Revisit Invoke-RobustDnsTxt error handling

[adhilto]

💡 Summary

An exception thrown while resolving one domain shouldn't prevent the other domains from being tested. There are some cases where that can happen with the current implementation of Invoke-RobustDnsTxt.

Motivation and context

Invoke-RobustDnsTxt handles the following cases:

• Non-existent domain names (NXDOMAIN)
• Empty answer sections
• One-time network failures
• Split DNS scenarios where a domain isn't accessible locally but can be resolved on the public Internet (assuming DoH isn't blocked).

But if an exception occurs outside of that scope, Invoke-RobustDnsTxt will throw an exception. For example, if both Resolve-DnsName and Invoke-WebRequest both repeatedly timeout (e.g., due to a firewall), an exception will be thrown. For example, a misconfigured authoritative server might return a SERVFAIL for one domain, but that wouldn't imply that other domains would fail, so that shouldn't prevent ScubaGear from querying the other domains.

Resulting issues:

• throw preventing all Accepted Domains DNS records from being evaluated #1477
• Warning: Failed to lookup DMARC even when Organizational domain policy found #1478

Implementation notes

Invoke-RobustDnsTxt ends with an if/elseif/else.

• if: We got our answer, no change needed for this case.
• elseif: We got an empty answer section, experience has shown that this might be due to a split DNS setup. A warning is printed by the calling function in this case.
• else: This is the case that needs to be changed. Simplest thing would be to convert that throw to Write-Warning, then have the function return @{"Answers" = $Answers; "HighConfidence" = $true; "LogEntries" = $LogEntries}. Main problem with that strategy is that does introduce the possibility of a log of long warnings to be printed. Maybe that's ok?

Acceptance criteria

An error resolving one domain name doesn't prevent the rest of the domains from being attempted.