Debugging & Troubleshooting

Step-by-Step DNS Troubleshooting with dig and nslookup

A systematic approach to debugging DNS problems — resolution failures, propagation delays, NXDOMAIN errors, and DNSSEC issues.

DNS Debugging Toolkit

Two essential tools:

  • dig — The gold standard for DNS debugging (Linux/macOS)
  • nslookup — Simpler alternative, available on Windows

Step 1: Check Basic Resolution

# Resolve a domain
dig example.com A

# Short output
dig example.com +short

# nslookup equivalent
nslookup example.com

If you see NXDOMAIN, the domain doesn't exist in DNS. If you see SERVFAIL, the resolver encountered an error.

Step 2: Query Specific Resolvers

Your local resolver may be serving a stale cached answer. Compare it against public resolvers, then query an authoritative nameserver directly (its answer comes straight from the zone, not from a cache):

# Query Google DNS
dig @8.8.8.8 example.com A

# Query Cloudflare DNS
dig @1.1.1.1 example.com A

# Query authoritative nameserver directly
dig @ns1.example.com example.com A

Step 3: Trace the Resolution Path

# Follow delegation from root servers
dig example.com +trace

This shows every step of the resolution process: root servers, TLD servers, and authoritative nameservers. Look for where the chain breaks.

Step 4: Check Record Types

dig example.com A         # IPv4 address
dig example.com AAAA      # IPv6 address
dig example.com CNAME     # Canonical name
dig example.com MX        # Mail servers
dig example.com TXT       # Text records (SPF, DKIM, etc.)
dig example.com NS        # Nameservers
dig example.com SOA       # Start of authority

Common Issues

Propagation Delay

After a DNS change, old records may be cached. Check the TTL value:

dig example.com A | grep -A1 'ANSWER SECTION'
# The number after the domain name is the TTL in seconds

Lower TTL before making changes (e.g., set to 300 seconds = 5 minutes). Wait for the old TTL to expire, then make the change.

CNAME at Zone Apex

You cannot have a CNAME record at the zone apex (bare domain). Use an ALIAS or ANAME record if your DNS provider supports it, or use A records.

Incorrect Nameserver Delegation

The NS records the registrar published in the parent zone don't match the nameservers actually serving the zone:

# Check registrar NS records
dig example.com NS +trace | grep NS

DNSSEC Validation Failure

# Check DNSSEC status
dig example.com +dnssec
# Look for the 'ad' flag (authenticated data) in the header. Only a validating
# resolver sets it, so its absence means "not validated here", not "zone unsigned"

Quick Reference

Symptom          Likely Cause                      Command
NXDOMAIN         Domain not registered / typo      `dig +trace`
SERVFAIL         DNSSEC failure / resolver issue   `dig @8.8.8.8`
Old IP showing   DNS cache / high TTL              Check TTL, flush cache
Timeout          Nameserver unreachable            `dig +trace`
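The checks from Step 1, the Propagation Delay section and the DNSSEC section can be applied to saved dig output without re-running the query. The script below is an added example, not part of the original page: it parses the header status, the 'ad' flag and the answer-section TTL from dig output and prints a verdict that follows the Quick Reference table. The two samples are constructed (192.0.2.10 is documentation address space, the RRSIG value is a placeholder).

```shell
# Triage saved dig output offline (e.g. `dig example.com A +dnssec > out.txt`):
# header status, the DNSSEC 'ad' flag and the answer TTL. Samples are constructed.

# Status field of the ';; ->>HEADER<<-' line: NOERROR, NXDOMAIN, SERVFAIL...
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Exit 0 when the flags line has 'ad'. Only a validating resolver sets it.
dig_has_ad() {
    printf '%s\n' "$1" | awk '/^;; flags:/ { sub(/^;; flags: */, ""); sub(/;.*$/, "")
        for (i = 1; i <= NF; i++) if ($i == "ad") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Smallest ANSWER SECTION TTL (how long caches may serve old data), -1 if none.
dig_min_ttl() {
    printf '%s\n' "$1" | awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
        in_ans && NF == 0    { in_ans = 0 }
        in_ans && $3 == "IN" { if (!seen || $2 + 0 < min) { min = $2 + 0; seen = 1 } }
        END { print (seen ? min : -1) }'
}

# One-line verdict following the Quick Reference mapping above.
dig_triage() {
    case "$(dig_status "$1")" in
        NOERROR)  dig_has_ad "$1" && v=validated || v="not validated"
                  echo "NOERROR: min TTL $(dig_min_ttl "$1")s, DNSSEC $v" ;;
        NXDOMAIN) echo "NXDOMAIN: name does not exist, check spelling and delegation (dig +trace)" ;;
        SERVFAIL) echo "SERVFAIL: resolver or DNSSEC error, compare against dig @8.8.8.8" ;;
        *)        echo "no status line: timeout or nameserver unreachable (dig +trace)" ;;
    esac
}

# Constructed sample: validated answer (ad flag set) with a 300 s TTL.
SAMPLE_OK=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
example.com.  300  IN  A      192.0.2.10
example.com.  300  IN  RRSIG  A 13 2 300 20240101000000 20231201000000 12345 example.com. PLACEHOLDER==
EOF
)
# Constructed sample: NXDOMAIN from a non-validating resolver.
SAMPLE_NX=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
EOF
)
dig_triage "$SAMPLE_OK"   # NOERROR: min TTL 300s, DNSSEC validated
dig_triage "$SAMPLE_NX"   # NXDOMAIN: name does not exist, ...
```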
