Diagnosing DNS Problems

October 24, 2013

In Part I of this series, we covered DNS fundamentals. If you missed it, you should probably start there for an introduction to how DNS works. There is one big detail about DNS we glossed over in Part I for the sake of simplicity, though: intermediary caching.


Intermediary DNS Caching

When your computer calls DNS to find a domain's number, it actually calls your Internet Service Provider's DNS service first to ask, "Do you know the number for [domain.com]?" If it does know the number, and it hasn't expired, it will tell you. Otherwise, it will look it up for you and it, too, will cache the result for a period of time (specified by the same time-to-live, or TTL, information covered in Part I). The reason your ISP caches this for you, rather than your computer going straight to your authoritative DNS server, is that it reduces the load placed on your authoritative DNS server and lets the ISP respond to you more quickly.

Debugging DNS Problems

Most DNS problems can be resolved by finding an answer to a simple question: where is my DNS going wrong?

Based on what we learned in Part I about the authoritative DNS server and your computer caching results, as well as what we just covered about intermediary DNS caching, there are three likely suspects:

  1. Authoritative DNS Server
  2. DNS Cache Intermediary
  3. Your Computer's Cache

We'll start checking correctness at the source, your domain's authoritative DNS server. From there, we can trace our way back down to your device to identify any problems in the intermediary cache or on your computer.

The Command Line

To run these diagnostic tests, we'll need to open a command line or terminal on your machine. This may look scary, like old computers or a DOS machine, but you have nothing to fear.

On Windows, open your start menu, type 'cmd.exe', press Enter.

On Mac OSX, press command+space to open Finder, type 'Terminal', press Enter.

You should see a command line.

Finding your authoritative 'NS Server'

Before we can call your authoritative DNS server, we must first find out its domain. We can do this with a tool called nslookup. At your terminal, type:

nslookup -type=ns [domain.com]

Replace [domain.com] with your own domain. You should see a response containing one or more "nameserver = ..." lines. If you look at the first "nameserver = ..." line, what follows after "nameserver =" is your authoritative DNS server. This should be your registrar's address, or one that you've entered. Got it? We'll call this your "NS server".

Checking your authoritative 'NS Server'

Now, we can call up your authoritative NS Server directly to get the information it has on file about your domain name with the following command:

nslookup [domain.com] [ns server]

By placing the NS server last, the nslookup command will call it directly, bypassing your intermediary cache.

This will give you your domain's number (IP address). Is this the correct number? If not, your problem exists at your domain's DNS host and must be fixed there. If so, your problem is likely due to caching.

If you need to check any other type of record, besides an A record, like a CNAME or MX record, just type the flag "-type=[cname or mx or txt or ...]" right after nslookup, before [domain.com].

Checking your intermediary cache

Checking your ISP's intermediary cache is the default operating mode of nslookup, so we can just drop the [ns server] from the command above to check the intermediary cache:

nslookup [domain.com]

What we are usually after in checking the intermediary cache, though, is to figure out *how long* the record will be cached for. You can get the TTL remaining on your intermediary cache by using the -debug flag:

nslookup -debug [domain.com]

The extra debug information will tell you how many seconds are left in the cache; just look for the 'TTL' line. If you run this command again you will see that it counts down.

If your intermediary cache still has incorrect, old information, you will have to wait until this TTL reaches 0 before it attempts to call your authoritative NS server for the new, correct records.

Clearing your local cache

If your authoritative records are correct, and your intermediary cache is correct, but your local machine still doesn't seem to be getting the new information your best bet is to take two actions:

  1. Completely close out your internet browser. Browsers can peskily cache DNS records more aggressively than you'd like in these situations.
  2. Clear your operating system's DNS cache. If you are on Windows, run ipconfig /flushdns. If you are on OSX, run sudo killall -HUP mDNSResponder.
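The whole walk from authoritative NS server to intermediary cache to local cache can be scripted. The following is an added example, not code from the original post: it parses the text that nslookup prints (the "nameserver = ..." lines, the "Name:"/"Address:" answer and the "ttl = N" debug line) and reports the first layer whose answer differs from the IP you expect. The domain example.com, the nameserver ns1.example.net and the RFC 5737 addresses are constructed sample values; `run_nslookup` shells out to the real tool, while `sample_runner` feeds the constructed transcripts so it runs offline.

```python
import re
import subprocess

def run_nslookup(args):
    """Invoke the real nslookup; pass another runner to diagnose() to test offline."""
    return subprocess.run(["nslookup", *args], capture_output=True, text=True).stdout

def parse_nameservers(output):
    """Hostnames from the 'nameserver = ...' lines of 'nslookup -type=ns'."""
    return [h.rstrip(".") for h in re.findall(r"nameserver\s*=\s*(\S+)", output)]

def parse_addresses(output):
    """Answer IPs only: the 'Address:' line before 'Name:' is the server that replied."""
    addrs, in_answer = [], False
    for line in output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
        elif in_answer:
            m = re.search(r"(?:Address(?:es)?:)?\s*([0-9a-fA-F.:]+)\s*$", line)
            if m:
                addrs.append(m.group(1))
    return addrs

def parse_ttl(output):
    """Seconds left in the intermediary cache, from the 'ttl = N' line of -debug output."""
    m = re.search(r"\bttl\s*=\s*(\d+)", output, re.IGNORECASE)
    return int(m.group(1)) if m else None

def diagnose(domain, expected_ip, run=run_nslookup):
    """Name the first layer whose answer differs from the IP you expect the domain to have."""
    ns = parse_nameservers(run(["-type=ns", domain]))
    if not ns:  # NXDOMAIN or a failed lookup: there is no NS server to query directly
        return {"layer": "no nameserver found", "ns": None}
    auth = parse_addresses(run([domain, ns[0]]))  # NS server last: bypasses the cache
    cache = parse_addresses(run([domain]))        # default mode: the ISP's resolver
    ttl = parse_ttl(run(["-debug", domain]))
    layer = ("authoritative" if expected_ip not in auth             # fix at your DNS host
             else "intermediary cache" if expected_ip not in cache  # wait for ttl -> 0
             else "local cache")                                    # close browser, flush OS
    return {"layer": layer, "ns": ns[0], "authoritative": auth, "cache": cache, "ttl": ttl}

# Constructed nslookup transcripts (RFC 5737 example addresses), not real captures.
SAMPLE = {
    ("-type=ns", "example.com"): "Server:\t192.0.2.1\nAddress:\t192.0.2.1#53\n\nexample.com\tnameserver = ns1.example.net.\n",
    ("example.com", "ns1.example.net"): "Server:\tns1.example.net\nAddress:\t203.0.113.53#53\n\nName:\texample.com\nAddress: 203.0.113.10\n",
    ("example.com",): "Server:\t192.0.2.1\nAddress:\t192.0.2.1#53\n\nNon-authoritative answer:\nName:\texample.com\nAddress: 203.0.113.9\n",
    ("-debug", "example.com"): "    ANSWERS:\n    ->  example.com\n\tinternet address = 203.0.113.9\n\tttl = 1800\n",
}
def sample_runner(args):
    return SAMPLE.get(tuple(args), "** server can't find example.com: NXDOMAIN\n")
```

With the constructed transcripts, `diagnose("example.com", "203.0.113.10", run=sample_runner)` reports the intermediary cache (it still holds the old 203.0.113.9) with 1800 seconds of TTL left; against a real domain, drop the `run=` argument.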


With some additional knowledge of how the DNS intermediary cache works, and a strategy for using nslookup to inspect DNS servers, you have the understanding and tools to diagnose and fix the majority of DNS issues.

To bring this all together visually, we've put together a chart that illustrates both how DNS operates between your computer, intermediary caches, and your authoritative NS server, and how to diagnose and correct problems at each of these layers.
