| 1 | +--- |
| 2 | +title: Guidance for Troubleshooting Zero Trust DNS |
| 3 | +description: Learn how to troubleshoot Zero Trust DNS (ZTDNS) issues. Get step-by-step guidance for troubleshooting connectivity and configuration issues, and for finding log data. |
| 4 | +ms.service: windows-client |
| 5 | +ms.reviewer: kaushika, adpatang, v-appelgatet |
| 6 | +manager: dcscontentpm |
| 7 | +audience: itpro |
| 8 | +ms.topic: troubleshooting |
| 9 | +ms.date: 11/17/2025 |
| 10 | +ms.custom: |
| 11 | +- sap:network connectivity and file sharing\dns |
| 12 | +- pcy:WinComm Networking |
| 13 | +appliesto: |
| 14 | + - <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Supported versions of Windows Client</a> |
| 15 | +--- |
| 16 | +# Zero Trust DNS troubleshooting guidance |
| 17 | + |
| 18 | +This article shows you how to diagnose common connectivity and configuration issues that affect Zero Trust Domain Name System (ZTDNS) services, and how to use ZTDNS logs. The troubleshooting steps in this article help you maintain network security while making sure that legitimate applications and services continue to work correctly. |
| 19 | + |
| 20 | +After you deploy Zero Trust Domain Name System (ZTDNS) services, use this guidance if you experience any of the following symptoms: |
| 21 | + |
| 22 | +- Application connectivity failures |
| 23 | +- DNS resolution errors or timeouts |
| 24 | +- Unexpected network blocks or service disruptions |
| 25 | +- Network access and ZTDNS configuration issues |
| 26 | + |
| 27 | +## Best practices to avoid ZTDNS issues |
| 28 | + |
| 29 | +- **Before you deploy and enforce ZTDNS organization-wide** |
| 30 | + - Test the configuration in audit mode. |
| 31 | + - Deploy and test ZTDNS on pilot devices. |
| 32 | + |
| 33 | +- **Maintaining the ZTDNS deployment** |
| 34 | + - When you add an IP exception, document what exception was made and why. |
| 35 | + - To understand traffic patterns and identify issues early, monitor the Event Viewer logs. |
| 36 | + - To optimize ZTDNS deployment, conduct periodical reviews of the cofiguration and logs. |
| 37 | + |
| 38 | +## Troubleshooting checklist |
| 39 | + |
| 40 | +If you experience connectivity issues after you deploy and enforce ZTDNS, follow these steps. |
| 41 | + |
| 42 | +### Step 1: Verify that the trusted DNS servers are configured correctly |
| 43 | + |
| 44 | +Make sure that at least one trusted DNS server is configured for ZTDNS. Open a Windows Command Prompt window, and then run the following command: |
| 45 | + |
| 46 | +```console |
| 47 | +netsh ztdns show server |
| 48 | +``` |
| 49 | + |
| 50 | +This command displays all the trusted DNS servers that are configured for Zero Trust DNS, including their protocol (DoH or DoT), IP address, and priority settings. |
| 51 | + |
| 52 | +### Step 2: Test the connectivity to the trusted DNS servers |
| 53 | + |
| 54 | +Make sure that client computers can connect to your trusted DNS server. Open a Windows PowerShell window, and then run the following commands: |
| 55 | + |
| 56 | +```powershell |
| 57 | +# Test basic connectivity to the DNS server |
| 58 | +ping <dns-server-ip> |
| 59 | +``` |
| 60 | + |
| 61 | +```powershell |
| 62 | +# Test DNS resolution using the trusted server |
| 63 | +Resolve-DnsName -Name <domain-name> -Server <dns-server-ip> |
| 64 | +``` |
| 65 | + |
| 66 | +If these commands don't succeed, see [DNS troubleshooting guidance](../../windows-server/networking/troubleshoot-dns-guidance.md). |
| 67 | + |
| 68 | +After these commands run successfully, check the end-to-end connectivity by pinging the resolved IP address. |
| 69 | + |
| 70 | +### Step 3: Test domain name resolution |
| 71 | + |
| 72 | +To use the Windows DNS client to test DNS resolution, go to a client computer, and run the following command at a Windows command prompt: |
| 73 | + |
| 74 | +```console |
| 75 | +ping <allowed-domain-name> |
| 76 | +``` |
| 77 | + |
| 78 | +This command uses the Windows DNS client and trusted DNS server for name resolution, testing both DNS server connectivity and endpoint reachability. Resolve any DNS issues that you find, and then check whether these changes resolve your primary issue. If the issue remains, continue to the more advanced troubleshooting steps. |
| 79 | + |
| 80 | +### Step 4 (Advanced): Review the ZTDNS configuration |
| 81 | + |
| 82 | +To verify your current configuration, run the following commands at a Windows command prompt: |
| 83 | + |
| 84 | +```console |
| 85 | +# Check ZTDNS service state |
| 86 | +netsh ztdns show state |
| 87 | +``` |
| 88 | + |
| 89 | +```console |
| 90 | +# View all ZTDNS settings in JSON format |
| 91 | +netsh ztdns show settings |
| 92 | +``` |
| 93 | + |
| 94 | +```console |
| 95 | +# List configured IP exceptions |
| 96 | +netsh ztdns show exception |
| 97 | +``` |
| 98 | + |
| 99 | +```console |
| 100 | +# Display client certificate configuration |
| 101 | +netsh ztdns show clientcert |
| 102 | +``` |
| 103 | + |
| 104 | +```console |
| 105 | +# Show trusted certificate authorities |
| 106 | +netsh ztdns show trustedca |
| 107 | +``` |
| 108 | + |
| 109 | +Resolve any issues that you find. |
| 110 | + |
| 111 | +### Step 5 (Advanced): Test connectivity in audit mode |
| 112 | + |
| 113 | +If you suspect configuration issues, temporarily enable audit mode, and then test connectivity when ZTDNS isn't enforced. In audit mode, Windows logs instances in which ZTDNS is expected to block connections if it's fully enforced. To enable audit mode for ZTDNS, run the following command: |
| 114 | + |
| 115 | +```console |
| 116 | +netsh ztdns set state enable=yes audit=yes |
| 117 | +``` |
| 118 | + |
| 119 | +To identify services that need exceptions, review the BlockedConnections log. For more information about how to use this log, see [How to find ZTDNS logs](#how-to-find-ztdns-logs) later in this article. |
| 120 | + |
| 121 | +### Step 6 (Advanced): Disable ZTDNS |
| 122 | + |
| 123 | +If you still can't resolve your primary issue, disable ZTDNS. To disable ZTDNS enforcement and restore normal network connectivity, run the following command: |
| 124 | + |
| 125 | +```console |
| 126 | +netsh ztdns set state enable=no audit=no |
| 127 | +``` |
| 128 | + |
| 129 | +## Common issues and solutions |
| 130 | + |
| 131 | +### Applications can't connect |
| 132 | + |
| 133 | +After you enforce ZTDNS, users experience the following symptoms: |
| 134 | + |
| 135 | +- Applications can't reach external services. |
| 136 | +- Network connections time out or destinations refuse connections. |
| 137 | +- Normal web browsing works but specific applications fail. |
| 138 | + |
| 139 | +To troubleshoot these issues, follow these steps: |
| 140 | + |
| 141 | +1. Check the BlockedConnections log for recent blocked attempts. For more information about this log, see [How to find ZTDNS logs](#how-to-find-ztdns-logs). |
| 142 | +1. Identify the blocked IP addresses that the application and destination use. |
| 143 | +1. Check whether the application requires IP exceptions (for example, WebRTC applications require exceptions). |
| 144 | +1. To add an exception (if it's necessary), run `netsh ztdns add exception`. |
| 145 | + |
| 146 | +### DNS resolution failures |
| 147 | + |
| 148 | +After you enforce ZTDNS, users experience the following symptoms: |
| 149 | + |
| 150 | +- Applications can't resolve domain names. |
| 151 | +- DNS lookup operations time out. |
| 152 | +- Applications report DNS errors. |
| 153 | + |
| 154 | +To troubleshoot these issues, follow these steps: |
| 155 | + |
| 156 | +1. To review the trusted DNS server configuration, run `netsh ztdns show server`. |
| 157 | +1. To test connectivity to the trusted DNS server, run `ping <dns-server-ip>`. |
| 158 | +1. Make sure that the trusted DNS server responds to encrypted queries. |
| 159 | + |
| 160 | +## How to find ZTDNS logs |
| 161 | + |
| 162 | +On Windows devices that're configured to use ZTDNS, you can use Event Viewer to monitor all attempted connections and configuration changes. To locate the ZTDNS logs in Event Viewer, follow these steps: |
| 163 | + |
| 164 | +1. In the Search bar, enter **Event Viewer**, and then select it from the search results. |
| 165 | +1. In the left panel of Event Viewer, navigate to **Applications and Service Logs** > **Microsoft** > **Windows** > **ZTDNS**. |
| 166 | + |
| 167 | +The ZTDNS folder lists three log categories. The following table describes the three categories, and how you can use the log information. |
| 168 | + |
| 169 | +| Category | Purpose | Information included | Usage | |
| 170 | +| - | - | - | - | |
| 171 | +| BlockedConnections | Contains entries that document the connections that ZTDNS blocks. | <ul><li>Time of the blocked connection</li><li>Source IP address and port</li><li>Destination IP address and port</li><li>Name of the initiating process</li></ul> | Review this log to identify applications or services that might need exceptions. | |
| 172 | +| Operational | Contains entries that document changes in the ZTDNS configuration and service state. | <ul><li>ZTDNS service status changes</li><li>Configuration changes</li><li>System events that relate to ZTDNS operations</li></ul> | Review this log to monitor the health and configuration of ZTDNS. | |
| 173 | +| PermittedConnections | Contains entries that document any connections that ZTDNS allows. | <ul><li>Time of the allowed connection</li><li>Source IP address and port</li><li>Destination IP address and port</li><li>Name of the initiating process</li></ul> | Review this log to verify that ZTDNS allows the expected connections.<br/><br/>**Note:** By default, this category is disabled. To use it, go to the left panel, right-click **PermittedConnections**, and then select **Enable Log**. | |
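Review bot: The Step 4 blocks (lines 84-107 of the added file) are fenced as `console` and introduced as commands to "run at a Windows command prompt", yet each one opens with a `#` comment line; cmd.exe does not treat `#` as a comment, so a reader who pastes the block as written gets "'#' is not recognized as an internal or external command" before `netsh ztdns show state` runs. Either drop the comment lines, use `rem` for them, or switch those fences to `powershell` to match Step 2, where `#` is valid. Two smaller points in the same file: Steps 5 and 6 tell the reader to switch ZTDNS to audit mode (`netsh ztdns set state enable=yes audit=yes`) or disable it (`enable=no audit=no`) but never say to re-enable enforcement once the exception is added, which leaves a troubleshooting device unprotected by design; a closing sentence pointing back to the enforced setting would fix that. Also "cofiguration" (line 36) and "that're" (line 162) are typos.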