Troubleshooting DNS Outages: How to Read 'dig' and 'nslookup' Output
Master the command line. Learn how to interrogate authoritative name servers using dig and nslookup to diagnose frustrating cache and routing issues.
The Blank White Screen of Panic
You updated your domain's DNS records hours ago to point to your new expensive cloud server, but when you type your domain into the browser... nothing happens. Or worse, it loads the old server for you, but the new server for your coworker.
Browser extensions and web caches often lie to you. When DNS is failing, engineers open the terminal. Today, we will learn how to read the undeniable truth using `nslookup` and `dig`.
Beginner Mode: Using nslookup
Native to Windows (and available everywhere), `nslookup` allows you to directly interrogate servers.
Open your command prompt and type:
`nslookup getdnsinfo.com`
You will see:
```
Server: UnKnown
Address: 192.168.1.254
Non-authoritative answer:
Name: getdnsinfo.com
Addresses: 104.21.XX.XX
172.67.XX.XX
```
What does this mean?
The "Server" line tells you who you just asked (usually your home local router acting as a DNS forwarder).
The phrase "Non-authoritative answer" means your router had the answer stored in its local cache; it didn’t actually go ask the master domain registrar.
To ask for a specific record, like MX records:
`nslookup -type=mx getdnsinfo.com`
Expert Mode: Using dig (Domain Information Groper)
`dig` is the undisputed king of DNS troubleshooting, native to Linux and MacOS, giving explicitly detailed feedback.
Running a basic query:
`dig getdnsinfo.com A`
The output delivers massive metadata:
```
;; ANSWER SECTION:
getdnsinfo.com. 300 IN A 104.21.XX.XX
```
Look at the 300. That is the Time-To-Live (TTL). It tells you exactly how many seconds are left before your internet cache will drop the old record and hunt for a new one.
Tracing the Root Cause
The greatest power of `dig` is interrogating specific servers directly. If you want to know what Google’s public DNS thinks your site is doing, append `@8.8.8.8`.
`dig @8.8.8.8 getdnsinfo.com`
But what if you want to bypass all caches on earth and interrogate the absolute root authority nameservers that physically control your domain? Use the `+trace` command.
`dig getdnsinfo.com +trace`
This command maps the exact routing path. It queries the global Root Servers, which bounce it to the .Com TLD servers, which bounce it to your registrar name servers (like AWS or Cloudflare).
If this trace outputs your new IP perfectly, but a standard browser ping outputs a failure, you know with absolute mathematical certainty that your DNS configuration is scientifically flawless, and your local ISP is simply dragging its feet respecting the TTL cache.
If terminal commands aren't your style, remember you can query all records globally against authoritative sources using our visual DNS Lookup tool directly on our website.
