This is somewhat related to a similar issue I posted about a few days ago here.

I have DENY policies in place for two subdomains and I'm able to get them to ping successfully with no issues.
I had these set to IGNORE before, but due to me still being able to ping between resources in both prod and qa, I removed those two policies and recreated them using DENY instead
I looked in the dns debug log and as expected, there are no "refused" messages anywhere in it.
How do I go about troubleshooting this, when, from what I see, the subnets were defined correctly, and the syntax of the commands are correct (at least I think they are)?

