
DNS Issues: Common Problems and Solutions

DNS (Domain Name System) is critical for internet functionality, translating human-readable domain names into IP addresses. When DNS fails, websites become unreachable despite network connectivity being intact. This comprehensive guide covers common DNS problems, diagnostic techniques, and solutions.

Understanding DNS Problems

What is DNS?

DNS function:

- User types: www.example.com
- DNS translates: 203.0.113.1
- Browser connects: to the IP address
- Result: website loads


DNS hierarchy (a query walks down this chain):

1. Root servers (.)
2. Top-level domain (.com, .org, .net)
3. Authoritative nameservers (example.com)
4. Your computer (cached result)

Common DNS Symptoms

Cannot resolve hostnames:

- Error: "Server not found"
- Error: "DNS_PROBE_FINISHED_NXDOMAIN"
- Error: "This site can't be reached"
- Ping by IP: works
- Ping by name: fails

Slow resolution:

- Websites load slowly
- Initial connection delay
- Subsequent pages fast
- DNS timeout messages

Intermittent failures:

- Some sites work, others don't
- Works sometimes, fails at other times
- Different results on retry
- Inconsistent behavior

Common DNS Problems

DNS Server Not Responding

Symptoms:

- All hostname resolution fails
- "DNS server not responding"
- Timeout errors
- Works with IP addresses

Causes:

- DNS server down
- No network connectivity to the DNS server
- Firewall blocking DNS (port 53)
- Incorrect DNS server configuration

Diagnosis:

```bash
# Check DNS configuration
# Linux
cat /etc/resolv.conf
# Windows
ipconfig /all | findstr DNS
# macOS
scutil --dns

# Test DNS server reachability
ping 8.8.8.8

# Test DNS query
nslookup google.com
dig google.com
```

Solution:

```bash
# Try alternative DNS servers
# Google DNS:     8.8.8.8  8.8.4.4
# Cloudflare DNS: 1.1.1.1  1.0.0.1
# Quad9 DNS:      9.9.9.9  149.112.112.112

# Configure DNS (Linux) - overwrites /etc/resolv.conf
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
echo "nameserver 8.8.4.4" | sudo tee -a /etc/resolv.conf

# Windows
netsh interface ip set dns "Ethernet" static 8.8.8.8
netsh interface ip add dns "Ethernet" 8.8.4.4 index=2

# macOS
networksetup -setdnsservers Wi-Fi 8.8.8.8 8.8.4.4
```

NXDOMAIN (Non-Existent Domain)

Symptoms:

- "Server not found"
- "DNS_PROBE_FINISHED_NXDOMAIN"
- Domain doesn't exist
- Typo in domain name

Causes:

- Domain doesn't exist
- Typo in URL
- Domain expired
- DNS propagation delay

Diagnosis:

```bash
# Check domain exists
nslookup example.com

# Check with different DNS
nslookup example.com 8.8.8.8

# WHOIS lookup
whois example.com

# Check DNS propagation
# Use: whatsmydns.net
```

Solution:

- Verify domain spelling
- Check domain registration
- Wait for DNS propagation (up to 48 hours)
- Clear DNS cache
- Try a different DNS server

DNS Cache Poisoning/Corruption

Symptoms:

- Wrong IP address returned
- Redirected to wrong site
- Inconsistent results
- Works on other devices

Causes:

- Corrupted local cache
- Malware/adware
- DNS hijacking
- Stale cache entries

Diagnosis:

```bash
# Check cached entries
# Windows
ipconfig /displaydns | findstr example.com

# Compare with authoritative
nslookup example.com
dig example.com

# Check hosts file
# Linux/macOS
cat /etc/hosts
# Windows
type C:\Windows\System32\drivers\etc\hosts
```

Solution:

```bash
# Flush DNS cache
# Windows
ipconfig /flushdns

# macOS
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

# Linux (systemd-resolved; newer releases use: sudo resolvectl flush-caches)
sudo systemd-resolve --flush-caches

# Linux (nscd)
sudo /etc/init.d/nscd restart

# Linux (dnsmasq)
sudo /etc/init.d/dnsmasq restart

# Chrome browser cache
# Open chrome://net-internals/#dns and click "Clear host cache"
```

Slow DNS Resolution

Symptoms:

- Websites slow to load initially
- Long delay before connection
- Fast once connected
- Timeout on first attempt

Causes:

- Slow DNS server
- Network latency to DNS server
- DNS server overloaded
- Too many DNS queries

Diagnosis:

```bash
# Measure DNS query time
time nslookup google.com

# Or with dig
dig google.com | grep "Query time"

# Test multiple DNS servers
for dns in 8.8.8.8 1.1.1.1 9.9.9.9; do
  echo "Testing $dns:"
  dig @$dns google.com | grep "Query time"
done

# Monitor DNS queries
# Linux
sudo tcpdump -i any port 53
# Windows
# Use Wireshark filter: dns
```

Solution:

- Use faster DNS servers
- Use a local DNS cache (dnsmasq)
- Reduce DNS queries
- Use DNS prefetching
- Configure DNS caching

Local DNS caching (dnsmasq):

```bash
# Install dnsmasq
sudo apt install dnsmasq

# Configure
sudo nano /etc/dnsmasq.conf
# Add:
#   cache-size=1000
#   no-resolv
#   server=8.8.8.8
#   server=8.8.4.4

# Start service
sudo systemctl start dnsmasq
sudo systemctl enable dnsmasq

# Configure system to use local cache
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
```

DNS Propagation Delays

Symptoms:

- New domain not resolving
- Recent DNS change not visible
- Works in some locations, not others
- Inconsistent results

Causes:

- DNS changes not propagated
- TTL (Time To Live) not expired
- Cached old records
- Different DNS servers

Diagnosis:

```bash
# Check authoritative nameserver
dig example.com NS
dig @authoritative-ns.com example.com

# Check TTL (second column of each answer line)
dig +noall +answer example.com

# Check from different locations
# Use: whatsmydns.net
# Or: dnschecker.org
```

Solution:

- Wait for TTL to expire
- Flush local DNS cache
- Use the authoritative nameserver
- Lower TTL before changes (plan ahead)
- Verify changes at registrar

TTL planning, before a change:

1. Lower TTL to 300 seconds (5 minutes)
2. Wait for the old TTL to expire
3. Make the DNS changes
4. Wait for propagation
5. Increase TTL back to normal (3600-86400)
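The propagation check and the TTL plan above can be made repeatable. The following is an added example, not code from the original article: it compares the A records the authoritative nameserver returns with what a public resolver is still serving and, when they differ, reports the longest TTL remaining on the resolver's cached copy, which is the upper bound on how long the old answer can survive. Function names are ours, the sample answers are constructed so the block runs offline, and the live wrapper `check_propagation` assumes `dig` is installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: decide whether a DNS change
# has propagated by comparing the authoritative answer with what a public
# resolver still serves, and report how long the stale data can survive.
# Function and variable names are ours.

# From "name TTL IN TYPE value" answer lines (dig +noall +answer) on stdin,
# print the sorted values of one record type.
answer_values() {   # $1 = record type, e.g. A
    awk -v t="$1" '$1 !~ /^;/ && NF >= 5 && $4 == t { print $5 }' | sort
}

# Largest TTL (seconds) among the answer lines on stdin.
max_ttl() {
    awk '$1 !~ /^;/ && NF >= 5 && $2 ~ /^[0-9]+$/ { if ($2 + 0 > m) m = $2 + 0 } END { print m + 0 }'
}

# Compare the authoritative answer ($1) with a resolver's answer ($2).
# Prints PROPAGATED when the A record sets match, otherwise STALE:<seconds>,
# where <seconds> is the longest remaining TTL on the resolver's cached data.
propagation_state() {
    local auth res
    auth=$(printf '%s\n' "$1" | answer_values A)
    res=$(printf '%s\n' "$2" | answer_values A)
    if [ "$auth" = "$res" ]; then
        echo PROPAGATED
    else
        echo "STALE:$(printf '%s\n' "$2" | max_ttl)"
    fi
}

# Live check (assumes dig is installed; not run automatically below):
# query the first authoritative nameserver and a public resolver.
check_propagation() {   # $1 = domain, $2 = resolver (default 8.8.8.8)
    local domain="$1" resolver="${2:-8.8.8.8}" ns
    ns=$(dig +short "$domain" NS | head -n 1)
    if [ -z "$ns" ]; then echo "no NS records for $domain"; return 1; fi
    propagation_state "$(dig @"$ns" +noall +answer "$domain" A)" \
                      "$(dig @"$resolver" +noall +answer "$domain" A)"
}

# Constructed answers (not real captures): the zone now points at 203.0.113.1,
# while one resolver still caches the old 198.51.100.7 with 2874 s of TTL left.
AUTH_ANSWER='example.com. 300 IN A 203.0.113.1'
RESOLVER_STALE='example.com. 2874 IN A 198.51.100.7'
RESOLVER_FRESH='example.com. 299 IN A 203.0.113.1'

echo "stale resolver -> $(propagation_state "$AUTH_ANSWER" "$RESOLVER_STALE")"
echo "fresh resolver -> $(propagation_state "$AUTH_ANSWER" "$RESOLVER_FRESH")"
```

Run `check_propagation yourdomain.example 1.1.1.1` against a real zone after a change; `STALE:2874` tells you the resolver can keep serving the old record for up to 2874 more seconds, which is exactly why the plan lowers the TTL before the change rather than after it. Record sets are sorted before comparison so round-robin ordering differences do not count as a mismatch.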

DNS Hijacking/Redirection

Symptoms:

- Redirected to unexpected sites
- Search results instead of an error
- Ads on error pages
- Different results than expected

Causes:

- ISP DNS hijacking
- Router compromise
- Malware
- DNS server manipulation

Diagnosis:

```bash
# Test with a known non-existent domain
nslookup thisdomaindoesnotexist12345.com
# Should return NXDOMAIN
# If an IP is returned: DNS hijacking

# Check DNS servers
# Linux
cat /etc/resolv.conf
# Windows
ipconfig /all
# Verify not using ISP DNS
# Compare with configured DNS
```
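The non-existent-domain probe above is easy to misread by eye, so here is an added example (not code from the original article) that parses the `dig` output and returns one of three verdicts: `HONEST` for a genuine NXDOMAIN, `HIJACKED` when the resolver hands back address records for a name that cannot exist, and `INCONCLUSIVE` for SERVFAIL, REFUSED or unparsable output. Function names are ours, the two sample responses are constructed so the block runs offline, and the live wrapper `check_resolver_hijack` assumes `dig` is installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: classify a resolver's answer
# for a name that must not exist. Honest resolvers return NXDOMAIN; a resolver
# that returns an address for such a name is rewriting errors (the "search
# results instead of error" symptom). Function and variable names are ours.

# Print the status word from a dig response header read on stdin
# (";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711").
dig_status() {
    awk '/->>HEADER<<-/ {
        for (i = 1; i <= NF; i++)
            if ($i == "status:") { s = $(i + 1); sub(/,$/, "", s); print s; exit }
    }'
}

# Count A/AAAA records in the answer section of dig output read on stdin.
answer_count() {
    awk '$1 !~ /^;/ && NF >= 5 && ($4 == "A" || $4 == "AAAA") { n++ } END { print n + 0 }'
}

# Classify one complete dig output (passed as a single string):
#   HONEST        NXDOMAIN, as expected for a name that does not exist
#   HIJACKED      NOERROR plus address records for that name
#   INCONCLUSIVE  SERVFAIL, REFUSED, timeouts or unparsable output
classify_nonexistent_answer() {
    local out="$1" status n
    status=$(printf '%s\n' "$out" | dig_status)
    n=$(printf '%s\n' "$out" | answer_count)
    case "$status" in
        NXDOMAIN) echo HONEST ;;
        NOERROR)  if [ "$n" -gt 0 ]; then echo HIJACKED; else echo INCONCLUSIVE; fi ;;
        *)        echo INCONCLUSIVE ;;
    esac
}

# Live check against the system resolver (or the server given as $1):
# query a random label that cannot exist, then classify the answer.
# Assumes dig is installed; not run automatically below.
check_resolver_hijack() {
    local server="${1:-}" name
    if [ -n "$server" ]; then server="@$server"; fi
    name="nx-$(date +%s)-$RANDOM.com"
    classify_nonexistent_answer "$(dig $server "$name" A)"
}

# Constructed dig outputs (not real captures) to exercise the classifier offline.
HONEST_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;thisdomaindoesnotexist12345.com. IN A

;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400'

HIJACKED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
thisdomaindoesnotexist12345.com. 60 IN A 192.0.2.53'

echo "honest resolver sample    -> $(classify_nonexistent_answer "$HONEST_SAMPLE")"
echo "hijacking resolver sample -> $(classify_nonexistent_answer "$HIJACKED_SAMPLE")"
```

Run `check_resolver_hijack` with no argument to test the resolver from `/etc/resolv.conf`, or `check_resolver_hijack 1.1.1.1` to compare against a known public resolver; a random label is used each time so a cached answer from an earlier probe cannot skew the result.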

Solution:

- Use trusted DNS servers (8.8.8.8, 1.1.1.1)
- Scan for malware
- Check router configuration
- Reset router to defaults
- Use DNS over HTTPS (DoH)
- Use DNS over TLS (DoT)

DNS over HTTPS (DoH):

```
Firefox: Settings → Network Settings → Enable DNS over HTTPS
         Provider: Cloudflare or NextDNS

Chrome: Settings → Privacy and security → Security → Use secure DNS → Choose provider

systemd-resolved (this enables DNS over TLS rather than DoH): /etc/systemd/resolved.conf
[Resolve]
DNS=1.1.1.1
DNSOverTLS=yes
```

Diagnostic Tools

nslookup

Basic usage:

```bash
# Simple query
nslookup example.com

# Specific DNS server
nslookup example.com 8.8.8.8

# Reverse lookup
nslookup 8.8.8.8

# Interactive mode
nslookup
> server 8.8.8.8
> set type=MX
> example.com
> exit
```

Query types:

```bash
# A record (IPv4)
nslookup -type=A example.com

# AAAA record (IPv6)
nslookup -type=AAAA example.com

# MX record (mail)
nslookup -type=MX example.com

# NS record (nameservers)
nslookup -type=NS example.com

# TXT record
nslookup -type=TXT example.com

# SOA record
nslookup -type=SOA example.com
```

dig

Basic usage:

```bash
# Simple query
dig example.com

# Short answer
dig +short example.com

# Specific DNS server
dig @8.8.8.8 example.com

# Trace DNS resolution
dig +trace example.com

# Reverse lookup
dig -x 8.8.8.8
```

Query types:

```bash
# A record
dig example.com A

# AAAA record
dig example.com AAAA

# MX record
dig example.com MX

# NS record
dig example.com NS

# TXT record
dig example.com TXT

# ANY (all records; many servers now answer ANY minimally, see RFC 8482)
dig example.com ANY
```

Useful options:

```bash
# Show query time
dig example.com | grep "Query time"

# No comments
dig +nocomments example.com

# No statistics
dig +nostats example.com

# Minimal output
dig +short example.com

# TCP instead of UDP
dig +tcp example.com
```

host

Basic usage:

```bash
# Simple query
host example.com

# Reverse lookup
host 8.8.8.8

# Specific DNS server
host example.com 8.8.8.8

# All records
host -a example.com

# Verbose
host -v example.com
```

Testing DNS Performance

Measure query time:

```bash
# Using dig
dig example.com | grep "Query time"

# Using time
time nslookup example.com

# Multiple queries
for i in {1..10}; do
  dig example.com | grep "Query time"
done
```

Compare DNS servers:

```bash
#!/bin/bash
# dns_benchmark.sh - average "Query time" over five lookups per resolver

DOMAIN="google.com"
DNS_SERVERS=("8.8.8.8" "1.1.1.1" "9.9.9.9" "208.67.222.222")

for dns in "${DNS_SERVERS[@]}"; do
  echo "Testing $dns:"
  # dig prints ";; Query time: 23 msec"; field 4 is the number
  avg=$(for i in {1..5}; do
          dig @"$dns" "$DOMAIN" | grep "Query time" | awk '{print $4}'
        done | awk '{sum+=$1} END {print sum/NR}')
  echo "Average: ${avg}ms"
  echo
done
```

Advanced Troubleshooting

DNS Resolution Path

Trace DNS query:

```bash
# Full trace
dig +trace example.com

# Shows:
# 1. Root servers
# 2. TLD servers (.com)
# 3. Authoritative nameservers
# 4. Final answer

# Example output (abbreviated):
# .            518400 IN NS a.root-servers.net.
# com.         172800 IN NS a.gtld-servers.net.
# example.com. 172800 IN NS ns1.example.com.
# example.com. 300    IN A  203.0.113.1
```

Check Authoritative Nameservers

Find authoritative NS:

```bash
# Get nameservers
dig example.com NS +short

# Query authoritative directly
dig @ns1.example.com example.com

# Compare with public DNS
dig @8.8.8.8 example.com
# Should match if propagated
```

DNSSEC Validation

Check DNSSEC:

```bash
# Query with DNSSEC
dig example.com +dnssec
# Look for:
# - RRSIG records (signatures)
# - AD flag (authenticated data)

# Validate DNSSEC chain
dig +dnssec +multi example.com

# Check DNSSEC status
delv example.com
```
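The two things to look for above (RRSIG records and the AD flag) answer different questions: RRSIGs mean the zone is signed, the AD flag means the resolver you asked actually validated the chain. The following added example (not code from the original article) reads a `dig +dnssec` response and reports `VALIDATED`, `SIGNED_NOT_VALIDATED` or `UNSIGNED`. Function names are ours, the sample responses are constructed with placeholder signature data so the block runs offline, and the live wrapper `check_dnssec` assumes `dig` is installed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: read a "dig +dnssec" response
# and report whether the data was validated (AD flag set), merely signed
# (RRSIG present but no AD flag, so the resolver did not validate), or
# unsigned. Function and variable names are ours.

# Print the header flags from dig output on stdin, e.g. "qr rd ra ad".
dig_flags() {
    awk '/^;; flags:/ { sub(/^;; flags:/, ""); sub(/;.*/, ""); sub(/^ +/, ""); print; exit }'
}

# Exit 0 if the answer/authority sections on stdin contain an RRSIG record.
has_rrsig() {
    awk '$1 !~ /^;/ && NF >= 5 && $4 == "RRSIG" { found = 1 } END { exit !found }'
}

# Classify a complete "dig +dnssec" output passed as one string:
#   VALIDATED             AD flag set and signatures returned
#   SIGNED_NOT_VALIDATED  signatures returned, but the resolver did not set AD
#   UNSIGNED              no RRSIG records at all (zone unsigned, or the
#                         resolver stripped them because the DO bit was unset)
dnssec_status() {
    local out="$1" adflag=0 sig=0
    case " $(printf '%s\n' "$out" | dig_flags) " in *" ad "*) adflag=1 ;; esac
    if printf '%s\n' "$out" | has_rrsig; then sig=1; fi
    if [ "$sig" -eq 1 ] && [ "$adflag" -eq 1 ]; then echo VALIDATED
    elif [ "$sig" -eq 1 ]; then echo SIGNED_NOT_VALIDATED
    else echo UNSIGNED
    fi
}

# Live check (assumes dig is installed; not run automatically below).
check_dnssec() {   # $1 = domain, $2 = resolver (optional)
    local server="${2:-}"
    if [ -n "$server" ]; then server="@$server"; fi
    dnssec_status "$(dig $server +dnssec "$1" A)"
}

# Constructed dig outputs (not real captures); the RRSIG data is a placeholder.
VALIDATED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com. 3600 IN A 203.0.113.1
example.com. 3600 IN RRSIG A 13 2 3600 20250101000000 20241201000000 12345 example.com. PLACEHOLDERSIGNATURE=='

UNVALIDATED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2002
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com. 3600 IN A 203.0.113.1
example.com. 3600 IN RRSIG A 13 2 3600 20250101000000 20241201000000 12345 example.com. PLACEHOLDERSIGNATURE=='

UNSIGNED_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2003
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com. 3600 IN A 203.0.113.1'

echo "validated sample   -> $(dnssec_status "$VALIDATED_SAMPLE")"
echo "unvalidated sample -> $(dnssec_status "$UNVALIDATED_SAMPLE")"
echo "unsigned sample    -> $(dnssec_status "$UNSIGNED_SAMPLE")"
```

`SIGNED_NOT_VALIDATED` is the result to watch for when the goal is spoofing resistance: the signatures exist, but the resolver you are using is not checking them, so switching to a validating resolver (or running a local validator such as `delv` shows) is what actually turns DNSSEC on for that host.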

DNS Packet Analysis

Capture DNS traffic:

```bash
# tcpdump
sudo tcpdump -i any port 53 -w dns.pcap

# Wireshark filter
# dns

# Analyze:
# - Query/response times
# - Failed queries
# - Unusual patterns
# - Error codes
```

DNS response codes:

- NOERROR (0): Success
- FORMERR (1): Format error
- SERVFAIL (2): Server failure
- NXDOMAIN (3): Non-existent domain
- NOTIMP (4): Not implemented
- REFUSED (5): Query refused

Platform-Specific Issues

Windows

Common issues:

- DNS Client service stopped
- Incorrect adapter DNS settings
- IPv6 DNS issues
- Network adapter problems

Troubleshooting:

```cmd
REM Check DNS Client service
sc query Dnscache

REM Start if stopped
net start Dnscache

REM Reset network stack
netsh winsock reset
netsh int ip reset
ipconfig /flushdns

REM Reset adapter
netsh interface ip reset
netsh interface ipv6 reset

REM Disable IPv6 randomized interface identifiers (if they cause issues);
REM note this does not disable IPv6 itself
netsh interface ipv6 set global randomizeidentifiers=disabled
```

macOS

Common issues:

- mDNSResponder issues
- Network location problems
- VPN DNS conflicts

Troubleshooting:

```bash
# Restart mDNSResponder
sudo killall -HUP mDNSResponder

# Flush DNS
sudo dscacheutil -flushcache

# Reset network
sudo ifconfig en0 down
sudo ifconfig en0 up

# Check DNS settings
scutil --dns

# Network location
networksetup -listallnetworkservices
networksetup -getdnsservers Wi-Fi
```

Linux

Common issues:

- systemd-resolved conflicts
- NetworkManager DNS
- /etc/resolv.conf overwritten
- dnsmasq conflicts

Troubleshooting:

```bash
# Check DNS resolution service
systemctl status systemd-resolved

# Check resolv.conf
cat /etc/resolv.conf

# If symlink to systemd-resolved
ls -l /etc/resolv.conf

# Restart NetworkManager
sudo systemctl restart NetworkManager

# Disable systemd-resolved (if needed)
sudo systemctl disable systemd-resolved
sudo systemctl stop systemd-resolved

# Manual resolv.conf
sudo rm /etc/resolv.conf
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
```

Best Practices

Configuration

1. Use reliable DNS servers:

```
Primary:   8.8.8.8 (Google)
Secondary: 1.1.1.1 (Cloudflare)
Tertiary:  9.9.9.9 (Quad9)

Or use ISP DNS if reliable
```

2. Configure multiple DNS servers:
   - At least 2 DNS servers
   - Different providers
   - Automatic failover
   - Redundancy

3. Use DNS caching:
   - Local DNS cache (dnsmasq)
   - Browser DNS cache
   - OS DNS cache
   - Reduces queries
   - Improves performance

Security

1. Use DNS over HTTPS (DoH):
   - Encrypts DNS queries
   - Prevents eavesdropping
   - Prevents manipulation
   - Privacy protection

2. Use DNS over TLS (DoT):
   - Encrypted DNS
   - Port 853
   - systemd-resolved support
   - Privacy and security

3. Verify DNSSEC:
   - Cryptographic validation
   - Prevents DNS spoofing
   - Ensures authenticity
   - Enable when available

4. Monitor DNS:
   - Watch for unusual queries
   - Detect DNS tunneling
   - Identify malware
   - Log DNS traffic
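The "Analyze" checklist in the DNS Packet Analysis section (failed queries, error codes, unusual patterns) and the "Monitor DNS" item above both come down to reading a capture systematically. The following added example, not code from the original article, does that for the text output of `tcpdump -nn port 53`: it counts response codes, pairs each error response with the query it answers, lists queries that never received a reply, and flags query names that are long or deeply nested enough to look like tunnelling. Function names and the `DNS_MAX_QNAME` threshold variable are ours, and the capture lines are constructed so the block runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: summarise a "tcpdump -nn port 53"
# text log: count response codes, pair failed responses with their queries,
# list unanswered queries, and flag names long enough to look like DNS
# tunnelling. Function names and the DNS_MAX_QNAME threshold are ours.

# Reads tcpdump -nn lines on stdin; prints one finding per line:
#   rcode <RCODE> <count>             NOERROR / NXDOMAIN / SERVFAIL / REFUSED ...
#   failed <name> <RCODE>             a query that got an error response
#   unanswered <name>                 a query with no matching response
#   suspect <name> type=<T> len=<n>   qname longer than DNS_MAX_QNAME (default 52)
#                                     characters or with more than 5 labels
analyze_dns_log() {
    awk -v maxlen="${DNS_MAX_QNAME:-52}" '
    # Query line: "<client> > <resolver>.53: <id>+ <TYPE>? <name>. (<len>)"
    $5 ~ /\.53:$/ && $7 ~ /\?$/ {
        id = $6; gsub(/[^0-9]/, "", id)          # strip the "+" (RD) marker
        qname[id] = $8; answered[id] = 0
        n = $8; sub(/\.$/, "", n)
        if (length(n) > maxlen || split(n, labels, ".") > 5)
            printf "suspect %s type=%s len=%d\n", $8, $7, length(n)
        next
    }
    # Response line: "<resolver>.53 > <client>: <id> [<RCODE>] a/b/c ..."
    # tcpdump prints no word for NOERROR, so a bare "a/b/c" count means success.
    $3 ~ /\.53$/ {
        id = $6; gsub(/[^0-9]/, "", id)
        rc = ($7 ~ /^[0-9]+\/[0-9]+\/[0-9]+$/) ? "NOERROR" : toupper($7)
        rcodes[rc]++; answered[id] = 1
        if (rc != "NOERROR")
            printf "failed %s %s\n", (id in qname ? qname[id] : "?"), rc
        next
    }
    END {
        for (rc in rcodes) printf "rcode %s %d\n", rc, rcodes[rc]
        for (id in qname) if (!answered[id]) printf "unanswered %s\n", qname[id]
    }'
}

# Constructed capture lines (not a real trace) in tcpdump -nn format.
SAMPLE_LOG='10:00:01.000001 IP 192.0.2.10.51234 > 192.0.2.1.53: 4301+ A? example.com. (29)
10:00:01.000520 IP 192.0.2.1.53 > 192.0.2.10.51234: 4301 1/0/0 A 203.0.113.1 (45)
10:00:02.000001 IP 192.0.2.10.51235 > 192.0.2.1.53: 4302+ A? doesnotexist.example. (38)
10:00:02.000700 IP 192.0.2.1.53 > 192.0.2.10.51235: 4302 NXDomain 0/1/0 (104)
10:00:03.000001 IP 192.0.2.10.51236 > 192.0.2.1.53: 4303+ A? broken.example. (32)
10:00:03.001000 IP 192.0.2.1.53 > 192.0.2.10.51236: 4303 ServFail 0/0/0 (32)
10:00:04.000001 IP 192.0.2.10.51237 > 192.0.2.1.53: 4304+ TXT? 5f2b7a1c9e3d4f6a8b0c1d2e.a8f3c2e1d9b07.t.tunnel-example.net. (90)
10:00:05.000001 IP 192.0.2.10.51238 > 192.0.2.1.53: 4305+ TXT? 9a8b7c6d5e4f30211a2b3c4d.b1c2d3e4f5a69.t.tunnel-example.net. (89)'

printf '%s\n' "$SAMPLE_LOG" | analyze_dns_log
```

Feed it a live capture with `sudo tcpdump -nn -l -i any port 53 | analyze_dns_log` (or `tcpdump -nn -r dns.pcap | analyze_dns_log` for the file written above). A burst of `suspect` lines for one base domain, especially TXT or NULL queries that never repeat, is the pattern the "Detect DNS tunneling" item refers to; a rising `SERVFAIL` count points at the resolver rather than the client.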

Maintenance

1. Regular testing:
   - Test DNS resolution
   - Measure query times
   - Verify redundancy
   - Check for issues

2. Keep records updated:
   - Document DNS servers
   - Track changes
   - Maintain a TTL strategy
   - Update promptly

3. Plan DNS changes:
   - Lower TTL before changes
   - Test in staging
   - Verify propagation
   - Monitor after changes

Conclusion

DNS issues are common but usually straightforward to diagnose and resolve. Understanding DNS fundamentals, using proper diagnostic tools, and following best practices for configuration and security ensure reliable name resolution. When problems occur, systematic troubleshooting starting with basic connectivity and progressing to detailed analysis quickly identifies the root cause.



Key takeaways:

- DNS translates names to IP addresses
- Common issues: server not responding, NXDOMAIN, cache corruption, slow resolution
- Diagnostic tools: nslookup, dig, host
- Flush DNS cache: first troubleshooting step
- Use reliable DNS: 8.8.8.8, 1.1.1.1, 9.9.9.9
- Multiple DNS servers: redundancy is essential
- DNS propagation: can take up to 48 hours
- Security: use DoH/DoT, enable DNSSEC
- Local caching: improves performance
- Monitor and test: regular DNS health checks

Bottom line: Most DNS issues can be resolved by flushing the DNS cache and switching to reliable public DNS servers such as Google (8.8.8.8) or Cloudflare (1.1.1.1). For persistent issues, use diagnostic tools like dig and nslookup to trace the problem, check the authoritative nameservers, and verify DNS propagation. Implement DNS over HTTPS for security and use local DNS caching for performance.
