1. Library
  2. Dns
  3. Troubleshooting

Common DNS Problems and How to Fix Them

Updated 2 hours ago

Your website won't load. Your email stopped working. Everyone's first instinct: blame DNS.

Sometimes they're right. DNS sits at the beginning of every connection—if it fails, nothing else matters. Your servers could be running perfectly, but if users can't translate your domain name into an IP address, they'll never reach those servers.

But DNS also gets blamed for problems it didn't cause. The challenge isn't just fixing DNS issues—it's figuring out whether DNS is actually the problem.

When Domains Won't Resolve at All

The most obvious DNS failure: complete resolution failure. Users see "DNS_PROBE_FINISHED_NXDOMAIN" or "Server not found." The domain simply doesn't exist as far as their computer is concerned.

This happens when:

  • The domain registration expired (more common than you'd think)
  • Nameserver records point to servers that no longer exist
  • Zone files contain syntax errors that break everything
  • Nameserver changes are mid-propagation

Start with the obvious: is the domain actually registered? Check your registrar's control panel. A domain in "expired" or "pending deletion" status won't resolve no matter what else you do.

Next, verify nameservers. The nameservers listed at your registrar must match your DNS hosting provider's servers. If your registrar points to ns1.olddnsprovider.com but your DNS records live at ns1.newdnsprovider.com, nothing works.

Now query your authoritative nameservers directly:

dig @ns1.yourdnsprovider.com yourdomain.com

This bypasses all caching and shows exactly what your nameservers are serving. If this query succeeds but queries to public DNS fail, you're mid-propagation—wait it out. If it fails here too, the problem is your authoritative servers or zone configuration.

Fixing it: Renew expired domains immediately—expect 24-48 hours for the registry to restore service. For nameserver mismatches, update records at your registrar, not your DNS host. For zone file errors, most providers keep change logs; rollback to your last known-good configuration while you debug.

When DNS Is Slow

Your site loads, but users complain it "takes forever." Sometimes the culprit is slow DNS resolution—every query adds latency before the browser downloads anything.

Measure it:

dig yourdomain.com +stats

The "Query time" value shows resolution time in milliseconds. Under 50ms is good. Over 100ms is worth investigating. Over 500ms is definitely a problem.

Test from different locations using online DNS testing tools. If resolution is fast from New York but slow from Singapore, you have a geographic distribution problem—your nameservers are too far from some users.

CNAME chains also add latency. If www.example.com points to example.com which points to lb.example.com which finally points to an IP address, that's three extra lookups. Each one costs time.

Fixing it: Switch to a globally distributed DNS provider with anycast routing (Cloudflare, AWS Route 53, Google Cloud DNS). Eliminate unnecessary CNAME chains—point directly to A records when possible. Raise TTL values for stable records so they stay cached longer.

When Changes Don't Propagate

You updated a DNS record. Some users see the new value. Others see the old one. This inconsistency can last anywhere from minutes to days.

This isn't a bug—it's how DNS caching works. Every DNS record has a TTL (Time To Live) that tells resolvers how long to cache it. When you change a record, resolvers holding the old value keep using it until their cache expires.

Here's what catches people: the previous TTL determines propagation time, not the new one.

If your A record had a TTL of 86400 seconds (24 hours) before you changed it, you wait up to 24 hours for all caches to expire. Changing the TTL to 300 (5 minutes) doesn't help—resolvers that already cached the old record will hold it for the remaining time of the old TTL.

Check what different resolvers currently see:

dig @8.8.8.8 yourdomain.com      # Google
dig @1.1.1.1 yourdomain.com      # Cloudflare
dig @208.67.222.222 yourdomain.com  # OpenDNS

Inconsistent responses mean propagation is ongoing.

Fixing it: Plan ahead. Lower TTLs to 300 seconds at least 24-48 hours before making critical changes. After the change propagates, raise them back to reduce query load.

For server migrations, keep both old and new servers running during the propagation window. Users will reach one or the other—as long as both work, nobody notices the transition.

When Records Are Wrong

Misconfigured records create symptoms from obvious (site completely broken) to subtle (email occasionally bounces, SSL warnings appear randomly).

Common mistakes:

MX records pointing to nothing. MX records must point to hostnames, not IP addresses. And those hostnames need their own A records. If your MX points to mail.example.com but there's no A record for mail.example.com, email delivery fails.

CNAME at the zone apex. You cannot make your bare domain (example.com) a CNAME—it violates DNS specifications and breaks in unpredictable ways. Use A/AAAA records, or provider-specific features like ALIAS or ANAME records.

Missing or malformed TXT records. SPF, DKIM, and domain verification records have complex syntax. A single misplaced character breaks them.

Stale records after migrations. A records still pointing to old server IPs after you've moved.

Query each record type individually:

dig yourdomain.com A      # IPv4 addresses
dig yourdomain.com AAAA   # IPv6 addresses  
dig yourdomain.com MX     # Mail servers
dig yourdomain.com TXT    # SPF, DKIM, verification
dig yourdomain.com NS     # Nameservers

Watch for trailing dots in zone files. example.com. (with dot) and example.com (without) mean different things. This trips up manual zone file edits constantly.

Fixing it: Document your DNS architecture. Write down what records exist, what they point to, and why. This prevents confusion during troubleshooting and helps team members understand dependencies.

When It's Not DNS at All

DNS gets blamed for many problems it didn't cause. Before diving deep into DNS troubleshooting, prove that DNS is actually the culprit.

The definitive test:

ping yourdomain.com
ping 203.0.113.1    # your server's IP address

If the domain ping fails with "unknown host" but the IP ping works, you have a DNS problem.

If both fail, DNS is innocent. Your problem is network connectivity, firewall rules, or the server being offline.

If the domain ping works (meaning DNS resolved correctly), but your website still doesn't load, DNS is also innocent. The resolution succeeded—something else failed. Check:

  • Firewall rules blocking HTTP/HTTPS traffic
  • Web server not configured for that domain name
  • SSL certificate not covering the requested domain
  • Application errors after successful connection
  • Network routing problems between client and server

You can also test by putting the IP address directly in your browser. If the site loads via IP but not via domain, DNS is the problem. If neither works, look elsewhere.

The Troubleshooting Mindset

DNS problems are detective work. The symptoms—site won't load, email bounces, intermittent failures—don't tell you the cause. You follow the chain:

Is the domain registered? → Are nameservers correct? → Is the zone loading? → Are records correct? → Is caching involved? → Is it even DNS?

Each question narrows the possibilities. Most DNS troubleshooting is actually about proving DNS innocent so you can focus on the real problem.

The tools are simple: dig, nslookup, and your registrar's control panel. The skill is knowing which questions to ask in which order.

Frequently Asked Questions About DNS Problems

Was this page helpful?

😔
🤨
😃