gitadmin/claude-launcher
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5b2e2aa417f821d4fda1b922457eb859268e0bae
claude-launcher/scripts/dns-location-suffix.ps1
T
gitadmin 5b2e2aa417 Add location-aware DNS suffix auto-switch for LBOOK 
LBOOK is domain-joined to intern.beletage.ro, so the AD suffix was searched first for every single-label name. Off the office LAN, home names like home-ws were tried as home-ws.intern.beletage.ro, routed by NRPT to the AD DNS over VPN, stalling ~11s on timeout before falling back to .lan — slow RDP to home hosts.

scripts/dns-location-suffix.ps1 sets the global suffix search order from the physical NIC subnet (Sophos TAP excluded): intern-first on the office LAN (10.10.10.x / 10.10.40.x), lan-first everywhere else. install-dns-location-task.ps1 registers it as a SYSTEM scheduled task triggered on network-connect (NetworkProfile 10000) and logon; verify-dns-location-task.ps1 reads it back (the task is not queryable unelevated). Also adds .claude/settings.json allowlisting read-only network diagnostics.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 22:19:16 +03:00

73 lines
2.9 KiB
PowerShell
Raw Blame History

<#
.SYNOPSIS
Auto-switch the global DNS suffix search order based on network location.
.DESCRIPTION
Office LAN (physical NIC in 10.10.10.x / 10.10.40.x) -> intern.beletage.ro first.
Home / remote / VPN-from-anywhere -> lan first.
Rationale: LBOOK is domain-joined to intern.beletage.ro. When the AD suffix is
searched first, every single-label home name (e.g. "home-ws") is first tried as
<name>.intern.beletage.ro, which the NRPT rule routes to the AD DNS 10.10.10.2.
Off the office LAN that server is only reachable over VPN (and not at all when the
VPN is down), so the query stalls on a timeout before falling back to <name>.lan.
Putting "lan" first makes home names resolve locally (~3 ms); work names still
resolve via the NRPT rule after a fast local .lan NXDOMAIN.
The Sophos TAP adapter is excluded from detection so that starting the VPN from
home (which may assign a 10.10.x address on the tunnel) does not flip us to the
"office" ordering.
Installed as a SYSTEM scheduled task (see install-dns-location-task.ps1), triggered
on network-connect events and at logon. Idempotent: only writes when the order
actually needs to change.
#>
$ErrorActionPreference = 'Stop'
$log = 'C:\ProgramData\Beletage\dns-location.log'
$dir = Split-Path $log
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Force -Path $dir | Out-Null }
function Write-Log($msg) {
$line = '{0} {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $msg
Add-Content -Path $log -Value $line -Encoding UTF8
}
try {
$officePrefixes = @('10.10.10.', '10.10.40.')
# Indices of VPN/tunnel adapters to ignore (Sophos SSL VPN TAP).
$vpnIdx = (Get-NetAdapter -ErrorAction SilentlyContinue |
Where-Object { $_.InterfaceDescription -like '*Sophos*' }).ifIndex
$ips = (Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
Where-Object {
$_.IPAddress -notlike '169.254.*' -and
$_.IPAddress -ne '127.0.0.1' -and
($vpnIdx -notcontains $_.InterfaceIndex)
}).IPAddress
$atOffice = $false
foreach ($ip in $ips) {
foreach ($p in $officePrefixes) {
if ($ip.StartsWith($p)) { $atOffice = $true }
}
}
$desired = if ($atOffice) { @('intern.beletage.ro', 'lan') } else { @('lan', 'intern.beletage.ro') }
$current = (Get-DnsClientGlobalSetting).SuffixSearchList
if (($current -join ',') -ne ($desired -join ',')) {
Set-DnsClientGlobalSetting -SuffixSearchList $desired
Clear-DnsClientCache
Write-Log ('CHANGED ips=[{0}] office={1} [{2}] -> [{3}]' -f ($ips -join ' '), $atOffice, ($current -join ','), ($desired -join ','))
}
else {
Write-Log ('OK ips=[{0}] office={1} already [{2}]' -f ($ips -join ' '), $atOffice, ($desired -join ','))
}
}
catch {
Write-Log ('ERROR {0}' -f $_.Exception.Message)
}
Reference in New Issue View Git Blame Copy Permalink