PROTOTYPE, PRETTY CRAPPY, PROBABLY HAS ONE MILLION BUGS

You give it a domain name where something is wrong, and it runs a bunch of checks to try to figure out the reason.

Usage: `dns-doctor <optional-record-type> your-domain.com`

You can install it with `go install github.com/jvns/dns-doctor@latest`

It basically just runs `dig +trace` and `dig +norecurse` on your domain, parses the output, and tries to diagnose some problems. You'll need to have `dig` installed.
## Examples

```
$ ./dns-doctor cnameroot.com
FAILURE: cname-root
Details: CNAME at root points to 'examplecat.com.'

$ ./dns-doctor asdfasdf.jvns.ca
FAILURE: no-record
Details: No record found, using nameserver 'ns-2-b.gandi.net'

$ ./dns-doctor bad-ip.ring269.messwithdns.com
FAILURE: no-http
Details: Failed to connect to 203.0.113.0:80

$ ./dns-doctor example.com
All checks passed!
```
## no-record

Checks to see if your authoritative nameserver actually just doesn't have a record set.

- Look up the record with the authoritative nameserver (the equivalent of `dig +trace some.domain.com`)
- If there's no matching record, fail this check

**How to fix:** DNS Doctor will give you the domain name of the nameservers where your record is set. That should give you a clue about where to fix it.
## cache-mismatch

Checks to see if your local resolver has an old cached version.

- Look up the record with the authoritative nameserver (the equivalent of `dig +trace some.domain.com`)
- Look up the record with the local resolver (the equivalent of `dig +norecurse some.domain.com`)
- If the record the local resolver returns is outdated (it doesn't match what the authoritative nameserver returns), fail this check

**How to fix:** You just gotta wait! DNS Doctor will tell you how long you have to wait. It figures that out by looking at the TTL (time to live) of the cached record.
## cache-mismatch (negative caching variant)

This is a variant of cache-mismatch that checks specifically for negative caching (a cached "this domain does not exist" response).

- Look up the domain name with the authoritative nameserver
- If there's no result, return success
- Otherwise, look up the domain with the local resolver using `+norecurse` (the equivalent of `dig +norecurse some.domain.com`)
- If we get an empty NOERROR result, fail the check

**How to fix:** You just gotta wait! DNS Doctor will tell you approximately how long you have to wait. It figures that out by looking at the TTL (time to live) on the domain's SOA record.
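The two cache checks above, as an added Go example that is not dns-doctor's own code: it keeps the record lines of `dig` output (constructed samples below, not output captured from real servers), compares what the authoritative nameserver returned with what the resolver answered from cache alone, and works out the wait time from the cached record's TTL or, for an empty answer, from the SOA record. The `Record`, `ParseDig` and `Compare` names, the "negative-cache" label and the use of the SOA MINIMUM field are this example's choices, not the tool's.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Record is one resource record from a dig answer or authority section.
type Record struct {
	Name, Type, Value string // Value holds the rdata fields joined by single spaces
	TTL               uint32
}

// ParseDig keeps the "<name> <ttl> IN <type> <rdata>" lines of dig output and
// skips comments (";"), blanks and anything else. Assumed format; not the tool's parser.
func ParseDig(out string) []Record {
	var recs []Record
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || strings.HasPrefix(f[0], ";") || f[2] != "IN" {
			continue
		}
		ttl, err := strconv.ParseUint(f[1], 10, 32)
		if err != nil {
			continue
		}
		recs = append(recs, Record{Name: f[0], Type: f[3], Value: strings.Join(f[4:], " "), TTL: uint32(ttl)})
	}
	return recs
}

// Diagnosis is the outcome of comparing the authoritative view with the resolver's view.
type Diagnosis struct {
	Check string // "ok", "cache-mismatch" or "negative-cache" (labels chosen for this example)
	Wait  uint32 // seconds until the resolver's stale entry expires
}

// rdata returns the sorted rdata of records with the given owner name and type.
func rdata(recs []Record, name, rtype string) []string {
	var v []string
	for _, r := range recs {
		if strings.EqualFold(r.Name, name) && r.Type == rtype {
			v = append(v, r.Value)
		}
	}
	sort.Strings(v)
	return v
}

// Compare implements the cache-mismatch logic: auth is what the authoritative nameserver
// returned (dig +trace), local what the resolver answered from cache alone (dig +norecurse).
func Compare(auth, local []Record, name, rtype string) Diagnosis {
	want, got := rdata(auth, name, rtype), rdata(local, name, rtype)
	if len(want) == 0 {
		return Diagnosis{Check: "ok"} // nothing authoritative to compare; that's no-record's job
	}
	if len(got) == 0 {
		// Empty answer from the resolver while the authoritative server has the record.
		// A cached negative answer carries the zone's SOA in the authority section and
		// lives for at most the smaller of the SOA TTL and its MINIMUM field (RFC 2308).
		for _, r := range local {
			if r.Type != "SOA" {
				continue
			}
			wait := r.TTL
			if f := strings.Fields(r.Value); len(f) == 7 {
				if m, err := strconv.ParseUint(f[6], 10, 32); err == nil && uint32(m) < wait {
					wait = uint32(m)
				}
			}
			return Diagnosis{Check: "negative-cache", Wait: wait}
		}
		return Diagnosis{Check: "ok"} // no SOA either: the resolver simply has nothing cached yet
	}
	if strings.Join(want, ",") != strings.Join(got, ",") {
		// Stale positive answer: it leaves the cache when its remaining TTL reaches 0.
		var wait uint32
		for _, r := range local {
			if strings.EqualFold(r.Name, name) && r.Type == rtype && r.TTL > wait {
				wait = r.TTL
			}
		}
		return Diagnosis{Check: "cache-mismatch", Wait: wait}
	}
	return Diagnosis{Check: "ok"}
}

// Constructed dig-style outputs (not captured from real servers).
const (
	authOut = `;; ANSWER SECTION:
example.com.  300  IN  A  203.0.113.10
example.com.  300  IN  A  203.0.113.11`
	staleOut = `;; ANSWER SECTION:
example.com.  142  IN  A  203.0.113.99`
	negOut = `;; ->>HEADER<<- opcode: QUERY, status: NOERROR
;; AUTHORITY SECTION:
example.com.  3600  IN  SOA  ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 300`
)

func main() {
	auth := ParseDig(authOut)
	for _, local := range []string{staleOut, negOut, ""} {
		d := Compare(auth, ParseDig(local), "example.com.", "A")
		fmt.Printf("%-15s wait %ds\n", d.Check, d.Wait)
	}
}
```

The resolver's answer is compared as a sorted set of rdata values, so a different record order is not a mismatch; a `+norecurse` answer with neither records nor an SOA is treated as "not cached yet" rather than as a negative cache hit.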
## CNAME that doesn't resolve

Checks if your domain's CNAME doesn't resolve to anything.

- Look up the domain name with the local resolver (the equivalent of `dig some.domain.com`)
- Check if it returns a CNAME record. If there's no CNAME record, return success
- If there is a CNAME record, run `dig +trace cname.otherdomain.com` on its target
- If `dig +trace` reports no record for `cname.otherdomain.com`, fail the check

**How to fix:** You might have made a typo in your CNAME record.
## CNAME cache mismatch

- Look up the domain name with the local resolver (the equivalent of `dig some.domain.com`)
- Check if it returns a CNAME record. If there's no CNAME record, return success
- Run the cache-mismatch check on the CNAME record
## cname-root

- Check if the domain has a CNAME record
- If it does, and if it's not a subdomain (`blah.example.com` is ok, `example.com` is not), fail the check

This isn't necessarily a problem -- your site might work just fine! (todo: explain)
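The "CNAME that doesn't resolve" and cname-root checks, as an added Go example that is not dns-doctor's own code: the `dig` lookups are replaced by a constructed record table (`Zone`), the CNAME chain is followed to see whether the target has any record at all, and the root check applies the two-label heuristic described above. `Zone`, `CheckCNAME` and the sample names are this example's; the first detail string deliberately uses the same format as the `cname-root` output shown earlier.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a minimal resource record: owner name, type and rdata.
type Record struct{ Name, Type, Value string }

// Zone stands in for what the lookups return: owner name (lowercase, with trailing dot)
// to the records a lookup would produce. Constructed data, not real dig calls.
type Zone map[string][]Record

// cname returns the CNAME target of name, if it has one.
func (z Zone) cname(name string) (string, bool) {
	for _, r := range z[strings.ToLower(name)] {
		if r.Type == "CNAME" {
			return r.Value, true
		}
	}
	return "", false
}

// isRoot applies the page's heuristic: exactly two labels (example.com.) is treated as
// a zone root, anything deeper (blah.example.com.) as a subdomain. It is only a heuristic
// and misjudges names directly under public suffixes such as co.uk.
func isRoot(name string) bool {
	return len(strings.Split(strings.TrimSuffix(name, "."), ".")) == 2
}

// CheckCNAME returns the failure details for the two CNAME checks, or nil when
// everything is fine. A name without a CNAME passes both checks.
func CheckCNAME(z Zone, name string) []string {
	target, ok := z.cname(name)
	if !ok {
		return nil
	}
	var failures []string
	if isRoot(name) {
		failures = append(failures, fmt.Sprintf("CNAME at root points to '%s'", target))
	}
	// Follow the chain the way dig +trace on the target would, bounded so a loop is reported.
	cur := target
	for hops := 0; ; hops++ {
		if hops == 8 {
			failures = append(failures, fmt.Sprintf("CNAME chain from '%s' does not terminate", target))
			break
		}
		if len(z[strings.ToLower(cur)]) == 0 {
			failures = append(failures, fmt.Sprintf("CNAME target '%s' has no record", cur))
			break
		}
		next, more := z.cname(cur)
		if !more {
			break // reached a non-CNAME record: the target resolves
		}
		cur = next
	}
	return failures
}

// sample is constructed data standing in for what dig would return.
var sample = Zone{
	"cnameroot.com.":    {{"cnameroot.com.", "CNAME", "examplecat.com."}},
	"examplecat.com.":   {{"examplecat.com.", "A", "203.0.113.5"}},
	"www.example.com.":  {{"www.example.com.", "CNAME", "wwww.example.com."}}, // typo in the target
	"blog.example.com.": {{"blog.example.com.", "CNAME", "example.com."}},
	"example.com.":      {{"example.com.", "A", "203.0.113.10"}},
	"loop.example.com.": {{"loop.example.com.", "CNAME", "pool.example.com."}},
	"pool.example.com.": {{"pool.example.com.", "CNAME", "loop.example.com."}},
}

func main() {
	for _, n := range []string{"cnameroot.com.", "www.example.com.", "blog.example.com.", "loop.example.com."} {
		fmt.Printf("%-18s %v\n", n, CheckCNAME(sample, n))
	}
}
```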
## no-http

Only runs if you requested an A record check. This is a heuristic to see if you might have made a typo in the IP address.

- Look up the domain with the authoritative nameserver (the equivalent of `dig +trace some.domain.com`)
- Try to connect to each resulting IP address on port 80 and port 443
- If we get a "connection refused" error or if it times out, fail the check

**How to fix:** If your server isn't an HTTP server, you can ignore this one. Otherwise there's likely an issue with the configuration of your HTTP server.
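The no-http check, as an added Go example that is not the tool's own code: a plain TCP connect (no HTTP request is sent) to each address on ports 80 and 443, with the error classified so that only "connection refused" and a timeout fail the check, as described above; other errors are reported but don't fail it. `Probe` and `CheckNoHTTP` are this example's names, the ports are a parameter so the same code can be pointed at a local test listener, and the 203.0.113.0 address in `main` is the one from the sample run earlier.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"syscall"
	"time"
)

// ProbeResult records what happened when dialing one ip:port.
type ProbeResult struct {
	Addr   string
	Reason string // "ok", "refused", "timeout" or "other"
	Err    error
}

// Probe opens a TCP connection with a deadline and classifies the outcome.
func Probe(ip string, port int, timeout time.Duration) ProbeResult {
	addr := net.JoinHostPort(ip, fmt.Sprint(port))
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err == nil {
		conn.Close()
		return ProbeResult{Addr: addr, Reason: "ok"}
	}
	var ne net.Error
	switch {
	case errors.As(err, &ne) && ne.Timeout():
		return ProbeResult{addr, "timeout", err}
	case errors.Is(err, syscall.ECONNREFUSED):
		return ProbeResult{addr, "refused", err}
	}
	return ProbeResult{addr, "other", err} // e.g. no route to host: not one of the two failure conditions
}

// NoHTTPResult is the outcome of the check across all addresses and ports.
type NoHTTPResult struct {
	Failed  bool
	Details []string
}

// CheckNoHTTP probes every IP on every port. The check fails on "connection refused"
// or a timeout; anything else is only noted in Details.
func CheckNoHTTP(ips []string, ports []int, timeout time.Duration) NoHTTPResult {
	var res NoHTTPResult
	for _, ip := range ips {
		for _, port := range ports {
			r := Probe(ip, port, timeout)
			switch r.Reason {
			case "refused", "timeout":
				res.Failed = true
				res.Details = append(res.Details, fmt.Sprintf("Failed to connect to %s (%s)", r.Addr, r.Reason))
			case "other":
				res.Details = append(res.Details, fmt.Sprintf("Could not probe %s: %v", r.Addr, r.Err))
			}
		}
	}
	return res
}

func main() {
	// In the tool this list would come from the A records returned by dig +trace.
	res := CheckNoHTTP([]string{"203.0.113.0"}, []int{80, 443}, 3*time.Second)
	if res.Failed {
		fmt.Println("FAILURE: no-http")
	} else {
		fmt.Println("no-http: ok")
	}
	for _, d := range res.Details {
		fmt.Println("Details:", d)
	}
}
```

Classifying on `errors.Is(err, syscall.ECONNREFUSED)` and `net.Error.Timeout()` rather than on error strings is what makes the two failure conditions reliable; a listening port that simply never speaks HTTP still shows up as "ok" here, which is why the check is only a heuristic.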
## Nameservers changed recently (TODO)

This checks whether your nameservers changed recently, and if they're still cached with your local resolver.

TODO: not implemented, not sure how to implement this.

**How to fix:** You just gotta wait! Typically you'll have to wait up to 1-2 days after you made the changes. DNS Doctor will tell you the TTL (in days) for the total waiting time.