Sometimes a website or application does not work properly because of DNS issues, including improperly configured DNS records, latency, or malicious attacks.
The Domain Name System, or DNS, maps domain names to IP addresses so that people can use web apps without memorizing precise network addresses. DNS is used for storing lots of other information associated with a domain as well — for instance, where to direct emails. DNS can cause issues if it is not set up properly, if attackers are targeting it, or if other technical challenges occur. Here is an overview of some of the most common DNS issues website administrators are likely to face.
The DNS records for the domain could be configured incorrectly. If the domain is misspelled in the records, if the wrong IP address is listed on the record, or if other essential information is missing or wrong, DNS will likely fail to resolve.
In addition to these basic errors, several types of DNS records are associated with a domain. Issues with those records could cause DNS errors. For instance, a domain could have an A record but lack an AAAA record, causing DNS resolution to initially fail for clients that use IPv6. Or, if the client is trying to reach an alternate domain (e.g. "blog.example.com" instead of "www.example.com"), the domain's CNAME record might not point to the right place.
To fix these errors, site administrators should check the DNS records in their hosting provider's or DNS provider's dashboard and correct any mistakes. DNS resolvers — the servers that reply to DNS queries — then need to fetch the corrected records before the change is visible to users. As long as the TTL is not set too high (see below) this should not take long.
All DNS records carry a time-to-live (TTL)*, the number of seconds for which a server may consider the record valid before it has to re-query for an update. Essentially, TTL is like a "use by" date on a packaged food item: records are considered usable until the TTL time ends.
If the TTL is set too high, resolvers will wait too long before checking for updates to DNS records, so any changes spread very slowly across the Domain Name System. Browsers might try to reach sites at the wrong IP address if a domain's DNS records have been updated but the resolvers they rely on have not yet fetched the new versions.
To avoid this DNS issue, be sure TTLs are not too large: typically, the absolute maximum value is 86400 (counted in seconds, this equates to 24 hours), but most TTLs are much shorter (6 hours or less). The exact TTL for a record should depend on how often and quickly that record is expected to be updated in the future. (See information on TTL for Cloudflare DNS records.)
In addition, some DNS resolvers allow domain administrators to force a refresh of their caches for a domain — you can do so for Cloudflare's 1.1.1.1 here. But doing so does not flush all caches of all resolvers worldwide, so this is not a replacement for setting TTLs properly.
*TTL is used in other areas of networking as well, such as routing and caching.
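A small linter for the misconfigurations described above (a misspelled CNAME target, an A record with no AAAA, a CNAME sharing its name with other records, an oversized TTL), added here as an example and not part of the article. The records it checks are a constructed sample, the `example.com.` zone apex is an assumption of the sample, and the 86400-second ceiling is the one the article gives.

```python
from collections import defaultdict

MAX_TTL = 86400  # the article's stated absolute maximum TTL, in seconds
ZONE = "example.com."  # constructed zone apex used by the sample below

# Constructed sample records: (owner name, TTL, type, value). Each problem
# is one the article describes; none of this is real example.com data.
SAMPLE_RECORDS = [
    ("www.example.com.",  3600,   "A",     "203.0.113.10"),
    ("blog.example.com.", 300,    "CNAME", "wwww.example.com."),  # misspelled target
    ("api.example.com.",  604800, "A",     "203.0.113.20"),       # TTL of one week
    ("api.example.com.",  604800, "AAAA",  "2001:db8::20"),
    ("mail.example.com.", 3600,   "A",     "203.0.113.30"),
    ("mail.example.com.", 3600,   "CNAME", "www.example.com."),   # CNAME beside an A
]

def lint_records(records, zone=ZONE, max_ttl=MAX_TTL):
    """Return (owner name, problem) findings for a list of DNS records."""
    by_name = defaultdict(lambda: defaultdict(list))
    for name, ttl, rtype, value in records:
        by_name[name.lower()][rtype.upper()].append((ttl, value))
    findings = []
    for name, rrsets in by_name.items():
        # An A record with no AAAA leaves IPv6 clients without an answer.
        if "A" in rrsets and "AAAA" not in rrsets and "CNAME" not in rrsets:
            findings.append((name, "A record without a matching AAAA record"))
        # A CNAME must be the only record type at its owner name (RFC 1034 3.6.2).
        if "CNAME" in rrsets and len(rrsets) > 1:
            findings.append((name, "CNAME coexists with other record types"))
        # A CNAME whose in-zone target is undefined (often a typo) will not resolve.
        for _, target in rrsets.get("CNAME", []):
            t = target.lower()
            if t.endswith(zone) and t not in by_name:
                findings.append((name, f"CNAME target {target} is not defined"))
        # TTLs above the ceiling make every future change propagate slowly.
        for rtype, rrs in rrsets.items():
            for ttl, _ in rrs:
                if ttl > max_ttl:
                    findings.append((name, f"{rtype} TTL {ttl}s exceeds {max_ttl}s"))
    return findings

if __name__ == "__main__":
    for owner, problem in lint_records(SAMPLE_RECORDS):
        print(f"{owner:20} {problem}")
```

Targets outside the zone (for example a CNAME to a CDN hostname) are deliberately not flagged, since the linter cannot see those zones.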
Distributed denial-of-service (DDoS) attacks aim to do just what their name says: deny service. DDoS attacks bombard the target with junk traffic so that legitimate users cannot use the service. These attacks can make a website, application, API, or server unavailable for minutes or hours at a time.
When the DDoS target is DNS itself, browsers will be unable to resolve domains, which means users cannot load websites and apps, since the IP addresses behind them cannot be found. A major attack of this kind took place in 2016, when an attack on Dyn left users in many parts of the world without the ability to use the Internet. Smaller DDoS attacks on DNS occur regularly and can be more targeted.
Avoid this problem by ensuring each domain's DNS provider has DDoS protection in place, or by implementing DDoS mitigation for self-hosted DNS resolution.
Latency is the time it takes for data to go from one point to another. High amounts of latency result in slow responses — or even request timeouts that terminate the connection.
Network congestion can cause latency, but the biggest culprit is often server location. DNS queries are pretty lightweight relative to other web traffic, but a faraway DNS resolver means a user might have to wait many seconds while the request travels to the server and the response comes back from the server. This problem might come up when users are attempting to load web content from an unexpected location or a different region of the world than normal, far from a DNS provider's network of servers.
To fix high DNS latency, use a DNS provider that has points of presence close to Internet users all over the globe. Learn about the Cloudflare global network.
In DNS cache poisoning attacks, a malicious party tricks a DNS resolver into caching an incorrect IP address for a domain. The result is that users trying to load that domain are instead directed to the IP address supplied by the attacker.
Adopting DNSSEC is a way to prevent unverified data from entering DNS resolver caches. DNSSEC authenticates messages between DNS servers (without DNSSEC, DNS operates on a principle of trust, which attackers can exploit).
A domain hijacking attack is when attackers alter the DNS records associated with a domain. Often they do this by getting domain registrars to transfer domains to them. As a result, site visitors may load the wrong webpage — often a malicious one — or the domain can fail to resolve altogether.
Applying domain locks at both the registrar and registry level can make DNS hijacking considerably more difficult for attackers.
"NXDOMAIN" is computer-speak for "nonexistent domain." Essentially, this error means that as far as the user's device can tell, the domain does not exist — like trying to call a nonexistent phone number or send a package to a city that does not exist.
This is a broad error that can be caused by the problems listed above, as well as problems on the client side (the device on which the person is trying to load the website).
Users can try reconnecting to their local network, hard-refreshing the webpage (Ctrl/Command + Shift + R), opening it in a different browser, or changing their DNS settings to use a different resolver (Cloudflare offers the highly reliable 1.1.1.1 DNS resolver for free).
An "NXDOMAIN" error may result in a "This site can't be reached" or "DNS server not responding" message in the browser. As described above, a number of problems can cause this error message.
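What an NXDOMAIN looks like on the wire, as an added example that is not part of the article: the response code is the low four bits of the flags word in the DNS header, and value 3 (NXDOMAIN, "the name does not exist") is distinct from a NOERROR response that carries no answers, which means the name exists but has no record of the requested type. The three messages are constructed inline, not captured from a real resolver.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):  # dotted name -> DNS label format, no compression
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"

def read_name(msg, off):  # returns (dotted name, offset just past it in msg)
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def decode_response(msg):  # -> response code name, question name, answer RRs
    _ident, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS of the single question
    answers = []
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((name, rtype, ttl, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    rcode = flags & 0xF  # RCODE is the low four bits of the flags word
    return {"rcode": RCODES.get(rcode, str(rcode)), "qname": qname, "answers": answers}

def diagnose(msg):  # read the response the way a troubleshooter would
    r = decode_response(msg)
    if r["rcode"] == "NXDOMAIN":
        return f"NXDOMAIN: {r['qname']} does not exist"
    if r["rcode"] == "NOERROR" and not r["answers"]:
        return f"NODATA: {r['qname']} exists but has no records of this type"
    return f"{r['rcode']}: {len(r['answers'])} answer(s)"
# Constructed messages (not captured traffic): header, question www.example.com/A, RRs.
QUESTION = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
NXDOMAIN_MSG = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION  # RCODE 3
NODATA_MSG = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0) + QUESTION    # RCODE 0, no RRs
ANSWER_MSG = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION   # one A record
              + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10]))
```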
For people and businesses running web apps, most of these issues can be fixed or mitigated by adopting Cloudflare, which proxies traffic to websites and uses the latest security measures to protect against DDoS attacks, DNS hijacking, DNS cache poisoning, and DNS misconfigurations. See Cloudflare plans to get started.