DNS Troubleshooting Commands (dig, nslookup, host)

When websites won't load or email disappears into the void, DNS problems are often the culprit. Fortunately, you don't need to be a networking expert to diagnose DNS issues - just a few powerful command-line tools and the knowledge of how to use them.
In this topic on DNS servers, we'll explore the three most important DNS troubleshooting tools: dig, nslookup, and host. Each has its strengths, and together they form a complete toolkit for diagnosing DNS problems.
1. Introduction to DNS Troubleshooting
Why DNS Fails
DNS failures can happen for many reasons:
- Typos in domain names
- Incorrect DNS records
- Server downtime
- Network connectivity issues
- Cached bad information
- Firewall blocking DNS traffic
- DNSSEC validation failures
- Configuration errors
- Propagation delays
How to Diagnose
Good DNS troubleshooting follows a logical path:
- Check if the problem is local to your computer
- Verify the domain name is correct
- Test DNS resolution step by step
- Check specific DNS servers if needed
- Clear caches and test again
- Examine network connectivity
- Review firewall and security settings
Troubleshooting Mindset
Approach DNS troubleshooting systematically:
- Start simple and increase complexity
- Eliminate possibilities one by one
- Document findings at each step
- Test changes incrementally
- Verify fixes work from multiple locations
2. Comprehensive Guide to Using dig
Dig (Domain Information Groper) is the most powerful DNS troubleshooting tool. It provides detailed information about DNS lookups.
Basic Queries
Simple domain lookup:
dig example.com
Specify record type:
dig example.com MX
dig example.com TXT
dig example.com AAAA
dig example.com CNAME
Query specific DNS server:
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com
Understanding dig Output
A typical dig response has five sections:
- Header: Technical information about the query
- QUESTION SECTION: What you asked for
- ANSWER SECTION: The actual DNS records
- AUTHORITY SECTION: Authoritative nameservers
- ADDITIONAL SECTION: Additional information (like IP addresses of nameservers)
Example output breakdown:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 86400 IN A 93.184.216.34
;; AUTHORITY SECTION:
example.com. 86400 IN NS a.iana-servers.net.
example.com. 86400 IN NS b.iana-servers.net.
;; ADDITIONAL SECTION:
a.iana-servers.net. 86400 IN A 199.43.135.53
b.iana-servers.net. 86400 IN A 199.43.132.53
Trace Mode
Trace the entire DNS lookup process:
dig +trace example.com
This shows each step as the query moves from root servers to your final answer, helping identify exactly where problems occur.
Advanced trace options:
dig +trace +nodnssec example.com
dig +trace +short example.com
Query Specific Servers
Test your authoritative nameservers:
dig @ns1.example.com example.com
Compare responses from different servers to spot inconsistencies:
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com
dig @ns1.example.com example.com
Advanced dig Options
Short output (just the answer):
dig +short example.com
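All record types (many servers now answer ANY queries with a minimal response, per RFC 8482, so query the specific types when the result looks incomplete):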
dig example.com ANY
Reverse DNS lookup:
dig -x 93.184.216.34
Disable recursion:
dig +norecurse example.com
Show query times:
dig +noall +stats example.com
Debugging with dig
Verbose output for detailed analysis (+qr also prints the query as it was sent):
dig +qr example.com
Show DNSSEC information:
dig +dnssec example.com
Check EDNS support:
dig +edns=0 example.com
3. Mastering nslookup
Nslookup is simpler than dig but still very useful, especially on Windows systems.
Interactive Mode
Launch interactive mode:
nslookup
Then type domain names to look up:
> example.com
> set type=MX
> example.com
> server 8.8.8.8
> example.com
> exit
Interactive mode commands:
- server <IP>: Change DNS server
- set type=<record_type>: Set record type
- set debug: Enable debug mode
- set recurse: Toggle recursion
Non-Interactive Mode
Quick queries without entering interactive mode:
nslookup example.com
nslookup -type=MX example.com
nslookup -type=TXT example.com
Specify DNS server:
nslookup example.com 8.8.8.8
Advanced nslookup Features
Debug mode for detailed information:
nslookup -debug example.com
Query class (for non-Internet classes such as CHAOS; version.bind is a TXT record, so set the type as well):
nslookup -class=CHAOS -type=TXT version.bind ns1.example.com
Port specification:
nslookup -port=5353 example.com
4. Using host Command Effectively
Host is the simplest DNS troubleshooting tool, perfect for quick checks.
Quick Lookups
Basic lookup:
host example.com
Specific record type:
host -t MX example.com
host -t TXT example.com
host -t AAAA example.com
host -t CNAME example.com
Reverse lookup:
host 93.184.216.34
Advanced host Options
Verbose output:
host -v example.com
Specify DNS server:
host example.com 8.8.8.8
Send the query over IPv6 transport:
host -6 example.com
All records:
host -a example.com
5. Cross-Platform DNS Troubleshooting
Windows-Specific Tools
Windows has additional DNS troubleshooting tools:
# Flush DNS cache
ipconfig /flushdns
# Display DNS cache
ipconfig /displaydns
# Renew DHCP lease
ipconfig /renew
# Release DHCP lease
ipconfig /release
macOS-Specific Commands
macOS DNS cache management:
# Flush DNS cache (varies by version)
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
# View DNS configuration
scutil --dns
Linux DNS Tools
Linux DNS troubleshooting:
# Flush DNS cache (systemd-resolved; older releases use: sudo systemd-resolve --flush-caches)
sudo resolvectl flush-caches
# View DNS configuration
cat /etc/resolv.conf
# Check systemd-resolved status (older releases use: systemd-resolve --status)
resolvectl status
6. Real Troubleshooting Examples
Domain Not Resolving
When a website won't load:
- Check basic connectivity:
ping example.com
- Test DNS resolution:
dig example.com
host example.com
nslookup example.com
- If that fails, try a different DNS server:
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com
- If the external server works but yours doesn't, the problem is local.
- Check local DNS configuration:
cat /etc/resolv.conf # Linux/macOS
ipconfig /all # Windows
Wrong IP Returned
When you get sent to the wrong place:
- Check what IP you're getting:
dig example.com
- Verify with the authoritative server:
dig @ns1.example.com example.com
- If they differ, you may have cached bad information.
- Clear DNS cache and test again:
# Clear cache (platform-specific)
dig example.com # Test after clearing
MX Lookup Failures
When email won't send:
- Check MX records:
dig example.com MX
host -t MX example.com
- Verify the mail servers resolve:
dig mail.example.com
- Test connectivity to mail server ports:
telnet mail.example.com 25
nc -zv mail.example.com 25
- Check for SPF/DKIM/DMARC issues:
dig example.com TXT
Intermittent DNS Issues
For sporadic resolution problems:
- Monitor continuously:
watch -n 5 'dig example.com'
- Test from multiple locations:
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com
- Check network connectivity:
traceroute ns1.example.com
mtr example.com
7. Advanced Troubleshooting Techniques
Checking DNS Cache
Clear your local DNS cache:
# Windows
ipconfig /flushdns
# macOS
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
# Linux (Ubuntu/Debian with systemd-resolved; older releases use: sudo systemd-resolve --flush-caches)
sudo resolvectl flush-caches
# Linux (older systems)
sudo /etc/init.d/nscd restart
Monitoring DNS Traffic
Watch DNS queries in real-time:
sudo tcpdump -i any port 53
sudo tcpdump -i eth0 port 53 and host example.com
Show only queries, not responses (the filter tests the QR bit in the DNS flags field):
sudo tcpdump -i any 'udp port 53 and udp[10:2] & 0x8000 = 0'
Testing DNSSEC
Check if DNSSEC is working:
dig +dnssec example.com
dig +multiline example.com
Verify DNSSEC signatures (dig's +sigchase option has been removed from current BIND releases; delv, shipped with BIND, performs the validation):
delv example.com
Performance Testing
Measure DNS resolution times:
dig example.com | grep "Query time"
Benchmark multiple DNS servers:
for server in 8.8.8.8 1.1.1.1 9.9.9.9; do
    echo "Testing $server:"
    dig "@$server" example.com | grep "Query time"
done
Zone Transfer Testing
Test zone transfer capabilities (authorized servers only):
dig axfr @ns1.example.com example.com
Check for incremental zone transfers:
dig ixfr=0 @ns1.example.com example.com
8. Security and Validation Testing
DNS Spoofing Detection
Check for spoofed or poisoned answers by comparing what different resolvers return for the same name:
dig +short example.com
# Compare results from multiple sources
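The comparison described here, and in the "Wrong IP Returned" steps earlier, can be scripted. This is an added example, not code from the original page: the function names collect, flag_outliers and sample_answers are hypothetical, and the sample addresses are constructed so the demo runs offline.

```shell
#!/bin/bash
# Added example. Server names and addresses in sample_answers are constructed.

# collect NAME SERVER...: print "server address" for each A record a server returns.
collect() {
    local name=$1 s
    shift
    for s in "$@"; do
        dig +short +time=2 +tries=1 "@$s" "$name" A |
            grep -E '^[0-9]+(\.[0-9]+){3}$' | sed "s/^/$s /"
    done
}

# flag_outliers AUTH: read "server address" lines on stdin and compare each
# server's address set with the set from the authoritative server AUTH.
# Exit status: 0 all match, 1 at least one mismatch, 2 no answer from AUTH.
flag_outliers() {
    LC_ALL=C sort -u | awk -v auth="$1" '
        NF < 2       { next }
        !($1 in set) { order[++n] = $1; set[$1] = $2; next }
                     { set[$1] = set[$1] "," $2 }
        END {
            if (!(auth in set)) { print "ERROR no answer from " auth; exit 2 }
            for (i = 1; i <= n; i++) {
                s = order[i]
                if (s == auth) continue
                if (set[s] == set[auth]) print "MATCH " s " " set[s]
                else { print "MISMATCH " s " got=" set[s] " want=" set[auth]; bad = 1 }
            }
            exit bad + 0
        }'
}

sample_answers() {   # constructed data: three resolvers plus the authoritative server
    cat <<'EOF'
ns1.example.com 93.184.216.34
8.8.8.8 93.184.216.34
1.1.1.1 93.184.216.34
192.0.2.53 203.0.113.66
EOF
}

# Offline demo. Live use:
#   collect example.com ns1.example.com 8.8.8.8 1.1.1.1 | flag_outliers ns1.example.com
sample_answers | flag_outliers ns1.example.com || echo "review the MISMATCH lines"
```

A mismatch is a lead rather than proof of poisoning: CDNs and geo-aware DNS legitimately hand different addresses to different resolvers, so confirm against the zone's intended records before acting.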
Firewall and Filtering Testing
Check if DNS queries are being filtered:
# Test standard DNS
dig example.com
# Test DNS over TCP (shows whether only UDP port 53 is being filtered)
dig +tcp example.com
# Test non-standard ports
dig -p 5353 example.com @custom-server
Malware and Blackhole Testing
Check if domains are blocked:
dig malware-domain.com
# Compare with known good domains
9. Automation and Scripting
Batch DNS Testing
Script to test multiple domains:
#!/bin/bash
domains=("example.com" "google.com" "github.com")
for domain in "${domains[@]}"; do
    echo "Testing $domain:"
    dig +short "$domain" | head -1
done
Continuous Monitoring
Monitor DNS resolution continuously:
while true; do
    echo "$(date): $(dig +short example.com)"
    sleep 60
done
Log Analysis Scripts
Parse DNS query logs:
# Count most queried domains (adjust $6 to the field that holds the query name in your log format)
awk '{print $6}' /var/log/named/query.log | sort | uniq -c | sort -nr | head -10
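The position of the query name depends on the logging configuration, so a fixed field number can silently count the wrong column. The following added example (not from the original page) takes the token after "query:" instead; the function names and the log lines are constructed for illustration, in two layouts BIND 9 can produce.

```shell
#!/bin/bash
# Added example. The log lines below are constructed, not taken from a real server.

sample_query_log() {
    cat <<'EOF'
05-Mar-2024 10:00:01.120 client 192.0.2.10#53124: query: example.com IN A +
05-Mar-2024 10:00:02.334 queries: info: client @0x7f5c4c0a8e10 192.0.2.11#40112 (Example.COM): query: Example.COM IN AAAA +E(0)K (192.0.2.53)
05-Mar-2024 10:00:03.001 queries: info: client @0x7f5c4c0a8e10 192.0.2.11#40113 (mail.example.com): query: mail.example.com IN MX +E(0) (192.0.2.53)
05-Mar-2024 10:00:04.870 client 192.0.2.10#53125: query: example.com IN A +
05-Mar-2024 10:00:05.000 general: info: zone example.com/IN: loaded serial 2024030501
EOF
}

# top_queried [N]: read query-log lines on stdin and print "count name" for the
# N most queried names (default 10). Names are lower-cased and a trailing dot
# is dropped so that Example.COM and example.com. count as one name.
top_queried() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "query:") {
                name = tolower($(i + 1)); sub(/\.$/, "", name)
                print name; break
            }
    }' | LC_ALL=C sort | uniq -c | LC_ALL=C sort -k1,1nr -k2,2 |
        head -n "${1:-10}" | awk '{ print $1, $2 }'
}

# Offline demo. Live use: top_queried 10 < /var/log/named/query.log
sample_query_log | top_queried 5
```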
10. Troubleshooting Checklist
Systematic Approach
When troubleshooting DNS issues, follow this checklist:
- Verify the problem
  - Can you reproduce the issue?
  - Is it happening to everyone or just you?
- Check basic connectivity
  - Is the network working?
  - Can you ping other domains?
- Test local DNS resolution
  - Use dig, host, or nslookup
  - Check what IP address is returned
- Test external DNS servers
  - Try Google DNS (8.8.8.8)
  - Try Cloudflare DNS (1.1.1.1)
- Clear DNS cache
  - Flush local DNS cache
  - Test again after clearing
- Check authoritative servers
  - Query nameservers directly
  - Compare responses
- Examine network configuration
  - Check resolv.conf or network settings
  - Verify firewall rules
- Review recent changes
  - Any DNS record modifications?
  - Any network configuration changes?
Common Error Messages
Understanding DNS error responses:
- NXDOMAIN: Domain doesn't exist
- SERVFAIL: Server failure
- REFUSED: Query refused
- NOERROR: No error; when the answer section is empty, the name exists but has no data of the requested type
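A monitoring script usually needs these statuses as a single verdict, including the NOERROR case with an empty answer section. The following added example (not from the original page) parses dig output in the layout shown in the "Understanding dig Output" section; dig_verdict and the three sample responses are constructed for illustration.

```shell
#!/bin/bash
# Added example. The three responses are constructed, in the layout dig prints.

sample_ok() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 86400 IN A 93.184.216.34
;; AUTHORITY SECTION:
example.com. 86400 IN NS a.iana-servers.net.
EOF
}

sample_nodata() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2201
;; QUESTION SECTION:
;example.com. IN MX
;; AUTHORITY SECTION:
example.com. 3600 IN SOA ns.example.com. admin.example.com. 1 7200 3600 1209600 3600
EOF
}

sample_nxdomain() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7
;; QUESTION SECTION:
;nope.example.com. IN A
EOF
}

# dig_verdict: read full dig output on stdin and print one verdict:
# "OK <answer count>", NODATA, NORESPONSE, or the status dig reported
# (NXDOMAIN, SERVFAIL, REFUSED, ...).
dig_verdict() {
    awk '
        /->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") status = $(i + 1)
                         sub(/,$/, "", status) }
        /^;; [A-Z]+ SECTION:/ { section = $2; next }
        section == "ANSWER" && NF && !/^;/ { answers++ }
        END {
            if (status == "")             print "NORESPONSE"
            else if (status != "NOERROR") print status
            else if (answers == 0)        print "NODATA"
            else                          print "OK " answers
        }'
}

# Offline demo. Live use: dig example.com MX | dig_verdict
for f in sample_ok sample_nodata sample_nxdomain; do echo "$f: $($f | dig_verdict)"; done
```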
11. Summary & Key Takeaways
Mastering these DNS troubleshooting tools will save you hours of frustration when websites won't load or email goes missing. Here are the essential points to remember:
- dig is most powerful: Provides detailed information and advanced options
- nslookup is interactive: Great for exploring DNS data interactively
- host is simple: Perfect for quick checks and basic troubleshooting
- Systematic approach: Follow a logical troubleshooting methodology
- Cross-platform awareness: Know platform-specific tools and commands
- Security considerations: Understand DNSSEC and security implications
- Automation benefits: Script repetitive troubleshooting tasks
Start with dig for detailed analysis, use nslookup for interactive testing, and rely on host for quick checks. With practice, you'll quickly identify and resolve most DNS problems.
Whether you're a system administrator, developer, or power user, these DNS troubleshooting skills will make you invaluable when network issues arise. Remember to document your findings and share knowledge with your team to build collective expertise.