It's Probably DNS - Can You Dig It?

Khalid Abuhakmeh

Every web developer has uttered the phrase: "It's probably DNS!" It's a common refrain because issues with the Domain Name System are among the most frequent, and most frustrating, roadblocks for teams hosting web applications, especially those building mission-critical enterprise applications.

DNS is the Internet's phone book. It translates human-readable domain names (such as www.example.com) into machine-readable IP addresses (such as 192.0.2.1). When this translation fails, your users can't reach your application. For Duende IdentityServer customers, DNS failures can leave users unable to log in and complete their work, or clients unable to retrieve the OAuth 2.0 tokens they need to communicate securely with other services. When DNS goes wrong, everything breaks.

Common DNS Issues for Web Applications

When troubleshooting web application accessibility, look out for these common DNS-related culprits:

  • Incorrect A/AAAA Records: The most fundamental issue. Your domain's A (IPv4) or AAAA (IPv6) record might point to an outdated or inaccurate server IP address.
  • Missing or Incorrect CNAME Records: If you use a CNAME (Canonical Name) record—often for setting up a subdomain to point to a hosting server or content delivery network (CDN)—an incorrect target can cause clients to misroute traffic.
  • TTL (Time to Live) Cache Problems: When you change a DNS record, it takes time to propagate across the Internet. If administrators set the TTL value too high, old, incorrect records might be stubbornly cached by local resolvers, proxies, and even user browsers, making it seem like your change didn't take effect.
  • Mismatched NS (Name Server) Records: The domain registrar is responsible for publishing the correct NS records (and, where needed, A glue records) in the TLD zone, pointing at the servers of your DNS provider (e.g., AWS Route 53, Cloudflare). If the delegated NS records don't match the name servers that actually host your zone, resolvers will never reach the correct DNS records.
  • DNSSEC Validation Failures: While DNSSEC adds a layer of security, misconfigurations can cause validation failures, leaving users unable to resolve the domain.

The Right Tool for the Job: Why You Should Use dig

When diagnosing DNS issues, having the right tool can save hours of frustration. While many administrators default to the older nslookup utility, we strongly recommend using dig (Domain Information Groper).

dig provides a much cleaner, more informative, and standardized view of the DNS query and response process. The current consensus in the professional networking and systems administration community favors dig. Why exactly?

| Feature         | dig                                                                                                   | nslookup                                                            |
|-----------------|-------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|
| Query Detail    | Displays the complete response, including answer, authority, and additional sections.                | Often only shows the answer section, with less detail.              |
| Standardization | Better reflects the actual DNS query process.                                                         | Often behaves differently based on the OS and version.              |
| Output Clarity  | Output is structured for parsing and troubleshooting, clearly separating query details from results. | Output is less structured and can be confusing for complex queries. |
| Query Types     | Easily supports specific record type queries (e.g., dig example.com MX).                              | A clunky interface for accessing extra features and behaviors.      |
| Debugging       | Includes essential debugging information, such as query time and the resolver that responded.        | Provides minimal to no debugging statistics.                        |

For example, a simple query in dig clearly shows the full lifecycle of the request:

  1. Header: Shows the query ID and status.
  2. Question Section: Verifies the query you sent.
  3. Answer Section: Contains the actual records returned (A, CNAME, etc.).
  4. Authority Section: Lists the authoritative name servers.
  5. Statistics: Shows the query time and server details.

Let’s compare nslookup and dig output for the same name to get a real sense of the differences.

> nslookup demo.duendesoftware.com

We get the following output.

> nslookup demo.duendesoftware.com

Server:        192.168.86.1
Address:    192.168.86.1#53

Non-authoritative answer:
demo.duendesoftware.com    canonical name = demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com.
Name:    demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com
Address: 54.210.1.108
Name:    demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com
Address: 52.1.218.254
Name:    demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com
Address: 3.93.112.143

The nslookup output gives us a sense of the “what” of our current DNS lookup for demo.duendesoftware.com, but it lacks the “why” details that could speed up our problem-solving.

Now, let’s try the same lookup with dig.

> dig demo.duendesoftware.com

A more detailed explanation is now available in the output.

> dig demo.duendesoftware.com

; <<>> DiG 9.10.6 <<>> demo.duendesoftware.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52649
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;demo.duendesoftware.com.    IN    A

;; ANSWER SECTION:
demo.duendesoftware.com. 300    IN    CNAME    demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com.
demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com. 60    IN A 52.1.218.254
demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com. 60    IN A 3.93.112.143
demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com. 60    IN A 54.210.1.108

;; Query time: 36 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Mon Jan 26 09:50:34 EST 2026
;; MSG SIZE  rcvd: 162

Much more information is available, helping us determine whether there’s more to our problems than a simple success/failure in resolving a DNS query. We can see the CNAME records along with the A records they correspond to, making it evident that our configuration is correct. Additionally, we can see timings for each lookup, which can help us pinpoint performance issues. More details help us make better-informed decisions.
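The answer section above is regular enough to check programmatically. As an added example (not code from the original post), this Python snippet parses dig's `owner TTL IN TYPE rdata` lines, follows the CNAME chain to its A records, and returns the effective TTL (the smallest TTL on the path, which is how long a stale answer can linger in caches); it also flags a dangling CNAME or a CNAME loop, two forms of the "incorrect CNAME target" problem listed earlier. The sample input is the answer section shown above, embedded as a constructed string.

```python
from collections import namedtuple

# Constructed sample: the ANSWER SECTION from the dig output shown above on this page.
SAMPLE_ANSWER = """
;; ANSWER SECTION:
demo.duendesoftware.com. 300    IN    CNAME    demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com.
demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com. 60    IN A 52.1.218.254
demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com. 60    IN A 3.93.112.143
demo-2db40b8-1768555271.us-east-1.elb.amazonaws.com. 60    IN A 54.210.1.108
"""

RR = namedtuple("RR", "name ttl rtype rdata")  # owner (normalised), TTL, type, rdata

def norm(name):
    """Lower-case a domain name and drop the trailing dot so names compare equal."""
    return name.lower().rstrip(".")

def parse_rrs(text):
    """Parse dig's 'owner TTL IN TYPE rdata' lines, skipping ';' comments and blanks."""
    rrs = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN" and not line.startswith(";"):
            rrs.append(RR(norm(parts[0]), int(parts[1]), parts[3], parts[4]))
    return rrs

def follow_chain(rrs, qname, max_hops=8):
    """Walk CNAMEs from qname to the terminal A/AAAA records.
    Returns (chain, addresses, effective_ttl, problem): effective_ttl is the smallest
    TTL on the path (how long a cached answer can persist); problem is None, or a
    short description of a dangling CNAME, a CNAME loop, or an over-long chain."""
    name, chain, ttls = norm(qname), [norm(qname)], []
    for _ in range(max_hops):
        addrs = [r for r in rrs if r.name == name and r.rtype in ("A", "AAAA")]
        if addrs:  # reached address records: the chain resolves
            ttls += [r.ttl for r in addrs]
            return chain, sorted(r.rdata for r in addrs), min(ttls), None
        cname = next((r for r in rrs if r.name == name and r.rtype == "CNAME"), None)
        if cname is None:  # neither addresses nor a CNAME: the target is dangling
            return chain, [], min(ttls, default=None), f"dangling: no records for {name}"
        ttls.append(cname.ttl)
        name = norm(cname.rdata)
        if name in chain:
            return chain, [], min(ttls), f"CNAME loop back to {name}"
        chain.append(name)
    return chain, [], min(ttls), "CNAME chain too long"
```

Run `follow_chain(parse_rrs(SAMPLE_ANSWER), "demo.duendesoftware.com")` to see the two-name chain, the three addresses, and an effective TTL of 60 seconds even though the CNAME itself carries 300.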

Let’s go through a few examples of what you may use dig for when diagnosing DNS issues.

First, let’s see if we can retrieve the TXT records from the duendesoftware.com domain. A TXT (text) record is a type of DNS record that allows domain administrators to insert arbitrary text into the Domain Name System (DNS).

> dig txt duendesoftware.com

Running the command shows additional information that the Duende administration team has added to the DNS records, specifically around domain validation and outgoing spam protection.

> dig txt duendesoftware.com

; <<>> DiG 9.10.6 <<>> txt duendesoftware.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43729
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;duendesoftware.com.        IN    TXT

;; ANSWER SECTION:
duendesoftware.com.    300    IN    TXT    "google-site-verification=gYCmK1nR7YXzM34I7di9ri3CrA6vfV_BqBHP3OtdvgM"
duendesoftware.com.    300    IN    TXT    "MS=ms86031295"
duendesoftware.com.    300    IN    TXT    "google-site-verification=KdSyWlNJG5Tu8aYboVvLUXObu2qfzjBPL9Sz47GPDZw"
duendesoftware.com.    300    IN    TXT    "v=spf1 include:sendgrid.net include:_spf.google.com include:47428297.spf02.hubspotemail.net ~all"
duendesoftware.com.    300    IN    TXT    "notion-domain-verification=hyh8ALPCZnrPWqyce2WZRMuAszTAOk3CW9TG8UUGA9y"

;; Query time: 22 msec
;; SERVER: 192.168.86.1#53(192.168.86.1)
;; WHEN: Mon Jan 26 12:51:49 EST 2026
;; MSG SIZE  rcvd: 427

Finally, you can diagnose DNS resolution issues by adding the DNS resolver’s IP address at the end of a command. Here, we’ll diagnose the resolution of duendesoftware.com using Cloudflare’s DNS of 1.1.1.1.

> dig +trace duendesoftware.com @1.1.1.1

This results in a clear trace showing all the servers involved in resolving the domain through the provided DNS server.

> dig +trace duendesoftware.com @1.1.1.1

; <<>> DiG 9.10.6 <<>> +trace duendesoftware.com @1.1.1.1
;; global options: +cmd
.            512356    IN    NS    a.root-servers.net.
.            512356    IN    NS    b.root-servers.net.
.            512356    IN    NS    c.root-servers.net.
.            512356    IN    NS    d.root-servers.net.
.            512356    IN    NS    e.root-servers.net.
.            512356    IN    NS    f.root-servers.net.
.            512356    IN    NS    g.root-servers.net.
.            512356    IN    NS    h.root-servers.net.
.            512356    IN    NS    i.root-servers.net.
.            512356    IN    NS    j.root-servers.net.
.            512356    IN    NS    k.root-servers.net.
.            512356    IN    NS    l.root-servers.net.
.            512356    IN    NS    m.root-servers.net.
.            512356    IN    RRSIG    NS 8 0 518400 20260208050000 20260126040000 21831 . hK7mFrMHVMbxttEttnMBOb5pCGaQGo3ndALMyKCWp3vOMUD2TmIIPxux /jJ1/C14VZwXvoD9/wktlqRFNlfADYYZwKCwSufZ0NloxhEfAjxS9YqB GRmefB1qm7mi5emF4f2dD01JmRorKWNwEKXeOFVRJe9Qk/c1XVNBg2sC bML6JoVuXUB68y3Xi932w2/WdOlorIeDBAQAzFe/e9foq+toZWjEXh94 1zh4SE55viwBexJdkW8cTonUccZ2+hCxr3xaALRdotWtcPPiPC3aAsdz gZLoocfa+Wqha/D2ibphEeEUaAKDvGq5buoqTZXy2UU5zTZmpgbTy9y8 70cm+g==
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 8 ms

com.            172800    IN    NS    a.gtld-servers.net.
com.            172800    IN    NS    b.gtld-servers.net.
com.            172800    IN    NS    c.gtld-servers.net.
com.            172800    IN    NS    d.gtld-servers.net.
com.            172800    IN    NS    e.gtld-servers.net.
com.            172800    IN    NS    f.gtld-servers.net.
com.            172800    IN    NS    g.gtld-servers.net.
com.            172800    IN    NS    h.gtld-servers.net.
com.            172800    IN    NS    i.gtld-servers.net.
com.            172800    IN    NS    j.gtld-servers.net.
com.            172800    IN    NS    k.gtld-servers.net.
com.            172800    IN    NS    l.gtld-servers.net.
com.            172800    IN    NS    m.gtld-servers.net.
com.            86400    IN    DS    19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com.            86400    IN    RRSIG    DS 8 1 86400 20260208050000 20260126040000 21831 . jDDGt9m1BCSdpfLF6AufRlQtNK+N/+ByPa/juP9EkXx5XfzRUbf8r8kY p7WxjgCwYdLIEe8RysHFh6kRlqNiqSMD2up04BhBm7cE6VI/QF1yxXwg a/XcEP9E+NHVFqEg4OwEYb7hR8WoxTTm5qcFNWNskClp6bxXAMnNEZGb b6QLZ2FRrNF65BYr8SOYTizDZsb4WYo/dytUDu1yC+erzat2yCErB8Jn BNqH5fdLRxSgpteASd8Rkh/HA18LQQTjQ6VcyI1z6zZazQh+YXonR7YJ 3k43eJjtCAvPCl1XiBE6jOIiKGg4pY+C13Ofpal4im5mpyU9UhUoPbXB KksUeA==
;; Received 1178 bytes from 170.247.170.2#53(b.root-servers.net) in 12 ms

duendesoftware.com.    172800    IN    NS    ns-45.awsdns-05.com.
duendesoftware.com.    172800    IN    NS    ns-891.awsdns-47.net.
duendesoftware.com.    172800    IN    NS    ns-1568.awsdns-04.co.uk.
duendesoftware.com.    172800    IN    NS    ns-1187.awsdns-20.org.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL  NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 900 IN RRSIG NSEC3 13 2 900 20260130002721 20260122231721 35511 com. FRwJDTYcGgEr+lzbONMVnFNDkoYtjSmaKNF0x+q4JR+sD+rwZDoaYn/D rPkDTs5F1BwixFGXqZQizSc7cFjkdw==
D34GDDN2HCKR02J3J6CU7TVCDNKUK013.com. 900 IN NSEC3 1 1 0 - D34GIGLL01M5KJPV97PQO572TIK0KVMQ  NS DS RRSIG
D34GDDN2HCKR02J3J6CU7TVCDNKUK013.com. 900 IN RRSIG NSEC3 13 2 900 20260202031449 20260126020449 35511 com. AxDfQMe7zUh6AeWlP3344g1BAcYxZJJgcdtJ9lDoLfnwHzOeF5AVGyTi fkbx0uSfQ45ig5hpTloqlSh1rsyA4A==
;; Received 556 bytes from 192.52.178.30#53(k.gtld-servers.net) in 69 ms

duendesoftware.com.    60    IN    A    13.35.107.32
duendesoftware.com.    60    IN    A    13.35.107.65
duendesoftware.com.    60    IN    A    13.35.107.70
duendesoftware.com.    60    IN    A    13.35.107.10
duendesoftware.com.    172800    IN    NS    ns-1187.awsdns-20.org.
duendesoftware.com.    172800    IN    NS    ns-1568.awsdns-04.co.uk.
duendesoftware.com.    172800    IN    NS    ns-45.awsdns-05.com.
duendesoftware.com.    172800    IN    NS    ns-891.awsdns-47.net.
;; Received 247 bytes from 205.251.192.45#53(ns-45.awsdns-05.com) in 20 ms

Seeing the entire journey of a DNS request can help you diagnose issues more quickly, and specifying the DNS resolver IP address can recreate a situation that would otherwise be more difficult with other tools.

Final Recommendation

To quickly and accurately troubleshoot DNS issues plaguing your web application, use the dig utility.

The detailed, standardized output from dig lets you immediately see whether the records point to an expected IP address, whether the Name Servers are accurate, and whether local caching is interfering with your results.

Next Steps and Resources

The best way to get familiar with dig is to practice. Try running dig with a domain and experiment with different query types:

  • Check A record: dig duendesoftware.com A
  • Check MX record: dig duendesoftware.com MX
  • Check Name Servers: dig duendesoftware.com NS
  • Bypass local resolver (query a specific server): dig @8.8.8.8 duendesoftware.com
  • Trace from root zone (don't use your DNS server): dig duendesoftware.com +trace

You may also learn more about dig by viewing the help menu.

> dig -h

The output will show you all the additional features and flags available to support your investigation.

Happy DNS debugging, and we hope you found this post helpful. If you have any questions regarding this or other Duende questions, please leave us a comment.