Flapping DNS and what to do about it

Has this one ever happened to you? Your DNS record is there – and then it’s not. Or it’s there when you check certain DNS servers, but not others. Or you hit “reload” on a DNS lookup tool (like, perhaps, Wombatmail) and the results aren’t consistent. Hit reload 5 different times, maybe you get 3-4 different results. What the heck is going on?

First, know that you’re not crazy. This happens, and more often than you might think! And the underlying issue is usually a simple one.

Most commonly, it’s an issue of DNS caching. How long a DNS server will cache results (store them without looking them up again) is based on something called the “TTL (Time to Live) setting” for a domain and its DNS entries. You don’t have to become an expert on TTL, but if you wanted to learn more, you could do that here. When you go to your Godaddy DNS control panel (or Hover.com, in my case), the TTL setting will be displayed on the screen where you set up DNS entries. A TTL of 15 minutes isn’t uncommon. And TTL is natively expressed in seconds, so if you see a TTL of 900, that means 900 seconds, meaning 15 minutes. (If you really want to be a nerd, here’s how to look up the TTL for a given DNS entry from the command line. I really should add that to Wombatmail at some point.)

So, TTL = caching. And if your TTL is set to 15 minutes, that means that if you look up a DNS record, then make a change to the DNS record, then try to perform that DNS lookup again, you’re going to see the old results for up to 15 minutes. Whoops, I thought I fixed this! Why isn’t it updated yet? Because of the TTL.

The solution here is just to wait and try again. Compulsively hit reload on the DNS checker, because I know you’re going to anyway, but don’t assume that everything is fine until you’re reliably getting the same result every time.

There is also a rarer problem that can happen. If your DNS results never completely update, never stabilize, or continue to be inconsistent, then maybe something is wrong with one of the DNS servers for your domain name.

DNS information is stored in servers specific to their task. Every domain name has one or more (almost always two or more) domain name servers that store DNS information for that domain. You can look those up directly (“NS record lookup”) on Wombatmail, and even if you don’t, when you look up other types of DNS info, Wombatmail will say “the authoritative servers for this host are” and tell you the DNS servers that are the owners of the right info for this particular domain or lookup.

Remember how I said “almost always two or more DNS servers” above? Here’s where things can get hairy. Like I said, it’s rare, but sometimes weird things can happen and you can end up with a scenario where one or more of those authoritative DNS servers doesn’t give the right response. Multiple servers means you can have a scenario where one or more servers is out of sync. And since results are given in a round-robin fashion (and done so in a way that may not be clearly understood by the end user), weird stuff sometimes happens.

How do you tell? That’s where Wombatmail’s “Multi DNS: Special” setting can help. It’ll figure out and check all of the authoritative servers for your DNS request, and you can visually compare them and make sure that they’re the same. Do they show the same results? Do they show different results? Does one show an expected result, but the other shows “NXDOMAIN”? Do the results vary every time you hit refresh? If the results are not static and unchanging, then the domain name in question, the one you’re looking up in the DNS query, has some sort of broken DNS server. If you’re just a regular Joe user of a domain registrar’s DNS service, like Godaddy or Hover.com, there’s nothing you can do about that. You’ll need to nudge them to fix it. But at least you can be aware of what’s going on.

And finally, Wombatmail has got another secret DNS tool in the toolbox for you: Public DNS checks. Select “Multi DNS: Yes” when performing any DNS lookup, and Wombatmail will perform the same lookup against a dozen different public DNS servers. If you see varying results here, you’ve got a strong indicator of one of the problems described above – either you’re waiting for cached data to expire, or a public DNS server isn’t getting reliable and stable results from your authoritative DNS servers.
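Both checks described above (the same lookup against every authoritative server, and the same lookup against several public resolvers) can be scripted with dig. This is an added example, not code from the original post or from Wombatmail; it assumes dig is installed, network access is available, and example.com stands in as a placeholder domain.

```shell
# Added example, not from the original post or the Wombatmail tool.
# Usage: check_authoritative example.com TXT ; check_public example.com TXT
# Requires dig; example.com is a placeholder domain.

# Query one server and print a single comparable token: the record data,
# sorted and comma-joined, or the response status (NXDOMAIN, SERVFAIL,
# REFUSED, ...) or TIMEOUT when nothing came back.
one_query() {  # one_query <server> <domain> <type> [extra dig flag]
    out=$(dig $4 +noall +answer +comments "@$1" "$2" "$3" 2>/dev/null) || out=""
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ "$status" != "NOERROR" ]; then echo "${status:-TIMEOUT}"; return 0; fi
    # answer lines look like: name. TTL IN TYPE rdata... ; keep rdata only
    ans=$(printf '%s\n' "$out" | awk -v t="$3" '$4==t {s=$5; for (i=6;i<=NF;i++) s=s"_"$i; print s}' | sort | paste -s -d, -)
    echo "${ans:-NOANSWER}"
}

# Pure comparison step (no network): stdin carries "<server> <token>" lines.
# Echoes them, then reports whether every server gave the same token.
# Exit 0 when they agree, 1 when they disagree, i.e. the flapping case.
compare_answers() {
    lines=$(cat)
    printf '%s\n' "$lines"
    n=$(printf '%s\n' "$lines" | cut -d' ' -f2- | sort -u | grep -c .)
    if [ "$n" -le 1 ]; then echo "agree: every server gave the same answer"; return 0; fi
    echo "DISAGREE: $n distinct answers"
    return 1
}

# +norecurse asks each authoritative server only for what it holds itself,
# so an out-of-sync secondary is visible instead of being papered over.
check_authoritative() {  # check_authoritative <domain> <type>
    for ns in $(dig +short NS "$1"); do
        echo "$ns $(one_query "$ns" "$1" "$2" +norecurse)"
    done | compare_answers
}

check_public() {  # check_public <domain> <type>; three well-known public resolvers
    for r in 8.8.8.8 1.1.1.1 9.9.9.9; do
        echo "$r $(one_query "$r" "$1" "$2")"
    done | compare_answers
}

# Seconds of cache life left, from dig's second column: against a public
# resolver it counts down; against an authoritative server it is the
# configured TTL (900 = 15 minutes).
remaining_ttl() {  # remaining_ttl <server> <domain> <type>
    dig +noall +answer "@$1" "$2" "$3" | awk '{print $2; exit}'
}
```

Run check_public every minute or two after a fix and watch the DISAGREE count shrink as resolver caches expire; a persistent DISAGREE from check_authoritative points at a stale or broken authoritative server rather than caching.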

The public DNS check also comes in handy after you fix a DNS typo, and you’re waiting for the cache to clear. If you’re absolutely at wit’s end, about to pull your hair out, because this problem needs to be fixed yesterday, you can sit there and hit “reload” on the Public DNS version of the Wombatmail lookup every minute or two, and you’ll probably see the results get more and more accurate as the cached data expires and gets replaced with updated info. Maybe none of the output will be correct on the first view. But after a few minutes, a couple of the DNS servers will show the correct data. Then a few more, and so on. That can help give you confidence that things are moving in the right direction.

I have found all of this endlessly handy when helping clients correct typos to self-hosted DNS for DKIM and DMARC records, and I hope that you’ll find some value in it too!

Disclaimer: I’m not a DNS expert, by any means. This is one of those scenarios where the teacher is barely one page ahead in the book, compared to the students. Want to learn more about DNS? I’m not the person for that. You know who is? Julia Evans. While she admits that DNS is hard to learn, she has put together a whole Zine explaining How DNS Works, and she has kindly provided a handy sandbox called “Mess With DNS” where you can go to practice your mastery of DNS, hands-on. I've learned much from her expertise and am grateful for everything she has shared.