“It’s always DNS” is a meme because it’s usually true. When something network-related breaks, DNS is the first suspect. Here’s how to investigate.

The Essential Tools

dig - The DNS Swiss Army Knife

# Basic lookup
dig example.com

# Specific record type
dig example.com MX
dig example.com TXT
dig example.com CNAME

# Short output (just the answer)
dig +short example.com

# Query a specific nameserver
dig @8.8.8.8 example.com

# Trace the full resolution path
dig +trace example.com

nslookup - Quick and Simple

# Basic lookup
nslookup example.com

# Query specific server
nslookup example.com 8.8.8.8

# Interactive mode
nslookup
> set type=MX
> example.com

host - Even Simpler

# Basic lookup
host example.com

# Specific record type
host -t MX example.com

Common DNS Problems

Problem: Domain Not Resolving

Symptoms: NXDOMAIN or SERVFAIL errors

Debug steps:

# Check if the domain exists at all
dig example.com

# If NXDOMAIN, check the authoritative nameservers
dig NS example.com

# Query the authoritative server directly
dig @ns1.example.com example.com

# Check if it's a propagation issue (query multiple resolvers)
dig @8.8.8.8 example.com      # Google
dig @1.1.1.1 example.com      # Cloudflare
dig @9.9.9.9 example.com      # Quad9

Common causes:

  • Domain expired or not registered
  • Nameservers not configured
  • Zone file missing the record
  • Propagation still in progress

Problem: Wrong IP Address

Symptoms: Domain resolves but to the wrong IP

# Check current resolution
dig +short example.com

# Check TTL (Time To Live)
dig example.com | grep -A1 "ANSWER SECTION"

# Check what the authoritative server says
dig NS example.com +short
dig @ns1.example.com example.com

Common causes:

  • Old record cached (wait for TTL to expire)
  • Changed IP but forgot to update DNS
  • Multiple A records (load balancing)
  • CNAME pointing to wrong target

Problem: Email Not Delivered

Symptoms: Emails bouncing or going to spam

# Check MX records
dig MX example.com

# Verify MX targets resolve
dig mail.example.com

# Check SPF record
dig TXT example.com | grep spf

# Check DKIM record
dig TXT selector._domainkey.example.com

# Check DMARC record
dig TXT _dmarc.example.com

Common causes:

  • Missing or misconfigured MX records
  • SPF record too restrictive or missing
  • DKIM not set up
  • DMARC policy rejecting mail
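To turn those five dig commands into a pass/fail check, here is an added example (not from the original post) that classifies a domain's SPF and DMARC records from dig +short output. The TXT answers at the bottom are constructed, not real lookups.

```shell
# spf_status: classify the SPF record found in `dig +short TXT example.com` output.
# Prints one of: missing | multiple | hardfail | softfail | neutral | pass-all | no-all
spf_status() {
    # RFC 7208: a domain may publish exactly one "v=spf1" record; two or more is a permerror
    n=$(printf '%s\n' "$1" | grep -ci '^"v=spf1[ "]' || true)
    [ "$n" -eq 0 ] && { echo missing; return 1; }
    [ "$n" -gt 1 ] && { echo multiple; return 1; }
    rec=$(printf '%s\n' "$1" | grep -i '^"v=spf1[ "]' | tr -d '"')
    case " $rec " in                           # padded so " -all" cannot match inside a token
        *" -all"*) echo hardfail ;;
        *" ~all"*) echo softfail ;;
        *" ?all"*) echo neutral ;;
        *" +all"*) echo pass-all; return 1 ;;  # authorises every sender: SPF is useless
        *)         echo no-all;   return 1 ;;  # unlisted senders fall through to neutral
    esac
}

# dmarc_policy: extract the p= tag from `dig +short TXT _dmarc.example.com` output.
# Prints none | quarantine | reject, "missing" if no DMARC record, "invalid" if p= is absent.
dmarc_policy() {
    rec=$(printf '%s\n' "$1" | tr -d '"' | grep -i '^v=DMARC1' | head -n 1)
    [ -z "$rec" ] && { echo missing; return 1; }
    # tags are ";"-separated key=value pairs, optionally padded with spaces
    p=$(printf '%s\n' "$rec" | tr ';' '\n' | sed 's/^ *//' | awk -F= '$1=="p"{print $2; exit}')
    echo "${p:-invalid}"
}

# Constructed sample answers in dig +short format (not real records)
SPF_SAMPLE='"google-site-verification=abc123"
"v=spf1 include:_spf.example.net -all"'
SPF_DUPLICATE='"v=spf1 a -all"
"v=spf1 mx ~all"'
DMARC_SAMPLE='"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"'

echo "SPF:   $(spf_status "$SPF_SAMPLE")"      # hardfail
echo "SPF:   $(spf_status "$SPF_DUPLICATE")"   # multiple
echo "DMARC: $(dmarc_policy "$DMARC_SAMPLE")"  # quarantine
```

Feed the functions live data with `spf_status "$(dig +short TXT example.com)"` and `dmarc_policy "$(dig +short TXT _dmarc.example.com)"`.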

Problem: SSL Certificate Errors

Symptoms: Browser shows certificate mismatch

# Check what names the cert covers
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"

# Check if CNAME is set up correctly
dig CNAME www.example.com

# Verify the target resolves
dig $(dig +short CNAME www.example.com)

Common causes:

  • Certificate doesn’t include the subdomain
  • CNAME pointing to wrong target
  • Mixed www/non-www configuration
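As an added example (not from the original post): a shell function that applies the browser's hostname-matching rule to the SAN line the openssl command above prints, plus a live wrapper around that command. The SAN line at the bottom is constructed, not taken from a real certificate.

```shell
# san_covers HOST SAN_LINE: does the certificate's Subject Alternative Name list cover HOST?
# Rule (RFC 6125 section 6.4.3, as browsers apply it): case-insensitive exact match, or a
# wildcard "*.suffix" that covers exactly one leading label: *.example.com covers
# www.example.com but neither example.com nor a.b.example.com.
san_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # split the "DNS:a, DNS:b, IP Address:..." line and keep only the DNS entries
    names=$(printf '%s\n' "$2" | tr ',' '\n' | sed 's/^ *//' | grep -i '^DNS:' \
            | cut -d: -f2- | tr 'A-Z' 'a-z')
    for name in $names; do
        if [ "$name" = "$host" ]; then
            echo "$host: covered by $name"; return 0
        fi
        case "$name" in
            '*.'*)
                suffix=${name#\*.}
                # host minus its first label must equal the suffix, and a first label must exist
                if [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ]; then
                    echo "$host: covered by $name"; return 0
                fi ;;
        esac
    done
    echo "$host: NOT covered (certificate mismatch)"; return 1
}

# check_live HOST: fetch the server's certificate and test its SAN list against HOST.
# -servername sends SNI; without it a shared IP may hand back a different site's
# certificate, which looks like a mismatch that is not really there. Needs network access.
check_live() {
    san=$(echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
          | openssl x509 -noout -text | grep -A1 "Subject Alternative Name" | tail -n 1)
    san_covers "$1" "$san"
}

# Constructed SAN line in the format openssl prints (not from a real certificate)
SAN_SAMPLE='DNS:example.com, DNS:*.example.com, IP Address:93.184.216.34'
for h in example.com www.example.com a.b.example.com WWW.EXAMPLE.COM; do
    san_covers "$h" "$SAN_SAMPLE" || :    # keep going after a mismatch
done
```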

Understanding DNS Resolution

The Resolution Path

Browser cache
    ↓
OS resolver cache
    ↓
Local DNS server (router/ISP)
    ↓
Recursive resolver
    ↓
Root nameservers
    ↓
TLD nameservers (.com, .org, etc.)
    ↓
Authoritative nameservers

Tracing Resolution

# See the full resolution path
dig +trace example.com

# Output shows:
# . (root) -> com. (TLD) -> example.com. (authoritative)

TTL and Caching

# Check current TTL
dig example.com | grep -E "^example.com"
# example.com.        300    IN    A    93.184.216.34
#                     ^^^
#                     TTL in seconds

TTL gotchas:

  • Changes won’t be visible until TTL expires
  • Different resolvers may have different cached values
  • Lower TTL = faster propagation but more DNS queries

Flush DNS Cache

# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

# Linux (systemd-resolved)
sudo systemd-resolve --flush-caches
# newer systemd releases ship the same command as: sudo resolvectl flush-caches

# Windows
ipconfig /flushdns

# Chrome browser
chrome://net-internals/#dns -> Clear host cache

Record Types Cheat Sheet

Type   Purpose                              Example
A      IPv4 address                         example.com. A 93.184.216.34
AAAA   IPv6 address                         example.com. AAAA 2606:2800:220:1:...
CNAME  Alias to another name                www.example.com. CNAME example.com.
MX     Mail server                          example.com. MX 10 mail.example.com.
TXT    Text data (SPF, DKIM, etc.)          example.com. TXT "v=spf1 ..."
NS     Nameserver                           example.com. NS ns1.example.com.
SOA    Zone authority info                  Start of Authority record
CAA    Certificate authority authorization  example.com. CAA 0 issue "letsencrypt.org"
SRV    Service location                     _sip._tcp.example.com. SRV 10 5 5060 sip.example.com.

Debugging Workflow

Step 1: Verify the Problem

# Does it resolve at all?
dig +short example.com

# What does your local resolver see?
dig example.com

# What do public resolvers see?
dig @8.8.8.8 example.com

Step 2: Find the Authoritative Source

# Get nameservers
dig NS example.com +short

# Query authoritative directly
dig @ns1.example.com example.com

Step 3: Compare Authoritative vs Cached

# If authoritative is correct but resolvers are wrong,
# it's a propagation/caching issue

# Check TTL on the old record (the second column of each answer line, in seconds;
# plain dig output never prints the word "TTL", so grep for it finds nothing)
dig +noall +answer example.com

# Wait for TTL to expire, or flush caches

Step 4: Verify the Fix

# After making changes, verify at authoritative
dig @ns1.example.com example.com

# Then check propagation
watch -n 30 'dig +short @8.8.8.8 example.com'
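Putting Steps 2 to 4 together, here is an added example (not from the original post) that compares the authoritative answer with each public resolver's cached one and reports how long a stale answer can survive. The resolver list is the one used above; the answer sets at the bottom are constructed, not real lookups.

```shell
# answers_match AUTH CACHED: do two `dig +short` answer sets (one address per line) agree?
# Order is ignored because round-robin rotates multiple A records between queries.
answers_match() {
    a=$(printf '%s\n' "$1" | grep -v '^$' | sort -u)
    b=$(printf '%s\n' "$2" | grep -v '^$' | sort -u)
    [ "$a" = "$b" ]
}

# min_ttl ANSWER: lowest TTL (seconds) in `dig +noall +answer` output, or -1 if no records.
# A resolver that cached these records may keep serving them for at most that long.
min_ttl() {
    printf '%s\n' "$1" | awk '$3 == "IN" { if (min == "" || $2 + 0 < min + 0) min = $2 }
                              END { print (min == "" ? -1 : min) }'
}

# check_propagation DOMAIN: query the first authoritative NS directly, then each public
# resolver, and flag any resolver still serving a different answer. Needs network access.
check_propagation() {
    domain=$1
    ns=$(dig +short NS "$domain" | head -n 1)
    auth=$(dig +short @"$ns" "$domain" A)
    echo "authoritative ($ns): $(echo "$auth" | tr '\n' ' ')"
    for r in 8.8.8.8 1.1.1.1 9.9.9.9; do
        cached=$(dig +short @"$r" "$domain" A)
        if answers_match "$auth" "$cached"; then
            echo "$r: in sync"
        else
            ttl=$(min_ttl "$(dig +noall +answer @"$r" "$domain" A)")
            echo "$r: STALE for up to ${ttl}s: $(echo "$cached" | tr '\n' ' ')"
        fi
    done
}

# Constructed answer sets (not real lookups)
AUTH_ANSWER='93.184.216.34
93.184.216.35'
CACHED_ROTATED='93.184.216.35
93.184.216.34'
CACHED_STALE='203.0.113.10'
STALE_RECORDS='example.com.   300   IN  A   203.0.113.10
example.com.   45    IN  A   203.0.113.11'

if answers_match "$AUTH_ANSWER" "$CACHED_ROTATED"; then echo "rotated order still matches"; fi
if ! answers_match "$AUTH_ANSWER" "$CACHED_STALE"; then
    echo "stale cache, gone in at most $(min_ttl "$STALE_RECORDS")s"   # 45
fi
```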

Useful Online Tools

When CLI isn’t enough:

Common Mistakes

  1. Forgetting the trailing dot: In zone files, example.com (no dot) is relative, example.com. (with dot) is absolute

  2. CNAME at apex: You can’t have a CNAME at the root domain (example.com), only at subdomains

  3. Conflicting records: A record and CNAME can’t coexist for the same name

  4. Low TTL after migration: Remember to increase TTL after changes are confirmed working

  5. Not checking all record types: An A record might be fine, but the AAAA record could be wrong
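To catch the first three mistakes mechanically, here is an added example (not from the original post): an awk lint over zone-file records. It assumes every record line carries its own owner name (no leading-whitespace "same owner" shorthand) and does not handle semicolons inside quoted TXT strings. The zone text is constructed.

```shell
# zone_lint ORIGIN ZONE_TEXT: flag the mistakes listed above in zone-file records.
# ORIGIN is the absolute apex name with its trailing dot, e.g. "example.com.".
# Reports: a CNAME/NS/MX target without a trailing dot (relative, so the parser appends
# ORIGIN), a CNAME at the apex, and a CNAME sharing an owner name with any other record.
zone_lint() {
    printf '%s\n' "$2" | awk -v origin="$1" '
        /^\$/ { next }                                  # $ORIGIN / $TTL directives
        { sub(/;.*/, ""); if (NF == 0) next }           # drop comments and blank lines
        {
            owner = $1
            if (owner == "@") owner = origin
            else if (owner !~ /\.$/) owner = owner "." origin   # relative owner: origin appended
            # the record type is the first field after the owner that names a known type
            type = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(A|AAAA|CNAME|MX|TXT|NS|SOA|CAA|SRV)$/) { type = $i; break }
            if (type ~ /^(CNAME|NS|MX)$/ && $NF !~ /\.$/)
                print "relative target, no trailing dot: " $NF " becomes " $NF "." origin
            if (type == "CNAME") {
                if (owner == origin) print "CNAME at apex: " owner
                cname[owner] = 1
            } else if (type != "") other[owner] = 1
        }
        END { for (o in cname) if (o in other) print "CNAME conflicts with other records at: " o }
    '
}

# Constructed zone (not a real one); the last four records each carry a problem
ZONE_SAMPLE='$TTL 300
@      IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
@      IN NS    ns1.example.com.
@      IN CNAME other.example.net.      ; CNAME at the apex, next to SOA and NS
www    IN CNAME example.com             ; relative target: becomes example.com.example.com.
mail   IN A     93.184.216.34
mail   IN CNAME example.com.            ; A and CNAME on the same owner name'
zone_lint example.com. "$ZONE_SAMPLE"
```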


Next time something doesn’t work, start with dig. Nine times out of ten, you’ll find the problem is DNS. And the tenth time? Check DNS again — you probably missed something.