Add location-aware DNS suffix auto-switch for LBOOK

LBOOK is domain-joined to intern.beletage.ro, so the AD suffix was searched first for every single-label name. Off the office LAN, home names like home-ws were tried as home-ws.intern.beletage.ro, routed by NRPT to the AD DNS over VPN, stalling ~11s on timeout before falling back to .lan — slow RDP to home hosts.

scripts/dns-location-suffix.ps1 sets the global suffix search order from the physical NIC subnet (Sophos TAP excluded): intern-first on the office LAN (10.10.10.x / 10.10.40.x), lan-first everywhere else. install-dns-location-task.ps1 registers it as a SYSTEM scheduled task triggered on network-connect (NetworkProfile 10000) and logon; verify-dns-location-task.ps1 reads it back (the task is not queryable unelevated). Also adds .claude/settings.json allowlisting read-only network diagnostics.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

scripts/install-dns-location-task.ps1

@@ -0,0 +1,64 @@
+<#
+.SYNOPSIS
+  One-time elevated installer for the location-aware DNS suffix task.
+
+.DESCRIPTION
+  Copies dns-location-suffix.ps1 to C:\ProgramData\Beletage and registers a SYSTEM
+  scheduled task that runs it on every network-connect event and at logon. Re-runnable
+  (idempotent) and device-independent (locates the payload via $PSScriptRoot), so the
+  same script installs the automation on any machine where this repo is cloned.
+
+  Run elevated:
+    Start-Process powershell -Verb RunAs -ArgumentList '-NoProfile','-ExecutionPolicy','Bypass','-File','<path>\install-dns-location-task.ps1'
+#>
+
+$ErrorActionPreference = 'Stop'
+
+$taskName = 'Beletage-DNS-Location-Suffix'
+$dst      = 'C:\ProgramData\Beletage'
+$payload  = Join-Path $dst 'dns-location-suffix.ps1'
+$log      = Join-Path $dst 'install.log'
+
+New-Item -ItemType Directory -Force -Path $dst | Out-Null
+Start-Transcript -Path $log -Append | Out-Null
+
+try {
+    # 1. Deploy the detection script next to where SYSTEM will run it.
+    Copy-Item (Join-Path $PSScriptRoot 'dns-location-suffix.ps1') $payload -Force
+    Write-Host "Copied payload -> $payload"
+
+    # 2. Action: run the detection script hidden, policy-bypassed.
+    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
+        -Argument "-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$payload`""
+
+    # 3a. Trigger: NetworkProfile "network connected" event (ID 10000).
+    $evtTrigger = New-CimInstance -ClientOnly `
+        -CimClass (Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler)
+    $evtTrigger.Enabled = $true
+    $evtTrigger.Subscription = '<QueryList><Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"><Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[(EventID=10000)]]</Select></Query></QueryList>'
+
+    # 3b. Trigger: at any user logon (covers boot / resume).
+    $logonTrigger = New-ScheduledTaskTrigger -AtLogOn
+
+    # 4. Run as SYSTEM, highest privileges.
+    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
+
+    $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
+        -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 5)
+
+    Register-ScheduledTask -TaskName $taskName -Force `
+        -Action $action -Trigger $evtTrigger, $logonTrigger -Principal $principal -Settings $settings | Out-Null
+    Write-Host "Registered task: $taskName"
+
+    # 5. Run once now to apply the correct order immediately.
+    Start-ScheduledTask -TaskName $taskName
+    Start-Sleep -Seconds 2
+    Write-Host "Triggered initial run. Current suffix order: [$((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')]"
+}
+catch {
+    Write-Host "INSTALL FAILED: $($_.Exception.Message)"
+    throw
+}
+finally {
+    Stop-Transcript | Out-Null
+}