Understanding DNS Error Types (Browser Errors)
| Error Message | Meaning | Likely Cause |
|---|---|---|
| DNS_PROBE_FINISHED_NXDOMAIN | Domain does NOT exist | Typo, expired domain, missing NS records |
| DNS_PROBE_FINISHED_NO_INTERNET | No DNS resolution | Local network issue, DNS server down |
| DNS_PROBE_FINISHED_BAD_CONFIG | DNS configuration error | Wrong DNS IP, proxy issues |
| ERR_NAME_NOT_RESOLVED | DNS lookup failed | General DNS failure |
| ERR_CONNECTION_TIMED_OUT | DNS server not responding | Firewall blocking port 53, DNS down |
Basic DNS Diagnostics (What to Check First)
Before diving into complex commands, check these basics:
- Is it just you? Check https://downforeveryoneorjustme.com/
- Can you ping by IP?
  ping 8.8.8.8 (if this works, it's DNS; if not, it's network)
- Can you ping by domain?
  ping google.com
- Flush your DNS cache:
  - Windows:
    ipconfig /flushdns
  - Mac:
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
  - Linux:
    sudo resolvectl flush-caches (older systemd releases: sudo systemd-resolve --flush-caches)
- Change your DNS server: Try Cloudflare (1.1.1.1) or Google (8.8.8.8)
Command Line Tools: dig, nslookup, host
dig (Linux/Mac - Most Powerful)
# Basic lookup
dig example.com
# Get only IP address
dig example.com +short
# Use specific DNS server
dig @8.8.8.8 example.com
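# Get all record types (many servers now give only a minimal answer to ANY, per RFC 8482; query each type separately if the result looks empty)
dig example.com ANY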
# Trace full resolution path
dig example.com +trace
# Check specific record type
dig example.com MX
dig example.com TXT
dig example.com NS
nslookup (Windows/Linux/Mac)
# Basic lookup
nslookup example.com
# Use specific DNS server
nslookup example.com 8.8.8.8
# Interactive mode
nslookup
> set type=MX
> example.com
> exit
# Reverse DNS lookup
nslookup 93.184.216.34
host (Simple, All Platforms)
# Basic lookup
host example.com
# Specific record type
host -t MX example.com
host -t NS example.com
Browser DNS Debugging
Google Chrome / Edge
# View internal DNS cache
chrome://net-internals/#dns
# Clear Chrome DNS cache
chrome://net-internals/#dns → "Clear host cache"
# DNS over HTTPS settings
chrome://settings/security → "Use secure DNS"
Firefox
# DNS cache info
about:networking#dns
# Clear DNS cache
about:networking#dns → "Clear DNS Cache"
# DNS over HTTPS settings
about:preferences#privacy → "DNS over HTTPS"
Common DNS Issues & Quick Fixes
Issue 1: DNS_PROBE_FINISHED_NXDOMAIN
Symptoms: Domain name doesn't exist error
Quick Fixes: Check for typos, verify domain registration, check NS records
Issue 2: DNS Server Not Responding
Symptoms: Timeout errors, slow browsing
Quick Fixes: Restart router, change DNS server to 1.1.1.1, check firewall
Issue 3: Wrong IP Address Resolving
Symptoms: Website goes to wrong server
Quick Fixes: Flush DNS cache, check hosts file, wait for propagation
Advanced Diagnostics: Tracing the Full Resolution Path
To find exactly where DNS resolution is failing, trace the full path from your device to the authoritative nameserver.
Step 1: Check Local Resolution
# Check if /etc/hosts is overriding
grep example.com /etc/hosts
Step 2: Check DNS Resolver Configuration
# Linux
cat /etc/resolv.conf
# Mac
scutil --dns
# Windows
ipconfig /all | findstr /C:"DNS Servers"
Step 3: Trace Resolution with dig +trace
# This shows EVERY step from root to your domain
dig example.com +trace
# Output shows:
# 1. Root servers (.)
# 2. TLD servers (.com)
# 3. Your domain's authoritative nameservers
# 4. The actual answer
Step 4: Check Firewall Connectivity
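# Test UDP port 53 (standard DNS)
# UDP is connectionless, so nc can report success even when packets are dropped; confirm with an actual dig query against the same server
nc -vzu 8.8.8.8 53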
# Test TCP port 53 (for large responses)
nc -vz 8.8.8.8 53
Troubleshooting DNSSEC Issues
Symptoms of DNSSEC Problems:
- Website works with "dnscrypt" but not normally
- Browsers return "SERVFAIL"
- dig returns status: SERVFAIL
Diagnostic Commands:
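# Check if DNSSEC is the problem (disable validation)
# If this query succeeds while the same query without +cd returns SERVFAIL, validation is what is failing
dig +cd example.com A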
# Check DNSKEY records
dig example.com DNSKEY +dnssec
# Validate chain of trust
dig example.com DS +trace
Fixing DNSSEC Issues:
- If DS record is missing → Add at registrar
- If signatures expired → Re-sign zone
- If key mismatch → Verify KSK and ZSK
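The +cd comparison above can be scripted. This is an added example, not part of the original page: it reads the status line from two dig outputs and classifies the result. The function names, verdict strings and sample headers are constructed for illustration, and the check for the `ad` flag (set by a validating resolver on answers it authenticated) goes slightly beyond the commands listed above.

```shell
#!/bin/sh
# Added example (not from the original page): DNSSEC triage from dig output.

# Print the RCODE (NOERROR, SERVFAIL, NXDOMAIN, ...) from dig output on stdin.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the header flags include "ad" (resolver validated the answer).
has_ad_flag() {
  grep -Eq 'flags:[^;]* ad[ ;]'
}

# Combine the status of a normal query ($1) and a +cd query ($2).
classify_dnssec() {
  if [ "$1" = "SERVFAIL" ] && [ "$2" = "NOERROR" ]; then
    echo "dnssec-validation-failure"   # only validation stands in the way
  elif [ "$1" = "SERVFAIL" ]; then
    echo "not-dnssec"                  # still failing with validation off
  elif [ "$1" = "NOERROR" ]; then
    echo "resolves"
  else
    echo "other:$1"
  fi
}

# Live wrapper (needs dig and network). The default resolver is an assumption.
triage() {
  resolver="${2:-1.1.1.1}"
  normal=$(dig "@$resolver" "$1" A | dig_status)
  nocheck=$(dig "@$resolver" +cd "$1" A | dig_status)
  classify_dnssec "$normal" "$nocheck"
}

# Constructed sample headers, shaped like dig's output.
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
```

Source the file and run `triage example.com` for a live check; a result of dnssec-validation-failure points at the DS, signature or key fixes listed above.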
DNS Propagation & Cache Issues
If you've changed DNS records but don't see them, it's almost always a caching issue.
Check Current TTL Values:
# Check TTL on your current record
dig example.com A +ttlid
# Example output: example.com. 300 IN A 93.184.216.34
# 300 = 5 minutes TTL
Check Global Propagation Status:
# Check from multiple global resolvers
for server in 1.1.1.1 8.8.8.8 208.67.222.222 9.9.9.9; do
  echo "=== $server ==="
  dig "@$server" example.com A +short
  sleep 1
done
DNS Security Issues (Hijacking, Spoofing)
Check for DNS Hijacking:
# Compare response from your router vs trusted resolver
# Your router's DNS
dig example.com @192.168.1.1
# Trusted public resolver
dig example.com @1.1.1.1
# If results differ, your router may be hijacked
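Comparing the two outputs by eye is error-prone because resolvers return round-robin records in varying order and `dig +short` also prints CNAME targets. This added example (not part of the original page) normalizes both answers before comparing them. The function names, verdict strings and sample addresses are constructed, and the "overlap" verdict is an assumption added here for domains that legitimately rotate addresses.

```shell
#!/bin/sh
# Added example (not from the original page): compare two resolvers' answers.

# Keep only IP addresses from `dig +short` output on stdin, sorted and unique.
# dig +short also prints CNAME targets (they end in a dot); those are dropped.
normalize_answers() {
  grep -E '^[0-9A-Fa-f.:]+$' | grep -v '\.$' | sort -u
}

# Compare two `dig +short` outputs ($1 = router, $2 = trusted resolver).
compare_answers() {
  a=$(printf '%s\n' "$1" | normalize_answers)
  b=$(printf '%s\n' "$2" | normalize_answers)
  if [ -z "$a" ] || [ -z "$b" ]; then echo "no-answer"; return 0; fi
  if [ "$a" = "$b" ]; then echo "match"; return 0; fi
  for ip in $a; do
    if printf '%s\n' "$b" | grep -Fxq -- "$ip"; then
      echo "overlap"; return 0     # shared address: likely rotation
    fi
  done
  echo "differ"                    # disjoint sets: investigate the router
}

# Live wrapper (needs dig and network); resolver addresses are the page's.
check_hijack() {
  router="${2:-192.168.1.1}"; trusted="${3:-1.1.1.1}"
  compare_answers "$(dig "@$router" "$1" A +short)" \
                  "$(dig "@$trusted" "$1" A +short)"
}

# Constructed sample outputs (documentation address ranges).
ROUTER_OK='203.0.113.20
203.0.113.10'
TRUSTED_OK='www.example.net.
203.0.113.10
203.0.113.20'
ROUTER_BAD='198.51.100.66'
```

Run `check_hijack` against several unrelated domains; a "differ" verdict on names that do not sit behind a CDN is the case that warrants checking the router settings.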
Check Router DNS Settings:
- Log into router admin panel (usually 192.168.1.1)
- Check DNS server settings under WAN/Internet settings
- Reset to automatic or set to 1.1.1.1 and 8.8.8.8
Esoteric DNS Issues (Advanced)
Issue: CNAME at Zone Apex (Root Domain)
Problem: CNAME records cannot coexist with other record types at the root domain, and the zone apex always carries SOA and NS records.
Fix: Use a provider that supports ALIAS, ANAME, or CNAME flattening.
Issue: TCP vs UDP Fallback Problems
Symptom: Large DNS responses (>512 bytes) fail
Fix: Ensure firewall allows TCP port 53: dig +tcp example.com ANY
Quick Diagnostic Checklist:
# Check for DNS response size issues
dig +stats example.com ANY
# Check for EDNS0 support
dig +edns=0 example.com
# Check for DNSSEC compatibility
dig +dnssec +cd example.com SOA
