Zscaler App and NTP

Has anyone run into time drift issues with ZPA? Our domain controllers are our internal time source and a few computers are starting to see time drift. I’m trying to make sure I have NTP defined correctly. UDP 123 is available and I see that traffic in logs.

Basically, I have a computer using ZPA with the clock off by a few minutes. I have them disconnect from ZPA, and then connect to our legacy VPN and the clock instantly syncs to the correct time.

I came across this article referencing that Kerberos and DNS are required in a domain environment. Kerberos (TCP 88) is also available to the domain controllers. But, I never configured UDP 53 for DNS.
https://support.microsoft.com/en-us/help/832017#method60

In fact it actually warns you when trying to add DNS to an app segment. Thoughts?
“Zscaler recommends excluding DNS traffic (port 53) from TCP and UDP port ranges”

I’ve not noticed any issues with NTP before.
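One way to separate "UDP 123 traffic shows up in the logs" from "the client actually completes an NTP exchange with the DC and learns its offset" is to run a minimal SNTP probe from the ZPA-connected machine against the domain controller. The script below is an added example, not code from the original post or from Zscaler or Microsoft: it builds an RFC 5905 client packet, validates the server reply (mode 4, non-zero stratum, leap indicator not 3), and computes the RFC 5905 clock offset and round-trip delay. `dc01.example.internal` is a placeholder for your DC, the 300-second Kerberos skew limit is the Windows default for "Maximum tolerance for computer clock synchronization", and `offline_demo()` uses a constructed reply packet so the arithmetic can be checked without network access.

```python
"""Minimal SNTP probe: does a client on the ZPA tunnel complete an NTP
exchange with the DC over UDP 123, and how far off is its clock?
Added example; not from the original post."""
import socket
import struct
import time

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 to 1970-01-01
KERBEROS_MAX_SKEW_SECONDS = 300      # Windows default Kerberos clock tolerance (5 min)
DC_PLACEHOLDER = "dc01.example.internal"   # placeholder, replace with your DC


def to_ntp_ts(unix_seconds: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def from_ntp_ts(ntp_ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds as a float."""
    return ((ntp_ts >> 32) - NTP_UNIX_DELTA) + (ntp_ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(transmit_unix: float) -> bytes:
    """48-byte NTPv4 client packet: LI=0, VN=4, mode=3; only Transmit Timestamp set."""
    first_byte = (0 << 6) | (4 << 3) | 3                   # 0x23
    header = bytes([first_byte, 0, 0, 0])                  # stratum, poll, precision = 0
    fixed = b"\x00" * 12                                   # root delay, dispersion, ref id
    stamps = struct.pack("!QQQQ", 0, 0, 0, to_ntp_ts(transmit_unix))
    return header + fixed + stamps


def parse_server_reply(packet: bytes) -> dict:
    """Validate a server reply and return its timestamps in Unix seconds."""
    if len(packet) < 48:
        raise ValueError(f"NTP reply too short ({len(packet)} bytes)")
    li, version, mode = packet[0] >> 6, (packet[0] >> 3) & 0x7, packet[0] & 0x7
    stratum = packet[1]
    if mode != 4:
        raise ValueError(f"expected server mode 4, got mode {mode}")
    if stratum == 0:
        # Stratum 0 is a kiss-o'-death packet; the reference ID holds the ASCII reason code
        raise ValueError(f"kiss-o'-death from server, code {packet[12:16]!r}")
    if li == 3:
        raise ValueError("server says its own clock is unsynchronised (LI=3)")
    _ref, orig, recv, xmit = struct.unpack("!QQQQ", packet[16:48])
    return {
        "version": version,
        "stratum": stratum,
        "originate_raw": orig,               # compared to what we sent, to reject stray replies
        "receive": from_ntp_ts(recv),        # t2
        "transmit": from_ntp_ts(xmit),       # t3
    }


def clock_offset(t1: float, t2: float, t3: float, t4: float):
    """RFC 5905 offset and round-trip delay from the four exchange timestamps."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def exceeds_kerberos_skew(offset_seconds: float) -> bool:
    """True when the offset alone would make Kerberos reject tickets (default 5 min)."""
    return abs(offset_seconds) > KERBEROS_MAX_SKEW_SECONDS


def probe(server: str = DC_PLACEHOLDER, timeout: float = 2.0):
    """One request/reply over UDP 123. Raises socket.timeout if no reply returns
    through the tunnel, ValueError if the reply is bogus or a kiss-o'-death."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_client_request(t1), (server, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    reply = parse_server_reply(data)
    if reply["originate_raw"] != to_ntp_ts(t1):
        raise ValueError("originate timestamp does not match our request")
    offset, delay = clock_offset(t1, reply["receive"], reply["transmit"], t4)
    return offset, delay, reply


def make_server_reply(originate_unix, receive_unix, transmit_unix,
                      stratum=2, li=0, mode=4) -> bytes:
    """Constructed sample reply (not captured traffic) for offline testing."""
    header = bytes([(li << 6) | (4 << 3) | mode, stratum, 6, 0xEC])   # poll 6, precision -20
    fixed = b"\x00" * 8 + b"LOCL"                                     # root fields, ref id
    stamps = struct.pack("!QQQQ", to_ntp_ts(receive_unix - 1), to_ntp_ts(originate_unix),
                         to_ntp_ts(receive_unix), to_ntp_ts(transmit_unix))
    return header + fixed + stamps


def offline_demo():
    """Simulated exchange: client clock about 2 minutes behind the DC, 1 s round trip."""
    t1, t4 = 1000.0, 1001.0                       # constructed client timestamps
    reply = parse_server_reply(make_server_reply(t1, 1120.5, 1120.75))
    return clock_offset(t1, reply["receive"], reply["transmit"], t4)


if __name__ == "__main__":
    offset, delay = offline_demo()
    print(f"offline demo: offset {offset:+.3f}s, delay {delay:.3f}s, "
          f"kerberos skew exceeded: {exceeds_kerberos_skew(offset)}")
```

Run `probe("your-dc")` from the affected machine while ZPA is connected and again on the legacy VPN: a `socket.timeout` on ZPA but a reply on the VPN points at the UDP 123 return path rather than at the time configuration, while a valid reply with a large offset means the packets are flowing and the Windows Time service itself is not applying the correction.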