DNS problems can be frustrating because they affect your ability to access websites, send email, or reach your own services. This guide covers the most common DNS issues and how to diagnose and fix them.
DNS Diagnostic Tools
Before diving into specific problems, here are the essential tools for diagnosing DNS issues:
Using dig
dig is the most powerful DNS diagnostic tool. It's available on macOS and Linux by default, and on Windows via WSL or third-party tools.
# Basic lookup
dig example.com
# Query specific record type
dig example.com MX
dig example.com TXT
# Query a specific DNS server
dig @8.8.8.8 example.com
# Get short answer only
dig +short example.com
# Trace the full DNS resolution path
dig +trace example.com
Using nslookup
nslookup is available on all platforms and is simpler but less detailed:
# Basic lookup
nslookup example.com
# Query specific server
nslookup example.com 8.8.8.8
# Query specific record type
nslookup -type=MX example.com
Using host
# Simple lookup
host example.com
# Query specific record type
host -t MX example.com
Common DNS Errors
DNS_PROBE_FINISHED_NXDOMAIN
This error means the domain name doesn't exist in DNS. Causes include:
- Typo in the domain name — Check spelling carefully
- Domain expired — Check registration status at your registrar
- DNS not configured — No A record exists for the domain
- Local DNS cache issue — Try flushing your DNS cache
Diagnosis:
dig example.com
# If you see "status: NXDOMAIN" the domain truly doesn't exist in DNS
DNS_PROBE_FINISHED_NO_INTERNET
Your device can't reach any DNS server. This is typically a network connectivity issue:
- Check your internet connection
- Restart your router
- Check if your DNS server is accessible: ping 8.8.8.8
- Try switching to a public DNS like 1.1.1.1 or 8.8.8.8
SERVFAIL
The DNS server encountered an error while processing your query:
dig example.com
# Look for "status: SERVFAIL"
Common causes:
- DNSSEC validation failure — The domain's DNSSEC is misconfigured
- Authoritative server issues — The domain's DNS servers are down
- Resolver issues — Try a different DNS server
Slow DNS Resolution
If websites are slow to load initially but fast afterward, DNS resolution might be slow:
# Time a DNS query
time dig example.com
# Compare with a fast public DNS
time dig @1.1.1.1 example.com
If your ISP's DNS is slow, switch to a faster public DNS like Cloudflare (1.1.1.1) or Google (8.8.8.8).
Clearing DNS Cache
Outdated cached DNS records can cause issues. Here's how to clear them:
Windows
ipconfig /flushdns
macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
Linux (systemd)
sudo resolvectl flush-caches
# On older systemd releases: sudo systemd-resolve --flush-caches
Browser DNS Cache
Browsers maintain their own DNS cache:
- Chrome: Visit chrome://net-internals/#dns and click "Clear host cache"
- Firefox: Visit about:networking#dns and click "Clear DNS Cache"
- Edge: Visit edge://net-internals/#dns and click "Clear host cache"
After flushing the cache, test in incognito/private browsing mode so that you're not using any browser-level cache.
Propagation Issues
If you recently made DNS changes and they're not working yet:
Check Multiple DNS Servers
# Check various public DNS servers
dig @8.8.8.8 example.com A
dig @1.1.1.1 example.com A
dig @9.9.9.9 example.com A
dig @208.67.222.222 example.com A
If some servers show the new value and others show the old, propagation is still in progress.
Check TTL on Old Record
dig example.com A
# Look for the TTL value (the second column, right after the name)
# example.com. 3600 IN A 192.0.2.1
#              ^^^^
#              TTL in seconds
You may need to wait for the TTL period to pass before all caches update.
Verify at Authoritative Server
# First, find the authoritative nameservers
dig NS example.com
# Then query one directly
dig @ns1.dnsprovider.com example.com A
If the authoritative server has the correct record, the change was made successfully and you just need to wait for propagation.
Email DNS Issues
Email problems are often DNS-related. Common issues include:
Email Not Delivered (MX Records)
dig example.com MX
# Should return your mail server(s)
# example.com. 300 IN MX 10 mail.example.com.
If MX records are missing or incorrect, email won't be delivered to your domain.
Email Marked as Spam (SPF/DKIM/DMARC)
# Check SPF
dig example.com TXT | grep spf
# Check DKIM (replace 'selector' with your DKIM selector)
dig selector._domainkey.example.com TXT
# Check DMARC
dig _dmarc.example.com TXT
Missing or incorrect email authentication records cause deliverability issues.
SPF records have a limit of 10 DNS lookups. If your SPF record exceeds this (common with multiple third-party services), it will fail validation. Use an SPF flattening service if needed.
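The 10-lookup limit can be checked before a record is published. The following is an added example, not part of the original guide: a POSIX shell script that follows `include:` and `redirect=` chains and counts every term that costs a DNS lookup. The function names and all domains and records in `spf_txt` are constructed sample data.

```shell
#!/bin/sh
# Added example: worst-case count of DNS lookups an SPF record can trigger.
# RFC 7208 counts include, a, mx, ptr, exists and redirect toward the limit
# of 10; ip4, ip6 and all cost nothing.

# Constructed sample records standing in for live DNS (all names are made up).
# Live use: dig +short TXT "$1" | sed 's/" "//g; s/"//g' | grep '^v=spf1'
spf_txt() {
  case "$1" in
    example.com)         echo "v=spf1 mx a include:_spf.mailer.example include:_spf.crm.example ip4:192.0.2.0/24 -all" ;;
    _spf.mailer.example) echo "v=spf1 include:a.mailer.example include:b.mailer.example ~all" ;;
    a.mailer.example)    echo "v=spf1 ip4:198.51.100.0/24 exists:%{i}.bl.mailer.example ~all" ;;
    b.mailer.example)    echo "v=spf1 a:out.mailer.example mx:mailer.example ~all" ;;
    _spf.crm.example)    echo "v=spf1 include:c.crm.example a mx ptr ~all" ;;
    c.crm.example)       echo "v=spf1 ip6:2001:db8::/32 ~all" ;;
  esac
}

# Print the number of lookup-causing terms reachable from domain $1.
# The body is a subshell ( ... ), so each recursion level has its own variables.
count_spf_lookups() (
  depth=${2:-0}
  if [ "$depth" -gt 10 ]; then echo 0; exit 0; fi   # stop on include loops
  record=$(spf_txt "$1")
  case "$record" in
    "v=spf1 "*) ;;
    *) echo 0; exit 0 ;;                             # no SPF record published
  esac
  total=0
  set -f                                             # terms are not filename globs
  for term in $record; do
    term=${term#[-+~?]}                              # drop the qualifier, if any
    case "$term" in
      include:*|redirect=*)
        sub=$(count_spf_lookups "${term#*[:=]}" $((depth + 1)))
        total=$((total + 1 + sub)) ;;
      a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|exists:*)
        total=$((total + 1)) ;;
    esac
  done
  echo "$total"
)

# Report whether the domain stays within the limit.
spf_verdict() {
  n=$(count_spf_lookups "$1")
  if [ "$n" -le 10 ]; then echo "OK $n"; else echo "PERMERROR $n"; fi
}
spf_verdict example.com
```

The count is a worst case: a receiver stops evaluating at the first matching mechanism, so some senders may still pass while others hit the limit.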
Troubleshooting Checklist
| Issue | Check | Command |
|---|---|---|
| Domain not resolving | A/AAAA records | dig example.com A |
| www not working | www A or CNAME | dig www.example.com |
| Email not received | MX records | dig example.com MX |
| Email to spam | SPF, DKIM, DMARC | dig example.com TXT |
| Subdomain not working | Subdomain record | dig sub.example.com |