Update troubleshoot-zero-trust-dns-guidance.md

przlplx · web-flow · commit d7d4d1b2bdd2 · 2025-11-12T14:20:16.000-08:00
Edit review per CI 8098
diff --git a/support/windows-client/windows-security/troubleshoot-zero-trust-dns-guidance.md b/support/windows-client/windows-security/troubleshoot-zero-trust-dns-guidance.md
@@ -15,15 +15,15 @@ appliesto:
 ---
 # Zero Trust DNS troubleshooting guidance
 
+This article shows you how to diagnose common connectivity and configuration issues that affect Zero Trust Domain Name System (ZTDNS) services, and how to use ZTDNS logs. The troubleshooting steps in this article help you maintain network security while making sure that legitimate applications and services continue to work correctly.
+
 After you deploy Zero Trust Domain Name System (ZTDNS) services, use this guidance if you experience any of the following symptoms:
 
 - Application connectivity failures
 - DNS resolution errors or timeouts
 - Unexpected network blocks or service disruptions
 - Network access and ZTDNS configuration issues
 
-This article shows you how to diagnose common connectivity and configuration issues, and how to use ZTDNS logs. The troubleshooting steps in this article help you maintain network security while ensuring that legitimate applications and services continue to work properly.
-
 ## Best practices to avoid ZTDNS issues
 
 - **Before you deploy and enforce ZTDNS organization-wide**
@@ -33,11 +33,11 @@ This article shows you how to diagnose common connectivity and configuration iss
 - **Maintaining the ZTDNS deployment**
   - When you add IP exceptions, document what exception was made and why.
   - To understand traffic patterns and identify issues early, monitor the Event Viewer logs.
-  - To to optimize ZTDNS deployment, conduct periodical reviews of the cofiguration and logs.
+  - To optimize ZTDNS deployment, conduct periodical reviews of the cofiguration and logs.
 
 ## Troubleshooting checklist
 
-If you experience connectivity issues after you deploy and enforce ZTDNS, follow these steps:
+If you experience connectivity issues after you deploy and enforce ZTDNS, follow these steps.
 
 ### Step 1: Verify that the trusted DNS servers are configured correctly
 
@@ -47,7 +47,7 @@ Make sure that at least one trusted DNS server uses ZTDNS. Open a Windows Comman
 netsh ztdns show server
 ```
 
-This command displays all the trusted DNS servers that use Zero Trust DNS (ZTDNS), including their protocol (DoH or DoT), IP address, and priority settings.
+This command displays all the trusted DNS servers that use Zero Trust DNS, including their protocol (DoH or DoT), IP address, and priority settings.
 
 ### Step 2: Test the connectivity to the trusted DNS servers
 
@@ -65,11 +65,11 @@ Resolve-DnsName -Name <domain-name> -Server <dns-server-ip>
 
 If these commands don't succeed, see [DNS troubleshooting guidance](../../windows-server/networking/troubleshoot-dns-guidance.md).
 
-When these commands resolve successfully, check end-to-end connectivity by pinging the resolved IP address.
+After these commands resolve successfully, check the end-to-end connectivity by pinging the resolved IP address.
 
 ### Step 3: Test domain name resolution
 
-To use the Windows DNS client to test DNS resolution, on a client computer, run the following command at a Windows command prompt:
+To use the Windows DNS client to test DNS resolution, go to a client computer, and run the following command at a Windows command prompt:
 
 ```console
 ping <allowed-domain-name>
@@ -108,9 +108,9 @@ netsh ztdns show trustedca
 
 Resolve any issues that you find.
 
-### Step 5 (Advanced) Test connectivity in audit mode
+### Step 5 (Advanced): Test connectivity in audit mode
 
-If you suspect configuration issues, temporarily enable audit mode and then test connectivity when ZTDNS isn't enforced. In audit mode, Windows logs instances where ZTDNS would block connections if it were fully enforced. To enable audit mode for ZTDNS, run the following command:
+If you suspect configuration issues, temporarily enable audit mode, and then test connectivity when ZTDNS isn't enforced. In audit mode, Windows logs instances in which ZTDNS is expected to block connections if it's fully enforced. To enable audit mode for ZTDNS, run the following command:
 
 ```console
 netsh ztdns set state enable=yes audit=yes
@@ -139,9 +139,9 @@ After you enforce ZTDNS, users experience the following symptoms:
 To troubleshoot these issues, follow these steps:
 
 1. Check the BlockedConnections log for recent blocked attempts. For more information about this log, see [How to find ZTDNS logs](#how-to-find-ztdns-logs).
-1. Identify the blocked IP addresses that the application and the destination use.
+1. Identify the blocked IP addresses that the application and destination use.
 1. Check whether the application requires IP exceptions (for example, WebRTC applications require exceptions).
-1. To add an exception (if needed), run `netsh ztdns add exception`.
+1. To add an exception (if it's necessary), run `netsh ztdns add exception`.
 
 ### DNS resolution failures
 
@@ -170,4 +170,4 @@ The ZTDNS folder lists three log categories. The following table describes the t
 | - | - | - | - |
 | BlockedConnections | Contains entries that document the connections that ZTDNS blocks. | <ul><li>Time of the blocked connection</li><li>Source IP address and port</li><li>Destination IP address and port</li><li>Name of the initiating process</li></ul> | Review this log to identify applications or services that might need exceptions. |
 | Operational | Contains entries that document changes in the ZTDNS configuration and service state. | <ul><li>ZTDNS service status changes</li><li>Configuration changes</li><li>System events that relate to ZTDNS operations</li></ul> | Review this log to monitor the health and configuration of ZTDNS. |
-| PermittedConnections | Contains entries that document any connections that ZTDNS allows. | <ul><li>Time of the allowed connection</li><li>Source IP address and port</li><li>Destination IP address and port</li><li>Name of the initiating process</li></ul> | Review this log to verify that ZTDNS allows the expected connections.<br/><br/>**Note:** By default, this category is disabled. To use it, in the left panel, right-click **PermittedConnections**, and then select **Enable Log**. |
+| PermittedConnections | Contains entries that document any connections that ZTDNS allows. | <ul><li>Time of the allowed connection</li><li>Source IP address and port</li><li>Destination IP address and port</li><li>Name of the initiating process</li></ul> | Review this log to verify that ZTDNS allows the expected connections.<br/><br/>**Note:** By default, this category is disabled. To use it, go to the left panel, right-click **PermittedConnections**, and then select **Enable Log**. |
