
How to Troubleshoot and Resolve DNS Resolution Failures

March 6, 22:51

DNS resolution failure is one of the most common network issues. When users cannot access websites, it may be due to DNS resolution problems. This article introduces systematic troubleshooting methods and solutions.

Common DNS Resolution Error Types

1. NXDOMAIN (Non-Existent Domain)

Error Message:

shell
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN

(The message "dig: couldn't get address for 'ns.example.com': not found" is a different error: it means the server name given after "@" could not be resolved, not that the queried name does not exist.)

Causes:

  • Domain name spelling error
  • Domain not registered or expired
  • DNS records not configured

2. SERVFAIL (Server Failure)

Error Message:

shell
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL

Causes:

  • The recursive resolver could not obtain a usable answer (authoritative servers down or unreachable)
  • Zone transfer failure: a secondary authoritative server whose copy of the zone has expired
  • DNSSEC validation failure: the resolver validates and the chain of trust (DS/DNSKEY/RRSIG) is broken

3. TIMEOUT

Error Message:

shell
;; connection timed out; no servers could be reached

Causes:

  • Network connection issues
  • DNS server not responding
  • Firewall blocking DNS queries

4. REFUSED

Error Message:

shell
;; ->>HEADER<<- opcode: QUERY, status: REFUSED

Causes:

  • The server is authoritative-only and refuses recursion for names outside its zones (you queried the wrong server)
  • ACL restrictions (for example allow-query / allow-recursion) exclude the client's address

Troubleshooting Flowchart

shell
DNS Resolution Failure
  |
  v
Check network connection --- not working --> fix network
  | working
  v
Check local DNS configuration
  |
  v
Test different DNS servers --- only the configured resolver fails --> change DNS server
  | all fail
  v
Check domain status
  |
  v
Check DNS record configuration
  |
  v
Check TTL and cache

Detailed Troubleshooting Methods

Step 1: Confirm Network Connection

bash
# Test network connectivity by IP (no DNS involved)
ping -c 3 8.8.8.8
# Trace the path to an external host; the first hop is the gateway
traceroute 8.8.8.8
# Check network interface configuration
ip addr show
ifconfig

If Network Not Working:

  • Check Ethernet cable/WiFi connection
  • Restart router
  • Check IP configuration

Step 2: Check Local DNS Configuration

Linux/macOS

bash
# View DNS configuration (on systemd-resolved hosts this may only list the stub 127.0.0.53)
cat /etc/resolv.conf
# View systemd-resolved configuration (resolvectl on current systems, systemd-resolve on older ones)
resolvectl status
systemd-resolve --status
# Check hosts file
cat /etc/hosts

Windows

cmd
REM View DNS configuration
ipconfig /all
REM View hosts file
type C:\Windows\System32\drivers\etc\hosts

Common Issues:

  • Incorrect DNS server addresses
  • Hosts file tampered with
  • Configured non-existent DNS servers

Step 3: Test DNS Servers

bash
# Test with specific DNS servers
dig @8.8.8.8 www.example.com
dig @1.1.1.1 www.example.com
dig @223.5.5.5 www.example.com
# Use nslookup
nslookup www.example.com 8.8.8.8
# Use host
host www.example.com 8.8.8.8

Result Analysis:

  • If another DNS server can resolve the name but the configured one cannot → the configured resolver has issues
  • If all DNS servers fail → the problem is likely the domain or its zone, not the resolver
  • If servers answer with different addresses → possible hijacking or a stale cache (compare against the authoritative server in Step 5)

Step 4: Check Domain Status

bash
# Query domain WHOIS information: registration status and expiry date
whois example.com

Check Points:

  • Domain is registered
  • Domain is not expired
  • Domain is not frozen or deleted

Step 5: Check DNS Record Configuration

bash
# Query domain's NS records
dig NS example.com
# Query the authoritative server directly (bypasses resolver caches)
dig @ns1.example.com www.example.com
# Check SOA record (serial, refresh/expire timers)
dig SOA example.com
# Follow the complete resolution chain from the root servers
dig +trace www.example.com

Common Issues:

  • NS records point to wrong DNS servers
  • A records not configured or incorrectly configured
  • A CNAME placed at a name that also has other records (A, MX, etc.), which the DNS specification forbids

Step 6: Check TTL and Cache

bash
# View resolver cache statistics (Linux, systemd-resolved)
resolvectl statistics
# older systems: systemd-resolve --statistics
# Clear DNS cache
# Linux (systemd-resolved)
sudo resolvectl flush-caches
# older systems: sudo systemd-resolve --flush-caches
# macOS
sudo killall -HUP mDNSResponder
# Windows
ipconfig /flushdns
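The following is an added example and not code from the original article: a small shell helper that applies the error table above and the Step 3 decision rule across several resolvers in one run. It assumes BIND's dig is on PATH; the resolver addresses in the usage line are the public resolvers the article names. Each helper returns its result on stdout so they compose.

```shell
# dns_status: read dig output on stdin and print the RCODE the article lists
# (NOERROR, NXDOMAIN, SERVFAIL, REFUSED), TIMEOUT when no server replied,
# or UNKNOWN when the text is not dig output at all.
dns_status() {
    local out st
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'connection timed out; no servers could be reached'; then
        echo TIMEOUT
        return
    fi
    # the status lives in the ";; ->>HEADER<<- opcode: QUERY, status: X, id: N" line
    st=$(printf '%s\n' "$out" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n1)
    echo "${st:-UNKNOWN}"
}

# resolve NAME RESOLVER: print "STATUS addr..." for one resolver, e.g.
# "NOERROR 192.0.2.1" or just "SERVFAIL". Short timeout so a dead resolver
# does not stall the comparison; "|| true" because dig exits non-zero on timeout.
resolve() {
    local name=$1 server=$2 out status addrs
    out=$(dig @"$server" "$name" A +time=2 +tries=1 2>/dev/null || true)
    status=$(printf '%s\n' "$out" | dns_status)
    # A records from the answer section: "name ttl IN A addr"; ";;" lines are comments
    addrs=$(printf '%s\n' "$out" | awk '$1 !~ /^;/ && $4 == "A" { print $5 }' | sort | tr '\n' ' ')
    addrs=${addrs% }
    echo "$status${addrs:+ $addrs}"
}

# compare_resolvers NAME RESOLVER...: the Step 3 decision rule. Prints one line
# per resolver, then a verdict:
#   ALL_OK   every resolver returns the same A records
#   MIXED    some resolvers fail: the failing resolver is the problem
#   ALL_FAIL no resolver answers: suspect the domain or its zone
#   DIFFER   resolvers disagree: suspect hijacking or a stale cache
compare_resolvers() {
    local name=$1 s line status addrs ok=0 fail=0 ref="" differ=0
    shift
    for s in "$@"; do
        line=$(resolve "$name" "$s")
        echo "$s: $line"
        status=${line%% *}
        addrs=${line#* }
        if [ "$status" = NOERROR ] && [ "$addrs" != "$line" ]; then
            ok=$((ok+1))
            if [ -z "$ref" ]; then ref=$addrs; elif [ "$addrs" != "$ref" ]; then differ=1; fi
        else
            fail=$((fail+1))
        fi
    done
    if [ "$ok" -eq 0 ]; then echo ALL_FAIL
    elif [ "$differ" -eq 1 ]; then echo DIFFER
    elif [ "$fail" -gt 0 ]; then echo MIXED
    else echo ALL_OK
    fi
}

# usage: compare_resolvers www.example.com 8.8.8.8 1.1.1.1 223.5.5.5
```

A NOERROR answer without any A record (for example a NODATA response) is counted as a failure on purpose: the user's problem is "the name does not resolve", and an empty answer is exactly that.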

Common Scenario Solutions

Scenario 1: Local DNS Server Failure

Symptoms:

  • All domains cannot be resolved
  • Works after changing DNS server

Solution:

bash
# Temporarily change DNS (Linux). This overwrites /etc/resolv.conf; on hosts managed by
# NetworkManager or systemd-resolved the file is regenerated, so use the permanent method below.
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
# Permanent change (NetworkManager)
nmcli con mod "connection name" ipv4.dns "8.8.8.8 1.1.1.1"
nmcli con up "connection name"

Scenario 2: Domain Resolution Hijacking

Symptoms:

  • Specific domain resolves to wrong IP
  • Different DNS servers return different results

Solution:

  1. Change to trusted DNS servers (like 1.1.1.1, 8.8.8.8)
  2. Use DoH/DoT encrypted DNS
  3. Check if local hosts file is tampered with
  4. Check router DNS settings

Scenario 3: DNS Records Not Taking Effect

Symptoms:

  • Recently modified DNS records cannot be resolved
  • Some regions can resolve, some cannot

Solution:

  1. Wait for the old record's TTL to expire: caches keep serving the previous answer for at most the TTL it was published with (the often-quoted 24-48 hours is only the worst case for very long TTLs)
  2. Use dig +trace to check resolution chain
  3. Use online tools to check global resolution status

Scenario 4: DNSSEC Validation Failure

Symptoms:

  • Returns SERVFAIL
  • Can resolve after disabling DNSSEC validation

Solution:

bash
# Check DNSSEC status: a validating resolver sets the "ad" flag in a validated answer
dig +dnssec www.example.com
# Check the DS record published in the parent zone
dig DS example.com
# If the DS does not match the zone's DNSKEY, fix the DNSSEC configuration at the domain registrar
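An added example (not code from the original article) for telling the two SERVFAIL causes in this scenario apart from the command line. It assumes BIND's dig and defaults to 1.1.1.1, a validating public resolver the article names: a SERVFAIL that turns into NOERROR once the query carries +cd (checking disabled) means the data is reachable but the chain of trust is broken, while a SERVFAIL that persists with +cd is an ordinary upstream failure.

```shell
dig_status() { sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n1; }
dig_flags()  { sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n1; }

# dnssec_verdict NAME [RESOLVER]: prints one of
#   VALIDATED       answer carries the "ad" flag: resolver validated the chain
#   UNVALIDATED     answer without "ad": resolver does not validate, or the zone is unsigned
#   DNSSEC_FAILURE  SERVFAIL normally but NOERROR with +cd: fix DS/DNSKEY/RRSIG
#   SERVER_FAILURE  SERVFAIL even with +cd: the problem is not DNSSEC
#   TIMEOUT / NXDOMAIN / REFUSED  handled by the earlier troubleshooting steps
dnssec_verdict() {
    local name=$1 server=${2:-1.1.1.1} out status flags
    # "|| true" because dig exits non-zero when no server replies
    out=$(dig @"$server" "$name" A +dnssec +time=2 +tries=1 2>/dev/null || true)
    status=$(printf '%s\n' "$out" | dig_status)
    case "$status" in
        NOERROR)
            flags=$(printf '%s\n' "$out" | dig_flags)
            case " $flags " in
                *" ad "*) echo VALIDATED ;;
                *)        echo UNVALIDATED ;;
            esac ;;
        SERVFAIL)
            # retry with the CD bit: validation is skipped, the data is still fetched
            if [ "$(dig @"$server" "$name" A +cd +time=2 +tries=1 2>/dev/null | dig_status)" = NOERROR ]; then
                echo DNSSEC_FAILURE
            else
                echo SERVER_FAILURE
            fi ;;
        "") echo TIMEOUT ;;
        *)  echo "$status" ;;
    esac
}

# usage: dnssec_verdict www.example.com        (or: dnssec_verdict www.example.com 8.8.8.8)
```

UNVALIDATED against a resolver you know validates (1.1.1.1, 8.8.8.8) usually means the zone simply has no DS in the parent; run the DS query above to confirm before touching the registrar.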

Scenario 5: Firewall Blocking DNS

Symptoms:

  • Cannot connect to DNS servers
  • Timeout errors

Solution:

bash
# Test DNS port connectivity (TCP only: telnet and nc -vz cannot verify UDP/53)
telnet 8.8.8.8 53
nc -vz 8.8.8.8 53
# Check firewall rules (-n keeps ports numeric, otherwise 53 is shown as "domain" and the grep misses it)
sudo iptables -L -n | grep 'dpt:53'

Open DNS Ports:

bash
# Linux (iptables): insert at the top of the chain so the rules take effect before any DROP rule
# (-A appends after an existing DROP and would never be reached); replies must also be accepted
# on INPUT, which the usual ESTABLISHED,RELATED rule does
sudo iptables -I OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -I OUTPUT -p tcp --dport 53 -j ACCEPT
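Added example, not code from the original article, for the firewall scenario. It assumes BIND's dig and a resolver that answers on both transports when nothing filters it (the article's public resolvers do). telnet and "nc -vz" only prove TCP/53, and a UDP probe cannot tell "open" from "filtered"; sending a real DNS query over each transport can, and the split matters because a firewall that passes UDP/53 but drops TCP/53 breaks truncated answers (large records, DNSSEC) and zone transfers while ordinary lookups keep working.

```shell
# transport_ok RESOLVER udp|tcp: succeeds if a query over that transport gets a
# DNS header back (any RCODE counts: this tests the path, not the name)
transport_ok() {
    local server=$1 opt out
    case "$2" in tcp) opt=+tcp ;; *) opt=+notcp ;; esac
    # "|| true" because dig exits non-zero when no server replies
    out=$(dig @"$server" example.com A "$opt" +time=2 +tries=1 2>/dev/null || true)
    printf '%s\n' "$out" | grep -q -- '->>HEADER<<-'
}

# port53_verdict RESOLVER: BOTH_OK | UDP_ONLY | TCP_ONLY | BLOCKED
port53_verdict() {
    local udp=0 tcp=0
    transport_ok "$1" udp && udp=1
    transport_ok "$1" tcp && tcp=1
    case "$udp$tcp" in
        11) echo BOTH_OK ;;
        10) echo UDP_ONLY ;;   # TCP/53 filtered: truncated (large, DNSSEC) answers and AXFR break
        01) echo TCP_ONLY ;;   # UDP/53 filtered: stub resolvers try UDP first and time out
        *)  echo BLOCKED ;;    # nothing gets through: firewall rule or no route to the resolver
    esac
}

# usage: port53_verdict 8.8.8.8
```

Run it against the configured resolver first and a public one second: BLOCKED for both points at the local OUTPUT chain or the gateway, BLOCKED for only the configured resolver points at that server or the path to it.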

Useful Troubleshooting Tools

Command Line Tools

Tool       | Purpose            | Example
-----------|--------------------|------------------------------
dig        | Detailed DNS query | dig +trace example.com
nslookup   | Interactive query  | nslookup -type=mx example.com
host       | Simple query       | host -a example.com
whois      | Domain information | whois example.com
ping       | Connectivity test  | ping 8.8.8.8
traceroute | Route tracing      | traceroute 8.8.8.8

Online Tools

  • DNSChecker.org: Check global DNS resolution status
  • WhatsMyDNS.net: View DNS propagation
  • Google Admin Toolbox: Dig tool
  • MXToolbox.com: Comprehensive DNS check

Troubleshooting Checklist

Basic Checks

  • Network connection is normal
  • DNS server addresses are correctly configured
  • Hosts file is not tampered with
  • DNS service is running

Advanced Checks

  • Domain is registered and not expired
  • NS records are correctly configured
  • A/CNAME records are correctly configured
  • TTL is reasonably set
  • DNSSEC is correctly configured (if enabled)

Network Checks

  • Firewall is not blocking port 53
  • Router DNS settings are correct
  • ISP is not hijacking DNS

Preventive Measures

  1. Use Multiple DNS Servers
shell
nameserver 8.8.8.8
nameserver 1.1.1.1
nameserver 223.5.5.5
     Note that the glibc resolver uses at most three nameserver entries and tries them in order, so a dead first entry still costs a timeout on every lookup; put the most reliable resolver first (or add "options rotate").
  2. Monitor DNS Status

    • Use monitoring tools to regularly check domain resolution
    • Set up DNS change alerts
  3. Set TTL Reasonably

    • Use longer TTL for stable services
    • Lower TTL before changes
  4. Use Trusted DNS Services

    • Public DNS: Google, Cloudflare, Alibaba DNS
    • Consider using DoH/DoT encryption

Summary

Issue Type      | Common Causes                    | Solutions
----------------|----------------------------------|---------------------------------------
NXDOMAIN        | Domain error / not registered    | Check spelling, confirm domain status
SERVFAIL        | Server failure / DNSSEC          | Change DNS, check DNSSEC
REFUSED         | Wrong server / ACL restrictions  | Query a recursive resolver, check ACLs
TIMEOUT         | Network / firewall               | Check network, open ports
Slow resolution | TTL / cache                      | Clear cache, optimize TTL
Hijacking       | Malicious configuration          | Change to trusted DNS, use DoH/DoT

Tags: DNS