🌐 DNS Deep Dive
8 分钟阅读
DNS Monitoring and Troubleshooting Tools
Master DNS troubleshooting with dig, nslookup, and monitoring tools. Diagnose resolution failures, propagation issues, and performance problems.
Essential DNS Troubleshooting Commands
dig (Domain Information Groper)
dig is the most powerful DNS troubleshooting tool. It provides detailed query and response information:
# Basic A record lookup
dig example.com
# Query specific record type
dig example.com MX
dig example.com TXT
dig example.com AAAA
# Query a specific DNS server
dig @8.8.8.8 example.com
# Trace the full resolution path
dig +trace example.com
# Short output (just the answer)
dig +short example.com
# Show all records
dig example.com ANY
Understanding dig Output
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 3600 IN A 93.184.216.34
;; Query time: 23 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; MSG SIZE rcvd: 56
Key fields: TTL (3600 seconds remaining), Query time (23ms latency), SERVER (which resolver answered).
nslookup
Simpler than dig, available on all platforms including Windows:
# Basic lookup
nslookup example.com
# Specify record type
nslookup -type=MX example.com
# Use a specific DNS server
nslookup example.com 8.8.8.8
host
The simplest DNS lookup tool:
host example.com
host -t MX example.com
host 93.184.216.34 # Reverse lookup
Common DNS Problems and Solutions
Domain Not Resolving
# Step 1: Check if the domain resolves from a public DNS
dig @8.8.8.8 example.com
# Step 2: Check your local resolver
dig @127.0.0.1 example.com
# Step 3: Check the authoritative servers directly
dig NS example.com
dig @ns1.example.com example.com
If public DNS works but local does not, the issue is with your local resolver or cache. Flush your DNS cache.
Propagation Delays
After changing DNS records, different resolvers see the update at different times based on caching:
# Check the current TTL (time remaining in cache)
dig example.com | grep -A1 "ANSWER SECTION"
# Check multiple resolvers to see propagation status
for dns in 8.8.8.8 1.1.1.1 9.9.9.9 208.67.222.222; do
echo "=== $dns ==="
dig @$dns +short example.com
done
DNSSEC Validation Failures
# Check if DNSSEC is causing resolution failures
dig +dnssec example.com
# Check DNSSEC chain of trust
dig +trace +dnssec example.com
# Test with DNSSEC validation disabled
dig +cd example.com # CD = Checking Disabled
DNS Monitoring Tools
| Tool | Type | Use Case |
|---|---|---|
| DNSViz (dnsviz.net) | Web | Visualize DNSSEC chain, detect configuration errors |
| MXToolbox | Web | DNS, mail, and blacklist diagnostics |
| Pingdom | SaaS | DNS monitoring with alerts |
| dnsperf | CLI | DNS server performance benchmarking |
| dnstop | CLI | Real-time DNS query monitoring on a server |
| Prometheus + dns_exporter | Self-hosted | Continuous DNS monitoring with Grafana dashboards |
DNS Performance Testing
# Measure resolution time
dig example.com | grep "Query time"
# Benchmark resolver performance
# Install dnsperf
dnsperf -d queryfile.txt -s 1.1.1.1 -l 30
# Compare resolver latency
for dns in 1.1.1.1 8.8.8.8 9.9.9.9; do
echo -n "$dns: "
dig @$dns example.com | grep "Query time"
done