What to do when nslookup & dig disagree?

John Shaver bobjohnbob at gmail.com
Wed Feb 5 13:55:19 MST 2014


On Wed, Feb 5, 2014 at 12:18 PM, S. Dale Morrey <sdalemorrey at gmail.com>
wrote:
So I'm having a very strange problem on one of my sites.
A day or so ago we moved off cloudfront and onto someone else.

Now the site resolves for some people and not others (admitedly in
different parts of the world).
This would be somewhat expected behavior I guess, except for the fact that
when I test it the site pulls up fine and snappy in the webbrowser but SSH
can't connect.

nslookup shows that there is no DNS entry
dig shows the server and it's name servers.

Here is a quick example to verify that dns is correctly setup (even if not
yet propagated).

I'll use my domain jshaver.net as an example.

let's start by checking what the authoritative dns servers for the net.
domain are (since I don't have them memorized):

$ dig NS net

In the answer section you see :

;; ANSWER SECTION:
net. 84911 IN NS j.gtld-servers.net.
net. 84911 IN NS f.gtld-servers.net.
net. 84911 IN NS i.gtld-servers.net.
net. 84911 IN NS l.gtld-servers.net.
net. 84911 IN NS g.gtld-servers.net.
net. 84911 IN NS a.gtld-servers.net.
net. 84911 IN NS e.gtld-servers.net.
net. 84911 IN NS c.gtld-servers.net.
net. 84911 IN NS h.gtld-servers.net.
net. 84911 IN NS b.gtld-servers.net.
net. 84911 IN NS d.gtld-servers.net.
net. 84911 IN NS m.gtld-servers.net.
net. 84911 IN NS k.gtld-servers.net.


Pick one and do:

$ dig NS jshaver.net @d.gtld-servers.net.

...

;; AUTHORITY SECTION:
jshaver.net. 172800 IN NS ns-us.1and1-dns.us.
jshaver.net. 172800 IN NS ns-us.1and1-dns.de.
jshaver.net. 172800 IN NS ns-us.1and1-dns.org.
jshaver.net. 172800 IN NS ns-us.1and1-dns.com.

...

Now you can query each of the name servers for the domain to see if it has
the correct records:

$ dig @ns-us.1and1-dns.com jshaver.net
$ dig @ns-us.1and1-dns.org jshaver.net
$ dig @ns-us.1and1-dns.de jshaver.net
$ dig @ns-us.1and1-dns.us jshaver.net


If you don't want to just check the A record results, then you can specify
NS, MX or other records to query.

If the records are set on all of your name servers, then it's just a matter
of the records propagating to the DNS provider (usually their internet
provider) of the person trying to resolve the domain.

If you want to know what DNS server dig pulled the information from it
shows at the bottom of the query result:

;; Query time: 3 msec
;; SERVER: 10.1.200.90#53(10.1.200.90)
;; WHEN: Wed Feb  5 13:37:33 2014
;; MSG SIZE  rcvd: 74


You can use the -x parameter with dig to do a reverse lookup on the ip
address of the server, if you'd like.

I don't know alot about nslookup, but I know that windows keeps it's own
dns cache that you can flush with ipconfig /flushdns.


Also:

If you query a non authoritative DNS server you will see the countdown on
the TTL:

$ dig jshaver.net

;; ANSWER SECTION:
jshaver.net. 85916 IN A 98.202.125.211

That DNS server is caching that record for another 85,916 seconds.


If I check xmission's DNS server:

$ dig @198.60.22.2 jshaver.net

;; ANSWER SECTION:
jshaver.net. 86377 IN A 98.202.125.211

They will cache it for 86,377 more seconds.


These are some of the ways I use dig when trying to trouble shoot if
something is a DNS propagation issue or something else.

-John


More information about the PLUG mailing list