
Implementing Per-Domain DNS Configuration in Windows Using PowerShell


Subtitle: Mastering DNS Client NRPT Rules with PowerShell

In today’s post, we will be looking at a compact but powerful chunk of PowerShell code that allows us to interact with DNS Client Name Resolution Policy Table (NRPT) rules on a Windows machine. The commands in this code allow us to add, review, and remove rules, giving us control over where our DNS traffic for a given namespace is sent.

Adding a DNS Client NRPT Rule

Let’s take a look at the first command:

# add a Windows rule for ymbihq.local domain
Add-DnsClientNrptRule -Namespace ".ymbihq.local" -NameServers ""

This command uses the Add-DnsClientNrptRule cmdlet to add a new rule for the “.ymbihq.local” namespace. The -Namespace parameter specifies the domain name for the rule, and the -NameServers parameter specifies the IP address of the DNS server that should be used for queries within this namespace.

In this instance, we’re setting a rule for any DNS queries under the “.ymbihq.local” domain to be resolved by the DNS server at the IP address This can be especially useful in an enterprise environment where you have custom internal domains to be resolved by specific DNS servers.

Reviewing DNS Client NRPT Rules

After adding a rule, it’s essential to verify it. We can do this using the Get-DnsClientNrptRule command:

# get the list of rules
Get-DnsClientNrptRule

This command lists all the NRPT rules currently set on the machine. It will output the unique identifiers, names, namespaces, and other details for each rule. Here’s a sample output:

# Sample output:
Name                             : {A7CCF814-7492-4019-9FB1-27F61327AE93}
Version                          : 2
Namespace                        : {.ymbihq.local}
IPsecCARestriction               :
DirectAccessDnsServers           :
DirectAccessEnabled              : False
DirectAccessProxyType            :
DirectAccessProxyName            :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   :
NameServers                      :
DnsSecEnabled                    : False
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         :
DnsSecValidationRequired         :
NameEncoding                     : Disable
DisplayName                      :
Comment                          :

From this output, you can see various properties of the rule we’ve just added for the “.ymbihq.local” namespace, such as its unique identifier (Name) and the nameserver it’s associated with (NameServers).

Removing a DNS Client NRPT Rule

The final part of this block of code is dedicated to rule removal:

# remove the rule
Remove-DnsClientNrptRule -Name "{A7CCF814-7492-4019-9FB1-27F61327AE93}"

Here, we use the Remove-DnsClientNrptRule cmdlet with the -Name parameter followed by the unique identifier of the rule we wish to remove. After running this command, PowerShell will prompt you for confirmation before deleting the rule.

The process looks like this:

Removing NRPT rule for namespace .ymbihq.local with
 DAEnable: Disabled,
 DnsSecValidationRequired: Disabled,
 NameEncoding: Disable
 Do you want to continue?
[Y] Yes  [N] No
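The three steps above (add, review, remove) as one script, added here as an example and not taken from the original post. It looks rules up by namespace instead of copying a GUID by hand, checks the effective policy (local rules plus any pushed by Group Policy) and confirms that a lookup actually goes through the rule, and flags any NRPT rule that points at a resolver outside an expected list, since an unexpected NRPT rule silently redirects name resolution for a whole namespace. The namespace `.corp.example`, the resolver addresses and the helper `Get-NrptRuleByNamespace` are constructed placeholders; run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). The namespace, resolver
# addresses and helper function below are constructed placeholders.

$Namespace        = ".corp.example"               # constructed placeholder namespace
$NameServer       = "10.0.0.53"                   # constructed placeholder internal resolver
$AllowedResolvers = @("10.0.0.53", "10.0.0.54")   # resolvers you expect NRPT rules to use

function Get-NrptRuleByNamespace {
    param([Parameter(Mandatory)][string]$Namespace)
    # Namespace is a string array on the rule object, so match by containment.
    Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains $Namespace }
}

# 1. Add the rule only if none exists yet for this namespace (idempotent).
if (-not (Get-NrptRuleByNamespace -Namespace $Namespace)) {
    Add-DnsClientNrptRule -Namespace $Namespace -NameServers $NameServer `
        -DisplayName "corp split-DNS" -Comment "Added by example script"
}

# 2. Verify the rule by namespace and show which resolver it points at.
$rule = Get-NrptRuleByNamespace -Namespace $Namespace
"Rule {0} sends {1} to {2}" -f $rule.Name, ($rule.Namespace -join ","), ($rule.NameServers -join ",")

# 3. Check the effective policy (local rules plus Group Policy rules) and
#    confirm that a query under the namespace is answered through the rule.
Get-DnsClientNrptPolicy -Effective | Where-Object { $_.Namespace -eq $Namespace }
Clear-DnsClientCache
Resolve-DnsName -Name "host$Namespace" -DnsOnly -ErrorAction SilentlyContinue

# 4. Audit: warn about any NRPT rule whose name servers are not on the expected list.
Get-DnsClientNrptRule | ForEach-Object {
    $unexpected = @($_.NameServers | Where-Object { $AllowedResolvers -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        Write-Warning ("Rule {0} for {1} uses unexpected resolver(s): {2}" -f `
            $_.Name, ($_.Namespace -join ","), ($unexpected -join ","))
    }
}

# 5. Remove the rule by its looked-up Name; -Force skips the confirmation prompt.
Get-NrptRuleByNamespace -Namespace $Namespace | ForEach-Object {
    Remove-DnsClientNrptRule -Name $_.Name -Force
}
```

Step 3 uses `Get-DnsClientNrptPolicy -Effective` rather than `Get-DnsClientNrptRule` because only the former shows rules delivered by Group Policy, which take part in resolution just like locally added ones; the audit in step 4 is the check to run periodically if you want to notice rules you did not add.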
