DNS Troubleshooting: How to Fix Common DNS Problems
Systematic guide to troubleshooting DNS problems. Covers site not loading, email failures, propagation delays, NXDOMAIN, SERVFAIL, and wrong IP resolution.
Last updated: 2026-02-17
DNS problems are frustrating because they are invisible. Your code is fine, your server is running, your configuration looks correct, but nothing works. The issue is buried somewhere in the chain between a domain name and an IP address. This guide provides a systematic approach to diagnosing and fixing the most common DNS problems.
The DNS Troubleshooting Methodology
Before diving into specific problems, establish a consistent diagnostic process. DNS issues have a limited number of root causes, and a methodical approach finds them faster than guessing.
1. Reproduce the problem: Confirm the issue exists and understand exactly what is failing. Is it a website, email, API, or something else? Is it failing everywhere or just from your machine?
2. Check from multiple locations: Query DNS from a public resolver (8.8.8.8), your authoritative nameserver, and a global DNS checker. This narrows down whether the problem is local, ISP-specific, or global.
3. Query the authoritative nameserver directly: If the authoritative nameserver returns the correct answer, the problem is caching or propagation. If it returns the wrong answer, the problem is your DNS configuration.
4. Check for recent changes: Review your DNS provider's change log. Many DNS problems are caused by recent modifications, either intentional ones that went wrong or unauthorized changes.
5. Verify the complete chain: Check registrar settings, nameserver delegation, zone configuration, and individual records. The problem could be at any layer.
Problem: Website Not Loading
The most common DNS symptom. Users cannot reach your website, and the browser shows a "DNS could not resolve" error.
Diagnostic Steps
```sh
# Check if the domain resolves at all
dig example.com A +short
# If no result, check the nameservers
dig example.com NS +short
# Query the authoritative nameserver directly
dig @ns1.your-provider.com example.com A +short
# Check if it's a local caching issue
dig @8.8.8.8 example.com A +short
dig @1.1.1.1 example.com A +short
```
Common Causes
- Missing A record: The domain has no A record configured. This often happens after a DNS provider migration where a record was missed. Create the correct A record at your DNS provider.
- Wrong nameservers at registrar: The registrar is pointing to nameservers that do not have a zone for your domain. Verify nameserver delegation at your registrar matches your DNS provider's nameservers.
- Expired domain: The domain has expired and the registrar has removed or redirected its DNS. Check your registrar account and renew the domain.
- DNS provider outage: Your DNS provider's nameservers are down. Query the nameservers directly to see if they respond. Check your provider's status page.
Problem: Email Not Working
Email failures can manifest as bounced messages, delayed delivery, or complete inability to send or receive.
Diagnostic Steps
```sh
# Check MX records
dig example.com MX +short
# Verify each MX hostname resolves
dig mail.example.com A +short
# Check SPF record (match the version tag, not any TXT record containing "spf")
dig example.com TXT +short | grep -i "v=spf1"
# Check DMARC record
dig _dmarc.example.com TXT +short
# Test SMTP connectivity to the mail server
nc -vz mail.example.com 25
```
Common Causes
- Missing or incorrect MX records: The MX records point to a server that does not exist or does not accept email for your domain
- Stale MX records from old provider: Records from a previous email service are still present and receiving some email
- SPF record too restrictive or missing: Outgoing email fails authentication checks and is rejected by recipients
- DKIM misconfiguration: Keys have expired, selectors are wrong, or the DNS record was accidentally deleted
Check MX priorities
If you have multiple MX records, verify the priority values are correct. A decommissioned backup server with a lower priority number (higher priority) than your active server will receive email that never gets delivered.
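The MX priority and SPF checks above can be run over captured `dig` output. This is an added example, not code from the original page; the function names, the operator-supplied list of active mail hosts, and the sample records are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit mail DNS from captured dig output.

# stale_mx "ACTIVE_HOSTS": read `dig example.com MX +short` lines on stdin
# ("10 mail.example.com.") and print each MX host that is not in the
# space-separated list of servers known to accept mail (an operator-supplied
# assumption). PREFERRED means senders try it before any active server.
stale_mx() {
    sort -n | awk -v active="$1" '
        BEGIN { n = split(active, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1; best = -1 }
        { sub(/\.$/, "", $2); pref[NR] = $1 + 0; host[NR] = $2 }
        ($2 in ok) && best < 0 { best = $1 + 0 }
        END {
            for (i = 1; i <= NR; i++) if (!(host[i] in ok))
                print host[i], pref[i], ((best < 0 || pref[i] < best) ? "PREFERRED" : "fallback")
        }'
}

# spf_status: read `dig example.com TXT +short` output on stdin. Matching on
# the v=spf1 version tag avoids counting unrelated TXT records that merely
# contain "spf"; more than one SPF record is itself an error (RFC 7208).
spf_status() {
    awk '{ gsub(/"/, "") }
         tolower($0) ~ /^v=spf1( |$)/ { n++ }
         END { print (n == 0 ? "missing" : (n == 1 ? "ok" : "multiple")) }'
}

# Constructed samples (documentation names and addresses only).
MX='20 mail.example.com.
10 old-backup.example.net.
30 mx2.example.com.'
TXT='"note: spf handled by mail team (constructed)"
"v=spf1 include:_spf.example.net ~all"
"v=spf1 ip4:192.0.2.25 -all"'

printf '%s\n' "$MX"  | stale_mx "mail.example.com mx2.example.com"
printf '%s\n' "$TXT" | spf_status
```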
Problem: DNS Propagation Delays
You made a change but the old value persists, either everywhere or in some locations.
Diagnostic Steps
```sh
# Verify the change at the authoritative nameserver
dig @ns1.your-provider.com example.com A +short
# Check what public resolvers see
dig @8.8.8.8 example.com A +short
dig @1.1.1.1 example.com A +short
# Check the TTL of the cached record
dig @8.8.8.8 example.com A | grep -A1 "ANSWER SECTION"
```
The Fix
If the authoritative nameserver shows the correct new value but public resolvers show the old value, this is normal propagation behavior. The remaining TTL on cached records determines how long you wait.
If the authoritative nameserver shows the old value, the change was not saved correctly. Re-apply it at your DNS provider.
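The comparison described here, and in step 3 of the methodology, can be scripted as follows. This is an added example rather than code from the original page; the function names and the sample answer are constructed, and `check_live` assumes `dig` is installed.

```sh
#!/bin/sh
# Added example: tell "still cached" apart from "change never reached the zone".

# Collapse an answer (whitespace or newline separated) into a sorted set so
# round-robin record order does not cause false mismatches.
normalize() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) print $i }' |
        sort -u | paste -s -d ' ' -
}

# classify EXPECTED AUTHORITATIVE_ANSWER RESOLVER_ANSWER
classify() {
    want=$(normalize "$1"); auth=$(normalize "$2"); seen=$(normalize "$3")
    if   [ -z "$auth" ];         then echo "auth-no-answer"  # record or zone missing
    elif [ "$auth" != "$want" ]; then echo "zone-wrong"      # re-apply the change
    elif [ "$seen" = "$auth" ];  then echo "consistent"
    else                              echo "cached"          # wait out the TTL
    fi
}

# remaining_ttl: read full dig output on stdin, print the largest TTL left on
# the A records in the ANSWER section (how long the old value can persist).
remaining_ttl() {
    awk '/^;; ANSWER SECTION:/ { a = 1; next }
         a && NF == 0          { a = 0 }
         a && $4 == "A" && $2 + 0 > max { max = $2 + 0 }
         END { print max + 0 }'
}

# Live use (needs network): check_live DOMAIN AUTH_NS RESOLVER "EXPECTED_IPS"
check_live() {
    classify "$4" "$(dig +short "@$2" "$1" A)" "$(dig +short "@$3" "$1" A)"
}

# Constructed sample: resolver output captured after a change to 192.0.2.20.
SAMPLE=';; ANSWER SECTION:
example.com.    1742    IN      A       192.0.2.10

;; Query time: 12 msec'

classify "192.0.2.20" "192.0.2.20" "192.0.2.10"   # authoritative new, resolver old
printf '%s\n' "$SAMPLE" | remaining_ttl
```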
Problem: Wrong IP Address Resolving
Your domain resolves, but to the wrong IP address.
Diagnostic Steps
```sh
# Check what IP is being returned
dig example.com A +short
# Compare against your expected IP
# If wrong, check the authoritative source
dig @ns1.your-provider.com example.com A +short
# Check if there are multiple A records
dig example.com A
```
Common Causes
- Record pointing to old server: After a server migration, the A record was not updated
- Multiple A records: More than one A record exists, and some point to decommissioned servers. DNS round-robins between them, causing intermittent failures
- CDN or proxy misconfiguration: If using Cloudflare or a similar service, the proxied IP is expected. Check whether the issue is actually at the CDN layer, not DNS
- DNS hijacking: The record was changed without authorization. Check your DNS provider's audit log
Problem: NXDOMAIN Errors
NXDOMAIN means "Non-Existent Domain." The DNS system is explicitly stating that the name does not exist.
| Response | Meaning | Likely Cause |
|---|---|---|
| NXDOMAIN | Domain does not exist in DNS | Missing record, expired domain, or wrong nameservers |
| NOERROR with empty answer | Domain exists but no record of the queried type | Record type not configured (e.g., no AAAA record) |
| SERVFAIL | Server failed to process the query | Nameserver misconfiguration or DNSSEC issue |
| REFUSED | Server refused to answer | Not authoritative and recursion disabled |
Diagnostic Steps for NXDOMAIN
```sh
# Check if the name exists at all
# Many servers answer ANY with a minimal response (RFC 8482);
# read the "status:" field in the header, not the record list
dig example.com ANY
# Check if nameservers are responding
dig example.com NS +short
# Query the authoritative nameserver
dig @ns1.your-provider.com example.com A
# Check if this is a subdomain issue
dig subdomain.example.com A
dig example.com A
```
If the root domain resolves but a subdomain returns NXDOMAIN, the subdomain record is simply missing. If the root domain itself returns NXDOMAIN, the nameserver delegation or the zone itself is broken.
Problem: SERVFAIL Errors
SERVFAIL is a generic server error that typically indicates a problem with DNSSEC validation or a broken delegation chain.
Common Causes
- DNSSEC validation failure: The most common cause of SERVFAIL in modern DNS. If DNSSEC signatures are expired, keys are mismatched, or DS records at the registrar do not match the keys at your DNS provider, validating resolvers will return SERVFAIL.
- Lame delegation: The nameservers listed at the registrar do not have a zone configured for your domain. When queried, they either return REFUSED or SERVFAIL.
- Nameserver unreachable: The authoritative nameservers are down or unreachable from the recursive resolver. Check your nameserver's connectivity and firewall rules.
Diagnostic Steps for SERVFAIL
```sh
# Try querying with DNSSEC validation disabled
dig example.com A +cd
# If +cd returns a result but without it returns SERVFAIL,
# the problem is DNSSEC
# Check DNSSEC chain
dig example.com DNSKEY +short
dig example.com DS +short
# Check the parent zone's DS record
dig example.com DS @a.gtld-servers.net +short
```
DNSSEC SERVFAIL affects all record types
A DNSSEC validation failure does not just break one record. It makes your entire domain unreachable for any resolver that validates DNSSEC. This includes major public resolvers like Google (8.8.8.8) and Cloudflare (1.1.1.1). The fix is to either correct the DNSSEC configuration or remove DNSSEC entirely by deleting the DS record at your registrar.
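The `+cd` comparison and the response-code table can be combined into one check over full `dig` output. This is an added example, not code from the original page; the function names and the header samples are constructed, and `diagnose_live` assumes `dig` is installed and defaults to the 8.8.8.8 resolver mentioned above.

```sh
#!/bin/sh
# Added example: interpret a lookup the way the response-code table and the
# +cd test describe. Input is full `dig` output, not +short.

rcode()   { sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }
answers() { sed -n 's/.*flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1; }

# diagnose NORMAL_OUTPUT CD_OUTPUT
#   NORMAL_OUTPUT: dig example.com A      CD_OUTPUT: dig example.com A +cd
diagnose() {
    st=$(printf '%s\n' "$1" | rcode)
    n=$(printf '%s\n' "$1" | answers)
    st_cd=$(printf '%s\n' "$2" | rcode)
    case "$st" in
        NOERROR)  if [ "${n:-0}" -gt 0 ]; then echo "ok"; else echo "no-record-of-type"; fi ;;
        NXDOMAIN) echo "name-does-not-exist" ;;
        REFUSED)  echo "server-refused" ;;
        SERVFAIL)
            # An answer that appears only when validation is skipped points at DNSSEC.
            if [ "$st_cd" = "NOERROR" ]; then echo "dnssec-validation-failure"
            else echo "delegation-or-nameserver-failure"; fi ;;
        *)        echo "no-response" ;;
    esac
}

# Live use (needs network): diagnose_live DOMAIN [RESOLVER]
diagnose_live() {
    r=${2:-8.8.8.8}
    diagnose "$(dig "@$r" "$1" A)" "$(dig "@$r" "$1" A +cd)"
}

# Constructed samples: header lines as a validating resolver prints them.
FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
CD_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
EMPTY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

diagnose "$FAIL" "$CD_OK"     # DNSSEC problem
diagnose "$FAIL" "$FAIL"      # fails even with +cd
diagnose "$EMPTY" "$EMPTY"    # e.g. AAAA not configured
```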
Problem: Intermittent Resolution Failures
The domain works sometimes and fails other times. This is often the hardest type of DNS problem to diagnose.
Common Causes
- Multiple A records with one stale entry: DNS round-robins between good and bad IPs
- One of multiple nameservers is misconfigured: Some queries hit the working server, others hit the broken one
- Flapping DNSSEC: Signature expiration causing intermittent validation failures
- Rate limiting: Your DNS provider is rate-limiting queries and dropping some
Diagnostic Approach
Query each nameserver individually:
```sh
# Get all nameservers
dig example.com NS +short
# Query each one separately
dig @ns1.provider.com example.com A +short
dig @ns2.provider.com example.com A +short
dig @ns3.provider.com example.com A +short
```
If one returns a different result or fails entirely, you have found the problem.
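The per-nameserver comparison can be automated so the odd one out is reported directly. This is an added example, not code from the original page; the function names and the sample answers (including `ns4.provider.com.`) are constructed, and `collect` assumes `dig` is installed.

```sh
#!/bin/sh
# Added example: find the authoritative nameserver that disagrees with the rest.

# outliers: read "NAMESERVER IP [IP...]" lines on stdin and print every
# nameserver whose answer set differs from the majority, or that gave none.
outliers() {
    awk 'NF == 0 { next }
    {
        ns = $1; $1 = ""; n = split($0, ip, " ")
        # sort so round-robin ordering does not look like a difference
        for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
            if (ip[j] < ip[i]) { t = ip[i]; ip[i] = ip[j]; ip[j] = t }
        key = (n ? ip[1] : "NO-ANSWER")
        for (i = 2; i <= n; i++) key = key "," ip[i]
        name[++m] = ns; set[m] = key; count[key]++
    }
    END {
        for (k in count) if (k != "NO-ANSWER" && count[k] > best) { best = count[k]; major = k }
        for (i = 1; i <= m; i++) if (set[i] != major) print name[i], set[i]
    }'
}

# Live use (needs network): collect DOMAIN | outliers
collect() {
    for ns in $(dig +short "$1" NS); do
        printf '%s %s\n' "$ns" "$(dig +short +time=2 +tries=1 "@$ns" "$1" A |
            awk '!/^;/' | paste -s -d ' ' -)"
    done
}

# Constructed sample: ns3 still serves an old address, ns4 does not answer.
SAMPLE='ns1.provider.com. 192.0.2.20 192.0.2.21
ns2.provider.com. 192.0.2.21 192.0.2.20
ns3.provider.com. 192.0.2.10
ns4.provider.com.'

printf '%s\n' "$SAMPLE" | outliers
```

An empty result means every nameserver returned the same record set.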
Essential DNS Troubleshooting Tools
| Tool | Platform | Best For |
|------|----------|----------|
| dig | Linux, macOS, WSL | Detailed DNS queries with full response data |
| nslookup | All platforms | Quick lookups without installing anything |
| host | Linux, macOS | Simple, clean reverse and forward lookups |
| whois | All platforms | Checking domain registration and registrar info |
| Web DNS checkers | Browser | Global propagation and multi-location testing |
| DNS monitoring | SaaS | Continuous automated checking and alerting |
DNS troubleshooting follows a consistent pattern: verify the authoritative source, check what resolvers see, compare the two, and trace the discrepancy. Most problems come down to missing records, stale caches, broken delegation, or DNSSEC issues. A systematic approach finds the answer faster than random troubleshooting.