DNS Problems: dig, nslookup, host

Introduction

DNS (Domain Name System) is the phone book of the internet, translating human-readable domain names into the IP addresses that computers use to communicate. When DNS fails, websites become unreachable, email stops flowing and applications break, even though the underlying servers may be running perfectly. DNS issues are among the most common, yet most often misunderstood, problems in server administration.

This comprehensive guide gives system administrators practical command-line tools for diagnosing and resolving DNS problems. You will master the three main DNS diagnostic tools (dig, nslookup and host) and learn when and how to use each one effectively to troubleshoot DNS resolution, verify configurations and identify the root cause of connectivity problems.

Understanding DNS diagnostics is essential for anyone who manages servers, web applications or network infrastructure. This guide covers everything from basic DNS lookups to advanced troubleshooting techniques for complex DNS scenarios, including load balancing, CDNs and email authentication records.

Understanding DNS Fundamentals

How DNS Works

DNS resolution follows a hierarchical process:

  1. Local Cache: Check the browser/OS cache
  2. Recursive Resolver: Query the configured DNS server (usually the ISP's or 8.8.8.8)
  3. Root Servers: Query for the TLD (.com, .org, etc.)
  4. TLD Servers: Query for the authoritative name server
  5. Authoritative Server: Returns the actual IP address

DNS Record Types

Common DNS record types you will encounter:

  • A: Maps a domain to an IPv4 address
  • AAAA: Maps a domain to an IPv6 address
  • CNAME: Canonical name (alias for another domain)
  • MX: Mail exchange servers
  • NS: Name server records
  • TXT: Text records (SPF, DKIM, verification)
  • PTR: Reverse DNS (IP to domain)
  • SOA: Start of Authority (zone information)
  • SRV: Service records

Common DNS Problems

  • Resolution Failures: The domain does not resolve to any IP
  • Incorrect Resolution: The domain resolves to the wrong IP
  • Propagation Delays: Changes are not visible everywhere
  • Cache Problems: Old records are still being served
  • Configuration Errors: Typos or syntax errors in DNS records
  • Name Server Problems: Authoritative servers are not responding
  • Network Problems: A firewall is blocking DNS queries

Initial DNS Assessment

Quick DNS Health Check

# Basic DNS resolution test
ping -c 1 example.com

# Check if DNS is working at all
ping -c 1 google.com
ping -c 1 8.8.8.8

# Current DNS servers
cat /etc/resolv.conf

# Network manager DNS
nmcli dev show | grep DNS

# systemd-resolved status (systemd-resolve is the older name; current systemd ships resolvectl)
systemd-resolve --status
resolvectl status

# Test basic resolution
getent hosts example.com

Quick interpretation:

# If ping 8.8.8.8 works but google.com fails
# THEN DNS resolution broken

# If ping google.com works but example.com fails
# THEN problem with specific domain

# If all pings fail
# THEN network connectivity issue (not DNS)

Step 1: Using dig

Basic dig Usage

The dig (Domain Information Groper) command is the most powerful DNS diagnostic tool:

# Install dig (part of dnsutils/bind-utils)
apt install dnsutils          # Debian/Ubuntu
yum install bind-utils         # CentOS/RHEL

# Basic lookup
dig example.com

# Simplified output (just answer)
dig example.com +short

# Specific record type
dig example.com A
dig example.com AAAA
dig example.com MX
dig example.com NS
dig example.com TXT

# All records for domain (many servers now return only a minimal answer to ANY, per RFC 8482)
dig example.com ANY

# Query specific DNS server
dig @8.8.8.8 example.com
dig @1.1.1.1 example.com

# Reverse DNS lookup
dig -x 8.8.8.8
dig -x 192.168.1.1

Understanding dig Output

dig example.com

; <<>> DiG 9.16.1-Ubuntu <<>> example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            300     IN      A       93.184.216.34

;; Query time: 45 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 11 10:30:00 UTC 2026
;; MSG SIZE  rcvd: 56

Key sections explained:

  • HEADER: Query status (NOERROR = success, NXDOMAIN = does not exist)
  • QUESTION: What was queried
  • ANSWER: The response (TTL, type, value)
  • Query time: How long the lookup took
  • SERVER: Which DNS server answered
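
As an added example (not part of the original guide), the shell function below reads saved dig output and classifies it from the HEADER status and the ANSWER count, which separates NXDOMAIN from a name that exists but has no record of the requested type (NODATA). The function name and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a dig response from its header fields.
# All sample responses below are constructed for illustration.

# classify_dig: full dig output on stdin -> one word on stdout.
classify_dig() {
    awk '
        /->>HEADER<<-/ {      # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: N"
            for (i = 1; i < NF; i++)
                if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) }
        }
        /^;; flags:/ {        # ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, ..."
            for (i = 1; i < NF; i++)
                if ($i == "ANSWER:") { an = $(i + 1); sub(/,$/, "", an) }
        }
        END {
            if (st == "")                           print "NO_RESPONSE"
            else if (st == "NOERROR" && an + 0 > 0) print "RESOLVED"
            else if (st == "NOERROR")               print "NODATA"
            else                                    print st
        }'
}

SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.            300     IN      A       93.184.216.34'

SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Print one classification per sample.
show() { printf '%-9s %s\n' "$1" "$(printf '%s\n' "$2" | classify_dig)"; }
show ok       "$SAMPLE_OK"
show nodata   "$SAMPLE_NODATA"
show nxdomain "$SAMPLE_NXDOMAIN"
show timeout  "$SAMPLE_TIMEOUT"
```

On a live system the input would come from a command such as dig example.com AAAA piped into classify_dig.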

Advanced dig Queries

# Trace DNS resolution path
dig example.com +trace

# Show only answer section
dig example.com +noall +answer

# Multiple queries
dig example.com A example.com MX

# Disable recursion
dig example.com +norecurse

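# Request DNSSEC records (RRSIG); a validating resolver sets the "ad" flag on verified answers
dig example.com +dnssec

# Print query statistics (on by default; useful together with +noall)
dig example.com +stats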

# Query over TCP instead of UDP
dig example.com +tcp

# Set custom timeout
dig example.com +time=2 +tries=1

# Batch queries from file
dig -f domains.txt +short

# Zone transfer (if allowed)
dig @ns1.example.com example.com AXFR

dig for Troubleshooting

# Compare DNS servers
echo "Checking multiple DNS servers..."
for server in 8.8.8.8 1.1.1.1 208.67.222.222; do
    echo "Server: $server"
    dig @$server example.com +short
done

# Check if domain exists
# dig exits 0 even on NXDOMAIN, so test for a non-empty answer rather than $?
if [ -n "$(dig example.com +short)" ]; then
    echo "Domain resolves"
else
    echo "Domain doesn't resolve"
fi

# Measure query performance
dig example.com | grep "Query time"

# Check DNS propagation
for ns in $(dig example.com NS +short); do
    echo "Checking $ns:"
    dig @$ns example.com +short
done

# Find authoritative nameservers
dig example.com NS +short

# Check SOA record
dig example.com SOA

# Get TTL value
dig example.com | grep -A1 "ANSWER SECTION" | tail -1 | awk '{print $2}'

Step 2: Using nslookup

Basic nslookup Usage

# Basic lookup
nslookup example.com

# Query specific DNS server
nslookup example.com 8.8.8.8

# Specific record type
nslookup -type=A example.com
nslookup -type=MX example.com
nslookup -type=NS example.com
nslookup -type=TXT example.com

# Reverse lookup
nslookup 8.8.8.8

# Set query type
nslookup -query=mx example.com

Interactive Mode

# Start interactive mode
nslookup

# Within interactive mode:
> server 8.8.8.8          # Change DNS server
> set type=MX             # Set query type
> example.com             # Query domain
> set type=A              # Change type
> example.com             # Query again
> exit                    # Exit

# Debug mode
nslookup -debug example.com

# Detailed output
nslookup -d2 example.com

Troubleshooting with nslookup

# Test if DNS server is responsive
nslookup google.com 8.8.8.8

# Check local DNS server
nslookup example.com $(grep nameserver /etc/resolv.conf | head -1 | awk '{print $2}')

# Timeout issues
nslookup -timeout=5 example.com

# Non-authoritative vs authoritative
nslookup -type=NS example.com
# Then query the nameserver directly
nslookup example.com ns1.example.com

Step 3: Using host

Basic host Usage

The host command provides simple, concise DNS lookups:

# Basic lookup
host example.com

# Verbose output
host -v example.com

# Specific record type
host -t A example.com
host -t MX example.com
host -t NS example.com
host -t TXT example.com

# All records
host -a example.com

# Reverse lookup
host 8.8.8.8

# Query specific server
host example.com 8.8.8.8

# Timeout setting
host -W 5 example.com

# Retry count
host -R 3 example.com

host for Quick Checks

# Simple check if domain resolves
host example.com >/dev/null 2>&1 && echo "Resolves" || echo "Fails"

# Get just IP addresses
host example.com | grep "has address" | awk '{print $4}'

# Get MX records
host -t MX example.com | awk '{print $6, $7}'

# Get nameservers
host -t NS example.com | awk '{print $4}'

# Check multiple domains
for domain in google.com facebook.com twitter.com; do
    echo "$domain: $(host $domain | grep "has address" | awk '{print $4}' | head -1)"
done

Step 4: DNS Configuration Files

Checking the System DNS Configuration

# Primary DNS configuration
cat /etc/resolv.conf

# Network Manager DNS
nmcli dev show | grep IP4.DNS

# systemd-resolved configuration
cat /etc/systemd/resolved.conf
resolvectl status

# Check DNS search domains
cat /etc/resolv.conf | grep search

# Hosts file (local DNS)
cat /etc/hosts

# nsswitch configuration
cat /etc/nsswitch.conf | grep hosts

Modifying the DNS Configuration

# Temporary DNS change (lost on reboot)
echo "nameserver 8.8.8.8" > /etc/resolv.conf
echo "nameserver 1.1.1.1" >> /etc/resolv.conf

# Prevent resolv.conf changes
chattr +i /etc/resolv.conf

# Remove immutable flag
chattr -i /etc/resolv.conf

# For systemd-resolved
cat > /etc/systemd/resolved.conf << 'EOF'
[Resolve]
DNS=8.8.8.8 1.1.1.1
FallbackDNS=8.8.4.4 1.0.0.1
EOF

systemctl restart systemd-resolved

# For NetworkManager
nmcli con mod "connection-name" ipv4.dns "8.8.8.8 1.1.1.1"
nmcli con up "connection-name"

Step 5: Common DNS Problems

Problem: Domain Does Not Resolve

# Test basic connectivity
ping -c 1 8.8.8.8

# Try different DNS servers
dig @8.8.8.8 example.com +short
dig @1.1.1.1 example.com +short

# Check if domain exists
dig example.com +short
whois example.com | grep "Name Server"

# Verify nameservers are responding
dig example.com NS +short | while read ns; do
    echo "Testing $ns:"
    dig @$ns example.com +short
done

# Check for NXDOMAIN
dig example.com | grep status

Problem: Slow DNS Resolution

# Measure query time
dig example.com | grep "Query time"

# Test multiple DNS servers
for server in 8.8.8.8 1.1.1.1 208.67.222.222 $(grep nameserver /etc/resolv.conf | awk '{print $2}'); do
    echo "Server: $server"
    dig @$server google.com | grep "Query time"
done

# Check network latency to DNS server
ping -c 5 8.8.8.8

# Test with UDP and TCP
echo "UDP:" && dig example.com | grep "Query time"
echo "TCP:" && dig example.com +tcp | grep "Query time"

Problem: Inconsistent Resolution

# Check all authoritative servers
dig example.com NS +short | while read ns; do
    echo "Server: $ns"
    dig @$ns example.com A +short
done

# Check DNS propagation
echo "Checking DNS propagation..."
for server in 8.8.8.8 1.1.1.1 208.67.222.222 9.9.9.9; do
    echo "DNS: $server - IP: $(dig @$server example.com +short)"
done

# Check local cache (on current systemd: resolvectl statistics / resolvectl flush-caches)
systemd-resolve --statistics
systemd-resolve --flush-caches

Problem: Reverse DNS Issues

# Check reverse DNS
dig -x 93.184.216.34

# Get PTR record
host 93.184.216.34

# Verify forward and reverse match
DOMAIN="example.com"
IP=$(dig $DOMAIN +short | head -1)
REVERSE=$(dig -x $IP +short)
echo "Forward: $DOMAIN -> $IP"
echo "Reverse: $IP -> $REVERSE"

Problem: MX Record Issues

# Check MX records
dig example.com MX +short

# Verify MX priority
dig example.com MX | grep "ANSWER SECTION" -A5

# Test mail server connectivity
MX=$(dig example.com MX +short | sort -n | head -1 | awk '{print $2}')
echo "Testing $MX"
telnet $MX 25

# Check if MX resolves
dig example.com MX +short | while read priority mx; do
    echo "MX: $mx (Priority: $priority)"
    dig $mx +short
done

Step 6: DNS Cache Problems

Flushing the DNS Cache

# systemd-resolved
systemd-resolve --flush-caches
resolvectl flush-caches

# nscd
service nscd restart
/etc/init.d/nscd restart

# dnsmasq
service dnsmasq restart
killall -HUP dnsmasq

# Clear browser cache
# Chrome: chrome://net-internals/#dns
# Firefox: about:networking#dns

# Verify cache is cleared
systemd-resolve --statistics

Checking the DNS Cache

# systemd-resolved cache stats (resolvectl statistics on current systemd)
systemd-resolve --statistics

# Query cache
resolvectl query example.com

# dnsmasq cache dump
killall -USR1 dnsmasq
cat /var/log/syslog | grep dnsmasq

# Check TTL to see if cached
dig example.com | grep -A1 "ANSWER SECTION"
# Wait a few seconds
dig example.com | grep -A1 "ANSWER SECTION"
# TTL should decrease if cached

Step 7: Advanced DNS Diagnostics

DNSSEC Validation

# Check DNSSEC
dig example.com +dnssec

# Verify DNSSEC chain
dig example.com +dnssec +multiline

# Check DS records
dig example.com DS +short

# Validate DNSSEC
delv example.com

# Check DNSKEY
dig example.com DNSKEY

DNS Performance Testing

# Benchmark DNS servers
cat > /tmp/dns-benchmark.sh << 'EOF'
#!/bin/bash

DOMAINS="google.com facebook.com twitter.com amazon.com microsoft.com"
SERVERS="8.8.8.8 1.1.1.1 208.67.222.222 9.9.9.9"

for SERVER in $SERVERS; do
    echo "Testing $SERVER:"
    TOTAL=0
    COUNT=0
    for DOMAIN in $DOMAINS; do
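        TIME=$(dig @$SERVER $DOMAIN | grep "Query time" | awk '{print $4}')
        [ -z "$TIME" ] && continue    # no response: skip it instead of breaking the arithmetic
        TOTAL=$((TOTAL + TIME))
        COUNT=$((COUNT + 1))
    done
    if [ "$COUNT" -gt 0 ]; then
        echo "Average: $((TOTAL / COUNT))ms"
    else
        echo "No responses"
    fi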
    echo ""
done
EOF

chmod +x /tmp/dns-benchmark.sh
/tmp/dns-benchmark.sh

DNS Zone Transfer Test

# Attempt zone transfer
dig @ns1.example.com example.com AXFR

# Try with specific nameserver
NS=$(dig example.com NS +short | head -1)
dig @$NS example.com AXFR

# Check if zone transfer is refused (the expected result for any host that is not a secondary)
dig @ns1.example.com example.com AXFR | grep "Transfer failed"

Verifying DNS Propagation

# Check multiple global DNS servers
cat > /tmp/check-propagation.sh << 'EOF'
#!/bin/bash

DOMAIN=$1
SERVERS=(
    "8.8.8.8:Google"
    "1.1.1.1:Cloudflare"
    "208.67.222.222:OpenDNS"
    "9.9.9.9:Quad9"
    "64.6.64.6:Verisign"
)

echo "Checking DNS propagation for $DOMAIN"
echo "========================================"

for entry in "${SERVERS[@]}"; do
    IFS=: read server name <<< "$entry"
    result=$(dig @$server $DOMAIN +short | head -1)
    echo "$name ($server): $result"
done
EOF

chmod +x /tmp/check-propagation.sh
/tmp/check-propagation.sh example.com

Step 8: Email-Related DNS Records

SPF Records

# Check SPF record
dig example.com TXT +short | grep "v=spf1"

# Detailed SPF
host -t TXT example.com | grep spf

# Verify SPF syntax
# Look for: v=spf1 ... ~all or -all

DKIM Records

# Check DKIM record (replace selector)
dig selector._domainkey.example.com TXT +short

# Common selectors to try
for selector in default google dkim mail; do
    echo "Trying selector: $selector"
    dig ${selector}._domainkey.example.com TXT +short
done

DMARC Records

# Check DMARC record
dig _dmarc.example.com TXT +short

# Detailed DMARC
host -t TXT _dmarc.example.com
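
The SPF check above says to look for ~all or -all. As an added example (not from the original guide), the functions below grade SPF and DMARC TXT data in the form that dig +short TXT prints it, including a record split across several quoted strings and a domain that publishes more than one SPF record. The function names and all record values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: grade SPF and DMARC TXT data as printed by `dig +short TXT`.
# All record values below are constructed for illustration.

# Join multi-string TXT data ("a" "b" -> ab) and drop the surrounding quotes.
unquote_txt() { sed -e 's/" "//g' -e 's/"//g'; }

# spf_policy: TXT lines on stdin -> none | invalid-multiple | hardfail |
#             softfail | neutral | pass-all | redirect | no-all
spf_policy() {
    unquote_txt | awk '
        tolower($1) == "v=spf1" {
            n++
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t ~ /^[-~?+]?all$/) q = t
                if (t ~ /^redirect=/)   r = 1
            }
        }
        END {
            if (n == 0)                         print "none"
            else if (n > 1)                     print "invalid-multiple"
            else if (q == "-all")               print "hardfail"
            else if (q == "~all")               print "softfail"
            else if (q == "?all")               print "neutral"
            else if (q == "all" || q == "+all") print "pass-all"
            else if (r)                         print "redirect"
            else                                print "no-all"
        }'
}

# dmarc_policy: TXT lines for _dmarc.<domain> on stdin -> p= value | missing-p | none
dmarc_policy() {
    unquote_txt | awk -F';' '
        tolower($1) ~ /^[ \t]*v=dmarc1[ \t]*$/ {
            found = 1
            for (i = 2; i <= NF; i++) {
                t = tolower($i); gsub(/[ \t]/, "", t)
                if (t ~ /^p=/) p = substr(t, 3)
            }
        }
        END { if (!found) print "none"; else if (p == "") print "missing-p"; else print p }'
}

SPF_SPLIT='"v=spf1 ip4:192.0.2.0/24 include:_spf.exa" "mple.net ~all"'
SPF_OPEN='"v=spf1 +all"'
DMARC_Q='"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"'
printf 'split SPF: %s\n' "$(printf '%s\n' "$SPF_SPLIT" | spf_policy)"
printf 'open SPF:  %s\n' "$(printf '%s\n' "$SPF_OPEN" | spf_policy)"
printf 'DMARC:     %s\n' "$(printf '%s\n' "$DMARC_Q" | dmarc_policy)"
```

On a live system the input would come from dig example.com TXT +short for spf_policy and dig _dmarc.example.com TXT +short for dmarc_policy.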

Solutions and Prevention

Setting Up a Local DNS Cache

# Install dnsmasq
apt install dnsmasq

# Configure dnsmasq
cat > /etc/dnsmasq.conf << 'EOF'
listen-address=127.0.0.1
cache-size=1000
neg-ttl=3600
server=8.8.8.8
server=1.1.1.1
EOF

# Update resolv.conf
echo "nameserver 127.0.0.1" > /etc/resolv.conf

# Start dnsmasq
systemctl enable dnsmasq
systemctl start dnsmasq

DNS Monitoring Script

cat > /usr/local/bin/dns-monitor.sh << 'EOF'
#!/bin/bash

DOMAINS="example.com google.com"
LOG_FILE="/var/log/dns-monitor.log"
ALERT_EMAIL="[email protected]"

for DOMAIN in $DOMAINS; do
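    # dig exits 0 even on NXDOMAIN, so also treat an empty answer as a failure
    if ! RESULT=$(dig "$DOMAIN" +short 2>/dev/null) || [ -z "$RESULT" ]; then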
        echo "$(date): DNS resolution failed for $DOMAIN" >> "$LOG_FILE"
        echo "DNS resolution failed for $DOMAIN on $(hostname)" | \
            mail -s "DNS Alert: $DOMAIN" "$ALERT_EMAIL"
    fi
done
EOF

chmod +x /usr/local/bin/dns-monitor.sh

# Run every 5 minutes (append to the existing crontab instead of replacing it)
(crontab -l 2>/dev/null; echo "*/5 * * * * /usr/local/bin/dns-monitor.sh") | crontab -

DNS Failover Configuration

# Configure multiple DNS servers
cat > /etc/resolv.conf << 'EOF'
nameserver 8.8.8.8
nameserver 1.1.1.1
nameserver 208.67.222.222
options timeout:2
options attempts:2
EOF

# For systemd-resolved
cat > /etc/systemd/resolved.conf << 'EOF'
[Resolve]
DNS=8.8.8.8 1.1.1.1 208.67.222.222
FallbackDNS=8.8.4.4 1.0.0.1
DNSStubListener=yes
EOF

systemctl restart systemd-resolved

Conclusion

Troubleshooting DNS requires understanding the available tools and how to interpret their output. Key takeaways:

  1. Use dig for detailed analysis: Most complete output
  2. Use nslookup for simplicity: Quick interactive queries
  3. Use host for scripting: Concise, scriptable output
  4. Check multiple DNS servers: Identifies propagation problems
  5. Verify record types: Make sure the correct records exist
  6. Monitor DNS performance: Slow DNS affects everything
  7. Implement redundancy: Multiple DNS servers prevent outages

Understanding dig, nslookup and host, along with when to use each one, enables fast diagnosis and resolution of DNS problems. Regular monitoring, proper configuration and these diagnostic skills ensure reliable DNS resolution for your infrastructure.