Guide

Concepts and learning path

Troubleshooting

Failure modes and fixes

Cheatsheet

Commands to keep handy

DNS troubleshooting

Hostname resolves on one host but not another

Compare /etc/resolv.conf, /etc/hosts, and grep hosts /etc/nsswitch.conf on both machines. Test with getent hosts hostname and dig @nameserver hostname to separate local config from upstream DNS.

`dig` works but application still fails

dig talks DNS directly; apps use NSS via getaddrinfo. A stale /etc/hosts or NSS ordering issue may cause applications to return a different result than dig. Run getent hosts api.example.com to mirror the app path.

Tip: SERVFAIL vs NXDOMAIN

This distinction comes up constantly when reading dig output.

NXDOMAIN — the name does not exist (no such record in the zone)
SERVFAIL — the resolver could not answer (DNSSEC failure, upstream issue, timeout, misconfiguration, etc.)

dig hostname

Check the status line in the answer section:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: ...

These imply completely different troubleshooting paths — NXDOMAIN points at the name or zone (typo, missing record); SERVFAIL points at resolver health, DNSSEC, or upstream authority problems.

`Could not resolve host` / `Name or service not known`

Check that nameservers in /etc/resolv.conf are reachable (dig @10.0.0.2 example.com). Verify the DNS service is running (systemctl status systemd-resolved). Confirm outbound UDP/TCP port 53 is not blocked by a firewall.

Intermittent or slow resolution

Look for unreachable nameservers listed first in resolv.conf — libc tries them in order and waits for timeouts. Remove dead servers or set options timeout:1 attempts:2. Check for IPv6 AAAA lookups timing out when only IPv4 works: dig AAAA hostname.

Wrong IP returned

Inspect /etc/hosts for overrides. Compare dig +short hostname against getent hosts hostname. Public resolvers may legitimately return different answers due to GeoDNS, split-horizon DNS, or load balancing. Stale resolver cache can also cause this: resolvectl flush-caches (systemd-resolved) or restart the caching service.

Short hostname resolves unexpectedly

The search directive appends domains to unqualified names. db may become db.internal.example.com. Use FQDNs in configs, or audit the search list in /etc/resolv.conf.

systemd-resolved conflicts

On systemd systems, /etc/resolv.conf may be a symlink managed by resolved. Editing it directly can be overwritten at reboot.

ls -l /etc/resolv.conf
resolvectl status
# Set DNS per-interface or in /etc/systemd/resolved.conf

Use resolvectl dns eth0 10.0.0.2 or configure DNS= in a .network file for persistent changes.

Debugging workflow

1. Compare NSS path vs raw DNS

getent hosts api.example.com
dig +short api.example.com
grep api /etc/hosts

2. Test each configured nameserver

grep nameserver /etc/resolv.conf
dig @10.0.0.2 api.example.com +time=2 +tries=1

3. Trace delegation for public names

dig +trace api.example.com

Reverse DNS (PTR) mismatches

Mail servers and some APIs require forward and reverse DNS to align:

dig +short example.com A
dig +short -x 93.184.216.34 PTR

Practice scenarios

Hands-on DNS scenarios on live Linux VMs: dns

Cheatsheet →