yukt.tools
blog
Tools Guide

DNS Dig Troubleshooting: A Practical Guide

Use dig to debug DNS records, propagation, TTLs, DNSSEC, and resolver differences with clear examples and practical next steps.

Published 2026-06-19 · Updated 2026-06-19 · 4 min read

A practical guide for developers, operators, founders, and Canadian users who need to diagnose DNS issues without ad clutter.

Start With The Exact Symptom

DNS troubleshooting is faster when you start with the failure you can observe, not with a broad record search. Decide whether the problem is a missing record, an unexpected answer, a slow propagation change, a resolver disagreement, or a validation issue such as DNSSEC.

For example, if a new TXT record is not visible, check the authoritative nameserver first before comparing public resolvers. If a website is not loading after a DNS change, check A, AAAA, CNAME, and NS records before assuming the application is broken.

  • Use A and AAAA checks for website reachability issues.
  • Use CNAME checks when a hostname should point to another hostname.
  • Use MX and TXT checks for mail setup, domain verification, SPF, DKIM, and DMARC.
  • Use NS and SOA checks when delegation or propagation looks inconsistent.
  • Use DNSSEC checks when authenticity validation matters, including DNS-AID-related records.

Compare Authoritative And Public Resolvers

A common dig mistake is checking only one resolver and treating the answer as final. DNS answers can differ because of cache, TTL, resolver policy, or delegation problems. Start with the authoritative source, then compare it with resolvers your users are likely to hit.

In a terminal workflow, that usually means checking the domain nameservers, querying one authoritative server directly, then comparing a public resolver such as 1.1.1.1 or 8.8.8.8. In yukt.tools, the DNS dig utility can support this kind of focused lookup without extra interface clutter.

  • Find nameservers with a NS lookup.
  • Query an authoritative nameserver directly for the record type you changed.
  • Compare the answer against one or two public resolvers.
  • Check TTL values before deciding whether a change is genuinely stuck.
  • Record the exact hostname, record type, resolver, answer, and time checked.

What Should I Check When A DNS Change Has Not Propagated?

First, confirm that the new record exists at the authoritative nameserver. If it is missing there, the issue is usually with the DNS provider, zone file, or the hostname you updated. If it exists there but not on public resolvers, the issue is more likely cache timing, TTL, or resolver-specific behavior.

Next, check whether you changed the correct record. A common example is updating example.com while the failing service uses www.example.com, api.example.com, or a verification-specific TXT hostname. DNS dig troubleshooting should stay precise: hostname, type, resolver, answer, TTL.

  • If authoritative DNS is wrong, fix the zone before testing resolvers again.
  • If authoritative DNS is right but public DNS is old, wait for TTL expiry and retest.
  • If only one resolver is wrong after TTL expiry, compare multiple resolvers before escalating.
  • If DNSSEC is enabled, validate signatures rather than checking record presence only.

Use Concrete Commands And Save The Evidence

When debugging with a teammate, registrar, hosting provider, or DNS provider, vague notes like "DNS is broken" slow everyone down. Share the lookup target, record type, resolver, and observed answer. This makes the issue reproducible.

Useful examples include checking an A record for a site hostname, a TXT record for verification, or an MX record for mail routing. Related yukt.tools utilities such as JSON formatting, URL encoding, timestamp conversion, and UUID generation can sit beside this workflow when you are preparing support notes, API payloads, or deployment records.

  • Example target: api.example.com A via authoritative nameserver.
  • Example target: example.com TXT via 1.1.1.1 and 8.8.8.8.
  • Example target: example.com MX with TTL included.
  • Example note: changed at 2026-06-19 14:20 America/Toronto; old TTL was 3600 seconds.

Know When DNS Is Not The Root Cause

A correct DNS answer does not prove the full service is healthy. If the hostname resolves to the expected address, continue with HTTP status checks, TLS certificate checks, application logs, firewall rules, CDN configuration, and deployment status.

Use DNS dig troubleshooting as the first narrowing step. It tells you whether the name resolves as expected, whether resolvers agree, and whether validation looks credible. From there, move to the layer that actually fails instead of repeatedly changing DNS records.

  • If DNS resolves correctly but the site fails, check TLS, HTTP, and hosting configuration.
  • If mail records are correct but messages fail, inspect mail provider diagnostics and authentication reports.
  • If verification TXT records are present, confirm the exact hostname expected by the third-party service.
  • If DNS-AID records are present, validate DNSSEC before relying on the discovery signal.

Frequently asked questions

What is the fastest way to troubleshoot DNS with dig?

Check the exact hostname and record type against the authoritative nameserver first, then compare public resolvers and TTL values.

Why do two DNS resolvers return different answers?

Resolver caches, TTL timing, delegation changes, and resolver policy can produce different answers. Compare results after the old TTL should have expired.

Does a correct dig result mean my website or app is working?

No. A correct DNS answer only confirms name resolution. You still need to check TLS, HTTP responses, hosting, CDN, and application behavior.