DNS troubleshooting is detective work. Something asked a question and didn't get an answer. Your job is to follow the query's path and find where it died.
The path has several links: your machine → your configured resolver → recursive resolvers → authoritative nameservers. A break anywhere kills the whole chain. Test each link in order.
Step 1: Is Your Network Even Working?
DNS runs over the network. No network, no DNS. Rule this out first.
If these connectivity checks fail, stop. You have a network problem, not a DNS problem. Check your cables, Wi-Fi, and IP configuration.
If pings work, continue.
Step 2: Is Your Configured Resolver Responding?
Your system has a default DNS resolver. Find it and test it.
A working resolver returns an answer in milliseconds. A broken one times out or returns SERVFAIL.
If your resolver fails: Try public resolvers (Step 3). If your resolver works but specific domains fail: Skip to Step 5.
Step 3: Do Public Resolvers Work?
Test whether the problem is your resolver specifically or all DNS from your location.
Public resolvers work, yours doesn't: Your resolver is broken. Use public DNS or contact your network admin.
Nothing works: Something is blocking DNS traffic. Continue to Step 4.
Everything fails for one specific domain: The domain itself has problems. Skip to Step 5.
Step 4: Is Someone Blocking Your DNS?
Some networks intercept or block DNS queries. Corporate networks, hotels, and some ISPs do this.
The whoami.akamai.net query is clever: it answers with the source IP address of the resolver that actually reached Akamai's authoritative server. If you queried Google but Akamai sees your ISP's resolver IP, your DNS traffic is being intercepted and redirected to a different server.
If DNS is blocked or redirected: You're hitting network policy. Options: DNS over HTTPS (DoH), DNS over TLS (DoT), or talk to your network administrator.
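Steps 1 through 4 as a single script, added here as an example and not code from the original article. It assumes `ping` and `dig` are installed, uses 1.1.1.1 (Cloudflare) and 8.8.8.8 (Google) as the public resolvers and example.com as a name that should always resolve (all three are my choices, not the article's), and reads the configured resolver from /etc/resolv.conf. The two pure helpers, `first_nameserver` and `interception_suspected`, run offline on constructed input; the live checks run only when the script is invoked with the argument `live`.

```shell
#!/bin/sh
# Steps 1-4 of the DNS troubleshooting walk as a script (added example, not from
# the article). Live checks need ping, dig and a network; the two helper
# functions are exercised offline on constructed input at the bottom.

PUBLIC_RESOLVERS="8.8.8.8 1.1.1.1"      # assumed: Google and Cloudflare public resolvers
TEST_NAME="${TEST_NAME:-example.com}"    # assumed: a name that should always resolve

# Step 2 helper: first nameserver in resolv.conf-style text read from stdin.
# Caveat: 127.0.0.53 (systemd-resolved) or 127.0.0.1 is a local stub; the real
# upstream is shown by `resolvectl status` or the stub's own configuration.
first_nameserver() {
  awk '$1 == "nameserver" { print $2; exit }'
}

# Step 4 helper: whoami.akamai.net answers with the address of the resolver that
# reached Akamai. Two independent public resolvers egress from different address
# ranges, so identical answers mean one interposed box answered both queries.
interception_suspected() {
  # $1, $2: whoami answers obtained via two different public resolvers
  [ -n "$1" ] && [ "$1" = "$2" ]
}

whoami_via() {
  # $1: resolver IP. Prints the address Akamai saw, or nothing on failure.
  dig +short +time=2 +tries=1 @"$1" whoami.akamai.net A 2>/dev/null | head -n 1
}

run_live() {
  # Step 1: basic reachability (ICMP may be filtered; -W is the Linux ping timeout flag).
  if ! ping -c 1 -W 2 1.1.1.1 >/dev/null 2>&1; then
    echo "Step 1: cannot reach 1.1.1.1 - fix the network first"; return 1
  fi
  # Step 2: the configured resolver
  resolver=$(first_nameserver </etc/resolv.conf)
  echo "Step 2: configured resolver is ${resolver:-unknown}"
  if dig +short +time=2 +tries=1 @"$resolver" "$TEST_NAME" A 2>/dev/null | grep -q .; then
    echo "  resolver answers for $TEST_NAME"
  else
    # Step 3: public resolvers
    echo "  resolver failed for $TEST_NAME - trying public resolvers"
    for r in $PUBLIC_RESOLVERS; do
      if dig +short +time=2 +tries=1 @"$r" "$TEST_NAME" A 2>/dev/null | grep -q .; then
        echo "  $r answers - your configured resolver is the problem"
      else
        echo "  $r failed - DNS may be blocked on this network"
      fi
    done
  fi
  # Step 4: interception check
  a=$(whoami_via 8.8.8.8); b=$(whoami_via 1.1.1.1)
  echo "Step 4: Akamai saw '$a' via 8.8.8.8 and '$b' via 1.1.1.1"
  if interception_suspected "$a" "$b"; then
    echo "  identical answers - DNS is likely being intercepted on this network"
  fi
}

# Offline demonstration on constructed data (no network needed).
RESOLV_CONF='# constructed sample resolv.conf
search corp.example
nameserver 10.0.0.53
nameserver 10.0.1.53'
printf 'configured resolver: %s\n' "$(printf '%s\n' "$RESOLV_CONF" | first_nameserver)"
if interception_suspected 203.0.113.9 203.0.113.9; then
  echo "constructed case: same egress seen via both resolvers - interception suspected"
fi

# Live checks only on request, since they need dig, ping and a network.
if [ "${1:-}" = live ] && command -v dig >/dev/null 2>&1; then
  run_live
fi
```

Run it as `sh dnscheck.sh live` to walk the four steps against the real network; without arguments it only shows the helpers on the constructed input.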
Step 5: Is the Domain's Nameserver Working?
When general DNS works but one domain fails, the problem is usually with that domain's authoritative nameservers.
What the responses mean:
- NXDOMAIN: The domain doesn't exist. Typo? Expired registration? It's simply not there.
- SERVFAIL: The nameserver broke trying to answer. Often caused by misconfigured DNSSEC or circular dependencies.
- Timeout: The nameserver is unreachable or down. The domain operator has a problem.
- NOERROR with empty answer: The domain exists but doesn't have the record type you asked for (maybe no AAAA record for IPv6).
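The following script, added here as an example rather than taken from the article, does Step 5 end to end: it asks a public resolver (1.1.1.1, my choice) for the domain's NS set, queries each authoritative server directly with recursion disabled, and classifies the raw `dig` output into the four outcomes listed above. The classifier is exercised offline on constructed, abridged `dig` headers; the live path runs only when a domain is passed on the command line.

```shell
#!/bin/sh
# Step 5: query a domain's authoritative nameservers directly and classify each
# response (added example, not from the article). The classifier is exercised
# offline on constructed dig output; live queries need dig and a network.

# Classify raw `dig` output into the categories described in Step 5.
classify_dig() {
  out=$1
  case $out in
    *"connection timed out"*|*"no servers could be reached"*) echo TIMEOUT; return ;;
  esac
  # ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345"
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  # ";; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1"
  answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
  case $status in
    "")      echo UNKNOWN ;;                                  # no header parsed
    NOERROR) [ "${answers:-0}" -gt 0 ] && echo OK || echo NODATA ;;
    *)       echo "$status" ;;                                # NXDOMAIN, SERVFAIL, REFUSED, ...
  esac
}

# What each category means for the operator.
explain() {
  case $1 in
    NXDOMAIN) echo "name does not exist at this server (typo? expired registration?)" ;;
    SERVFAIL) echo "server failed while answering (DNSSEC misconfiguration or dependency loop?)" ;;
    TIMEOUT)  echo "server unreachable or down" ;;
    NODATA)   echo "name exists but has no record of this type" ;;
    OK)       echo "answered" ;;
    *)        echo "unexpected status $1" ;;
  esac
}

# Live: fetch the NS set via a public resolver, then ask every nameserver
# individually with recursion disabled so each one must answer for itself.
check_authoritative() {
  domain=$1; rtype=${2:-A}
  for ns in $(dig +short +time=2 +tries=1 @1.1.1.1 "$domain" NS); do
    out=$(dig +norecurse +time=2 +tries=1 @"$ns" "$domain" "$rtype" 2>&1)
    cls=$(classify_dig "$out")
    printf '%-30s %-9s %s\n' "$ns" "$cls" "$(explain "$cls")"
  done
}

# Constructed, abridged dig outputs; not captured from any real server.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.test.	300	IN	A	192.0.2.10'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12348
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

for s in "$SAMPLE_NXDOMAIN" "$SAMPLE_NODATA" "$SAMPLE_OK" "$SAMPLE_SERVFAIL" "$SAMPLE_TIMEOUT"; do
  cls=$(classify_dig "$s"); printf '%-9s %s\n' "$cls" "$(explain "$cls")"
done

# Live check only when a domain is given: sh authcheck.sh example.com [TYPE]
if [ -n "${1:-}" ] && command -v dig >/dev/null 2>&1; then
  check_authoritative "$1" "${2:-A}"
fi
```

Querying each nameserver separately with `+norecurse` is what exposes a single bad server in an otherwise healthy NS set; a recursive resolver would silently retry another server and hide it.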
Step 6: Is It Just Cached Stale Data?
DNS caches aggressively. If records changed recently, old data might still be circulating.
If authoritative servers return new data but your resolver returns old data, wait. Caches expire. Check the TTL on the cached answer: it is the number of seconds the resolver may keep serving that record before it must fetch a fresh copy.
Common Patterns
Intermittent failures: Some nameservers in a load-balanced set are broken. Query each one individually to find the bad actor.
Works externally, fails locally: Check /etc/hosts for overrides. Check corporate DNS policies. Something local is interfering.
DNSSEC failures: Validating resolvers return SERVFAIL when signatures don't check out. Test with validation disabled:
If this works but normal queries don't, the domain has broken DNSSEC.
Failure persists after fix: Negative responses get cached too. Even after fixing the root cause, resolvers remember "this didn't exist" for a while. Flush caches or wait.
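For Step 6 and the DNSSEC and negative-caching patterns just described, here is a script I added as an example (not code from the article). It compares what your resolver serves against what each authoritative server serves, reports the remaining TTL on the cached answer, and retries a failing name with `dig +cd` (the checking-disabled bit, which turns off DNSSEC validation for that query). It assumes `dig`, uses 1.1.1.1 to find the zone's NS set, and takes the name, record type, zone and your resolver IP as arguments; the parsing helpers are exercised offline on constructed answer lines.

```shell
#!/bin/sh
# Step 6 plus the DNSSEC and negative-caching patterns (added example, not from
# the article). Helpers work on `dig +noall +answer` lines ("name TTL IN TYPE rdata")
# and are exercised offline on constructed input; live checks need dig and a network.

# Sorted rdata of an answer, one record per line (joins multi-field rdata such as MX).
rdata_set() {
  awk 'NF >= 5 { s = $5; for (i = 6; i <= NF; i++) s = s " " $i; print s }' | sort
}

# Smallest TTL in the answer: seconds until the resolver must refetch it.
min_ttl() {
  awk 'NF >= 5 { if (min == "" || $2 + 0 < min) min = $2 + 0 } END { if (min != "") print min }'
}

# The resolver is stale when its rdata set differs from the authoritative one.
is_stale() {
  # $1: resolver answer lines, $2: authoritative answer lines
  [ "$(printf '%s\n' "$1" | rdata_set)" != "$(printf '%s\n' "$2" | rdata_set)" ]
}

# DNSSEC pattern: no answer from a validating resolver, but an answer once the
# CD bit disables validation, points at broken signatures in the zone.
dnssec_broken() {
  # $1: resolver IP, $2: name, $3: type
  normal=$(dig +short +time=2 +tries=1 @"$1" "$2" "$3" 2>/dev/null)
  cd=$(dig +short +cd +time=2 +tries=1 @"$1" "$2" "$3" 2>/dev/null)
  [ -z "$normal" ] && [ -n "$cd" ]
}

check_cache() {
  # $1: name, $2: type, $3: zone the name lives in, $4: your resolver IP
  name=$1; rtype=$2; zone=$3; resolver=$4
  local_ans=$(dig +noall +answer +time=2 +tries=1 @"$resolver" "$name" "$rtype")
  echo "resolver $resolver: ${local_ans:+ttl=$(printf '%s\n' "$local_ans" | min_ttl)s}${local_ans:-no answer (a negative answer may be cached too)}"
  for ns in $(dig +short +time=2 +tries=1 @1.1.1.1 "$zone" NS); do
    auth_ans=$(dig +noall +answer +norecurse +time=2 +tries=1 @"$ns" "$name" "$rtype")
    if is_stale "$local_ans" "$auth_ans"; then
      echo "$ns differs from your resolver - cached data; wait out the TTL or flush the cache"
    else
      echo "$ns matches your resolver"
    fi
  done
}

# Constructed answer lines (not real lookups): the resolver still serves the old address.
CACHED='www.example.test.	87	IN	A	192.0.2.10'
AUTHORITATIVE='www.example.test.	300	IN	A	192.0.2.20
www.example.test.	300	IN	A	192.0.2.21'
if is_stale "$CACHED" "$AUTHORITATIVE"; then
  echo "constructed case: resolver is stale, $(printf '%s\n' "$CACHED" | min_ttl)s until it refetches"
fi

# Live: sh cachecheck.sh www.example.test A example.test 10.0.0.53
if [ $# -ge 4 ] && command -v dig >/dev/null 2>&1; then
  check_cache "$1" "$2" "$3" "$4"
  if dnssec_broken "$4" "$1" "$2"; then
    echo "DNSSEC: answer only with +cd - the zone's signatures are broken"
  fi
fi
```

The stale check compares rdata sets rather than raw lines because TTLs differ between a cached answer and an authoritative one by design, and record order carries no meaning.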
The Diagnostic Decision Tree
- Network working? → No → Fix network first
- Configured resolver responding? → No → Try public resolvers
- Public resolvers working? → No → Check for DNS blocking
- Specific domain failing? → Yes → Query authoritative servers directly
- Recent DNS changes? → Yes → Check caching and propagation
Most DNS failures land in one of four buckets: network is broken, resolver is broken, authoritative server is broken, or someone is blocking DNS. Follow the path, test each link, find where the query died.