ctrld/scripts/nrpt-diag.ps1

#Requires -RunAsAdministrator
<#
.SYNOPSIS
    NRPT diagnostic script for ctrld DNS intercept troubleshooting.
.DESCRIPTION
    Captures the full NRPT state: registry keys (both GP and direct paths),
    effective policy, active rules, DNS Client service status, and resolver
    config. Run as Administrator.
.EXAMPLE
    .\nrpt-diag.ps1
    .\nrpt-diag.ps1 | Out-File nrpt-diag-output.txt
#>

$ErrorActionPreference = 'SilentlyContinue'

Write-Host "=== NRPT Diagnostic Report ===" -ForegroundColor Cyan
Write-Host "Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
Write-Host "Computer: $env:COMPUTERNAME"
Write-Host "OS: $((Get-CimInstance Win32_OperatingSystem).Caption) $((Get-CimInstance Win32_OperatingSystem).BuildNumber)"
Write-Host ""

# --- 1. DNS Client Service ---
Write-Host "=== 1. DNS Client (Dnscache) Service ===" -ForegroundColor Yellow
$svc = Get-Service Dnscache
Write-Host "Status: $($svc.Status)  StartType: $($svc.StartType)"
Write-Host ""

# --- 2. GP Path (Policy store) ---
$gpPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig"
Write-Host "=== 2. GP Path: $gpPath ===" -ForegroundColor Yellow
$gpKey = Get-Item $gpPath 2>$null
if ($gpKey) {
    Write-Host "Key EXISTS"
    $subkeys = Get-ChildItem $gpPath 2>$null
    if ($subkeys) {
        foreach ($sk in $subkeys) {
            Write-Host ""
            Write-Host "  Subkey: $($sk.PSChildName)" -ForegroundColor Green
            foreach ($prop in $sk.Property) {
                $val = $sk.GetValue($prop)
                $kind = $sk.GetValueKind($prop)
                Write-Host "    $prop ($kind) = $val"
            }
        }
    } else {
        Write-Host "  ** EMPTY (no subkeys) — this blocks NRPT activation! **" -ForegroundColor Red
    }
} else {
    Write-Host "Key does NOT exist (clean state)"
}
Write-Host ""

# --- 3. Direct Path (Service store) ---
$directPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig"
Write-Host "=== 3. Direct Path: $directPath ===" -ForegroundColor Yellow
$directKey = Get-Item $directPath 2>$null
if ($directKey) {
    Write-Host "Key EXISTS"
    $subkeys = Get-ChildItem $directPath 2>$null
    if ($subkeys) {
        foreach ($sk in $subkeys) {
            Write-Host ""
            Write-Host "  Subkey: $($sk.PSChildName)" -ForegroundColor Green
            foreach ($prop in $sk.Property) {
                $val = $sk.GetValue($prop)
                $kind = $sk.GetValueKind($prop)
                Write-Host "    $prop ($kind) = $val"
            }
        }
    } else {
        Write-Host "  ** EMPTY (no subkeys) **" -ForegroundColor Red
    }
} else {
    Write-Host "Key does NOT exist"
}
Write-Host ""

# --- 4. Effective NRPT Rules (what Windows sees) ---
Write-Host "=== 4. Get-DnsClientNrptRule ===" -ForegroundColor Yellow
$rules = Get-DnsClientNrptRule 2>$null
if ($rules) {
    $rules | Format-List Name, Version, Namespace, NameServers, NameEncoding, DnsSecEnabled
} else {
    Write-Host "(none)"
}
Write-Host ""

# --- 5. Effective NRPT Policy (what DNS Client actually applies) ---
Write-Host "=== 5. Get-DnsClientNrptPolicy ===" -ForegroundColor Yellow
$policy = Get-DnsClientNrptPolicy 2>$null
if ($policy) {
    $policy | Format-List Namespace, NameServers, NameEncoding, QueryPolicy
} else {
    Write-Host "(none — DNS Client is NOT honoring any NRPT rules)" -ForegroundColor Red
}
Write-Host ""

# --- 6. Interface DNS servers ---
Write-Host "=== 6. Interface DNS Configuration ===" -ForegroundColor Yellow
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, InterfaceIndex, ServerAddresses -AutoSize
Write-Host ""

# --- 7. DNS resolution test ---
Write-Host "=== 7. DNS Resolution Test ===" -ForegroundColor Yellow
Write-Host "Resolve-DnsName example.com (uses DNS Client / NRPT):"
try {
    $result = Resolve-DnsName example.com -Type A -DnsOnly -ErrorAction Stop
    $result | Format-Table Name, Type, IPAddress -AutoSize
} catch {
    Write-Host "  FAILED: $_" -ForegroundColor Red
}
Write-Host ""
Write-Host "nslookup example.com 127.0.0.1 (direct to ctrld, bypasses NRPT):"
$ns = nslookup example.com 127.0.0.1 2>&1
$ns | ForEach-Object { Write-Host "  $_" }
Write-Host ""

# --- 8. Domain join status ---
Write-Host "=== 8. Domain Status ===" -ForegroundColor Yellow
$cs = Get-CimInstance Win32_ComputerSystem
Write-Host "Domain: $($cs.Domain)  PartOfDomain: $($cs.PartOfDomain)"
Write-Host ""

# --- 9. Group Policy NRPT ---
Write-Host "=== 9. GP Result (NRPT section) ===" -ForegroundColor Yellow
Write-Host "(Running gpresult — may take a few seconds...)"
$gp = gpresult /r 2>&1
$gp | Select-String -Pattern "DNS|NRPT|Policy" | ForEach-Object { Write-Host "  $_" }
Write-Host ""

Write-Host "=== End of Diagnostic Report ===" -ForegroundColor Cyan