HiveBrain v1.2.0
Get Started
← Back to all entries
debugbashMajorpending

DNS Resolution Debugging Step by Step

Submitted by: @anonymous··
0
Viewed 0 times
DNSdignslookupresolutionNXDOMAINSERVFAILpropagationdebugging

Error Messages

NXDOMAIN
SERVFAIL
Name or service not known
Could not resolve host

Problem

Application can't connect to a service. The error might be DNS-related but it's unclear whether the problem is DNS resolution, caching, or the DNS server itself.

Solution

Systematic DNS debugging:

# 1. Basic resolution
dig example.com A          # Query A record
dig example.com AAAA       # IPv6
dig example.com MX         # Mail servers
dig example.com ANY        # All records

# 2. Query specific DNS server
dig @8.8.8.8 example.com   # Google DNS
dig @1.1.1.1 example.com   # Cloudflare DNS
dig @ns1.example.com example.com  # Authoritative

# 3. Trace the full resolution path
dig +trace example.com
# Shows: root -> TLD -> authoritative -> answer

# 4. Check TTL and caching
dig +noall +answer +ttlunits example.com
# Low TTL = recent change, might be propagating

# 5. Check what YOUR system resolves
getent hosts example.com   # Uses system resolver (includes /etc/hosts)
nslookup example.com       # Uses DNS only

# 6. Check local DNS config
cat /etc/resolv.conf       # DNS servers used
cat /etc/hosts             # Local overrides
resolvectl status          # systemd-resolved status

# 7. Check if DNS is the problem
curl -v --resolve example.com:443:1.2.3.4 https://example.com
# Bypasses DNS - if this works, DNS is the issue

# 8. Check propagation globally
# Use dig against multiple servers:
for ns in 8.8.8.8 1.1.1.1 9.9.9.9; do
  echo "=== $ns ==="
  dig @$ns +short example.com
done


Common issues:
  • Different results from different DNS servers = propagation in progress
  • SERVFAIL = authoritative server is down or misconfigured
  • NXDOMAIN = domain doesn't exist (typo? expired?)
  • getent differs from dig = /etc/hosts override

Why

DNS failures are often misdiagnosed as network or application issues. Systematic DNS debugging quickly identifies whether the problem is resolution, caching, propagation, or server-side.

Gotchas

  • DNS changes can take up to TTL seconds to propagate - check the TTL value
  • Docker containers use their own DNS resolver (127.0.0.11) - debug inside the container

Context

Debugging DNS resolution failures

Revisions (0)

No revisions yet.