A guide on troubleshooting ZTDNS, finding logs, sharing feedback, and bug reports with the team.
By adopting Zero Trust DNS (ZTDNS), organizations can strengthen their Zero Trust deployments, ensuring that Windows 11 devices only communicate with trusted network destinations. This blog post will help ZTDNS Public Preview self-hosters retrieve and update ZTDNS configuration, find ZTDNS logs, debug ZTDNS, share feedback, and report bugs to the team. Some known issues are also listed.
Retrieving ZTDNS configuration
You can find information on the commands to retrieve trusted server information, manually allowed exceptions, state of ZTDNS, and more by running the following in command prompt:
netsh ztdns show help
Updating ZTDNS configuration
You can add new exceptions or servers while ZTDNS is running on your device using the same commands from the ZTDNS deployment process. Run the following in command prompt to get more information:
netsh ztdns add help
You can find information on the commands to delete certain configurations like trusted servers, manually allowed exceptions, and more by running the following in command prompt:
netsh ztdns delete help
Finding ZTDNS logs
When you have ZTDNS running on your device, you can check Event Viewer to see logs for all attempted connections from the device.
- Search for ‘Event Viewer’ in the Start menu and open it.
- In the left panel, go under ‘Applications and Services Logs’ -> ‘Microsoft’ -> ‘Windows’ -> ‘ZTDNS’.
- You should see three logs under this folder:
  - BlockedConnections – contains logs about connections blocked by ZTDNS. Each blocked connection log contains the time of the blocked connection, source IP address, source port, destination IP address, destination port, and name of the initiating process.
  - Operational – contains logs about ZTDNS configuration and service state changes.
  - PermittedConnections – contains logs about connections allowed by ZTDNS. Each permitted connection log contains the time of the permitted connection, source IP address, source port, destination IP address, destination port, and name of the initiating process. (Note: this log is disabled by default and can be enabled by right-clicking ‘PermittedConnections’ in the left panel and selecting ‘Enable Log’.)
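The same three logs can be read from PowerShell, which is more practical than Event Viewer when you want to filter or export blocked connections during a rollout. The script below is an added example, not code from the original post or from the ZTDNS team; the channel names it uses are an assumption based on the usual "Microsoft-Windows-<component>/<log>" naming and should be confirmed on your device with `Get-WinEvent -ListLog '*ZTDNS*'`. Because the exact EventData field names are not documented on this page, the function reads every field from the event XML generically instead of hard-coding them.

```powershell
# Added example (not from the original post): read ZTDNS connection events and
# enable the PermittedConnections log, which is off by default.
# ASSUMPTION: channel names follow "Microsoft-Windows-ZTDNS/<Log>"; verify with
#   Get-WinEvent -ListLog '*ZTDNS*'
$ZtdnsLogs = @{
    Blocked     = 'Microsoft-Windows-ZTDNS/BlockedConnections'
    Operational = 'Microsoft-Windows-ZTDNS/Operational'
    Permitted   = 'Microsoft-Windows-ZTDNS/PermittedConnections'
}

function Enable-ZtdnsPermittedLog {
    # Same effect as right-clicking PermittedConnections and choosing 'Enable Log'.
    # Requires an elevated PowerShell session.
    $log = Get-WinEvent -ListLog $ZtdnsLogs.Permitted
    if (-not $log.IsEnabled) {
        $log.IsEnabled = $true
        $log.SaveChanges()
    }
    return $log.IsEnabled
}

function Get-ZtdnsConnectionEvents {
    param(
        [ValidateSet('Blocked', 'Permitted', 'Operational')]
        [string]$Log = 'Blocked',
        [int]$MaxEvents = 50
    )
    # Each record's EventData carries the fields described above (time, source
    # and destination IP/port, initiating process). Their names are not given on
    # this page, so they are pulled from the event XML rather than assumed.
    Get-WinEvent -LogName $ZtdnsLogs[$Log] -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $row = [ordered]@{ TimeCreated = $_.TimeCreated; EventId = $_.Id }
            foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
            [pscustomobject]$row
        }
}

# Usage: the 20 most recent blocked connections, newest first.
Get-ZtdnsConnectionEvents -Log Blocked -MaxEvents 20 | Format-Table -AutoSize
```

`-ErrorAction SilentlyContinue` on `Get-WinEvent` matters because the cmdlet throws when a log exists but contains no events yet, which is the normal state of BlockedConnections on a correctly configured device.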
Debugging ZTDNS
If you experience connectivity issues after enabling ZTDNS, verify that ZTDNS has at least one trusted DNS server set. To see all trusted DNS servers set for ZTDNS, run the following in command prompt:
netsh ztdns show server
Check connectivity to the trusted DNS server using ping, then try resolving an allowed domain name through the trusted DNS server with Resolve-DnsName. After this, a ping to the resolved IP address should succeed.
Alternatively, you can ping an allowed domain name directly which should use the Windows DNS client and trusted DNS server for name resolution. This will check connectivity to the trusted DNS server as well as the resolved endpoint.
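The three checks above (reach the trusted DNS server, resolve an allowed name through it, reach the resolved address) can be run in order so the output shows exactly which hop fails. The function below is an added example, not code from the original post or from the ZTDNS team. The server address and domain name it is called with are constructed placeholders: substitute a server listed by `netsh ztdns show server` and a domain your policy allows.

```powershell
# Added example (not from the original post): run the ZTDNS debugging checks in
# sequence and report the first one that fails.
function Test-ZtdnsResolutionPath {
    param(
        # Placeholder: use an address printed by 'netsh ztdns show server'.
        [Parameter(Mandatory)] [string]$TrustedDns,
        # Placeholder: use a domain name allowed by your ZTDNS policy.
        [Parameter(Mandatory)] [string]$AllowedName
    )
    $result = [ordered]@{
        TrustedDns         = $TrustedDns
        DnsServerReachable = $false
        ResolvedAddresses  = @()
        EndpointReachable  = $false
    }

    # 1. Can the device reach the trusted DNS server at all?
    $result.DnsServerReachable = Test-Connection -ComputerName $TrustedDns -Count 2 -Quiet
    if (-not $result.DnsServerReachable) { return [pscustomobject]$result }

    # 2. Resolve an allowed name explicitly through that server, skipping the
    #    local cache so the answer really comes from the trusted server.
    $answers = Resolve-DnsName -Name $AllowedName -Server $TrustedDns -Type A -DnsOnly -ErrorAction SilentlyContinue
    $result.ResolvedAddresses = @($answers | Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress)
    if ($result.ResolvedAddresses.Count -eq 0) { return [pscustomobject]$result }

    # 3. Ping the resolved address. If steps 1 and 2 pass but this fails, check
    #    the BlockedConnections log: ZTDNS only lets traffic through to
    #    destinations resolved via a trusted DNS server.
    $result.EndpointReachable = Test-Connection -ComputerName $result.ResolvedAddresses[0] -Count 2 -Quiet
    [pscustomobject]$result
}

# Usage (placeholder values, constructed for this example):
Test-ZtdnsResolutionPath -TrustedDns '10.0.0.53' -AllowedName 'intranet.example.com'
```

A result with `DnsServerReachable` false points at the trusted server list or the network path to it; resolved addresses with `EndpointReachable` false is the case to pair with the BlockedConnections log before filing a bug.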
If your issue still persists, please file a bug. You can restore network connectivity by disabling ZTDNS. In an administrator command prompt, run:
netsh ztdns set state enable=no audit=no
Reporting feedback and bugs
We value your feedback! Your feedback from testing ZTDNS in preview is crucial for us as we get ready for GA. To share your feedback or report a bug:
- Search for ‘Feedback Hub’ in Start Menu and open it.
- In the left panel, click ‘Feedback’.
- Click ‘+ Give new feedback’ button to enter new feedback or upvote an existing entry that matches your feedback.
- In the section 1 ‘Summarize your feedback’ text box, enter ‘[ZTDNS]’ followed by your feedback.
- In section 2 ‘Choose a category’, select ‘Problem’ to report a bug or ‘Suggestion’ to give feedback.
- In the left dropdown box, choose ‘Network and Internet’; in the right dropdown box, choose ‘DNS’.
- Fill out sections 3 and 4.
- Click ‘Submit’.
Known issues
Chromium-based WebView2 applications (including new Outlook and Teams) use their own encrypted DNS clients instead of using the Windows DNS client. On a Windows 11 device with ZTDNS enabled, based on the DNS server being contacted by the WebView2 DNS client, these applications will fail to send traffic to any resolved IP addresses. We are actively working to solve this for all applications using Chromium under the hood, including our own. You can track the linked Chromium issue for the latest updates.