
DNS Issues: Common Problems and Solutions

DNS (Domain Name System) is critical for internet functionality, translating human-readable domain names into IP addresses. When DNS fails, websites become unreachable despite network connectivity being intact. This comprehensive guide covers common DNS problems, diagnostic techniques, and solutions.

Understanding DNS Problems

What is DNS?

DNS function:

User types: www.example.com
DNS translates: 203.0.113.1
Browser connects: To IP address
Result: Website loads


DNS hierarchy:

Root servers (.)
  ↓
Top-level domain (.com, .org, .net)
  ↓
Authoritative nameservers (example.com)
  ↓
Your computer (cached result)

Common DNS Symptoms

Cannot resolve hostnames:

Error: "Server not found"
Error: "DNS_PROBE_FINISHED_NXDOMAIN"
Error: "This site can't be reached"
Ping by IP: Works
Ping by name: Fails

Slow resolution:

Websites load slowly
Initial connection delay
Subsequent pages fast
DNS timeout messages

Intermittent failures:

Some sites work, others don't
Works sometimes, fails others
Different results on retry
Inconsistent behavior

Common DNS Problems

DNS Server Not Responding

Symptoms:

All hostname resolution fails
"DNS server not responding"
Timeout errors
Works with IP addresses

Causes:

DNS server down
No network path to the DNS server
Firewall blocking DNS (port 53)
Incorrect DNS server configuration

Diagnosis:

# Check DNS configuration
# Linux
cat /etc/resolv.conf

# Windows
ipconfig /all | findstr DNS

# macOS
scutil --dns

# Test DNS server reachability
ping 8.8.8.8

# Test DNS query
nslookup google.com
dig google.com

Solution:

# Try alternative DNS servers
# Google DNS
8.8.8.8
8.8.4.4

# Cloudflare DNS
1.1.1.1
1.0.0.1

# Quad9 DNS
9.9.9.9
149.112.112.112

# Configure DNS (Linux)
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf

# Windows
netsh interface ip set dns "Ethernet" static 8.8.8.8
netsh interface ip add dns "Ethernet" 8.8.4.4 index=2

# macOS
networksetup -setdnsservers Wi-Fi 8.8.8.8 8.8.4.4

NXDOMAIN (Non-Existent Domain)

Symptoms:

"Server not found"
"DNS_PROBE_FINISHED_NXDOMAIN"
Domain doesn't exist
Typo in domain name

Causes:

Domain doesn't exist
Typo in URL
Domain expired
DNS propagation delay

Diagnosis:

# Check domain exists
nslookup example.com

# Check with different DNS
nslookup example.com 8.8.8.8

# WHOIS lookup
whois example.com

# Check DNS propagation
# Use: whatsmydns.net

Solution:

Verify domain spelling
Check domain registration
Wait for DNS propagation (up to 48 hours)
Clear DNS cache
Try different DNS server

DNS Cache Poisoning/Corruption

Symptoms:

Wrong IP address returned
Redirected to wrong site
Inconsistent results
Works on other devices

Causes:

Corrupted local cache
Malware/adware
DNS hijacking
Stale cache entries

Diagnosis:

# Check cached entries
# Windows
ipconfig /displaydns | findstr example.com

# Compare with authoritative
nslookup example.com
dig example.com

# Check hosts file
# Linux/macOS
cat /etc/hosts

# Windows
type C:\Windows\System32\drivers\etc\hosts

Solution:

# Flush DNS cache
# Windows
ipconfig /flushdns

# macOS
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

# Linux (systemd-resolved; older releases use: systemd-resolve --flush-caches)
sudo resolvectl flush-caches

# Linux (nscd)
sudo /etc/init.d/nscd restart

# Linux (dnsmasq)
sudo /etc/init.d/dnsmasq restart

# Chrome browser cache
chrome://net-internals/#dns
Click "Clear host cache"

Slow DNS Resolution

Symptoms:

Websites slow to load initially
Long delay before connection
Fast once connected
Timeout on first attempt

Causes:

Slow DNS server
Network latency to DNS server
DNS server overloaded
Too many DNS queries

Diagnosis:

# Measure DNS query time
time nslookup google.com

# Or with dig
dig google.com | grep "Query time"

# Test multiple DNS servers
for dns in 8.8.8.8 1.1.1.1 9.9.9.9; do
    echo "Testing $dns:"
    dig @$dns google.com | grep "Query time"
done

# Monitor DNS queries
# Linux
sudo tcpdump -i any port 53

# Windows
# Use Wireshark filter: dns

Solution:

Use faster DNS servers
Use local DNS cache (dnsmasq)
Reduce DNS queries
Use DNS prefetching
Configure DNS caching

Local DNS caching (dnsmasq):

# Install dnsmasq
sudo apt install dnsmasq

# Configure
sudo nano /etc/dnsmasq.conf
# Add:
cache-size=1000
no-resolv
server=8.8.8.8
server=8.8.4.4

# Start service
sudo systemctl start dnsmasq
sudo systemctl enable dnsmasq

# Configure system to use local cache
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
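One caveat on the configuration above: dnsmasq with no listen-address or interface restriction answers queries on every interface, so on a laptop that moves between networks the cache becomes an open resolver. The script below is an added example, not part of the original article: it writes the article's configuration and a loopback-only variant side by side and checks which one is restricted. The file names and the temporary directory are hypothetical; listen-address and bind-interfaces are standard dnsmasq options.

```bash
#!/bin/sh
# Added example (not from the original article): write the article's dnsmasq
# cache configuration in two forms and check which one is safe to run.
# Paths are hypothetical; pass a directory you can write to.

# The configuration exactly as given in the article.
write_article_conf() {   # $1 = directory
    cat > "$1/dnsmasq-article.conf" <<'EOF'
cache-size=1000
no-resolv
server=8.8.8.8
server=8.8.4.4
EOF
}

# Same cache, but answering only on loopback.
write_hardened_conf() {   # $1 = directory
    cat > "$1/dnsmasq-hardened.conf" <<'EOF'
cache-size=1000
no-resolv
server=8.8.8.8
server=8.8.4.4
# answer only on loopback; without these lines dnsmasq listens on every interface
listen-address=127.0.0.1
listen-address=::1
bind-interfaces
EOF
}

# Returns 0 when at least one listen-address is set and every value is a
# loopback address; returns 1 otherwise (no restriction, or a non-loopback
# address).  Comment lines are ignored.  An interface=lo line would also
# restrict dnsmasq, but this check only looks at listen-address.
dnsmasq_loopback_only() {   # $1 = config file
    awk -F= '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*listen-address[[:space:]]*=/ {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", a[i])
                total++
                if (a[i] != "127.0.0.1" && a[i] != "::1") bad++
            }
        }
        END { if (total > 0 && bad == 0) exit 0; exit 1 }
    ' "$1"
}

# One-word verdict for a config file: open or loopback.
dnsmasq_verdict() {   # $1 = config file
    if dnsmasq_loopback_only "$1"; then echo loopback; else echo open; fi
}

# Demo: write both files to a temporary directory and judge them.
demo_dnsmasq_check() {
    dir=$(mktemp -d)
    write_article_conf "$dir"
    write_hardened_conf "$dir"
    echo "article config:  $(dnsmasq_verdict "$dir/dnsmasq-article.conf")"
    echo "hardened config: $(dnsmasq_verdict "$dir/dnsmasq-hardened.conf")"
}

# Run as: sh dnsmasq_check.sh demo
if [ "${1:-}" = demo ]; then demo_dnsmasq_check; fi
```

Run the check against /etc/dnsmasq.conf (and any file under /etc/dnsmasq.d/) before enabling the service; the article's four-line configuration is reported as open, the variant with listen-address as loopback.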

DNS Propagation Delays

Symptoms:

New domain not resolving
Recent DNS change not visible
Works in some locations, not others
Inconsistent results

Causes:

DNS changes not propagated
TTL (Time To Live) not expired
Cached old records
Different DNS servers

Diagnosis:

# Check authoritative nameserver
dig example.com NS
dig @authoritative-ns.com example.com

# Check TTL (second column of the answer section)
dig +noall +answer example.com

# Check from different locations
# Use: whatsmydns.net
# Or: dnschecker.org

Solution:

Wait for TTL to expire
Flush local DNS cache
Use authoritative nameserver
Lower TTL before changes (plan ahead)
Verify changes at registrar

TTL planning:

Before change:
1. Lower TTL to 300 seconds (5 minutes)
2. Wait for old TTL to expire
3. Make DNS changes
4. Wait for propagation
5. Increase TTL back to normal (3600-86400)
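The propagation and TTL steps above can be checked rather than waited out. The script below is an added example, not from the original article: it compares what several resolvers currently return for a record with the value just published and reports how long stale caches can keep serving the old value (the largest remaining TTL among resolvers that still return the old record). The resolver addresses are the public ones the article names; the expected value and the three sample answers are constructed.

```bash
#!/bin/sh
# Added example (not from the original article): per-resolver propagation
# status for a changed record, plus the longest remaining wait.

# Read "dig +noall +answer" output on stdin and print "<ttl> <rdata>" for each
# record of the requested type.
answer_records() {   # $1 = record type (A, AAAA, MX, ...)
    awk -v t="$1" '$3 == "IN" && $4 == t { print $2, $5 }'
}

# Judge one resolver's answer against the expected rdata.
# Prints: "<label> current|stale|missing <seconds until stale copies expire>"
propagation_status() {   # $1 = label, $2 = expected rdata, $3 = answer text, $4 = type
    printf '%s\n' "$3" | answer_records "${4:-A}" | awk -v r="$1" -v e="$2" '
        {
            seen = 1
            if ($2 == e) current = 1
            else { stale = 1; if ($1 + 0 > maxttl) maxttl = $1 + 0 }
        }
        END {
            if (!seen)      print r, "missing", 0
            else if (stale) print r, "stale", maxttl
            else            print r, "current", 0
        }'
}

# Live check (needs network): query each resolver and print one line per
# resolver plus the longest remaining wait.
# Usage: check_propagation example.com 203.0.113.2 A 8.8.8.8 1.1.1.1 9.9.9.9
check_propagation() {
    name=$1; expected=$2; type=$3; shift 3
    wait=0
    for r in "$@"; do
        # +tries=1 +time=3 keeps an unreachable resolver from stalling the loop
        out=$(dig @"$r" "$name" "$type" +noall +answer +tries=1 +time=3)
        line=$(propagation_status "$r" "$expected" "$out" "$type")
        echo "$line"
        ttl=${line##* }
        if [ "$ttl" -gt "$wait" ]; then wait=$ttl; fi
    done
    echo "all resolvers current after at most ${wait}s"
}

# Constructed sample answers, as "dig +noall +answer" prints them, after an
# A record was changed from 203.0.113.1 to 203.0.113.2 and the old TTL was 3600.
SAMPLE_AUTH='example.com.    300   IN  A  203.0.113.2'
SAMPLE_PUBLIC='example.com.  287   IN  A  203.0.113.2'
SAMPLE_ISP='example.com.     2400  IN  A  203.0.113.1'

# Demo on the samples: prints auth/public as current and isp as stale for 2400s.
demo_propagation() {
    propagation_status auth   203.0.113.2 "$SAMPLE_AUTH"
    propagation_status public 203.0.113.2 "$SAMPLE_PUBLIC"
    propagation_status isp    203.0.113.2 "$SAMPLE_ISP"
}
```

A resolver reported as stale with a large TTL is one that cached the record before the TTL was lowered, which is exactly the case step 2 of the plan above is meant to avoid; the wait it prints is an upper bound, since caches may refresh earlier.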

DNS Hijacking/Redirection

Symptoms:

Redirected to unexpected sites
Search results instead of error
Ads on error pages
Different results than expected

Causes:

ISP DNS hijacking
Router compromise
Malware
DNS server manipulation

Diagnosis:

# Test with known non-existent domain
nslookup thisdomaindoesnotexist12345.com

# Should return NXDOMAIN
# If returns IP: DNS hijacking

# Check DNS servers
# Linux
cat /etc/resolv.conf

# Windows
ipconfig /all

# Verify not using ISP DNS
# Compare with configured DNS
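The "query a name that cannot exist" test above can be made repeatable so it can run against every resolver in /etc/resolv.conf or from a scheduled job. The script below is an added example, not from the original article: the parsing functions take full dig output, the verdict function classifies it, and probe_resolver generates a fresh random label each run so a cached answer cannot mask the result. The two sample outputs are constructed.

```bash
#!/bin/sh
# Added example (not from the original article): detect NXDOMAIN rewriting by
# classifying dig output for a name that must not exist.

# RCODE name from the dig header line (NXDOMAIN, NOERROR, SERVFAIL, ...).
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# Number of records in the ANSWER section, taken from the flags line.
dig_answer_count() {
    sed -n 's/.*; QUERY: [0-9]*, ANSWER: \([0-9]*\),.*/\1/p'
}

# Verdict for the output of a query for a name that must not exist:
#   clean        - NXDOMAIN, the honest answer
#   rewritten    - NOERROR with records: the resolver substitutes its own answer
#   inconclusive - anything else (SERVFAIL, timeout, empty output)
hijack_verdict() {   # $1 = dig output text
    status=$(printf '%s\n' "$1" | dig_status)
    answers=$(printf '%s\n' "$1" | dig_answer_count)
    case "$status" in
        NXDOMAIN) echo clean ;;
        NOERROR)  if [ "${answers:-0}" -gt 0 ]; then echo rewritten; else echo inconclusive; fi ;;
        *)        echo inconclusive ;;
    esac
}

# Live probe (needs network): ask one resolver for a random label under .com,
# as the article does with thisdomaindoesnotexist12345.com, and print the verdict.
probe_resolver() {   # $1 = resolver IP
    label="probe-$(date +%s)-$$"
    out=$(dig @"$1" "$label.com" A +tries=1 +time=3)
    echo "$1: $(hijack_verdict "$out")"
}

# Probe every nameserver listed in /etc/resolv.conf (needs network).
probe_configured_resolvers() {
    awk '/^nameserver/ { print $2 }' /etc/resolv.conf | while read -r ns; do
        probe_resolver "$ns"
    done
}

# Constructed dig outputs for the two interesting cases.
SAMPLE_CLEAN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

SAMPLE_REWRITTEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
probe-1700000000-4242.com.  60  IN  A  198.51.100.7'
```

A rewritten verdict from the ISP resolver but a clean one from 8.8.8.8 or 1.1.1.1 points at the ISP; a rewritten verdict from every resolver, including public ones, points at something closer to the host (router, hosts file, malware) and is the cue to move on to the checks listed under Solution.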

Solution:

Use trusted DNS servers (8.8.8.8, 1.1.1.1)
Scan for malware
Check router configuration
Reset router to defaults
Use DNS over HTTPS (DoH)
Use DNS over TLS (DoT)

DNS over HTTPS (DoH):

Firefox:
Settings → Network Settings → Enable DNS over HTTPS
Provider: Cloudflare or NextDNS

Chrome:
Settings → Privacy and security → Security
→ Use secure DNS → Choose provider

systemd-resolved:
/etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1
DNSOverTLS=yes

Diagnostic Tools

nslookup

Basic usage:

# Simple query
nslookup example.com

# Specific DNS server
nslookup example.com 8.8.8.8

# Reverse lookup
nslookup 8.8.8.8

# Interactive mode
nslookup
> server 8.8.8.8
> set type=MX
> example.com
> exit

Query types:

# A record (IPv4)
nslookup -type=A example.com

# AAAA record (IPv6)
nslookup -type=AAAA example.com

# MX record (mail)
nslookup -type=MX example.com

# NS record (nameservers)
nslookup -type=NS example.com

# TXT record
nslookup -type=TXT example.com

# SOA record
nslookup -type=SOA example.com

dig

Basic usage:

# Simple query
dig example.com

# Short answer
dig +short example.com

# Specific DNS server
dig @8.8.8.8 example.com

# Trace DNS resolution
dig +trace example.com

# Reverse lookup
dig -x 8.8.8.8

Query types:

# A record
dig example.com A

# AAAA record
dig example.com AAAA

# MX record
dig example.com MX

# NS record
dig example.com NS

# TXT record
dig example.com TXT

# ANY (all records)
dig example.com ANY

Useful options:

# Show query time
dig example.com | grep "Query time"

# No comments
dig +nocomments example.com

# No statistics
dig +nostats example.com

# Minimal output
dig +short example.com

# TCP instead of UDP
dig +tcp example.com

host

Basic usage:

# Simple query
host example.com

# Reverse lookup
host 8.8.8.8

# Specific DNS server
host example.com 8.8.8.8

# All records
host -a example.com

# Verbose
host -v example.com

Testing DNS Performance

Measure query time:

# Using dig
dig example.com | grep "Query time"

# Using time
time nslookup example.com

# Multiple queries
for i in {1..10}; do
    dig example.com | grep "Query time"
done

Compare DNS servers:

#!/bin/bash
# dns_benchmark.sh - average query time per resolver

DOMAIN="google.com"
DNS_SERVERS=("8.8.8.8" "1.1.1.1" "9.9.9.9" "208.67.222.222")

for dns in "${DNS_SERVERS[@]}"; do
    echo "Testing $dns:"
    # +tries=1 +time=2 bounds each attempt so an unreachable server does not
    # stall the loop; a failed query prints no "Query time" line and is skipped
    avg=$(for i in {1..5}; do
        dig @"$dns" "$DOMAIN" +tries=1 +time=2 | grep "Query time" | awk '{print $4}'
    done | awk '{sum+=$1} END {if (NR) printf "%.1f ms (%d replies)\n", sum/NR, NR; else print "no response"}')
    echo "Average: $avg"
    echo
done

Advanced Troubleshooting

DNS Resolution Path

Trace DNS query:

# Full trace
dig +trace example.com

# Shows:
# 1. Root servers
# 2. TLD servers (.com)
# 3. Authoritative nameservers
# 4. Final answer

# Example output:
.                       518400  IN      NS      a.root-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
example.com.            172800  IN      NS      ns1.example.com.
example.com.            300     IN      A       203.0.113.1

Check Authoritative Nameservers

Find authoritative NS:

# Get nameservers
dig example.com NS +short

# Query authoritative directly
dig @ns1.example.com example.com

# Compare with public DNS
dig @8.8.8.8 example.com

# Should match if propagated

DNSSEC Validation

Check DNSSEC:

# Query with DNSSEC
dig example.com +dnssec

# Look for:
# - RRSIG records (signatures)
# - AD flag (authenticated data)

# Validate DNSSEC chain
dig +dnssec +multi example.com

# Check DNSSEC status
delv example.com

DNS Packet Analysis

Capture DNS traffic:

# tcpdump
sudo tcpdump -i any port 53 -w dns.pcap

# Wireshark filter
dns

# Analyze:
# - Query/response times
# - Failed queries
# - Unusual patterns
# - Error codes

DNS response codes:

NOERROR (0): Success
FORMERR (1): Format error
SERVFAIL (2): Server failure
NXDOMAIN (3): Non-existent domain
NOTIMP (4): Not implemented
REFUSED (5): Query refused
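The DNSSEC section and the response codes above are easier to act on when a dig output is reduced to its status, flags, AD bit and signature count. The script below is an added example, not from the original article: dig_summary extracts those four facts from a full "dig +dnssec" output and dnssec_verdict turns them into one word. The three sample outputs are constructed.

```bash
#!/bin/sh
# Added example (not from the original article): summarise "dig +dnssec"
# output and derive a DNSSEC verdict from status, flags and RRSIG presence.

# One-line summary of dig output read from stdin:
#   status=<RCODE> flags=<flag list> ad=yes|no rrsig=<count>
dig_summary() {
    awk '
        /->>HEADER<<-/ { s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s }
        /^;; flags:/   { f = $0; sub(/.*flags: /, "", f); sub(/;.*/, "", f); flags = f }
        $3 == "IN" && $4 == "RRSIG" { rrsig++ }
        END {
            ad = ((" " flags " ") ~ / ad /) ? "yes" : "no"
            printf "status=%s flags=%s ad=%s rrsig=%d\n", status, flags, ad, rrsig + 0
        }'
}

# DNSSEC verdict for one dig +dnssec output:
#   validated     - AD bit set: the resolver validated the chain
#   signed-only   - RRSIGs present but no AD: the resolver does not validate
#                   (or the query was sent with +cd)
#   unsigned      - no signatures at all
#   servfail      - SERVFAIL: from a validating resolver this is what a broken
#                   signature chain looks like; rerun with +cd to see whether
#                   the data itself is still served
#   error:<RCODE> - any other status
dnssec_verdict() {   # $1 = dig output text
    summary=$(printf '%s\n' "$1" | dig_summary)
    status=${summary#status=}; status=${status%% *}
    ad=${summary#*ad=};        ad=${ad%% *}
    rrsig=${summary##*rrsig=}
    case "$status" in
        NOERROR|NXDOMAIN)
            if [ "$ad" = yes ]; then echo validated
            elif [ "$rrsig" -gt 0 ]; then echo signed-only
            else echo unsigned; fi ;;
        SERVFAIL) echo servfail ;;
        *)        echo "error:$status" ;;
    esac
}

# Live use (needs network): dnssec_verdict "$(dig @1.1.1.1 example.com +dnssec)"

# Constructed dig outputs.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  3600  IN  A      203.0.113.1
example.com.  3600  IN  RRSIG  A 13 2 3600 20990101000000 20240101000000 12345 example.com. c29tZXNpZ25hdHVyZQ=='

SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.org.  300  IN  A  203.0.113.9'

SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

The AD bit is set by the resolver, not the zone, so signed-only means the resolver you asked is not validating; switching the same query to a validating resolver (or running delv) is the next step. The verdict also reads the RCODE table above: anything other than NOERROR, NXDOMAIN or SERVFAIL is reported verbatim.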

Platform-Specific Issues

Windows

Common issues:

DNS Client service stopped
Incorrect adapter DNS settings
IPv6 DNS issues
Network adapter problems

Troubleshooting:

# Check DNS Client service
sc query Dnscache

# Start if stopped
net start Dnscache

# Reset network stack
netsh winsock reset
netsh int ip reset
ipconfig /flushdns

# Reset adapter
netsh interface ip reset
netsh interface ipv6 reset

# Disable IPv6 random interface identifiers (if they cause issues; this does not turn IPv6 off)
netsh interface ipv6 set global randomizeidentifiers=disabled

macOS

Common issues:

mDNSResponder issues
Network location problems
VPN DNS conflicts

Troubleshooting:

# Restart mDNSResponder
sudo killall -HUP mDNSResponder

# Flush DNS
sudo dscacheutil -flushcache

# Reset network
sudo ifconfig en0 down
sudo ifconfig en0 up

# Check DNS settings
scutil --dns

# Network location
networksetup -listallnetworkservices
networksetup -getdnsservers Wi-Fi

Linux

Common issues:

systemd-resolved conflicts
NetworkManager DNS
/etc/resolv.conf overwritten
dnsmasq conflicts

Troubleshooting:

# Check DNS resolution service
systemctl status systemd-resolved

# Check resolv.conf
cat /etc/resolv.conf

# If symlink to systemd-resolved
ls -l /etc/resolv.conf

# Restart NetworkManager
sudo systemctl restart NetworkManager

# Disable systemd-resolved (if needed)
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

# Manual resolv.conf
sudo rm /etc/resolv.conf
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf

Best Practices

Configuration

1. Use reliable DNS servers:

Primary: 8.8.8.8 (Google)
Secondary: 1.1.1.1 (Cloudflare)
Tertiary: 9.9.9.9 (Quad9)

Or use ISP DNS if reliable

2. Configure multiple DNS servers:

At least 2 DNS servers
Different providers
Automatic failover
Redundancy

3. Use DNS caching:

Local DNS cache (dnsmasq)
Browser DNS cache
OS DNS cache
Reduces queries
Improves performance

Security

1. Use DNS over HTTPS (DoH):

Encrypts DNS queries
Prevents eavesdropping
Prevents manipulation
Privacy protection

2. Use DNS over TLS (DoT):

Encrypted DNS
Port 853
systemd-resolved support
Privacy and security

3. Verify DNSSEC:

Cryptographic validation
Prevents DNS spoofing
Ensures authenticity
Enable when available

4. Monitor DNS:

Watch for unusual queries
Detect DNS tunneling
Identify malware
Log DNS traffic
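Three cheap heuristics cover most of the "detect DNS tunneling" and "watch for unusual queries" items: very long query names, leftmost labels that look like encoded data, and an unusual number of distinct names under one parent domain. The script below is an added example, not from the original article: it reads query log lines in the shape dnsmasq writes with log-queries enabled ("query[TYPE] name from client") and prints one line per finding. The log lines are constructed, and the thresholds are starting points to tune against your own baseline, not published cut-offs.

```bash
#!/bin/sh
# Added example (not from the original article): tunneling heuristics over
# dnsmasq-style query log lines.

# Read query log lines on stdin; print one line per finding:
#   LONG_NAME <name>                  query name of 50 or more characters
#   HIGH_ENTROPY_LABEL <name>         leftmost label of 16+ chars with > 3.5 bits/char
#   MANY_SUBDOMAINS <parent> <count>  <count> distinct names under one parent domain
flag_suspicious_queries() {   # $1 = distinct-name threshold (default 20)
    awk -v thr="${1:-20}" '
        # Shannon entropy in bits per character of string s.
        function entropy(s,    i, c, n, freq, p, h) {
            n = length(s); if (n == 0) return 0
            for (i = 1; i <= n; i++) freq[substr(s, i, 1)]++
            for (c in freq) { p = freq[c] / n; h -= p * log(p) / log(2) }
            return h
        }
        {
            name = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^query\[/) { name = $(i + 1); break }
            if (name == "") next
            n = split(name, lab, ".")
            if (n < 2) next
            parent = lab[n - 1] "." lab[n]
            if (length(name) >= 50) print "LONG_NAME", name
            if (length(lab[1]) >= 16 && entropy(lab[1]) > 3.5) print "HIGH_ENTROPY_LABEL", name
            if (!((parent, name) in seen)) { seen[parent, name] = 1; uniq[parent]++ }
        }
        END {
            for (p in uniq)
                if (uniq[p] >= thr) print "MANY_SUBDOMAINS", p, uniq[p]
        }'
}

# Live use: journalctl -u dnsmasq | flag_suspicious_queries 20

# Constructed log lines: ordinary traffic from two hosts, a burst of TXT queries
# with encoded-looking labels from a third, and one overlong name.
SAMPLE_LOG='Jan 10 12:00:01 dnsmasq[812]: query[A] www.example.com from 192.0.2.10
Jan 10 12:00:02 dnsmasq[812]: query[AAAA] www.example.com from 192.0.2.10
Jan 10 12:00:03 dnsmasq[812]: query[MX] example.com from 192.0.2.11
Jan 10 12:00:04 dnsmasq[812]: query[TXT] 4d7x2k9q0bz3vh8jt5mw1ey6pa.t.example.net from 192.0.2.12
Jan 10 12:00:04 dnsmasq[812]: query[TXT] 9kq2z7fd1xm6wb3hn8vt5cp0lr.t.example.net from 192.0.2.12
Jan 10 12:00:05 dnsmasq[812]: query[TXT] c3hp8ml5vx0dq7kw2ja9zn6tyb.t.example.net from 192.0.2.12
Jan 10 12:00:05 dnsmasq[812]: query[TXT] r6tb1fy9kd4xq8wz2mh7pc0jvn.t.example.net from 192.0.2.12
Jan 10 12:00:06 dnsmasq[812]: query[TXT] m0wz5kc2qd8xf7bv1tj9hn4ylp.t.example.net from 192.0.2.12
Jan 10 12:00:06 dnsmasq[812]: query[TXT] z8jn3qv7yb2kw6fd0hx1mc5tpr.t.example.net from 192.0.2.12
Jan 10 12:00:07 dnsmasq[812]: query[A] aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.org from 192.0.2.13'

# Demo on the sample with a low threshold so the six-name burst is reported.
demo_flags() {
    printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_queries 5
}
```

Each heuristic on its own has benign hits (CDNs and anti-spam services use long, random-looking labels), so the useful signal is a client that trips two or more of them for the same parent domain; the client address is in the log line for exactly that follow-up.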

Maintenance

1. Regular testing:

Test DNS resolution
Measure query times
Verify redundancy
Check for issues

2. Keep records updated:

Document DNS servers
Track changes
Maintain TTL strategy
Update promptly

3. Plan DNS changes:

Lower TTL before changes
Test in staging
Verify propagation
Monitor after changes

Conclusion

DNS issues are common but usually straightforward to diagnose and resolve. Understanding DNS fundamentals, using proper diagnostic tools, and following best practices for configuration and security ensure reliable name resolution. When problems occur, systematic troubleshooting starting with basic connectivity and progressing to detailed analysis quickly identifies the root cause.



Key takeaways:

DNS translates names to IP addresses
Common issues: Server not responding, NXDOMAIN, cache corruption, slow resolution
Diagnostic tools: nslookup, dig, host
Flush DNS cache: First troubleshooting step
Use reliable DNS: 8.8.8.8, 1.1.1.1, 9.9.9.9
Multiple DNS servers: Redundancy essential
DNS propagation: Can take up to 48 hours
Security: Use DoH/DoT, enable DNSSEC
Local caching: Improves performance
Monitor and test: Regular DNS health checks

Most DNS issues can be resolved by flushing the DNS cache and switching to reliable public DNS servers like Google (8.8.8.8) or Cloudflare (1.1.1.1). For persistent issues, use diagnostic tools like dig and nslookup to trace the problem, check authoritative nameservers, and verify DNS propagation. Implement DNS over HTTPS for security and use local DNS caching for performance.
