Mastering DNS Client NRPT Rules with PowerShell
In today’s post, we will be looking at a compact but powerful chunk of PowerShell code that lets us interact with DNS Client Name Resolution Policy Table (NRPT) rules on a Windows machine. The commands in this code allow us to add, review, and remove rules, giving us control over where DNS queries for particular namespaces are sent.
Adding a DNS Client NRPT Rule
Let’s take a look at the first command:
# add a Windows rule for ymbihq.local domain
Add-DnsClientNrptRule -Namespace ".ymbihq.local" -NameServers "10.0.0.1"
This command uses the Add-DnsClientNrptRule cmdlet to add a new rule for the “.ymbihq.local” namespace. The -Namespace parameter specifies the domain name for the rule, and the -NameServers parameter specifies the IP address of the DNS server that should be used for queries within this namespace.
In this instance, we’re setting a rule for any DNS queries under the “.ymbihq.local” domain to be resolved by the DNS server at the IP address 10.0.0.1. This can be especially useful in an enterprise environment where you have custom internal domains to be resolved by specific DNS servers.
Reviewing DNS Client NRPT Rules
After adding a rule, it’s essential to verify it. We can do this using the Get-DnsClientNrptRule command:
# get the list of rules
Get-DnsClientNrptRule
This command lists all the NRPT rules currently set on the machine. It will output the unique identifiers, names, namespaces, and other details for each rule. Here’s a sample output:
# Sample output:
Name : {A7CCF814-7492-4019-9FB1-27F61327AE93}
Version : 2
Namespace : {.ymbihq.local}
IPsecCARestriction :
DirectAccessDnsServers :
DirectAccessEnabled : False
DirectAccessProxyType :
DirectAccessProxyName :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired :
NameServers : 10.0.0.1
DnsSecEnabled : False
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired :
DnsSecValidationRequired :
NameEncoding : Disable
DisplayName :
Comment :
From this output, you can see various properties of the rule we’ve just added for the “.ymbihq.local” namespace, such as its unique identifier (Name) and the nameserver it’s associated with (NameServers).
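Because an NRPT rule silently redirects every query under its namespace to the listed resolvers, reviewing rules is also an audit task: a rule pointing at a resolver you do not recognise is worth investigating. The following script is an added example, not code from the original post; it reads the same properties shown in the output above (note that Namespace and NameServers are arrays, which is why they print in braces) and flags any rule whose name servers are not in an allowlist. The allowlist values are constructed for the example.

```powershell
# Added example (not from the original post): audit local NRPT rules against an
# allowlist of approved resolvers. Assumes the DnsClient module is available
# (Windows 8 / Server 2012 and later). The allowlist is a constructed sample.
$ApprovedResolvers = @('10.0.0.1', '10.0.0.2')

function Get-NrptRuleReport {
    param(
        [Parameter(Mandatory)]
        [string[]]$ApprovedResolvers
    )
    foreach ($rule in Get-DnsClientNrptRule) {
        # Namespace and NameServers are string[] (shown as {...} by Get-DnsClientNrptRule)
        $unapproved = @($rule.NameServers | Where-Object { $_ -notin $ApprovedResolvers })
        [pscustomobject]@{
            Name        = $rule.Name                        # rule GUID, used by Remove-DnsClientNrptRule
            Namespace   = ($rule.Namespace -join ',')
            NameServers = ($rule.NameServers -join ',')
            DnsSec      = $rule.DnsSecEnabled
            Unapproved  = ($unapproved -join ',')
            Flagged     = ($unapproved.Count -gt 0)          # True if any resolver is outside the allowlist
        }
    }
}

# Print the report; flagged rows are the ones to follow up on
Get-NrptRuleReport -ApprovedResolvers $ApprovedResolvers | Format-Table -AutoSize
```

Running this on a machine with only the rule from the post and the allowlist above yields one row with Flagged set to False; change the allowlist to exclude 10.0.0.1 and the same rule is flagged with its Name (GUID) ready to hand to Remove-DnsClientNrptRule.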
Removing a DNS Client NRPT Rule
The final part of this block of code is dedicated to rule removal:
# remove the rule
Remove-DnsClientNrptRule -Name "{A7CCF814-7492-4019-9FB1-27F61327AE93}"
Here, we use the Remove-DnsClientNrptRule cmdlet with the -Name parameter followed by the unique identifier of the rule we wish to remove. After running this command, PowerShell will prompt you for confirmation before deleting the rule.
The process looks like this:
Confirm
Removing NRPT rule for namespace .ymbihq.local with
DAEnable: Disabled,
DnsSecValidationRequired: Disabled,
NameEncoding: Disable
NameServers: 10.0.0.1
Do you want to continue?
[Y] Yes [N] No
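The three steps above can be chained into a single non-interactive script, which is how you would typically use them in a provisioning or cleanup job. The script below is an added example rather than code from the original post: it uses the namespace and resolver from the post, but the DisplayName and Comment values are constructed, and it assumes an elevated PowerShell session, which adding and removing rules requires.

```powershell
# Added example (not from the original post): add, verify, and remove an NRPT rule
# in one run without the interactive confirmation prompt. Requires an elevated
# session. DisplayName and Comment values are constructed for the example.
$Namespace  = '.ymbihq.local'
$NameServer = '10.0.0.1'

# 1. Add the rule; -PassThru returns the created rule object so we learn its Name (GUID)
$rule = Add-DnsClientNrptRule -Namespace $Namespace -NameServers $NameServer `
            -DisplayName 'Lab split-DNS rule' -Comment 'Added by NRPT example script' -PassThru

# 2. Verify by looking the rule up again by GUID rather than trusting the returned object
$check = Get-DnsClientNrptRule -Name $rule.Name
if (($check.Namespace -contains $Namespace) -and ($check.NameServers -contains $NameServer)) {
    Write-Host "Rule $($rule.Name) routes $Namespace to $NameServer"
} else {
    throw "NRPT rule $($rule.Name) does not match the requested settings"
}

# 3. Dry run: -WhatIf reports what would be removed and changes nothing
Remove-DnsClientNrptRule -Name $rule.Name -WhatIf

# 4. Real removal; -Force suppresses the 'Do you want to continue?' prompt shown above
Remove-DnsClientNrptRule -Name $rule.Name -Force

# 5. Confirm the rule is gone
if (Get-DnsClientNrptRule | Where-Object { $_.Name -eq $rule.Name }) {
    throw "NRPT rule $($rule.Name) still present"
}
```

Capturing the GUID from -PassThru avoids copying it out of the Get-DnsClientNrptRule listing by hand, and -Force (or equivalently -Confirm:$false) is what makes the removal usable from an unattended script.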