DNS Troubleshooting
dns networking troubleshooting
Quick Commands
dig (Preferred)
# Basic lookup
dig example.com
# Specific record type
dig example.com A
dig example.com AAAA
dig example.com MX
dig example.com TXT
dig example.com CNAME
dig example.com NS
dig example.com SOA
dig example.com SRV
# Short output (just the answer)
dig +short example.com
# Query specific DNS server
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com
# Trace resolution path
dig +trace example.com
# Reverse lookup
dig -x 192.168.1.1
# Show all records
dig example.com ANYnslookup
# Basic lookup
nslookup example.com
# Query specific server
nslookup example.com 8.8.8.8
# Specific record type
nslookup -type=MX example.com
nslookup -type=TXT example.com
# Reverse lookup
nslookup 192.168.1.1host (Simple Output)
host example.com
host -t MX example.com
host 192.168.1.1 # reverseRecord Types Reference
| Type | Purpose | Example |
|---|---|---|
| A | IPv4 address | example.com → 93.184.216.34 |
| AAAA | IPv6 address | example.com → 2606:2800:220:1:... |
| CNAME | Alias to another name | www.example.com → example.com |
| MX | Mail server (with priority) | 10 mail.example.com |
| TXT | Text data (SPF, DKIM, verification) | "v=spf1 include:_spf.google.com ~all" |
| NS | Nameserver for zone | ns1.example.com |
| SOA | Start of Authority (zone info) | Serial, refresh, retry, expire |
| SRV | Service location | _sip._tcp.example.com |
| PTR | Reverse lookup (IP → name) | 34.216.184.93.in-addr.arpa → example.com |
| CAA | Certificate Authority Authorization | 0 issue "letsencrypt.org" |
Common Issues and Diagnosis
NXDOMAIN (Name Does Not Exist)
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN
Causes:
- Domain doesn’t exist or expired
- Typo in domain name
- DNS server doesn’t have the zone
Check:
# Verify domain exists
whois example.com | grep -i "expir"
# Try authoritative nameserver directly
dig NS example.com +short
dig @ns1.example.com example.comSERVFAIL
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
Causes:
- Authoritative server unreachable
- DNSSEC validation failure
- Recursive resolver issue
Check:
# Try different resolvers
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com
# Check if DNSSEC issue (disable validation)
dig +cd example.com # cd = checking disabledREFUSED
;; ->>HEADER<<- opcode: QUERY, status: REFUSED
Causes:
- Server doesn’t allow queries from your IP
- Server not authoritative and recursion disabled
Check:
# Try public resolver
dig @8.8.8.8 example.comSlow Resolution / Timeout
Diagnosis:
# Time the query
time dig example.com
# Trace to find slow link
dig +trace example.com
# Check each nameserver
dig @ns1.example.com example.com +time=2Stale/Cached Records
Check TTL:
dig example.com | grep -A1 "ANSWER SECTION"
# TTL is the number before IN (e.g., 300 = 5 minutes)Flush local cache:
# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
# Windows
ipconfig /flushdns
# Linux (systemd-resolved)
sudo systemd-resolve --flush-caches
# Linux (nscd)
sudo systemctl restart nscdSplit-Horizon / Different Results
When internal vs external DNS returns different IPs:
# Compare internal vs external
dig @internal-dns.company.com app.company.com +short
dig @8.8.8.8 app.company.com +short
# Check which DNS your system uses
cat /etc/resolv.conf # Linux
scutil --dns # macOS
Get-DnsClientServerAddress # Windows PowerShellTTL Behavior
| TTL Value | Meaning | Use Case |
|---|---|---|
| 300 (5 min) | Short | Frequently changing, failover |
| 3600 (1 hr) | Medium | Normal operations |
| 86400 (1 day) | Long | Stable records |
| 0 | No caching | Testing only (not recommended) |
Before DNS changes:
- Lower TTL to 300 (wait for old TTL to expire)
- Make the change
- Verify propagation
- Raise TTL back to normal
Checking Propagation
# Query multiple public resolvers
for dns in 8.8.8.8 1.1.1.1 9.9.9.9 208.67.222.222; do
echo "=== $dns ==="
dig @$dns example.com +short
done
# Or use: https://www.whatsmydns.net/Common DNS Ports
| Port | Protocol | Use |
|---|---|---|
| 53 | UDP | Standard queries |
| 53 | TCP | Large responses, zone transfers |
| 853 | TCP | DNS over TLS (DoT) |
| 443 | TCP | DNS over HTTPS (DoH) |
Useful Public DNS Servers
| Provider | Primary | Secondary |
|---|---|---|
| 8.8.8.8 | 8.8.4.4 | |
| Cloudflare | 1.1.1.1 | 1.0.0.1 |
| Quad9 | 9.9.9.9 | 149.112.112.112 |
| OpenDNS | 208.67.222.222 | 208.67.220.220 |
Reverse DNS (PTR Records)
# Lookup
dig -x 192.168.1.1
nslookup 192.168.1.1
# The PTR record format
# 192.168.1.1 → 1.1.168.192.in-addr.arpa
# 2001:db8::1 → 1.0.0.0...8.b.d.0.1.0.0.2.ip6.arpaCommon issue: PTR doesn’t match forward lookup (A record). Many mail servers reject email if forward/reverse don’t match.
SRV Record Format
_service._proto.name TTL class SRV priority weight port target
Example:
dig _sip._tcp.example.com SRV
# Answer: 10 5 5060 sipserver.example.com
# ^ ^ ^ ^
# | | | └── target host
# | | └─────── port
# | └────────── weight (load balancing)
# └───────────── priority (lower = preferred)Related
- Wireshark - Filters - Capture DNS traffic
- Linux - Common Commands