maester365 · moorereason · Feb 20, 2025
@@ -76,6 +76,11 @@ Invoke-Maester -PesterConfiguration $configuration
 ```
 Runs all the Pester tests in the EIDSCA folder.
 
+.EXAMPLE
+Invoke-Maester -DnsServerIpAddress '8.8.8.8'
+
+Run all the tests while using a custom server IP address for DNS lookups.
+
 .LINK
     https://maester.dev/docs/commands/Invoke-Maester
 #>
@@ -164,7 +169,10 @@ function Invoke-Maester {
 `
         # Skip the version check.
         # If set, the version check will not be performed.
-        [switch] $SkipVersionCheck
+        [switch] $SkipVersionCheck,
+
+        # Optional. The DNS server IP address used for DNS lookups.
+        [string] $DnsServerIpAddress = '1.1.1.1'
     )
 
     function GetDefaultFileName() {
@@ -215,18 +223,18 @@ function Invoke-Maester {
         return $result
     }
 
-    function GetPesterConfiguration($Path, $Tag, $ExcludeTag, $PesterConfiguration) {
+    function GetPesterConfiguration($Path, $Tag, $ExcludeTag, $PesterConfiguration, $Data) {
         if (!$PesterConfiguration) {
             $PesterConfiguration = New-PesterConfiguration
         }
 
         $PesterConfiguration.Run.PassThru = $true
         $PesterConfiguration.Output.Verbosity = $Verbosity
-        if ($Path) { $PesterConfiguration.Run.Path = $Path }
+        if ($Path) { $PesterConfiguration.Run.Container = New-PesterContainer -Path $Path -Data $Data }
         else {
             if (Test-Path -Path "./powershell/tests/pester.ps1") {
                 # Internal dev, exclude Maester's core tests
-                $PesterConfiguration.Run.Path = "./tests"
+                $PesterConfiguration.Run.Container = New-PesterContainer -Path './tests' -Data $Data
             }
         }
         if ($Tag) { $PesterConfiguration.Filter.Tag = $Tag }
@@ -303,7 +311,7 @@ function Invoke-Maester {
         $Tag += "All"
     }
 
-    $pesterConfig = GetPesterConfiguration -Path $Path -Tag $Tag -ExcludeTag $ExcludeTag -PesterConfiguration $PesterConfiguration
+    $pesterConfig = GetPesterConfiguration -Path $Path -Tag $Tag -ExcludeTag $ExcludeTag -PesterConfiguration $PesterConfiguration -Data @{ DnsServerIpAddress = $DnsServerIpAddress }
     $Path = $pesterConfig.Run.Path.value
     Write-Verbose "Merged configuration: $($pesterConfig | ConvertTo-Json -Depth 5 -Compress)"
 

@@ -17,6 +17,9 @@ function Test-MtCisaDkim {
     [CmdletBinding()]
     [OutputType([bool])]
     param(
+        # DNS-server to use for lookup.
+        [string]$DnsServerIpAddress,
+
         # Selector-name for the DKIM record to test..
         [string]$Selector = "selector1"
     )
@@ -51,7 +54,7 @@ function Test-MtCisaDkim {
             $selector = $config.SelectorBeforeRotateOnDate
         }
 
-        $dkimRecord = Get-MailAuthenticationRecord -DomainName $domain.DomainName -DkimSelector $Selector -Records DKIM
+        $dkimRecord = Get-MailAuthenticationRecord -DomainName $domain.DomainName -DkimSelector $Selector -Records DKIM -DnsServerIpAddress $DnsServerIpAddress
         $dkimRecord | Add-Member -MemberType NoteProperty -Name "pass" -Value "Failed"
         $dkimRecord | Add-Member -MemberType NoteProperty -Name "reason" -Value ""
 

@@ -22,6 +22,9 @@ function Test-MtCisaDmarcAggregateCisa {
     [CmdletBinding()]
     [OutputType([bool])]
     param(
+        # DNS-server to use for lookup.
+        [string]$DnsServerIpAddress,
+
         # Check all domains, not only .gov domains.
         [switch]$Force,
 
@@ -69,7 +72,7 @@ function Test-MtCisaDmarcAggregateCisa {
 
     $dmarcRecords = @()
     foreach($domain in $expandedDomains){
-        $dmarcRecord = Get-MailAuthenticationRecord -DomainName $domain -Records DMARC
+        $dmarcRecord = Get-MailAuthenticationRecord -DomainName $domain -Records DMARC -DnsServerIpAddress $DnsServerIpAddress
         $dmarcRecord | Add-Member -MemberType NoteProperty -Name "pass" -Value "Failed"
         $dmarcRecord | Add-Member -MemberType NoteProperty -Name "reason" -Value ""
 

@@ -17,6 +17,9 @@ function Test-MtCisaDmarcRecordExist {
     [CmdletBinding()]
     [OutputType([bool])]
     param(
+        # DNS-server to use for lookup.
+        [string]$DnsServerIpAddress,
+
         # Check 2nd Level Domains Explicitly per CISA
         [switch]$Strict
     )
@@ -45,7 +48,7 @@ function Test-MtCisaDmarcRecordExist {
             $domainName = $domain.domainname
         }
 
-        $dmarcRecord = Get-MailAuthenticationRecord -DomainName $domainName -Records DMARC
+        $dmarcRecord = Get-MailAuthenticationRecord -DomainName $domainName -Records DMARC -DnsServerIpAddress $DnsServerIpAddress
         $dmarcRecord | Add-Member -MemberType NoteProperty -Name "pass" -Value "Failed"
         $dmarcRecord | Add-Member -MemberType NoteProperty -Name "reason" -Value ""
 

@@ -17,6 +17,9 @@ function Test-MtCisaDmarcRecordReject {
     [CmdletBinding()]
     [OutputType([bool])]
     param(
+        # DNS-server to use for lookup.
+        [string]$DnsServerIpAddress,
+
         # Check 2nd Level Domains Explicitly per CISA
         [switch]$Strict
     )
@@ -50,7 +53,7 @@ function Test-MtCisaDmarcRecordReject {
 
     $dmarcRecords = @()
     foreach($domain in $expandedDomains){
-        $dmarcRecord = Get-MailAuthenticationRecord -DomainName $domain -Records DMARC
+        $dmarcRecord = Get-MailAuthenticationRecord -DomainName $domain -Records DMARC -DnsServerIpAddress $DnsServerIpAddress
         $dmarcRecord | Add-Member -MemberType NoteProperty -Name "pass" -Value "Failed"
         $dmarcRecord | Add-Member -MemberType NoteProperty -Name "reason" -Value ""
 

@@ -20,6 +20,9 @@ function Test-MtCisaDmarcReport {
     [CmdletBinding()]
     [OutputType([bool])]
     param(
+        # DNS-server to use for lookup.
+        [string]$DnsServerIpAddress,
+
         # Check 2nd Level Domains Explicitly per CISA
         [switch]$Strict
     )
@@ -53,7 +56,7 @@ function Test-MtCisaDmarcReport {
 
     $dmarcRecords = @()
     foreach($expandedDomain in $expandedDomains){
-        $dmarcRecord = Get-MailAuthenticationRecord -DomainName $expandedDomain -Records DMARC
+        $dmarcRecord = Get-MailAuthenticationRecord -DomainName $expandedDomain -Records DMARC -DnsServerIpAddress $DnsServerIpAddress
         $dmarcRecord | Add-Member -MemberType NoteProperty -Name "pass" -Value "Failed"
         $dmarcRecord | Add-Member -MemberType NoteProperty -Name "reason" -Value ""
 

@@ -16,7 +16,10 @@
 function Test-MtCisaSpfDirective {
     [CmdletBinding()]
     [OutputType([bool])]
-    param()
+    param(
+        # DNS-server to use for lookup.
+        [string]$DnsServerIpAddress
+    )
 
     if(!(Test-MtConnection ExchangeOnline)){
         Add-MtTestResultDetail -SkippedBecause NotConnectedExchange
@@ -30,7 +33,7 @@ function Test-MtCisaSpfDirective {
 
     $spfRecords = @()
     foreach($domain in $sendingDomains){
-        $spfRecord = Get-MailAuthenticationRecord -DomainName $domain.DomainName -Records SPF
+        $spfRecord = Get-MailAuthenticationRecord -DomainName $domain.DomainName -Records SPF -DnsServerIpAddress $DnsServerIpAddress
         $spfRecord | Add-Member -MemberType NoteProperty -Name "pass" -Value "Failed"
         $spfRecord | Add-Member -MemberType NoteProperty -Name "reason" -Value ""
 

@@ -16,7 +16,10 @@
 function Test-MtCisaSpfRestriction {
     [CmdletBinding()]
     [OutputType([bool])]
-    param()
+    param(
+        # DNS-server to use for lookup.
+        [string]$DnsServerIpAddress
+    )
 
     if(!(Test-MtConnection ExchangeOnline)){
         Add-MtTestResultDetail -SkippedBecause NotConnectedExchange
@@ -32,7 +35,7 @@ function Test-MtCisaSpfRestriction {
 
     $spfRecords = @()
     foreach($domain in $acceptedDomains){
-        $spfRecord = Get-MailAuthenticationRecord -DomainName $domain.DomainName -Records SPF
+        $spfRecord = Get-MailAuthenticationRecord -DomainName $domain.DomainName -Records SPF -DnsServerIpAddress $DnsServerIpAddress
         $spfRecord | Add-Member -MemberType NoteProperty -Name "pass" -Value "Failed"
         $spfRecord | Add-Member -MemberType NoteProperty -Name "reason" -Value ""
 

@@ -1,6 +1,10 @@
+param(
+    [string]$DnsServerIpAddress
+)
+
 Describe "CISA SCuBA" -Tag "MS.EXO", "MS.EXO.3.1", "CISA", "Security", "All" {
     It "MS.EXO.03.1: DKIM SHOULD be enabled for all domains." {
-        $cisaDkim = Test-MtCisaDkim
+        $cisaDkim = Test-MtCisaDkim -DnsServerIpAddress $DnsServerIpAddress
 
         if ($null -ne $cisaDkim) {
             $cisaDkim | Should -Be $true -Because "DKIM record should exist and be configured."

@@ -1,6 +1,10 @@
+param(
+    [string]$DnsServerIpAddress
+)
+
 Describe "CISA SCuBA" -Tag "MS.EXO", "MS.EXO.4.3", "CISA", "Security", "All" {
     It "MS.EXO.04.3: The DMARC point of contact for aggregate reports SHALL include [email protected]." {
-        $cisaDmarcAggregateCisa = Test-MtCisaDmarcAggregateCisa
+        $cisaDmarcAggregateCisa = Test-MtCisaDmarcAggregateCisa -DnsServerIpAddress $DnsServerIpAddress
 
         if ($null -ne $cisaDmarcAggregateCisa) {
             $cisaDmarcAggregateCisa | Should -Be $true -Because "DMARC record includes proper aggregate target."

@@ -1,6 +1,10 @@
+param(
+    [string]$DnsServerIpAddress
+)
+
 Describe "CISA SCuBA" -Tag "MS.EXO", "MS.EXO.4.1", "CISA", "Security", "All" {
     It "MS.EXO.04.1: A DMARC policy SHALL be published for every second-level domain." {
-        $cisaDmarcRecordExist = Test-MtCisaDmarcRecordExist
+        $cisaDmarcRecordExist = Test-MtCisaDmarcRecordExist -DnsServerIpAddress $DnsServerIpAddress
 
         if ($null -ne $cisaDmarcRecordExist) {
             $cisaDmarcRecordExist | Should -Be $true -Because "DMARC record should exist."

@@ -1,6 +1,10 @@
+param(
+    [string]$DnsServerIpAddress
+)
+
 Describe "CISA SCuBA" -Tag "MS.EXO", "MS.EXO.4.2", "CISA", "Security", "All" {
     It "MS.EXO.04.2: The DMARC message rejection option SHALL be p=reject." {
-        $cisaDmarcRecordReject = Test-MtCisaDmarcRecordReject
+        $cisaDmarcRecordReject = Test-MtCisaDmarcRecordReject -DnsServerIpAddress $DnsServerIpAddress
 
         if ($null -ne $cisaDmarcRecordReject) {
             $cisaDmarcRecordReject | Should -Be $true -Because "DMARC record policy should be reject."

@@ -1,6 +1,10 @@
+param(
+    [string]$DnsServerIpAddress
+)
+
 Describe "CISA SCuBA" -Tag "MS.EXO", "MS.EXO.4.4", "CISA", "Security", "All" {
     It "MS.EXO.04.4: An agency point of contact SHOULD be included for aggregate and failure reports." {
-        $cisaDmarcReport = Test-MtCisaDmarcReport
+        $cisaDmarcReport = Test-MtCisaDmarcReport -DnsServerIpAddress $DnsServerIpAddress
 
         if ($null -ne $cisaDmarcReport) {
             $cisaDmarcReport | Should -Be $true -Because "DMARC report targets should exist."

@@ -1,6 +1,10 @@
+param(
+    [string]$DnsServerIpAddress
+)
+
 Describe "CISA SCuBA" -Tag "MS.EXO", "MS.EXO.2.2", "CISA", "Security", "All" {
     It "MS.EXO.02.2: An SPF policy SHALL be published for each domain, designating only these addresses as approved senders." {
-        $cisaSpfDirective = Test-MtCisaSpfDirective
+        $cisaSpfDirective = Test-MtCisaSpfDirective -DnsServerIpAddress $DnsServerIpAddress
 
         if ($null -ne $cisaSpfDirective) {
             $cisaSpfDirective | Should -Be $true -Because "SPF record should restrict authorized senders."

@@ -1,6 +1,10 @@
+param(
+    [string]$DnsServerIpAddress
+)
+
 Describe "CISA SCuBA" -Tag "MS.EXO", "MS.EXO.2.1", "CISA", "Security", "All" {
     It "MS.EXO.02.1: A list of approved IP addresses for sending mail SHALL be maintained." {
-        $cisaSpfRestriction = Test-MtCisaSpfRestriction
+        $cisaSpfRestriction = Test-MtCisaSpfRestriction -DnsServerIpAddress $DnsServerIpAddress
 
         if ($null -ne $cisaSpfRestriction) {
             $cisaSpfRestriction | Should -Be $true -Because "SPF record should restrict authorized senders."