DNS Issues: dig, nslookup, host
Introduction
DNS (Domain Name System) is the internet's phone book, translating human-readable domain names into IP addresses that computers use to communicate. When DNS fails, websites become unreachable, email stops flowing, and applications break - even though the underlying servers may be functioning perfectly. DNS issues are among the most common yet often misunderstood problems in server administration.
This comprehensive guide provides system administrators with practical command-line tools for diagnosing and resolving DNS problems. You'll master the three primary DNS diagnostic tools - dig, nslookup, and host - learning when and how to use each effectively to troubleshoot DNS resolution issues, verify configurations, and identify the root cause of connectivity problems.
Understanding DNS diagnostics is essential for anyone managing servers, web applications, or network infrastructure. This guide covers everything from basic DNS lookups to advanced troubleshooting techniques for complex DNS scenarios including load balancing, CDNs, and email authentication records.
Understanding DNS Basics
How DNS Works
DNS resolution follows a hierarchical process:
- Local Cache: Check browser/OS cache
- Recursive Resolver: Query configured DNS server (usually ISP or 8.8.8.8)
- Root Servers: Query for TLD (.com, .org, etc.)
- TLD Servers: Query for authoritative nameserver
- Authoritative Server: Return the actual IP address
DNS Record Types
Common DNS record types you'll encounter:
- A: Maps domain to IPv4 address
- AAAA: Maps domain to IPv6 address
- CNAME: Canonical name (alias for another domain)
- MX: Mail exchange servers
- NS: Nameserver records
- TXT: Text records (SPF, DKIM, verification)
- PTR: Reverse DNS (IP to domain)
- SOA: Start of Authority (zone information)
- SRV: Service records
Common DNS Issues
- Resolution Failures: Domain doesn't resolve to any IP
- Incorrect Resolution: Domain resolves to wrong IP
- Propagation Delays: Changes not visible everywhere
- Cache Issues: Old records still being served
- Configuration Errors: Typos or syntax errors in DNS records
- Nameserver Problems: Authoritative servers not responding
- Network Issues: Firewall blocking DNS queries
Initial DNS Assessment
Quick DNS Status Check
# Basic DNS resolution test
ping -c 1 example.com
# Check if DNS is working at all
ping -c 1 google.com
ping -c 1 8.8.8.8
# Current DNS servers
cat /etc/resolv.conf
# Network manager DNS
nmcli dev show | grep DNS
# systemd-resolved status
systemd-resolve --status
resolvectl status
# Test basic resolution
getent hosts example.com
Quick interpretation:
# If ping 8.8.8.8 works but google.com fails
# THEN DNS resolution broken
# If ping google.com works but example.com fails
# THEN problem with specific domain
# If all pings fail
# THEN network connectivity issue (not DNS)
Step 1: Using dig
Basic dig Usage
The dig (Domain Information Groper) command is the most powerful DNS diagnostic tool:
# Install dig (part of dnsutils/bind-utils)
apt install dnsutils # Debian/Ubuntu
yum install bind-utils # CentOS/RHEL
# Basic lookup
dig example.com
# Simplified output (just answer)
dig example.com +short
# Specific record type
dig example.com A
dig example.com AAAA
dig example.com MX
dig example.com NS
dig example.com TXT
# All records for domain (many resolvers and authoritative servers now answer ANY with a minimal HINFO record per RFC 8482, so query the specific types you need instead)
dig example.com ANY
# Query specific DNS server
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com
# Reverse DNS lookup
dig -x 8.8.8.8
dig -x 192.168.1.1
Understanding dig Output
dig example.com
; <<>> DiG 9.16.1-Ubuntu <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 300 IN A 93.184.216.34
;; Query time: 45 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 11 10:30:00 UTC 2026
;; MSG SIZE rcvd: 56
Key sections explained:
- HEADER: Query status (NOERROR = success, NXDOMAIN = doesn't exist)
- QUESTION: What was queried
- ANSWER: The response (TTL, type, value)
- Query time: How long lookup took
- SERVER: Which DNS server answered
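The header status and the answer section are what every later troubleshooting step keys on. As an added example (not code from the original page), the shell functions below parse a saved dig transcript offline and map status plus answer count to the branch to pursue; they go beyond the two statuses listed above to also cover NODATA, SERVFAIL and REFUSED. The sample transcripts are constructed, and their hostnames and ids are made up.

```shell
#!/bin/bash
# Added example: parse a dig transcript offline and decide what it means.
# Each function takes the whole dig output as its first argument:
#   dig_triage "$(dig example.com)"

# rcode from the ";; ->>HEADER<<- ... status: X, id: N" line
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# "name ttl type value" for every record in the ANSWER SECTION only
dig_answers() {
  printf '%s\n' "$1" | awk '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^;;/ || /^$/        { in_ans = 0 }
    in_ans && NF >= 5    { print $1, $2, $4, $5 }'
}

# Milliseconds from ";; Query time: 45 msec"
dig_query_time() {
  printf '%s\n' "$1" | awk '/^;; Query time:/ { print $4 }'
}

dig_triage() {
  status=$(dig_status "$1")
  count=$(dig_answers "$1" | wc -l | tr -d ' ')
  case "$status:$count" in
    NOERROR:0)  echo "NODATA: name exists but has no record of this type" ;;
    NOERROR:*)  echo "OK: $count answer(s), $(dig_query_time "$1") ms" ;;
    NXDOMAIN:*) echo "NXDOMAIN: name does not exist (typo, expired, or wrong zone)" ;;
    SERVFAIL:*) echo "SERVFAIL: resolver got no usable answer (authoritative servers down or DNSSEC failure)" ;;
    REFUSED:*)  echo "REFUSED: server policy rejects this query (wrong server or ACL)" ;;
    *)          echo "UNKNOWN: no header found (timeout or no reply)" ;;
  esac
}

# Constructed sample transcripts, not captured from live queries
SAMPLE_OK='; <<>> DiG 9.16.1 <<>> example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 300 IN A 93.184.216.34
;; Query time: 45 msec'
SAMPLE_NX='; <<>> DiG 9.16.1 <<>> nosuch.example.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23456
;; AUTHORITY SECTION:
example.com. 3600 IN SOA ns.icann.org. noc.dns.icann.org. 1 7200 3600 1209600 3600
;; Query time: 30 msec'
dig_triage "$SAMPLE_OK"
dig_triage "$SAMPLE_NX"
```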
Advanced dig Queries
# Trace DNS resolution path
dig example.com +trace
# Show only answer section
dig example.com +noall +answer
# Multiple queries
dig example.com A example.com MX
# Disable recursion
dig example.com +norecurse
# Check DNSSEC validation
dig example.com +dnssec
# Verbose output
dig example.com +stats
# Query over TCP instead of UDP
dig example.com +tcp
# Set custom timeout
dig example.com +time=2 +tries=1
# Batch queries from file
dig -f domains.txt +short
# Zone transfer (if allowed)
dig @ns1.example.com example.com AXFR
dig for Troubleshooting
# Compare DNS servers
echo "Checking multiple DNS servers..."
for server in 8.8.8.8 1.1.1.1 208.67.222.222; do
echo "Server: $server"
dig @$server example.com +short
done
# Check if domain exists
# dig exits 0 even on NXDOMAIN (non-zero only for usage errors or no reply), so test the answer, not $?
if [ -n "$(dig example.com +short)" ]; then
echo "Domain resolves"
else
echo "Domain doesn't resolve"
fi
# Measure query performance
dig example.com | grep "Query time"
# Check DNS propagation
for ns in $(dig example.com NS +short); do
echo "Checking $ns:"
dig @$ns example.com +short
done
# Find authoritative nameservers
dig example.com NS +short
# Check SOA record
dig example.com SOA
# Get TTL value
dig example.com | grep -A1 "ANSWER SECTION" | tail -1 | awk '{print $2}'
Step 2: Using nslookup
Basic nslookup Usage
# Basic lookup
nslookup example.com
# Query specific DNS server
nslookup example.com 8.8.8.8
# Specific record type
nslookup -type=A example.com
nslookup -type=MX example.com
nslookup -type=NS example.com
nslookup -type=TXT example.com
# Reverse lookup
nslookup 8.8.8.8
# Set query type
nslookup -query=mx example.com
Interactive Mode
# Start interactive mode
nslookup
# Within interactive mode:
> server 8.8.8.8 # Change DNS server
> set type=MX # Set query type
> example.com # Query domain
> set type=A # Change type
> example.com # Query again
> exit # Exit
# Debug mode
nslookup -debug example.com
# Detailed output
nslookup -d2 example.com
nslookup Troubleshooting
# Test if DNS server is responsive
nslookup google.com 8.8.8.8
# Check local DNS server
nslookup example.com $(grep nameserver /etc/resolv.conf | head -1 | awk '{print $2}')
# Timeout issues
nslookup -timeout=5 example.com
# Non-authoritative vs authoritative
nslookup -type=NS example.com
# Then query the nameserver directly
nslookup example.com ns1.example.com
Step 3: Using host
Basic host Usage
The host command provides simple, concise DNS lookups:
# Basic lookup
host example.com
# Verbose output
host -v example.com
# Specific record type
host -t A example.com
host -t MX example.com
host -t NS example.com
host -t TXT example.com
# All records
host -a example.com
# Reverse lookup
host 8.8.8.8
# Query specific server
host example.com 8.8.8.8
# Timeout setting
host -W 5 example.com
# Retry count
host -R 3 example.com
host for Quick Checks
# Simple check if domain resolves
host example.com >/dev/null 2>&1 && echo "Resolves" || echo "Fails"
# Get just IP addresses
host example.com | grep "has address" | awk '{print $4}'
# Get MX records
host -t MX example.com | awk '{print $6, $7}'
# Get nameservers
host -t NS example.com | awk '{print $4}'
# Check multiple domains
for domain in google.com facebook.com twitter.com; do
echo "$domain: $(host $domain | grep "has address" | awk '{print $4}' | head -1)"
done
Step 4: DNS Configuration Files
Checking System DNS Configuration
# Primary DNS configuration
cat /etc/resolv.conf
# Network Manager DNS
nmcli dev show | grep IP4.DNS
# systemd-resolved configuration
cat /etc/systemd/resolved.conf
resolvectl status
# Check DNS search domains
grep search /etc/resolv.conf
# Hosts file (local DNS)
cat /etc/hosts
# nsswitch configuration
grep hosts /etc/nsswitch.conf
Modifying DNS Configuration
# Temporary DNS change (lost on reboot)
echo "nameserver 8.8.8.8" > /etc/resolv.conf
echo "nameserver 1.1.1.1" >> /etc/resolv.conf
# Prevent resolv.conf changes
chattr +i /etc/resolv.conf
# Remove immutable flag
chattr -i /etc/resolv.conf
# For systemd-resolved
cat > /etc/systemd/resolved.conf << 'EOF'
[Resolve]
DNS=8.8.8.8 1.1.1.1
FallbackDNS=8.8.4.4 1.0.0.1
EOF
systemctl restart systemd-resolved
# For NetworkManager
nmcli con mod "connection-name" ipv4.dns "8.8.8.8 1.1.1.1"
nmcli con up "connection-name"
Step 5: Common DNS Problems
Problem: Domain Not Resolving
# Test basic connectivity
ping -c 1 8.8.8.8
# Try different DNS servers
dig @8.8.8.8 example.com +short
dig @1.1.1.1 example.com +short
# Check if domain exists
dig example.com +short
whois example.com | grep "Name Server"
# Verify nameservers are responding
dig example.com NS +short | while read ns; do
echo "Testing $ns:"
dig @$ns example.com +short
done
# Check for NXDOMAIN
dig example.com | grep status
Problem: Slow DNS Resolution
# Measure query time
dig example.com | grep "Query time"
# Test multiple DNS servers
for server in 8.8.8.8 1.1.1.1 208.67.222.222 $(grep nameserver /etc/resolv.conf | awk '{print $2}'); do
echo "Server: $server"
dig @$server google.com | grep "Query time"
done
# Check network latency to DNS server
ping -c 5 8.8.8.8
# Test with UDP and TCP
echo "UDP:" && dig example.com | grep "Query time"
echo "TCP:" && dig example.com +tcp | grep "Query time"
Problem: Inconsistent Resolution
# Check all authoritative servers
dig example.com NS +short | while read ns; do
echo "Server: $ns"
dig @$ns example.com A +short
done
# Check DNS propagation
echo "Checking DNS propagation..."
for server in 8.8.8.8 1.1.1.1 208.67.222.222 9.9.9.9; do
echo "DNS: $server - IP: $(dig @$server example.com +short)"
done
# Check local cache
systemd-resolve --statistics
systemd-resolve --flush-caches
Problem: Reverse DNS Issues
# Check reverse DNS
dig -x 93.184.216.34
# Get PTR record
host 93.184.216.34
# Verify forward and reverse match (forward-confirmed reverse DNS)
DOMAIN="example.com"
IP=$(dig "$DOMAIN" A +short | head -1)
REVERSE=$(dig -x "$IP" +short)
echo "Forward: $DOMAIN -> $IP"
echo "Reverse: $IP -> $REVERSE"
# The PTR target should resolve back to the same IP; mail from hosts where it does not is often rejected
dig "${REVERSE%.}" A +short | grep -qx "$IP" && echo "FCrDNS: OK" || echo "FCrDNS: mismatch"
Problem: MX Record Issues
# Check MX records
dig example.com MX +short
# Verify MX priority
dig example.com MX | grep "ANSWER SECTION" -A5
# Test mail server connectivity
MX=$(dig example.com MX +short | sort -n | head -1 | awk '{print $2}')
echo "Testing $MX"
telnet $MX 25
# Check if MX resolves
dig example.com MX +short | while read priority mx; do
echo "MX: $mx (Priority: $priority)"
dig $mx +short
done
Step 6: DNS Cache Issues
Flushing DNS Cache
# systemd-resolved
systemd-resolve --flush-caches
resolvectl flush-caches
# nscd
service nscd restart
/etc/init.d/nscd restart
# dnsmasq
service dnsmasq restart
killall -HUP dnsmasq
# Clear browser cache
# Chrome: chrome://net-internals/#dns
# Firefox: about:networking#dns
# Verify cache is cleared
systemd-resolve --statistics
Checking DNS Cache
# systemd-resolved cache stats
systemd-resolve --statistics
# Query cache
resolvectl query example.com
# dnsmasq cache dump
killall -USR1 dnsmasq
grep dnsmasq /var/log/syslog
# Check TTL to see if cached
dig example.com | grep -A1 "ANSWER SECTION"
# Wait a few seconds
dig example.com | grep -A1 "ANSWER SECTION"
# TTL should decrease if cached
Step 7: Advanced DNS Diagnostics
DNSSEC Validation
# Check DNSSEC
dig example.com +dnssec
# Verify DNSSEC chain
dig example.com +dnssec +multiline
# Check DS records
dig example.com DS +short
# Validate DNSSEC
delv example.com
# Check DNSKEY
dig example.com DNSKEY
DNS Performance Testing
# Benchmark DNS servers
cat > /tmp/dns-benchmark.sh << 'EOF'
#!/bin/bash
DOMAINS="google.com facebook.com twitter.com amazon.com microsoft.com"
SERVERS="8.8.8.8 1.1.1.1 208.67.222.222 9.9.9.9"
for SERVER in $SERVERS; do
  echo "Testing $SERVER:"
  TOTAL=0
  COUNT=0
  for DOMAIN in $DOMAINS; do
    # Field 4 of ";; Query time: 45 msec" is the millisecond value
    TIME=$(dig @$SERVER $DOMAIN +time=2 +tries=1 | grep "Query time" | awk '{print $4}')
    # A timed-out query prints no "Query time" line; skip it rather than break the arithmetic
    if [ -z "$TIME" ]; then
      echo "  $DOMAIN: no reply"
      continue
    fi
    TOTAL=$((TOTAL + TIME))
    COUNT=$((COUNT + 1))
  done
  if [ "$COUNT" -gt 0 ]; then
    AVG=$((TOTAL / COUNT))
    echo "Average: ${AVG}ms over $COUNT queries"
  else
    echo "No replies from $SERVER"
  fi
  echo ""
done
EOF
chmod +x /tmp/dns-benchmark.sh
/tmp/dns-benchmark.sh
DNS Zone Transfer Testing
# Attempt zone transfer
dig @ns1.example.com example.com AXFR
# Try with specific nameserver
NS=$(dig example.com NS +short | head -1)
dig @$NS example.com AXFR
# Check if zone transfer allowed; a server that answers AXFR for any client hands out every record in the zone, so transfers should be restricted to your own secondaries (for example with allow-transfer in BIND)
dig @ns1.example.com example.com AXFR | grep "Transfer failed"
Checking DNS Propagation
# Check multiple global DNS servers
cat > /tmp/check-propagation.sh << 'EOF'
#!/bin/bash
DOMAIN=$1
SERVERS=(
  "8.8.8.8:Google"
  "1.1.1.1:Cloudflare"
  "208.67.222.222:OpenDNS"
  "9.9.9.9:Quad9"
  "64.6.64.6:Verisign"
)
echo "Checking DNS propagation for $DOMAIN"
echo "========================================"
for entry in "${SERVERS[@]}"; do
  IFS=: read -r server name <<< "$entry"
  result=$(dig @"$server" "$DOMAIN" +short | head -1)
  echo "$name ($server): ${result:-no answer}"
done
EOF
chmod +x /tmp/check-propagation.sh
/tmp/check-propagation.sh example.com
Step 8: Email-Related DNS Records
SPF Records
# Check SPF record
dig example.com TXT +short | grep "v=spf1"
# Detailed SPF
host -t TXT example.com | grep spf
# Verify SPF syntax
# Look for: v=spf1 ... ~all or -all
DKIM Records
# Check DKIM record (replace selector)
dig selector._domainkey.example.com TXT +short
# Common selectors to try
for selector in default google dkim mail; do
echo "Trying selector: $selector"
dig ${selector}._domainkey.example.com TXT +short
done
DMARC Records
# Check DMARC record
dig _dmarc.example.com TXT +short
# Detailed DMARC
host -t TXT _dmarc.example.com
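The SPF note above says to look for a terminal ~all or -all. As an added example (not the page's own code), the functions below run that check and a few more offline against the SPF and DMARC records fetched with dig: a missing version tag, a permissive +all, the number of lookup-causing terms visible in the record against the RFC 7208 limit of 10 (a lower bound, since include targets are not followed), and the DMARC p= policy. The sample records are constructed.

```shell
#!/bin/bash
# Added example: offline sanity checks for SPF and DMARC TXT records.
# Usage with live data:
#   check_spf "$(dig example.com TXT +short | grep v=spf1 | tr -d '"')"
#   check_dmarc "$(dig _dmarc.example.com TXT +short | tr -d '"')"

check_spf() {
  rec=$1; problems=""; lookups=0; has_all=no
  case "$rec" in v=spf1|"v=spf1 "*) ;; *) problems="$problems no-v=spf1;" ;; esac
  for term in $rec; do
    t=${term#[-~+?]}                       # strip the qualifier (+ - ~ ?)
    case "$t" in
      v=spf1) ;;
      all) has_all=yes
           # "+all" (or a bare "all", whose default qualifier is +) lets any host send as this domain
           case "$term" in +all|all) problems="$problems +all-permits-any-sender;" ;; esac ;;
      redirect=*) lookups=$((lookups + 1)); has_all=yes ;;   # redirect stands in for all
      include:*|a|a:*|mx|mx:*|ptr|ptr:*|exists:*) lookups=$((lookups + 1)) ;;
      ip4:*|ip6:*|exp=*) ;;
      *) problems="$problems unknown-term:$term;" ;;
    esac
  done
  [ "$has_all" = yes ] || problems="$problems no-terminal-all;"
  # RFC 7208 caps DNS-querying terms at 10 across the whole include chain;
  # this counts only this record, so it is a lower bound
  [ "$lookups" -le 10 ] || problems="$problems too-many-lookups:$lookups;"
  if [ -n "$problems" ]; then echo "SPF FAIL:$problems (lookups=$lookups)"; return 1; fi
  echo "SPF OK (lookups=$lookups)"
}

check_dmarc() {
  case "$1" in "v=DMARC1;"*) ;; *) echo "DMARC FAIL: record must start with v=DMARC1;"; return 1 ;; esac
  policy=$(printf '%s' "$1" | tr -d ' ' | tr ';' '\n' | sed -n 's/^p=//p')
  case "$policy" in
    none) echo "DMARC OK: p=none (monitoring only, nothing is rejected)" ;;
    quarantine|reject) echo "DMARC OK: p=$policy" ;;
    *) echo "DMARC FAIL: missing or invalid p= tag"; return 1 ;;
  esac
}

# Constructed sample records, not fetched from a live zone
check_spf "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all"
check_spf "v=spf1 a mx ptr +all" || true
check_dmarc "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
```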
Solutions and Prevention
Setting Up Local DNS Cache
# Install dnsmasq
apt install dnsmasq
# Configure dnsmasq
cat > /etc/dnsmasq.conf << 'EOF'
listen-address=127.0.0.1
cache-size=1000
neg-ttl=3600
server=8.8.8.8
server=1.1.1.1
EOF
# Update resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf
# Start dnsmasq
systemctl enable dnsmasq
systemctl start dnsmasq
DNS Monitoring Script
cat > /usr/local/bin/dns-monitor.sh << 'EOF'
#!/bin/bash
DOMAINS="example.com google.com"
LOG_FILE="/var/log/dns-monitor.log"
ALERT_EMAIL="[email protected]"
for DOMAIN in $DOMAINS; do
  # dig exits 0 even on NXDOMAIN or an empty answer, so test for an actual answer rather than the exit status
  if [ -z "$(dig "$DOMAIN" +short +time=3 +tries=2 2>/dev/null)" ]; then
    echo "$(date): DNS resolution failed for $DOMAIN" >> "$LOG_FILE"
    echo "DNS resolution failed for $DOMAIN on $(hostname)" | \
      mail -s "DNS Alert: $DOMAIN" "$ALERT_EMAIL"
  fi
done
EOF
chmod +x /usr/local/bin/dns-monitor.sh
# Run every 5 minutes (append to the existing crontab; piping only the new line into "crontab -" would replace every existing entry)
(crontab -l 2>/dev/null; echo "*/5 * * * * /usr/local/bin/dns-monitor.sh") | crontab -
DNS Failover Configuration
# Configure multiple DNS servers
cat > /etc/resolv.conf << 'EOF'
nameserver 8.8.8.8
nameserver 1.1.1.1
nameserver 208.67.222.222
options timeout:2
options attempts:2
EOF
# For systemd-resolved
cat > /etc/systemd/resolved.conf << 'EOF'
[Resolve]
DNS=8.8.8.8 1.1.1.1 208.67.222.222
FallbackDNS=8.8.4.4 1.0.0.1
DNSStubListener=yes
EOF
systemctl restart systemd-resolved
Conclusion
DNS troubleshooting requires understanding the tools available and how to interpret their output. Key takeaways:
- Use dig for detailed analysis: Most comprehensive output
- Use nslookup for simplicity: Quick interactive queries
- Use host for scripting: Concise, scriptable output
- Check multiple DNS servers: Identify propagation issues
- Verify record types: Ensure correct records exist
- Monitor DNS performance: Slow DNS affects everything
- Implement redundancy: Multiple DNS servers prevent outages
Understanding dig, nslookup, and host - along with when to use each - enables rapid diagnosis and resolution of DNS issues. Regular monitoring, proper configuration, and these diagnostic skills ensure reliable DNS resolution for your infrastructure.