
Debugging DNS

Ole Michaelis

Here at DNSimple we deal with DNS every day, and as part of offering support to our customers we troubleshoot lots of different types of DNS issues. In this post I want to give you an overview of how to troubleshoot your DNS issue.

There are two tools all of us use to debug any DNS issue. First there is whois, a handy tool to fetch domain-related data from the registry, and then there is dig, which is an abbreviation for domain information groper. Let's take a closer look at both of these tools.

whois

The first step when debugging a DNS issue is to check out what the registry says about the domain, so you use whois to find what's up there. Let's take a look at howdns.works.

$~ whois howdns.works
Domain Name: howdns.works
Registry Domain ID: 0cb56e2719ca49779e3b9758ee7df83f-DONUTS
...
Registrar: eNom, LLC
...
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
...
Registrant Name: Anthony Eden
...
Name Server: ns1.dnsimple.com
Name Server: ns4.dnsimple.com
Name Server: ns3.dnsimple.com
Name Server: ns2.dnsimple.com
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2017-06-22T08:25:32Z <<<

For more information on Whois status codes, please visit https://icann.org/epp

Terms of Use: ...

I removed a bit of the noise you'll usually see in a whois response to highlight the interesting bits. Here you can see the current name servers (we will need this information for the second step), DNSSEC information, the Domain status, and all kinds of contact information for the domain registrar, administrative and tech contacts, etc.

If you would like to learn more about whois, my co-worker Amelia dedicated an entire post to it. Her post is definitely worth a read!

dig

With dig you can dig any information out of any name server on the internet. In its most basic form, you use it like this: dig <DOMAIN>. For example:

$~ dig howdns.works

; <<>> DiG 9.8.3-P1 <<>> howdns.works
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46871
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;howdns.works.			IN	A

;; ANSWER SECTION:
howdns.works.		4502	IN	A	52.84.0.195
howdns.works.		4502	IN	A	52.84.0.146
howdns.works.		4502	IN	A	52.84.0.197
howdns.works.		4502	IN	A	52.84.0.26
howdns.works.		4502	IN	A	52.84.0.217
howdns.works.		4502	IN	A	52.84.0.169
howdns.works.		4502	IN	A	52.84.0.13
howdns.works.		4502	IN	A	52.84.0.14

;; Query time: 216 msec
;; SERVER: 172.20.10.1#53(172.20.10.1)
;; WHEN: Thu Jun 22 12:28:31 2017
;; MSG SIZE  rcvd: 158

This gives you the default domain to IP address mapping. The QUESTION SECTION shows what dig asked the server, and the ANSWER SECTION shows the response. The default question in dig is for an A record, and the response is a set of IP addresses.

We use regional records so that you can use region.dnsimple.com to determine in which region you are currently resolving:

$~ dig TXT region.dnsimple.com +short
"ams"

With the +short option you can skip all the detailed information and just get the record value. In my case it's our ams datacenter where I resolve my records at the moment. Since we run an Anycast network, you may receive a different response depending on where you are located in the world.

You can also query for any other record type like so: dig <RECORD-TYPE> <DOMAIN>.

$~ dig TXT howdns.works

; <<>> DiG 9.8.3-P1 <<>> TXT howdns.works
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63157
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;howdns.works.			IN	TXT

;; ANSWER SECTION:
howdns.works.		3599	IN	TXT	"ALIAS for d15wy2x1yew1be.cloudfront.net"

;; Query time: 87 msec
;; SERVER: 172.20.10.1#53(172.20.10.1)
;; WHEN: Thu Jun 22 16:04:00 2017
;; MSG SIZE  rcvd: 82

In this case you see that we asked for all TXT records. DNSimple ALIAS records always add a TXT record as well, indicating the custom record type ALIAS.

In the response you can also see what server you were talking to: ;; SERVER: 172.20.10.1#53(172.20.10.1). This usually is the DNS server configured by your operating system or via DHCP from the router you are using.

As I mentioned before, with dig you can query any name server on the internet. This is one of the super helpful things I learned for debugging DNS.

Query specific name servers

There are various reasons why you would want to query a different name server. Mostly it is because you want to bypass your local one, ask the famous Google resolvers (8.8.8.8), or see how long your records will be cached at a specific server.

You can do this like so: dig @<NAME-SERVER> <RECORD-TYPE> <DOMAIN>.

You can either use the name server IP or the name server name.

$~ dig @ns1.dnsimple.com howdns.works

; <<>> DiG 9.8.3-P1 <<>> @ns1.dnsimple.com howdns.works
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4308
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;howdns.works.			IN	A

;; ANSWER SECTION:
howdns.works.		3600	IN	A	52.84.0.14
howdns.works.		3600	IN	A	52.84.0.197
howdns.works.		3600	IN	A	52.84.0.169
howdns.works.		3600	IN	A	52.84.0.13
howdns.works.		3600	IN	A	52.84.0.195
howdns.works.		3600	IN	A	52.84.0.146
howdns.works.		3600	IN	A	52.84.0.41
howdns.works.		3600	IN	A	52.84.0.217

;; Query time: 44 msec
;; SERVER: 162.159.24.4#53(162.159.24.4)
;; WHEN: Thu Jun 22 16:14:31 2017
;; MSG SIZE  rcvd: 158
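The two responses above differ in their flags and TTLs. As an added example (not part of the original post), the shell function below reads dig output on stdin and reports whether the answer carries the `aa` (authoritative answer) flag, how many answer records it holds, the lowest TTL, and the server that replied. `dig_summary` is a hypothetical helper name, and the two sample inputs are abbreviated from the outputs shown above.

```shell
# Added example: summarise a dig response read from stdin.
# dig_summary is a hypothetical helper, not part of dig itself.
dig_summary() {
  awk '
    /^;; flags:/ {
      # the flag list sits between "flags:" and the first ";"
      sub(/^;; flags: */, ""); sub(/;.*/, "")
      auth = "non-authoritative"
      n = split($0, f, " ")
      for (i = 1; i <= n; i++) if (f[i] == "aa") auth = "authoritative"
    }
    /^;; SERVER:/ { server = $3 }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^$/ { in_answer = 0 }          # a blank line ends the section
    in_answer && $3 == "IN" {
      count++
      if (min == "" || $2 + 0 < min) min = $2 + 0
    }
    END { printf "%s answers=%d min_ttl=%s server=%s\n", auth, count, min, server }
  '
}

# Sample inputs, abbreviated from the outputs above (two records each).
sample_resolver() { cat <<'EOF'
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
howdns.works.    4502  IN  A  52.84.0.195
howdns.works.    4502  IN  A  52.84.0.146

;; SERVER: 172.20.10.1#53(172.20.10.1)
EOF
}
sample_authoritative() { cat <<'EOF'
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; ANSWER SECTION:
howdns.works.    3600  IN  A  52.84.0.14
howdns.works.    3600  IN  A  52.84.0.197

;; SERVER: 162.159.24.4#53(162.159.24.4)
EOF
}

sample_resolver | dig_summary
sample_authoritative | dig_summary
```

Against a live server, pipe real output into it, for example `dig @ns1.dnsimple.com howdns.works | dig_summary`.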

And last but not least, there is the ability to trace the complete resolution chain.

Trace DNS resolution

Sometimes domains do not resolve as they should. Due to the distributed nature of DNS, it's hard to reproduce a failing case just by doing the same query on my machine. In these cases we ask the customers to execute the following command for us: dig <RECORD-TYPE> <DOMAIN> +trace.

In our example we query for the same TXT record as we already did above.

$~ dig TXT region.dnsimple.com +trace

; <<>> DiG 9.8.3-P1 <<>> TXT region.dnsimple.com +trace
;; global options: +cmd
.			102657	IN	NS	a.root-servers.net.
.			102657	IN	NS	b.root-servers.net.
.			102657	IN	NS	c.root-servers.net.
.			102657	IN	NS	d.root-servers.net.
.			102657	IN	NS	e.root-servers.net.
.			102657	IN	NS	f.root-servers.net.
.			102657	IN	NS	g.root-servers.net.
.			102657	IN	NS	h.root-servers.net.
.			102657	IN	NS	i.root-servers.net.
.			102657	IN	NS	j.root-servers.net.
.			102657	IN	NS	k.root-servers.net.
.			102657	IN	NS	l.root-servers.net.
.			102657	IN	NS	m.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 3562 ms

com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
;; Received 497 bytes from 198.97.190.53#53(198.97.190.53) in 2409 ms

dnsimple.com.		172800	IN	NS	ns1.dnsimple.com.
dnsimple.com.		172800	IN	NS	ns2.dnsimple.com.
dnsimple.com.		172800	IN	NS	ns3.dnsimple.com.
dnsimple.com.		172800	IN	NS	ns4.dnsimple.com.
;; Received 285 bytes from 192.41.162.30#53(192.41.162.30) in 87 ms

region.dnsimple.com.	3600	IN	TXT	"ams"
;; Received 53 bytes from 162.159.26.4#53(162.159.26.4) in 29 ms

Here you can follow every single step of the domain resolution, starting at the root name servers and going down to our very own name servers. We can see all intermediate queries that are made, including their answers. If a domain is signed with DNSSEC there is also some zone signing information within the trace.

$~ dig bingo.pizza +trace +dnssec

; <<>> DiG 9.8.3-P1 <<>> bingo.pizza +trace +dnssec
;; global options: +cmd
.			508541	IN	NS	i.root-servers.net.
.			508541	IN	NS	c.root-servers.net.
.			508541	IN	NS	f.root-servers.net.
.			508541	IN	NS	a.root-servers.net.
.			508541	IN	NS	j.root-servers.net.
.			508541	IN	NS	m.root-servers.net.
.			508541	IN	NS	l.root-servers.net.
.			508541	IN	NS	e.root-servers.net.
.			508541	IN	NS	k.root-servers.net.
.			508541	IN	NS	g.root-servers.net.
.			508541	IN	NS	h.root-servers.net.
.			508541	IN	NS	d.root-servers.net.
.			508541	IN	NS	b.root-servers.net.
.			508543	IN	RRSIG	NS 8 0 518400 20170712050000 20170629040000 14796 . BG8N05rEZ7fPpTx+yKcSSkZevM8CnDUJfbuo4Lhhf3lPzXWXlFtaz7b/ A0LVsqGOQAX2C53920bplM7m8Jl4nV69wSFKqNU8Pd3fAUJbNTo8x5l5 SA1af4jTSPK5ZpABLokGVnUZ3FXURyH/zIZ+UY9L5+sAygNoN3GcFDeO MztFHh9Jpuf3P256ZQaanNmHywv1hPhdeyUm4I8XcJPpRecO7ekzaAjk v2drowlwLCkCZTt/yjCDhXk2oFx7FeD0w8khitILq4TnZ9IOIo5cLbjf mIOprfwXSl5IgnP2qxfdx5wREQeHL61XKtSbXmLcAWu77jfIbUM4v0SJ AKCG9A==
;; Received 1097 bytes from 192.168.178.1#53(192.168.178.1) in 65 ms

pizza.			172800	IN	NS	demand.beta.aridns.net.au.
pizza.			172800	IN	NS	demand.alpha.aridns.net.au.
pizza.			172800	IN	NS	demand.delta.aridns.net.au.
pizza.			172800	IN	NS	demand.gamma.aridns.net.au.
pizza.			86400	IN	DS	46567 8 1 231AFB5B2FA2B83186C851729B35D1ABE44E9478
pizza.			86400	IN	DS	46567 8 2 9E37C81C7E9B01EE8046E5277D0668CF0750F6D192E7D0F213F51110 96BF2CC0
pizza.			86400	IN	RRSIG	DS 8 1 86400 20170712050000 20170629040000 14796 . W+Kq836EI/VfkIiorr1EVBai5KomFcWkyuXXhZR1IVw4HVL1lt+2LXZx xxd4uWAvfRXGmNgOFp0CB8LdPvKUS241tO/DpqoHs80zVnA+Xtt4Khv7 qMrBk+PXOornhXib4zBKT2oJE5321gnNFi5VsoX8K2qTMGe5FrFapa1o tvEuek6Jk/jasXOT2k9DL3te+/lBIDyD0qq0Xka+mq9fb+vP+TBsZlwU l4j8FKbgoFonFAlSK/VCyP1Wg8M8x1N2T/8ONB3XbmKsvvhtEL7UC/wT /RGkDGNcPyil5m2sdLDD5S7bM6SDhLyPx2CyHFroKvN4jgdprW/Ws+zR kQiIUQ==
;; Received 707 bytes from 198.41.0.4#53(198.41.0.4) in 27 ms

bingo.pizza.		86400	IN	NS	ns2.dnsimple.com.
bingo.pizza.		86400	IN	NS	ns3.dnsimple.com.
bingo.pizza.		86400	IN	NS	ns4.dnsimple.com.
bingo.pizza.		86400	IN	NS	ns1.dnsimple.com.
bingo.pizza.		86400	IN	DS	30580 8 2 28BE9152DD18A2306886165AF7339E9737E2FF2E7E8A8AA35E3956D5 6EBD7D8D
bingo.pizza.		86400	IN	RRSIG	DS 8 2 86400 20170729085840 20170629075840 64128 pizza. RII7waroNfD1ZA5vcoCp1pwyqHtkE83zQB9GZRfKg9tJhWAkbQq16CM1 fGHt7bRqLs6muKMT7cXVq+BHM7AZMSECQwcC4+g6aOIQK6E/jLKJ3wcB jW4xR1CSgDZaABLV7nhsOyk2uHRosmptuOrSSBb4xyKHsa44MkXyB4Dz ZAPqYhpGCCklbpOTTlewf8sr5wCdrzKwGip0X93ZpTXqlw==
;; Received 369 bytes from 37.209.196.7#53(37.209.196.7) in 127 ms

bingo.pizza.		3600	IN	A	188.166.203.69
bingo.pizza.		3600	IN	RRSIG	A 8 2 3600 20170927085455 20170629085455 33258 bingo.pizza. hc2uONHeEHPjvKIFYP7DjXTRR8JIG631xyAwIbCqqJWb/l8uNgnUfxNh q0O9du1LOkinkrQg2OH3DIw0duB+9g==
;; Received 163 bytes from 162.159.26.4#53(162.159.26.4) in 2 ms
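Each RRSIG record in the trace above carries an expiration and an inception timestamp (the two 14-digit fields before the key tag), and a signature outside that window fails validation. As an added example (not part of the original post), the function below reads `dig +dnssec` output on stdin and reports the state of every RRSIG at a given time. `rrsig_check` is a hypothetical helper name, and the sample records are taken from the trace above with the signature data replaced by a placeholder.

```shell
# Added example: check RRSIG validity windows in `dig +dnssec` output.
# rrsig_check is a hypothetical helper. Its optional argument is a UTC
# timestamp in the YYYYMMDDHHMMSS form dig prints; it defaults to now.
rrsig_check() {
  now="${1:-$(date -u +%Y%m%d%H%M%S)}"
  awk -v now="$now" '
    $3 == "IN" && $4 == "RRSIG" {
      # $5 type covered, $9 expiration, $10 inception, $11 key tag, $12 signer
      status = "valid"
      if (now > $9)  status = "expired"
      if (now < $10) status = "not-yet-valid"
      if (status != "valid") bad = 1
      printf "%s %s %s keytag=%s signer=%s expires=%s\n", status, $1, $5, $11, $12, $9
    }
    END { exit bad + 0 }   # non-zero when any signature is outside its window
  '
}

# Sample input: RRSIG lines from the trace above, signatures elided.
sample_trace() { cat <<'EOF'
pizza.       86400 IN RRSIG DS 8 1 86400 20170712050000 20170629040000 14796 . <signature>
bingo.pizza. 86400 IN RRSIG DS 8 2 86400 20170729085840 20170629075840 64128 pizza. <signature>
bingo.pizza. 3600  IN RRSIG A 8 2 3600 20170927085455 20170629085455 33258 bingo.pizza. <signature>
;; Received 163 bytes from 162.159.26.4#53(162.159.26.4) in 2 ms
EOF
}

# One day after the capture every signature is inside its window ...
sample_trace | rrsig_check 20170630000000
# ... while on 1 August 2017 the two DS signatures have expired.
sample_trace | rrsig_check 20170801000000 || echo "signature outside its validity window"
```

A "not-yet-valid" result for a freshly signed record usually points at clock skew on the machine doing the check rather than at the zone.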

If you have any trouble with your DNSimple domain, please do not hesitate to drop us a message to support@dnsimple.com or visit the support center where you can also find a similar step by step guide.
