ipdetecto.com
Troubleshooting
Apr 19, 2026

Commands for DNS Troubleshooting

Use dig with +trace and +tcp, compare resolvers, validate DNSSEC with delv, inspect systemd-resolved or Windows ipconfig cache, and catch stale TTL or split-horizon mismatches.

Recursive vs authoritative

Your laptop talks to a recursive resolver (ISP, Google, Cloudflare, or internal AD DNS). Authoritative servers for a zone only answer when the query reaches them along delegations. `dig +trace` walks the delegations itself, starting from the root, so you can spot lame delegations or wrong NS glue.

Everyday commands

| Scenario | Command | Signal |
|---|---|---|
| Which resolver answers | `dig example.com` | SERVER line in output footer |
| Delegation faults | `dig +trace example.com` | SERVFAIL at a specific hop |
| UDP path broken | `dig +tcp @resolver example.com` | Works over TCP only |
| DNSSEC validation | `delv example.com` | insecure vs bogus vs ok |

Stub resolvers

On systemd systems, `resolvectl query host` shows how the stub resolver at 127.0.0.53 forwards. On Windows, `ipconfig /displaydns` reveals negative caching; flush only after you fix the authoritative side.


Frequently Asked Questions

Q. Why does dig work but the browser still shows the old site?

Browser DNS cache, DoH to another resolver, or a CDN edge holding stale records—compare `dig` against the resolver your browser uses and check TTL remaining.

Q. What does SERVFAIL from a public resolver mean?

The resolver could not get a valid answer—often broken DNSSEC, lame delegation, or an authoritative timeout. Re-run `dig +trace` from your laptop to see where the chain stops.

Q. When should I use dig +tcp instead of UDP?

When UDP is filtered, fragmented, or middleboxed; large responses also trigger truncation that retries over TCP. If `+tcp` fixes the issue, inspect path MTU and firewall rules.

Q. How do I compare two resolvers fairly?

Run `dig @8.8.8.8` vs `dig @1.1.1.1` with `+stats` and the same QNAME/QTYPE. Cold cache vs warm cache skews first queries—repeat twice.

Q. Why does delv say bogus while dig returns A records?

Plain `dig` may not validate DNSSEC. `bogus` means signatures fail; fix DS records at the registrar or repair broken ZSK/KSK rotation on the authoritative side.

Q. Does flushing systemd-resolved fix authoritative mistakes?

Only locally: it clears cached NXDOMAIN or stale TTL. If authoritative data is wrong, flushing clients does not change what the rest of the internet sees.

Q. Why does internal split DNS differ from public DNS?

Corporate resolvers override public zones for intranet names. Test with `dig @corp-resolver` vs `dig @1.1.1.1` to confirm intentional split horizon.
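
The resolver comparison from the two answers above (same QNAME/QTYPE against two resolvers, then checking for split horizon), as an added example that is not part of the original page: shell functions that parse captured `dig` output and report whether the rcode or the answer set differs. The function names, the `app.example.com` name, the 10.0.0.53 corporate resolver address and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two captured `dig` outputs for the same QNAME/QTYPE.
# Live use: compare_resolvers "$(dig @1.1.1.1 NAME A)" "$(dig @corp-resolver NAME A)"

dig_status() {   # rcode from the header: NOERROR, SERVFAIL, NXDOMAIN, ...
  awk '/->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") { sub(/,$/, "", $(i+1)); print $(i+1) } }'
}
dig_server() {   # resolver that actually answered, from the ";; SERVER:" footer line
  awk '/^;; SERVER:/ { sub(/#.*/, "", $3); print $3 }'
}
dig_rrset() {    # "TYPE RDATA" per answer, sorted and comma-joined so record order does not matter
  awk '/^;; ANSWER SECTION:/ { a = 1; next } /^$/ { a = 0 }
       a && $3 == "IN" { r = $4; for (i = 5; i <= NF; i++) r = r " " $i; print r }' | sort | paste -sd, -
}
dig_min_ttl() {  # lowest TTL remaining among the answers (prints nothing if there are none)
  awk '/^;; ANSWER SECTION:/ { a = 1; next } /^$/ { a = 0 }
       a && $3 == "IN" && (m == "" || $2 + 0 < m) { m = $2 + 0 } END { if (m != "") print m }'
}
compare_resolvers() (   # $1, $2: full dig output text; the ( ) body keeps variables local
  rc1=$(printf '%s\n' "$1" | dig_status); rc2=$(printf '%s\n' "$2" | dig_status)
  rr1=$(printf '%s\n' "$1" | dig_rrset);  rr2=$(printf '%s\n' "$2" | dig_rrset)
  if   [ "$rc1" != "$rc2" ]; then echo RCODE_MISMATCH
  elif [ "$rr1" != "$rr2" ]; then echo RRSET_MISMATCH   # split horizon, geo answer, or stale cache
  else echo MATCH; fi
  for out in "$1" "$2"; do   # evidence lines: who answered, with what, and the TTL remaining
    printf '  %s rcode=%s ttl=%s rrset=[%s]\n' "$(printf '%s\n' "$out" | dig_server)" \
      "$(printf '%s\n' "$out" | dig_status)" "$(printf '%s\n' "$out" | dig_min_ttl)" \
      "$(printf '%s\n' "$out" | dig_rrset)"
  done
)

# Constructed sample outputs (trimmed to the lines the parsers read); not captured from real servers.
PUBLIC_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242

;; ANSWER SECTION:
app.example.com.  300 IN A 192.0.2.11
app.example.com.  300 IN A 192.0.2.10

;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)'
CORP_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243

;; ANSWER SECTION:
app.example.com.  3600 IN A 10.20.0.5

;; SERVER: 10.0.0.53#53(10.0.0.53) (UDP)'

compare_resolvers "$PUBLIC_OUT" "$CORP_OUT"
```

An `RRSET_MISMATCH` between a corporate and a public resolver is expected for an intentional split-horizon name; between two public resolvers, compare the `ttl=` values on a second run to tell a stale cache from a real difference.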

Q. What log fields help on authoritative BIND/Knot servers?

Client IP, QNAME, QTYPE, response code, and query time—correlate spikes with resolver retries after upstream latency events.