
 Clean
|
| 2025-07-10 05:06 | #7 | processing |
Clean
|
Flagged Code Snippets
C:\>dig db.sec.contoso.com +short 10.0.1.2
################################
# Update DNS security policy
################################
Write-Host "Updating DNS resolver policy"
$resolverPolicy = Update-AzDnsResolverPolicy -ResourceGroupName $resourceGroupName -Name $resolverPolicyName -Tag @{"key0" = "value0"}
Write-Host $resolverPolicy.ToJsonString()
Write-Host "Updating DNS resolver policy virtual network link"
$link = Update-AzDnsResolverPolicyVirtualNetworkLink -ResourceGroupName $resourceGroupName -DnsResolverPolicyName $resolverPolicyName -Name $resolverPolicyLinkName -Tag @{"key1" = "value1"}
Write-Host $link.ToJsonString()
$log = New-AzDiagnosticSettingLogSettingsObject -Enabled $false -Category DnsResponse
Write-Host "Updating diagnostic setting by disabling log category"
$diagnosticSetting = New-AzDiagnosticSetting -Name $diagnosticSettingName -ResourceId $resolverPolicy.id -Log $log -StorageAccountId $storageAccount.id
Write-Host $diagnosticSetting.ToJsonString()
Write-Host "Updating domain list"
$domainList = Update-AzDnsResolverDomainList -ResourceGroupName $resourceGroupName -Name $domainListName -Tag @{"key2" = "value2"}
Write-Host $domainList.ToJsonString()
Write-Host "Updating DNS security policy rule"
$rule = Update-AzDnsResolverPolicyDnsSecurityRule -ResourceGroupName $resourceGroupName -Name $securityRuleName -DnsResolverDomainList @{id = $domainList.Id;} -DnsResolverPolicyName $resolverPolicyName
Write-Host $rule.ToJsonString()
################################
# Get DNS security policy
################################
Write-Host "Getting DNS resolver policy"
$resolverPolicy = Get-AzDnsResolverPolicy -ResourceGroupName $resourceGroupName -Name $resolverPolicyName
Write-Host $resolverPolicy.ToJsonString()
Write-Host "Getting DNS resolver policy virtual network link"
$link = Get-AzDnsResolverPolicyVirtualNetworkLink -ResourceGroupName $resourceGroupName -DnsResolverPolicyName $resolverPolicyName -Name $resolverPolicyLinkName
Write-Host $link.ToJsonString()
Write-Host "Getting diagnostic setting"
$diagnosticSetting = Get-AzDiagnosticSetting -ResourceId $resolverPolicy.id
Write-Host $diagnosticSetting.ToJsonString()
Write-Host "Getting domain list"
$domainList = Get-AzDnsResolverDomainList -ResourceGroupName $resourceGroupName -Name $domainListName
Write-Host $rule.ToJsonString()
Write-Host "Getting DNS security policy rule"
$rule = Get-AzDnsResolverPolicyDnsSecurityRule -ResourceGroupName $resourceGroupName -Name $securityRuleName -DnsResolverPolicyName $resolverPolicyName
Write-Host $rule.ToJsonString()
Resolve-DnsName -Name contoso.com -Type NS
C:\>dig db.sec.contoso.com ; <<>> DiG 9.9.2-P1 <<>> db.sec.contoso.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24053 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
# Register the repository
Register-PSRepository -Name LocalPSRepo -SourceLocation 'C:\bin\PSRepo' -ScriptSourceLocation 'C:\bin\PSRepo' -InstallationPolicy Trusted
# Install the Az.DnsResolver module
Install-Module -Name Az.DnsResolver -RequiredVersion 0.2.6 -SkipPublisherCheck
# If you already installed Az.DnsResolver, update your version to 0.2.6
Update-Module -Name Az.DnsResolver
# Confirm that the Az.DnsResolver module was installed properly
Get-InstalledModule -Name Az.DnsResolver
# Connect PowerShell to Azure cloud
Connect-AzAccount -Environment AzureCloud
# Set your default subscription
Select-AzSubscription -SubscriptionObject (Get-AzSubscription -SubscriptionId <your-sub-id>)
$ErrorActionPreference = "Stop"
################################################################
# Configure resource names and locations
################################################################
$resourceNumber = 1 # Customize this if needed
$region = "centralus" # Change this region to your preference
if ($env:username) {$name = "$($env:username)"} else {$name = "$($env:USER)"} # The environment variable is different in Cloud Shell vs local PowerShell
$nameSuffix = "test-$($region)-$($name)-resolverpolicytest$($resourceNumber)-test"
$resourceGroupName = "rg-$($nameSuffix)"
$virtualNetworkName = "vnet-$($nameSuffix)"
$resolverPolicyName = "dnsresolverpolicy-$($nameSuffix)"
$domainListName = "domainlist-$($nameSuffix)"
$securityRuleName = "securityrule-$($nameSuffix)"
$resolverPolicyLinkName = "dnsresolverpolicylink"
$storageAccountName = "stor$($name.ToLower())" # Customize this, taking care that the name is not too long
$storageAccountName = $storageAccountName.Substring(0, [Math]::Min(24, $storageAccountName.Length)) # Storage account names must be 3-24 characters long
$diagnosticSettingName = "diagnosticsetting-$($nameSuffix)"
$vnetId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Network/virtualNetworks/$virtualNetworkName"
################################################################
# Create resource group, virtual network, and storage account
################################################################
Write-Host "Creating resource group"
$rg = New-AzResourceGroup -Name $resourceGroupName -Location $region
Write-Host ($rg | ConvertTo-Json -Depth 64)
Write-Host "Creating virtual network"
$defaultSubnet = New-AzVirtualNetworkSubnetConfig -Name "default" -AddressPrefix "10.$resourceNumber.0.0/24"
$vnet = New-AzVirtualNetwork -Name $virtualNetworkName -ResourceGroupName $resourceGroupName -Location $region -AddressPrefix "10.$resourceNumber.0.0/16" -Subnet $defaultSubnet
Write-Host ($vnet | ConvertTo-Json -Depth 64)
Write-Host "Creating storage account"
$storageAccount = New-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName -Location $region -SkuName Standard_GRS
Write-Host $storageAccount.ToString()
################################
# Create DNS security policy
################################
Write-Host "Creating DNS resolver policy"
$resolverPolicy = New-AzDnsResolverPolicy -Location $region -ResourceGroupName $resourceGroupName -Name $resolverPolicyName
Write-Host $resolverPolicy.ToJsonString()
Write-Host "Creating DNS resolver policy virtual network link"
$link = New-AzDnsResolverPolicyVirtualNetworkLink -Location $region -ResourceGroupName $resourceGroupName -DnsResolverPolicyName $resolverPolicyName -Name $resolverPolicyLinkName -VirtualNetworkId $vnetId
Write-Host $link.ToJsonString()
$log = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category DnsResponse
Write-Host "Creating diagnostic setting"
$diagnosticSetting = New-AzDiagnosticSetting -Name $diagnosticSettingName -ResourceId $resolverPolicy.id -Log $log -StorageAccountId $storageAccount.id
Write-Host $diagnosticSetting.ToJsonString()
Write-Host "Creating domain list"
$domainList = New-AzDnsResolverDomainList -Location $region -ResourceGroupName $resourceGroupName -Name $domainListName -Domain @("contoso.com.", "adatum.com.")
Write-Host $domainList.ToJsonString()
Write-Host "Creating DNS security policy rule"
$rule = New-AzDnsResolverPolicyDnsSecurityRule -ResourceGroupName $resourceGroupName -Name $securityRuleName -DnsResolverDomainList @{id = $domainList.Id;} -DnsSecurityRuleState "Enabled" -ActionType "Block" -ActionBlockResponseCode "SERVFAIL" -Priority 100 -DnsResolverPolicyName $resolverPolicyName -Location $region
Write-Host $rule.ToJsonString()
Resolve-DnsName : contoso.com : DNS server failure
At line:1 char:1
+ Resolve-DnsName -Name contoso.com -Type NS
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (contoso.com:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsName