DNS Troubleshooting Cheat Sheet: 10 Checks Every Sysadmin Should Know
Tags: dns, networking, devops, webdev
Every sysadmin has been there — a website goes down, email stops delivering, or SSL certificates expire at 2 AM. Having a systematic troubleshooting workflow saves hours of guesswork.
Here are 10 essential DNS and network checks I run on every issue, with the commands and free online tools to do them instantly.
1. DNS Propagation Check
When you update DNS records, changes don't happen instantly. DNS propagation can take up to 48 hours depending on TTL values.
What to check: Query multiple global DNS servers to see if your changes have propagated.
dig @8.8.8.8 example.com A
dig @1.1.1.1 example.com A
dig @9.9.9.9 example.com A
Or check 30+ servers at once with DNS Propagation Checker.
2. WHOIS / RDAP Lookup
Domain expired? Ownership dispute? WHOIS tells you registration dates, registrar, and nameservers.
whois example.com
RDAP is the modern replacement — structured JSON, no rate limiting. Try it with WHOIS Lookup.
3. SSL Certificate Verification
Expired SSL = browser warnings = lost visitors. Always check certificate expiry, chain, and protocol support.
openssl s_client -connect example.com:443 -servername example.com
For a visual breakdown: SSL Certificate Checker.
4. SPF Record Validation
SPF tells receiving mail servers which IPs are allowed to send email for your domain. A misconfigured SPF record = emails landing in spam.
dig example.com TXT | grep "v=spf1"
Check syntax and lookup count (max 10!) with SPF Checker.
5. DKIM Record Check
DKIM adds a cryptographic signature to outgoing emails. If your DKIM record is missing or wrong, deliverability tanks.
dig selector._domainkey.example.com TXT
Validate your DKIM setup: DKIM Checker.
6. DMARC Policy Check
DMARC ties SPF and DKIM together and tells receivers what to do with failing emails (none, quarantine, reject).
dig _dmarc.example.com TXT
Analyze your policy: DMARC Checker.
7. IP Blacklist Check
If your server IP is on a DNSBL blacklist, your emails will be rejected. Check regularly.
# Check against Spamhaus: reverse the IP's octets and prepend them to the zone (this queries 1.2.3.4)
dig +short 4.3.2.1.zen.spamhaus.org
Check 50+ blacklists at once: IP Blacklist Checker.
8. Reverse DNS (PTR) Lookup
Many mail servers reject email from IPs without valid PTR records. Your PTR should match your mail server hostname.
dig -x 93.184.216.34
Quick check: Reverse DNS Lookup.
9. MX Record Lookup
Email not working? First check if MX records are properly configured and pointing to the right mail servers.
dig example.com MX
Check MX priority and reachability: MX Lookup.
10. Port Connectivity Test
Firewall blocking traffic? Check if specific ports are open and reachable from outside your network.
nc -zv example.com 443
nc -zv example.com 25
Test any port remotely: Port Checker.
Quick Reference Table
| Issue | Check | Record Type |
|---|---|---|
| Site not resolving | DNS Propagation | A / AAAA |
| Domain expired | WHOIS Lookup | — |
| SSL warning | Certificate Check | — |
| Email in spam | SPF + DKIM + DMARC | TXT |
| Email rejected | IP Blacklist + PTR | PTR |
| Email not arriving | MX Lookup | MX |
| Service unreachable | Port Check | — |
Wrapping Up
These 10 checks cover 90% of DNS and network issues I encounter. Having them in a systematic workflow means less guesswork and faster resolution.
All the tools mentioned above are free at DNS Robot — no signup, no rate limits, works in 12 languages.
What's your go-to troubleshooting workflow? Drop it in the comments.
Top comments (1)
Perfect, helpful toolkit for Web Hosting Support teams.