Troubleshooting DNS – Terminal Commands
If you are trying to troubleshoot your DNS, and check why it might not be working properly, try some of these commands to help you out. We will be using the command line and nslookup/dig plus a few useful services to see what is going on.
Troubleshooting DNS via the command prompt or terminal
If you are trying to troubleshoot your DNS resolution, we recommend opening up your command prompt (if on Windows) or Terminal (if on Mac/Linux) to make the process easier. In this guide we will use the nslookup command for Windows and the dig command for Mac/Linux. Hopefully it will help you understand and identify what is going on with your DNS resolution when a problem arises.
Test 1: What DNS resolver am I using?
If you want to quickly see what DNS resolver you are using, run this command (nslookup on Windows, dig on Mac/Linux):
dig www.google.com | grep SERVER
Both will reply with the DNS server you are using. This is especially useful if you tried to change your DNS resolver but are not sure the change took effect. For nslookup on Windows, you will see the DNS server information right at the top:
Server: 192.168.10.1
Address: 192.168.10.1#53
In the example above, you can see that I am using 192.168.10.1 as my DNS resolver, which is likely my router IP address. There is one caveat: It may not display your real resolver if your router is configured as a forwarder (pretty common).
Test 2: What’s my real DNS resolver?
The first example showed which DNS resolver your computer is initially talking to, but it doesn’t really tell you which DNS resolver is actually contacting the DNS authoritative servers. If you configured CleanBrowsing or OpenDNS on your router, you would still see the router IP address in your config.
To find the real resolver, try this command:
Windows:
nslookup -type=txt -class=chaos version.bind
Mac/Linux:
dig +short -t TXT -c chaos version.bind @184.108.40.206
This command requests the “version.bind” record that most providers make available. For example, if you are using CleanBrowsing, this is what you would see:
dig +short -t TXT -c chaos version.bind
"CleanBrowsing v1.4a - dns-edge-usa-west-la"
This is also useful for seeing which datacenter you are being routed to. The same command works for other providers:
$ dig +short -t TXT -c chaos version.bind @220.127.116.11
"Q9-P-5.1"
$ dig +short -t TXT -c chaos version.bind @18.104.22.168
"Freenom World (www.freenom.world) - use 22.214.171.124 to resolve fast and anonymous"
However, that’s not foolproof. OpenDNS, for example, does not support it, but they have their own custom domain for debugging:
$ dig +short -t TXT debug.opendns.com @126.96.36.199
"server m35.lax"
"flags 20 0 70 180000000000000000003950800780000000000"
"originid 0"
"actype 0"
"source 188.8.131.52:33187"
Others, like Yandex DNS, show the DNS software version they are running (a nod to PowerDNS):
$ dig +short -t TXT -c chaos version.bind @184.108.40.206
"PowerDNS Recursor 4.0.8 (built Dec 11 2017 10:39:35 by root@4351f9921268)"
If you are not getting any result from this command, it means your DNS resolver doesn’t support it. Keep reading.
Test 3: What IP address is my DNS resolver using?
The following test will help you identify which IP address your DNS resolver is using. Based on that, we can likely guess which provider you have configured. We leverage a very useful DNS API by the PowerDNS team to do so:
Windows:
nslookup -type=txt iptest.whois.dnscontest.cleanbrowsing.org
Mac/Linux:
dig +short -t txt iptest.whois.dnscontest.cleanbrowsing.org
The result of this command will be the IP address used to contact the DNS API endpoint. For example, for CleanBrowsing, you would see:
And if you run the reverse lookup for that IP, it will show the PTR record that we configured:
$ nslookup 220.127.116.11
Non-authoritative answer:
18.104.22.168.in-addr.arpa name = dns-edge-usa-west-la.cleanbrowsing.org.
That confirms you are using CleanBrowsing. If the reverse lookup doesn’t give you a hint, try running whois on the IP address.
In this example, I was able to identify CleanBrowsing’s Free Family filter using IPv6 (e.g., 2a0d:2a00:1::):
$ whois 2a0d:2a00:1::
inet6num: 2a0d:2a00:1::/48
netname: DNS-ANYCAST-CLEANBROWSING
country: CA
Test 4: Checking why a domain is not loading
If you need to check why a domain is not loading, try these commands (replace example.com with the one you are testing):
Windows:
nslookup -type=txt example.com
Depending on the answer, you will be able to tell what is going on. If you get a SERVFAIL error, it might mean a broken DNSSEC configuration. If that happens, I recommend going to DNSViz to confirm.
On CleanBrowsing, if you see an SOA with the entry cleanbrowsing.rpz.noc.org. accesspolicy.rpz.noc.org, it means the filter blocked access to the specified domain. If you get a proper response from these commands, your problem is likely elsewhere and not at the DNS level.
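As an added example (not code from the original guide), here is a small POSIX sh helper that applies the Test 4 rules above to the output of dig and prints the likely cause. The sample captures are constructed, not real dig sessions, and the NXDOMAIN branch is an addition beyond what the guide lists.

```shell
# Reads `dig <domain>` output on stdin and maps it to a likely cause,
# following the Test 4 rules. Usage: dig example.com | diagnose_dig
diagnose_dig() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
    echo "servfail: resolver failed, often a broken DNSSEC chain; confirm with DNSViz"
  elif printf '%s\n' "$out" | grep -q 'rpz\.noc\.org'; then
    echo "blocked: the CleanBrowsing filter returned its RPZ SOA, access is blocked"
  elif printf '%s\n' "$out" | grep -q 'status: NXDOMAIN'; then
    # Added beyond the guide: the name does not exist at the authoritative servers
    echo "nxdomain: the name does not exist, check the zone at the authoritative servers"
  elif printf '%s\n' "$out" | grep -q 'status: NOERROR' \
    && printf '%s\n' "$out" | grep -q 'ANSWER: [1-9]'; then
    echo "ok: DNS answered, the problem is likely elsewhere"
  else
    echo "unknown: inspect the output by hand"
  fi
}

# Constructed sample captures (not real dig sessions) for trying the helper offline.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BLOCKED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.com. 0 IN SOA cleanbrowsing.rpz.noc.org. accesspolicy.rpz.noc.org. 1 3600 600 604800 0'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1236
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com. 300 IN A 192.0.2.10'

# Stand-alone run over the constructed samples
for s in "$SAMPLE_SERVFAIL" "$SAMPLE_BLOCKED" "$SAMPLE_OK"; do
  printf '%s\n' "$s" | diagnose_dig
done
```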
And that’s it. Hopefully these commands will help you on your troubleshooting steps.