Systematic DNS Troubleshooting
DNS resolution failures have clear symptoms (nothing loads) but multiple possible causes. Systematic troubleshooting isolates the problem and identifies solutions. This guide walks through diagnostic steps to resolve DNS issues quickly.
Common DNS Failure Symptoms
Symptom 1: "Domain Not Found" (NXDOMAIN)
Browser shows: "Server not found" (Firefox) or "This site can't be reached" with the error code DNS_PROBE_FINISHED_NXDOMAIN (Chrome)
Command line shows:
$ nslookup example.com
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find example.com: NXDOMAIN
Possible causes:
- Domain doesn't exist, or the name was typed wrong
- Domain expired and wasn't renewed, or the registry has put it on hold
- Delegation (the NS records at the registrar/TLD) points at nameservers that don't hold the zone
- Nameserver holds the zone but the requested name is missing from it
Note: NXDOMAIN means the name does not exist at all. A name that exists but has no record of the requested type (for example an AAAA lookup against a host that only has an A record) returns NOERROR with an empty answer section (NODATA); that is a different problem with a different fix.
Symptom 2: Timeouts ("The server took too long to respond")
Symptoms:
- Long delay before error appears
- Eventually gives up with timeout error
- Different behavior than NXDOMAIN
Possible causes:
- DNS server not responding or down
- Network connectivity issue between client and resolver
- Firewall silently dropping DNS (UDP and/or TCP port 53); a dropped packet times out, a rejected one fails quickly
- Resolver overloaded or slow (compare the "Query time" line in dig output across servers)
- Large response truncated over UDP while TCP port 53 is blocked, so the retry over TCP never completes
Symptom 3: Intermittent Failures
Symptoms:
- Sometimes works, sometimes doesn't
- Works from WiFi but not cell network
- Works in morning, fails at night
Possible causes:
- Multiple DNS servers, some down
- Network routing issues
- ISP DNS server problems
- Specific locations/networks experiencing issues
Step 1: Verify Basic Network Connectivity
Check Internet Connection
# Can you reach an external host by IP address? Pinging an IP skips DNS entirely
ping -c 3 8.8.8.8
# (on Windows: ping -n 3 8.8.8.8)
# If this fails: no internet, troubleshoot the network first
# Can you reach a second public resolver? This rules out a single bad route
ping -c 3 1.1.1.1 # Cloudflare DNS
# ping uses ICMP, which some networks filter: a failed ping with working web access
# is not conclusive, and a successful ping proves the host is reachable, not that port 53 is open
If basic connectivity fails:
- Check network cable/WiFi connection
- Restart router
- Check with ISP for outages
- Don't proceed further until connectivity restored
Step 2: Test with Different DNS Servers
Test with Public DNS Services
# Google DNS
nslookup example.com 8.8.8.8
dig @8.8.8.8 example.com
# Cloudflare DNS
nslookup example.com 1.1.1.1
dig @1.1.1.1 example.com
# OpenDNS
nslookup example.com 208.67.222.222
dig @208.67.222.222 example.com
Interpretation:
- All fail with the same status: the problem is with the domain or its authoritative nameservers, not with your network
- Some work, some fail: the problem is in a specific resolver (stale cache, filtering, or an outage at that provider)
- All public resolvers work but your default resolver does not: the problem is your ISP's resolver, a local caching resolver, or the client's DNS configuration
Test with Authoritative Nameserver
# Find the authoritative nameservers
dig +short example.com NS
# Query them directly. +norecurse asks for the server's own data only, which is how a resolver talks to it
dig +norecurse @ns1.example.com example.com A
dig +norecurse @ns2.example.com example.com A
Interpretation:
- Authoritative answers with the "aa" flag in the dig header: the zone is fine, the problem is on the recursive resolver path (caching, filtering, or a delegation that still points elsewhere)
- Authoritative returns SERVFAIL, REFUSED or NXDOMAIN, or answers without "aa": the problem is in the zone data or the nameserver configuration
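The Step 2 comparison can be scripted. The following is an added example, not code from the original article: it builds a raw DNS query, sends it over UDP with a TCP retry when the answer is truncated, parses the response header, and applies the interpretation table above. It deliberately avoids a DNS library so that the status codes (NXDOMAIN, SERVFAIL, REFUSED) and the NOERROR-with-empty-answer case (NODATA) are visible at the wire level; the same status names appear under "Common Issues" later on this page. The resolver list and the default name example.com are assumptions, and the authoritative result is supplied by hand (the IP of one of the zone's nameservers as a second argument) rather than discovered automatically.

```python
import random
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
PUBLIC_RESOLVERS = ("8.8.8.8", "1.1.1.1", "208.67.222.222")  # the three used in Step 2 (assumed list)

def build_query(name, qtype="A", rd=True, txid=None):
    """Wire-format query (RFC 1035 4.1): 12-byte header plus one question."""
    txid = random.randrange(0x10000) if txid is None else txid
    flags = 0x0100 if rd else 0x0000  # RD bit; clear it when asking an authoritative server
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)

def _skip_name(msg, off):
    while True:  # step over a possibly compressed name, return the offset after it
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Extract the header bits and answer RRs that matter when troubleshooting."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # name, then qtype and qclass
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rtype, ttl, rdata))
    return {
        "status": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "aa": bool(flags & 0x0400),  # authoritative answer
        "tc": bool(flags & 0x0200),  # truncated: retry over TCP
        "answers": answers,
    }

def classify(parsed):
    """Name the failure mode the way the symptom list on this page does."""
    if parsed["status"] != "NOERROR":
        return parsed["status"]  # NXDOMAIN, SERVFAIL, REFUSED, ...
    if not parsed["answers"]:
        return "NODATA"  # name exists but has no record of this type
    return "OK"

def query(server, name, qtype="A", rd=True, timeout=3.0):
    """UDP query with TCP fallback on truncation; returns a parsed dict or 'TIMEOUT'."""
    q = build_query(name, qtype, rd)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(4096)
        parsed = parse_response(data)
        if parsed["tc"]:  # UDP answer was cut short: repeat over TCP (2-byte length prefix)
            with socket.create_connection((server, 53), timeout=timeout) as t:
                t.sendall(struct.pack("!H", len(q)) + q)
                need = struct.unpack("!H", t.recv(2))[0]
                data = b""
                while len(data) < need:
                    data += t.recv(need - len(data))
            parsed = parse_response(data)
        return parsed
    except OSError:  # socket.timeout is a subclass of OSError
        return "TIMEOUT"

def probe(server, name, rd=True):
    r = query(server, name, rd=rd)  # one server, one classification string
    return r if isinstance(r, str) else classify(r)

def interpret(public, authoritative=None):
    """Apply the Step 2 decision table to {resolver: classification}."""
    failing = sorted(k for k, v in public.items() if v != "OK")
    if authoritative not in (None, "OK"):
        return "zone problem: the authoritative server itself returns " + authoritative
    if failing and len(failing) == len(public):
        return "all public resolvers fail: check the delegation and the authoritative servers"
    if failing:
        return "resolver-specific problem at " + ", ".join(failing)
    return "public resolvers all answer: suspect the default resolver, a local cache or client config"

if __name__ == "__main__":  # live use: python3 dnscompare.py example.com [IP-of-ns1.example.com]
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    seen = {r: probe(r, name) for r in PUBLIC_RESOLVERS}
    auth = probe(sys.argv[2], name, rd=False) if len(sys.argv) > 2 else None
    print(seen, auth, interpret(seen, auth))
```

The parser only walks the question and answer sections, which is all the decision table needs; authority and additional sections are left untouched. Passing rd=False for the authoritative probe mirrors dig +norecurse, so an answer that comes back without the "aa" bit is a sign the server you reached is not really authoritative for the zone.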
Step 3: Clear DNS Cache
Windows
ipconfig /flushdns
Mac
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
# Both are needed on current macOS; mDNSResponder holds the resolver cache
Linux
# If using systemd-resolved (the usual case when /etc/resolv.conf points at 127.0.0.53)
sudo resolvectl flush-caches
# If using BIND as a local resolver
sudo rndc flush
# If using nscd
sudo nscd -i hosts
# If using dnsmasq (SIGHUP clears its cache)
sudo kill -HUP "$(pidof dnsmasq)"
# No caching service: nothing to flush on the host; the cache lives in the upstream resolver
Browser Cache
Browsers keep their own host cache, separate from the OS resolver and from the HTTP cache, so clearing cookies and cached images does not clear it.
Chrome: open chrome://net-internals/#dns and click "Clear host cache"
Firefox: open about:networking#dns and click "Clear DNS Cache"
Edge: open edge://net-internals/#dns and click "Clear host cache"
Step 4: Check DNS Configuration
Verify Your ISP's DNS Servers
Windows:
ipconfig /all
Look for the "DNS Servers" entry on the active adapter, or in PowerShell:
Get-DnsClientServerAddress
Mac:
scutil --dns
# Shows the resolver list per interface, including search domains
Linux:
cat /etc/resolv.conf
# If it shows nameserver 127.0.0.53, systemd-resolved is in front; ask it for the real upstreams:
resolvectl status
# or, on NetworkManager systems
nmcli dev show | grep DNS
Change DNS if needed:
Windows Settings → Network → Change adapter options → Properties → IPv4 Properties
Set to:
- Google: 8.8.8.8 and 8.8.4.4
- Cloudflare: 1.1.1.1 and 1.0.0.1
- OpenDNS: 208.67.222.222 and 208.67.220.220
Switching to a public resolver works around a broken ISP resolver; it also sends your query history to that provider and bypasses any internal (split-horizon) names your local resolver serves, so treat it as a diagnostic step rather than an automatic fix on a corporate network.
Step 5: Verify Domain and Nameserver Configuration
Check Nameserver Records
# Walk the delegation from the root servers down; each step shows which nameservers hand you to the next
dig +trace example.com
# Check nameserver chain
dig example.com NS # NS set served by the zone itself (via your resolver)
dig +norecurse @ns1.example.com example.com A # Query one of them directly
Output should show:
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
The NS set in the last referral of dig +trace (from the TLD servers) should match the NS set the zone serves; if they differ, see "Mismatched Nameservers" in Step 7.
Verify Domain Registration
# WHOIS information
whois example.com
# Check:
# - Domain is registered
# - Domain hasn't expired (Registry Expiry Date)
# - Domain Status: a hold status such as clientHold or serverHold means the registry has pulled the delegation, so the domain resolves as NXDOMAIN even though it is registered
# - Nameservers listed in WHOIS match the nameservers that actually hold your zone
Step 6: Query Record Directly
Check if Record Exists
# A record
dig example.com A
# CNAME record
dig example.com CNAME
# MX record
dig example.com MX
# All records: ANY is deprecated (RFC 8482) and many servers answer it with a minimal HINFO record, so query the types you need individually
dig example.com ANY
Expected response:
example.com. 3600 IN A 192.0.2.1
Problem response (look at the status field in the dig header):
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, ...
A status of NOERROR with an empty ANSWER section means the name exists but has no record of the type you asked for (NODATA); check the zone for a missing record or a record of the wrong type.
Step 7: Check for Common Misconfigurations
Problem: CNAME at Zone Apex
Invalid:
example.com CNAME example.com.target.com
# A CNAME cannot coexist with any other record at the same name (RFC 1034 section 3.6.2), and the apex always has SOA and NS records, so a CNAME there makes the zone invalid. named-checkzone rejects it; other servers may load it but answer unpredictably.
Fix:
# Use an A (and AAAA) record instead
example.com A 192.0.2.1
# Or use ALIAS/ANAME, a provider-specific pseudo-record the nameserver resolves to A/AAAA at query time (not a standard record type; check that your DNS provider supports it)
example.com ALIAS example.com.target.com
Problem: Too Many Nameservers
# Every NS record (plus its glue) goes into the referral, so a long list bloats responses; fewer than two leaves no redundancy
# Keep to 2-4 nameservers, on separate networks
# Check:
dig +short example.com NS | wc -l
# If more than 4: consider consolidating; if 1: add a secondary
Problem: Mismatched Nameservers
At Registrar (what the parent TLD delegates to):
Nameservers registered: ns1.example.com, ns2.example.com
Actually using (NS records inside the zone):
zone file on: ns1.different.com, ns2.different.com
Resolvers follow the parent's delegation, so the servers that actually hold the zone are never asked (a lame delegation); what a given resolver returns depends on which NS set it has cached.
# Compare both sets. Replace <tld-server> with one of the servers named in the last referral of dig +trace
dig +norecurse @<tld-server> example.com NS
dig +norecurse @ns1.different.com example.com NS
Fix:
- Update registrar to match actual nameservers
- Or update zone to use registered nameservers
Problem: Authoritative Nameserver Can't Find Record
dig @ns1.example.com example.com
# Returns NXDOMAIN
# But zone file has the record!
# Possible causes:
# - Zone file not reloaded
# - Syntax error in zone file
# - Wrong zone file loaded
Solutions:
# Verify zone syntax before reloading; a syntax error makes named keep serving the old copy (or nothing)
named-checkzone example.com example.com.zone
# Reload the zone
rndc reload example.com
# Restart the nameserver if reload did not help
systemctl restart named
# If the primary answers correctly but secondaries still return old data, check that the SOA serial was incremented; secondaries only transfer the zone when it grows
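The Step 7 checks can be run over a zone before it is loaded. The following is an added example, not code from the original article; the record list is constructed for illustration and deliberately carries every problem this section lists. It expresses the apex-CNAME, CNAME-coexistence, nameserver-count, in-zone-nameserver-address and delegation-mismatch checks as plain functions over (owner, type, rdata) tuples. The parent NS set is what the TLD server returns for the zone's NS query and the child NS set is what the zone's own authoritative server returns; both are passed in as lists here rather than looked up.

```python
# Constructed sample zone for example.com (not a real zone file), carrying the Step 7 mistakes.
# Records are (owner, type, rdata) with fully qualified, dot-terminated owners.
SAMPLE_ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 2024010101 3600 900 1209600 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "NS", "ns2.example.com."),
    ("example.com.", "CNAME", "example.com.target.com."),  # CNAME at the apex
    ("www.example.com.", "A", "192.0.2.1"),
    ("www.example.com.", "CNAME", "example.com."),  # CNAME beside other data
    ("ns1.example.com.", "A", "192.0.2.53"),  # ns2.example.com. has no address record
]

def cname_conflicts(records):
    """Owners that hold a CNAME together with any other RR type (forbidden by RFC 1034 3.6.2)."""
    by_owner = {}
    for owner, rtype, _ in records:
        by_owner.setdefault(owner, set()).add(rtype)
    return sorted(o for o, types in by_owner.items() if "CNAME" in types and len(types) > 1)

def apex_cname(records, zone):
    """True if the apex carries a CNAME; it always conflicts because SOA and NS live there."""
    return any(owner == zone and rtype == "CNAME" for owner, rtype, _ in records)

def apex_ns_count(records, zone):
    """Number of NS records at the apex; this page recommends 2 to 4."""
    return sum(1 for owner, rtype, _ in records if owner == zone and rtype == "NS")

def nameservers_without_address(records, zone):
    """In-zone NS targets lacking an A/AAAA record; without glue nobody can reach them."""
    has_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    targets = {rdata for owner, rtype, rdata in records if owner == zone and rtype == "NS"}
    return sorted(t for t in targets if t.endswith("." + zone) and t not in has_addr)

def delegation_mismatch(parent_ns, child_ns):
    """Compare the NS set the parent (TLD) delegates to with the NS set inside the zone."""
    parent, child = set(parent_ns), set(child_ns)
    return sorted(parent - child), sorted(child - parent)

def check_zone(records, zone, parent_ns=None):
    """Collect findings as readable strings; an empty list means every check passed."""
    findings = []
    if apex_cname(records, zone):
        findings.append("CNAME at zone apex %s" % zone)
    for owner in cname_conflicts(records):
        findings.append("CNAME coexists with other records at %s" % owner)
    n = apex_ns_count(records, zone)
    if not 2 <= n <= 4:
        findings.append("%d NS records at apex (recommended 2-4)" % n)
    for ns in nameservers_without_address(records, zone):
        findings.append("in-zone nameserver %s has no A/AAAA record" % ns)
    if parent_ns is not None:
        child_ns = [rdata for owner, rtype, rdata in records if owner == zone and rtype == "NS"]
        only_parent, only_child = delegation_mismatch(parent_ns, child_ns)
        if only_parent or only_child:
            findings.append("delegation mismatch: parent-only %s, zone-only %s" % (only_parent, only_child))
    return findings

if __name__ == "__main__":
    # Parent NS set as the TLD would return it, constructed here to disagree with the zone.
    for finding in check_zone(SAMPLE_ZONE, "example.com.", parent_ns=["ns1.example.com.", "ns2.different.com."]):
        print("-", finding)
```

The checks are intentionally independent of how the zone is stored: feed them tuples parsed from a zone file, from the output of dig axfr, or from a provider's API export, and compare the parent and child NS sets from the two dig +norecurse queries shown above.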
Step 8: Network-Level Troubleshooting
Check Port 53 (DNS Port)
# Is TCP port 53 open? (telnet and nc -z only test TCP)
nc -zv 8.8.8.8 53
# DNS normally runs over UDP, and a UDP port probe cannot tell "open" from "filtered". Send a real query instead:
dig @8.8.8.8 example.com +notcp +time=2 +tries=1 # UDP only
dig @8.8.8.8 example.com +tcp +time=2 +tries=1 # TCP only
# UDP works but TCP fails: large (often DNSSEC-signed) responses get truncated and the TCP retry never completes
# Both time out: a firewall is dropping port 53, or the server is down
# Fix: allow port 53 outbound, UDP and TCP
Check Firewall Rules
On DNS server:
# Is the server actually listening?
ss -ulnp | grep ':53 '
sudo iptables -L INPUT -n --line-numbers | grep -w 53
# Port 53 should be accepted before any DROP/REJECT rule
# If blocked, insert (not append) so the rule lands ahead of the drop:
sudo iptables -I INPUT -p udp --dport 53 -j ACCEPT
sudo iptables -I INPUT -p tcp --dport 53 -j ACCEPT
# On nftables hosts, check with:
sudo nft list ruleset | grep -w 53
On client:
# If corporate network: Contact IT
# Corporate firewalls often block direct queries to external resolvers on purpose
# Solution: Use the corporate DNS server, which is what the network intends
Diagnostic Commands Reference
Essential Tools
# Query DNS
nslookup example.com
dig example.com
host example.com
# Show which resolver is being used (the Server: line at the top of the output)
nslookup example.com
# Specific DNS server
dig @8.8.8.8 example.com
# Trace DNS path from the root
dig +trace example.com
# Ask an authoritative server for its own data only
dig +norecurse @ns1.example.com example.com
# Force TCP
dig +tcp example.com
# Show all records (deprecated; many servers answer with a minimal HINFO record)
dig example.com ANY
# Reverse DNS
dig -x 192.0.2.1
# Query specific type
dig example.com MX
dig example.com NS
dig example.com TXT
# Check SOA record
dig example.com SOA
Common Issues and Solutions
Issue 1: "SERVFAIL" Error
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, ...
Causes:
- Authoritative nameserver error
- Zone file problem (failed to load, so the server has nothing to serve)
- Nameserver configuration issue
- DNSSEC validation failure at a validating resolver (expired or broken signatures, or a DS record that does not match the zone's key)
Solutions:
# Query authoritative directly
dig +norecurse @ns1.example.com example.com
# Retry with DNSSEC checking disabled: if this succeeds where the plain query gets SERVFAIL, the zone's DNSSEC is broken
dig +cd @8.8.8.8 example.com
# Check nameserver logs (path depends on the logging config; on systemd hosts use the journal)
journalctl -u named -e
tail -f /var/log/named.log
# Verify zone file syntax
named-checkzone example.com example.com.zone
Issue 2: "REFUSED" Error
Cause: The server declines to answer. Either it is not authoritative for the zone and will not recurse for you, or an access control list (allow-query, allow-recursion) excludes your source address.
Solution:
# Verify the server is configured for the zone and for your client
named-checkconf -p | grep -A3 'zone "example.com"'
# Verify the zone file exists and loads
named-checkzone example.com example.com.zone
# If you are asking a resolver to recurse, confirm your address is inside allow-recursion
# Restart the nameserver after fixing the configuration
Issue 3: Inconsistent Results from Different Resolvers
Cause: A recent change has not reached every resolver yet (each resolver serves its cached copy until the record's TTL expires), or the authoritative servers themselves disagree (a secondary that has not transferred the latest zone).
Solutions:
# Check the remaining TTL on each resolver; the number counts down toward expiry
dig +noall +answer @8.8.8.8 example.com
dig +noall +answer @1.1.1.1 example.com
# Compare SOA serials across all authoritative servers; they should match
dig +short +norecurse @ns1.example.com example.com SOA
dig +short +norecurse @ns2.example.com example.com SOA
# Wait for TTLs to expire. The "up to 48 hours" figure applies to nameserver changes at the registrar, because TLD delegation records carry long TTLs (172800 seconds for .com); ordinary records take their own TTL
# Lower the TTL before a planned change, then raise it again afterwards
# Monitor with a propagation checker that queries resolvers in several regions
Prevention Best Practices
- Maintain backup nameservers
- Monitor DNS health regularly
- Test DNS before making changes
- Document all DNS records
- Set up alerts for DNS failures
- Regular backups of zone files
- Use monitoring services to check DNS globally
Automated Monitoring
#!/bin/bash
# Simple DNS monitoring script: alert when a name stops resolving through a given resolver
NAME="example.com"
RESOLVER="8.8.8.8"
ALERT_TO="[email protected]"   # alert recipient
while true; do
    # +short prints only answer data; empty output means no A record came back
    if ! dig +short +time=3 +tries=2 @"$RESOLVER" "$NAME" A | grep -q .; then
        # Capture the status (NXDOMAIN, SERVFAIL, ...) so the alert says which failure mode it is
        status=$(dig +noall +comments +time=3 +tries=1 @"$RESOLVER" "$NAME" A | sed -n 's/.*status: \([A-Z]*\).*/\1/p')
        echo "DNS failure for $NAME via $RESOLVER at $(date): status=${status:-TIMEOUT}"
        # mail reads the message body from stdin; without it the command would hang
        echo "$NAME failed to resolve via $RESOLVER at $(date), status=${status:-TIMEOUT}" | mail -s "DNS Alert: $NAME" "$ALERT_TO"
    fi
    sleep 300 # Check every 5 minutes
done
When to Escalate
Contact your DNS provider if:
- Problem persists across multiple resolvers
- Authoritative nameserver returns errors
- Nameserver appears to be down
- Zone file changes aren't taking effect
- You can't access the DNS control panel
Conclusion
DNS troubleshooting follows a logical sequence: verify connectivity, test alternate DNS servers, check configuration, validate records, and investigate network issues. Most DNS failures are caused by misconfiguration rather than system failure.
By following this systematic approach and using diagnostic tools effectively, you can resolve most DNS issues quickly. When problems persist, this troubleshooting data helps DNS providers identify the root cause more efficiently.
Remember: DNS failures affect everything that depends on domain resolution. Investing time in DNS stability and monitoring pays dividends in prevented outages and faster incident resolution.