Chapter 9

Troubleshooting DNS

dig, symptom → cause, reusable checklist.

Learning objectives

  • Use dig and online tools to inspect live DNS
  • Diagnose common failure patterns
  • Build a troubleshooting checklist you can reuse on support calls

Your toolkit

Tool             Command / link                           Use for
dig              dig www.workshopco.ca A +short           Quick A lookup
dig trace        dig +trace workshopco.ca                 Delegation chain (root → TLD → authoritative)
dig specific NS  dig @ns1.example.com www.workshopco.ca   Bypass cache — authoritative answer
Online           DNSChecker.org                           Global propagation view
Online           MXToolbox                                MX / blacklist / SMTP diag

Symptom → likely cause

Site works for you, not client

Stale cache, or the client is using a different resolver than you are. Compare dig from both networks, and compare each against the authoritative server.

Site down everywhere

Wrong A record, expired domain, or web server down — check authoritative DNS first so you know whether the problem is DNS at all.

Mail stopped after DNS change

MX/SPF (and DKIM/DMARC TXT) records not recreated at the new DNS host. Compare against the old zone export before assuming the mail server is at fault.

SSL error but DNS “correct”

Certificate doesn’t cover hostname, or CNAME points to host without valid cert.

Subdomain NXDOMAIN

No record — wildcard not set and no explicit A/CNAME.

Intermittent wrong content

Resolvers holding a mix of old and new records during propagation, or a load balancer with mixed backends.

Worked example — “www works, apex doesn’t”

  1. dig www.workshopco.ca A +short → returns IP
  2. dig workshopco.ca A +short → empty
  3. Fix: add an A (or ALIAS/ANAME) record at the apex; a CNAME is not allowed at the apex because it would conflict with the SOA and NS records there. Alternatively redirect the apex with the registrar's web forwarding (less ideal for HTTPS, since the forwarding endpoint must present a valid certificate for the apex name)

Lab — break and fix (on paper)

A colleague says “email works but the new booking subdomain shows old site.” Records:

book  CNAME  old-platform.vendor.com.  ; TTL 86400
www   A      203.0.113.50             ; new site
  1. What should book CNAME become?
  2. After fixing, why might some users still see the old booking page for 24 hours?
  3. What TTL strategy would you use before the fix?
Answers
  1. Update to new vendor hostname from the booking provider’s docs.
  2. 86400 TTL on old CNAME — caches hold old target up to 24h.
  3. Lower the TTL to 300 first, wait at least one old TTL (24h) so every cache has expired the 86400 value, then change the target; raise the TTL again once the change is confirmed.

Reusable checklist

  1. Confirm domain registration not expired (WHOIS)
  2. dig NS domain — expected nameservers?
  3. dig @authoritative-ns hostname A — correct IP? (bypasses every cache)
  4. Compare public resolvers (1.1.1.1, 8.8.8.8) against the authoritative answer
  5. For mail: MX, SPF (TXT at the apex), DKIM (TXT at selector._domainkey), DMARC (TXT at _dmarc) in one pass
  6. Test from external network / phone LTE
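The checklist above, the "www works, apex doesn't" worked example and the "works for you, not client" symptom all come down to the same comparison: the authoritative answer versus what two public resolvers return. The script below is an added example, not part of the workshop chapter: it runs checklist steps 2 to 5 with dig for one domain, and the classify function turns the three answer sets into one of the chapter's symptom labels. The label names, the helper function names and the choice of 1.1.1.1 and 8.8.8.8 are this example's own assumptions; it assumes dig is installed and the machine has network access when run with a domain argument.

```shell
#!/bin/sh
# Added example for the DNS troubleshooting checklist (not the chapter's own code).
# Usage: ./dnscheck.sh workshopco.ca [www.workshopco.ca]
# Assumes: dig is installed; resolvers 1.1.1.1 and 8.8.8.8 are reachable.

# classify AUTH R1 R2
#   Each argument is the sorted output of `dig +short` (may be empty).
#   Maps the comparison onto the chapter's symptom table.
classify() {
  auth="$1"; r1="$2"; r2="$3"
  if [ -z "$auth" ]; then
    echo "no-record-at-authoritative"   # NXDOMAIN/NODATA: apex or subdomain simply missing
  elif [ "$auth" = "$r1" ] && [ "$auth" = "$r2" ]; then
    echo "consistent"                   # DNS agrees everywhere; look at web server / cert
  elif [ "$r1" = "$r2" ]; then
    echo "both-resolvers-stale"         # old value still cached; wait out the old TTL
  else
    echo "resolver-mismatch"            # "works for you, not client": propagation in flight
  fi
}

# spf_record TXT_ANSWERS -> prints the SPF string among the TXT answers, or nothing
spf_record() {
  printf '%s\n' "$1" | grep -i '^"v=spf1' || true
}

# dmarc_policy DMARC_TXT -> prints the p= value from a _dmarc TXT record, or nothing
dmarc_policy() {
  printf '%s\n' "$1" | tr -d '"' | tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p' | head -n 1
}

# lookup TYPE NAME [SERVER] -> sorted +short answers (sorted so sets compare as strings)
lookup() {
  if [ -n "${3:-}" ]; then dig +short "$1" "$2" "@$3"; else dig +short "$1" "$2"; fi | sort
}

# checklist DOMAIN [HOST]: steps 2-5 of the reusable checklist (step 1 is WHOIS,
# step 6 is "test from another network"; both are done by hand).
checklist() {
  domain="$1"; host="${2:-$1}"
  echo "== 2. NS for $domain"
  ns="$(lookup NS "$domain")"
  printf '%s\n' "$ns"
  first_ns="$(printf '%s\n' "$ns" | head -n 1)"
  echo "== 3. A for $host at authoritative $first_ns"
  auth="$(lookup A "$host" "$first_ns")"
  printf '%s\n' "$auth"
  echo "== 4. public resolvers"
  r1="$(lookup A "$host" 1.1.1.1)"
  r2="$(lookup A "$host" 8.8.8.8)"
  echo "1.1.1.1: $r1"
  echo "8.8.8.8: $r2"
  echo "verdict: $(classify "$auth" "$r1" "$r2")"
  echo "== 5. mail"
  echo "MX:    $(lookup MX "$domain")"
  echo "SPF:   $(spf_record "$(lookup TXT "$domain")")"
  echo "DMARC: p=$(dmarc_policy "$(lookup TXT "_dmarc.$domain")")"
  echo "DKIM:  needs the selector from the mail provider: dig +short TXT <selector>._domainkey.$domain"
}

if [ $# -ge 1 ]; then
  checklist "$@"
fi
```

The answers are sorted before comparison because dig may return a multi-record answer in a different order from each server; comparing the sorted text avoids a false "mismatch" on round-robin A records. DKIM is left as a printed hint because the selector is not discoverable from the zone alone.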