Azure DNS Troubleshooting Guide

This guide provides common steps and tools to diagnose and resolve issues with Azure DNS zones.

Introduction to Azure DNS

Azure DNS provides a reliable and high-performance name resolution service to host your DNS domains. It uses Azure's global network of DNS servers to ensure your domain is resolvable from anywhere in the world. Troubleshooting DNS issues often involves checking configurations, understanding propagation, and using diagnostic tools.

Common Azure DNS Issues

Incorrect Name Resolution

Users or applications cannot resolve your domain name to the correct IP address.

  • Verify DNS records are correctly configured in your Azure DNS zone: record set name, type, TTL and values.
  • Check for typos in hostnames and IP addresses.
  • Ensure the correct record type (A, CNAME, MX, etc.) is used. A CNAME record set cannot coexist with other record types at the same name and cannot be placed at the zone apex; for pointing the apex at an Azure resource, use an Azure DNS alias record instead.

Slow Propagation of DNS Changes

Changes made to DNS records are not reflected globally immediately.

  • Understand TTL (Time To Live) values. Lower the TTL of the affected records at least one old-TTL period before the change: resolvers that already cached the record keep it for the full TTL they were originally given, however low you set it afterwards.
  • Azure DNS name servers typically serve a change within about a minute; the delays you observe almost always come from resolvers and client caches that have not yet expired the old record.

Domain Not Resolvable After Creation

A newly created domain or subdomain is not resolving correctly.

  • Ensure the name servers (NS records) for your domain are correctly delegated at your domain registrar, using the four name servers assigned to your zone rather than ones copied from another zone or from documentation.
  • Verify that the NS record set at the apex of your Azure DNS zone still contains the name servers Azure assigned. Azure DNS creates this record set automatically when the zone is created; it should not be deleted, and the registrar's delegation must match it.

Diagnosing Lookup Failures

When a DNS lookup fails, it can be due to several reasons. Here's a systematic approach:

Tools for Diagnosis

  • `nslookup` (Windows/Linux/macOS): A command-line tool to query DNS servers.
    nslookup yourdomain.com
  • `dig` (Linux/macOS): A more advanced tool for querying DNS. Query one of your zone's Azure name servers directly to see what Azure is serving (ns1-01.azure-dns.com stands in below for one of the four servers listed on your zone's Overview page), and query without @ to see what your resolver returns:
    dig @ns1-01.azure-dns.com yourdomain.com SOA
    dig yourdomain.com A
  • Azure Network Watcher's DNS availability test: A graphical tool within Azure portal.

Common Scenarios

No response from DNS server

This usually means the query never reached a responsive server: `dig` prints ";; no servers could be reached" and `nslookup` reports a timeout. It points at network connectivity to the DNS server or at an unresponsive server rather than at the zone contents.

  • Try querying public DNS servers (e.g., 8.8.8.8 for Google DNS) to separate a problem with your local resolver from a problem with the domain.
  • Ensure firewalls are not blocking DNS queries (UDP/TCP port 53). Large and DNSSEC-signed responses fall back to TCP, so test both transports, for example with `dig +tcp yourdomain.com A`.

NXDOMAIN (Non-Existent Domain)

The authoritative server answered that the name does not exist.

  • Double-check spelling of the domain name.
  • Verify that a record set exists for the queried name within your Azure DNS zone, then query an Azure name server directly. If Azure answers but your resolver returns NXDOMAIN, the registrar delegation most likely points at different name servers.
  • Negative answers are cached too, for the negative-cache TTL taken from the zone's SOA record, so a resolver can keep returning NXDOMAIN for a while after you add the missing record.

SERVFAIL (Server Failure)

The server that answered could not complete the query. When the answer comes from a recursive resolver this is often a validation or upstream failure rather than a fault in Azure DNS itself.

  • Check Azure service health for any ongoing Azure DNS incidents.
  • Ensure your zone is not misconfigured (e.g., incorrect NS records within the zone itself).
  • If the zone is DNSSEC-signed, a wrong or stale DS record at the registrar makes validating resolvers return SERVFAIL. Re-run the query with `dig +cd` (checking disabled): an answer with +cd but SERVFAIL without it points at the DNSSEC chain of trust.
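The classification the scenarios above walk through, as an added example that is not part of the original guide or of any Azure tool. It parses the header, flags and answer section that dig prints, and maps the result to the scenario it matches (including the NOERROR-with-no-answer case, where the name exists but has no record of the queried type). The dig outputs embedded at the bottom are constructed samples, not captures from a live zone; `run_dig` is only a thin wrapper for running the real binary interactively.

```python
"""Classify a dig(1) response into the troubleshooting scenarios above.

Added example, not part of the original guide or of any Azure tool. The dig
outputs at the bottom are constructed samples (hand-written, not captured
from a live zone); the parser relies only on the header, flags and answer
section lines that dig always prints in this form.
"""
import re
import subprocess


def parse_dig(text):
    """Extract status, flags and answer records from dig's text output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([^;]*);", text)
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():          # a blank line ends the section
                break
            parts = line.split()          # name  ttl  class  type  rdata...
            if len(parts) >= 5:
                answers.append({"name": parts[0], "ttl": int(parts[1]),
                                "type": parts[3], "rdata": " ".join(parts[4:])})
    return {
        "status": status.group(1) if status else None,
        "flags": flags.group(1).split() if flags else [],
        "answers": answers,
        "unreachable": "no servers could be reached" in text,
    }


def diagnose(text, expect_authoritative=False):
    """Map a dig response to the scenario it matches.

    Set expect_authoritative=True when you queried an Azure name server
    directly (dig @ns1-XX...), where the 'aa' flag must be present.
    """
    r = parse_dig(text)
    if r["unreachable"]:
        return "NO_RESPONSE"         # connectivity/firewall: try 8.8.8.8, check UDP and TCP 53
    if r["status"] == "NXDOMAIN":
        return "NXDOMAIN"            # spelling, missing record set, wrong delegation, negative cache
    if r["status"] == "SERVFAIL":
        return "SERVFAIL"            # service health, zone misconfiguration, or DNSSEC (retry +cd)
    if r["status"] == "NOERROR" and not r["answers"]:
        return "NODATA"              # name exists but has no record of the queried type
    if expect_authoritative and "aa" not in r["flags"]:
        return "NOT_AUTHORITATIVE"   # answered from cache; this server does not host the zone
    return "OK"


def run_dig(name, rtype="A", server=None):
    """Run the real dig binary (needs network access) and return its text output."""
    cmd = ["dig"] + ([f"@{server}"] if server else []) + [name, rtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed sample outputs, trimmed to the lines the parser uses.
SAMPLE_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;yourdomain.com.\t\t\tIN\tA

;; ANSWER SECTION:
yourdomain.com.\t\t3600\tIN\tA\t203.0.113.10

;; Query time: 12 msec
"""
SAMPLE_CACHED = SAMPLE_OK.replace("qr aa rd", "qr rd ra")   # recursive resolver, no aa flag
SAMPLE_NXDOMAIN = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
yourdomain.com.\t\t300\tIN\tSOA\tns1-01.azure-dns.com. azuredns-hostmaster.microsoft.com. 1 3600 300 2419200 300
"""
SAMPLE_NODATA = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""
SAMPLE_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4245
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_UNREACHABLE = """;; communications error to 203.0.113.53#53: timed out
;; no servers could be reached
"""

if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK), ("cached", SAMPLE_CACHED),
                          ("nxdomain", SAMPLE_NXDOMAIN), ("nodata", SAMPLE_NODATA),
                          ("servfail", SAMPLE_SERVFAIL), ("unreachable", SAMPLE_UNREACHABLE)]:
        print(f"{label:12s} -> {diagnose(sample, expect_authoritative=True)}")
```

To use it against a live zone, feed `run_dig("yourdomain.com", "A", "ns1-01.azure-dns.com")` to `diagnose(..., expect_authoritative=True)` and the same name without a server to `diagnose(...)`; a NOT_AUTHORITATIVE result from the first call means the server you asked does not host the zone, which is a delegation problem rather than a record problem.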

Understanding DNS Propagation

When you make changes to your DNS records, these changes need to propagate across the global DNS infrastructure. This process is governed by the Time-To-Live (TTL) value of each record.

  • TTL (Time To Live): This value, set on each record set, tells a DNS resolver how long it may cache the answer. A lower TTL means changes are picked up sooner, but resolvers query more often, which increases query load and, since Azure DNS bills per query, cost.
  • Azure DNS Propagation Time: Azure DNS name servers serve a change within about a minute. Resolvers and client caches, however, keep the old record until the TTL they received with it expires.

Best Practice: Before making significant changes (like changing IP addresses), lower the TTL of the affected records at least one old-TTL period in advance, make the change, and revert the TTL to a sensible value once the cutover has been verified.

Troubleshooting Delegation Issues

Proper delegation is crucial for your domain to be resolvable. This involves configuring your domain registrar to point to Azure DNS name servers.

  1. Identify Azure DNS Name Servers: In the Azure portal, navigate to your DNS zone. The four name servers assigned to your zone will be listed under "Overview".
  2. Configure at Registrar: Log in to your domain registrar's control panel. Find the DNS or name server settings for your domain. Replace the existing name servers with the ones provided by Azure.
  3. Verification: Use tools like `dig` or `nslookup` to query the NS records for your domain.
    dig yourdomain.com NS
    You should see the Azure DNS name servers listed.

Common Mistake: Misspelling the name servers, copying them incompletely, or using the name servers of a different zone. Azure assigns each zone its own set of four (ns1-XX.azure-dns.com, ns2-XX.azure-dns.net, ns3-XX.azure-dns.org, ns4-XX.azure-dns.info), and another zone's set will not answer for yours. Ensure exact matches.
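A delegation check for the verification step above, added here as an example and not an Azure tool. It compares the NS set the registrar published (what `dig yourdomain.com NS` returns through a public resolver) with the NS set inside the Azure zone (what `dig @<your Azure name server> yourdomain.com NS` returns), normalises case and trailing dots, flags servers that do not follow the Azure naming pattern, and suggests a likely typo when a registrar entry is close to a zone entry. The two dig answers embedded below are constructed samples, and the ns1-10 to ns4-10 names are illustrative stand-ins for the four servers on your zone's Overview page.

```python
"""Compare the delegation at the registrar with the NS set inside the Azure DNS zone.

Added example; not an Azure tool. ZONE_NS and PARENT_NS_* are constructed
samples of dig answer sections; the ns1-10 ... ns4-10 names are illustrative.
"""
import difflib
import re

# Azure DNS name servers follow ns<1-4>-<NN>.azure-dns.{com,net,org,info}
AZURE_NS = re.compile(r"^ns[1-4]-\d{2}\.azure-dns\.(com|net|org|info)\.$")


def ns_names(dig_text):
    """Collect NS targets from dig answer/authority lines, lowercased with a trailing dot."""
    names = set()
    for line in dig_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "NS":
            name = parts[4].lower()
            names.add(name if name.endswith(".") else name + ".")
    return names


def check_delegation(parent_text, zone_text):
    """Return the discrepancies between the registrar delegation and the zone's NS set."""
    parent, zone = ns_names(parent_text), ns_names(zone_text)
    report = {
        "missing_in_zone": sorted(parent - zone),       # registrar points where Azure does not
        "missing_at_registrar": sorted(zone - parent),  # Azure lists a server the registrar omits
        "non_azure": sorted(n for n in parent if not AZURE_NS.match(n)),
        "suspected_typos": {},
    }
    for ns in report["missing_in_zone"]:
        close = difflib.get_close_matches(ns, sorted(zone), n=1, cutoff=0.8)
        if close:
            report["suspected_typos"][ns] = close[0]
    report["ok"] = not (report["missing_in_zone"]
                        or report["missing_at_registrar"]
                        or report["non_azure"])
    return report


# Constructed: what an Azure name server returns for the zone's own NS set.
ZONE_NS = """;; ANSWER SECTION:
yourdomain.com.\t\t172800\tIN\tNS\tns1-10.azure-dns.com.
yourdomain.com.\t\t172800\tIN\tNS\tns2-10.azure-dns.net.
yourdomain.com.\t\t172800\tIN\tNS\tns3-10.azure-dns.org.
yourdomain.com.\t\t172800\tIN\tNS\tns4-10.azure-dns.info.
"""
# Constructed: registrar copied ns2 from another zone, kept an old host, and dropped ns4.
PARENT_NS_BAD = """;; ANSWER SECTION:
yourdomain.com.\t\t86400\tIN\tNS\tNS1-10.AZURE-DNS.COM.
yourdomain.com.\t\t86400\tIN\tNS\tns2-01.azure-dns.net.
yourdomain.com.\t\t86400\tIN\tNS\tns3-10.azure-dns.org.
yourdomain.com.\t\t86400\tIN\tNS\tns1.oldhost.example.
"""
# Constructed: a correct delegation (same set, different TTL from the parent side).
PARENT_NS_GOOD = ZONE_NS.replace("172800", "86400")

if __name__ == "__main__":
    for label, parent in [("bad", PARENT_NS_BAD), ("good", PARENT_NS_GOOD)]:
        report = check_delegation(parent, ZONE_NS)
        print(label, "ok" if report["ok"] else "problems", report)
```

Against a live domain, capture the two dig outputs (one through a public resolver, one from an Azure name server) and pass them to `check_delegation`; an empty `missing_*` pair with `ok` true means the registrar and the zone agree, and a `suspected_typos` entry usually means one name server was copied from the wrong zone.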

SOA Record (Start of Authority)

The SOA record contains administrative information about the DNS zone: the primary name server, the administrator's email, the zone's serial number, and the refresh/retry/expire/minimum timers.

  • Azure DNS creates the SOA record set together with the zone. You can adjust its email and timer fields; the serial number is maintained by the service and cannot be set by hand.
  • The serial number is incremented automatically on every change to the zone. Azure DNS does not support zone transfers (AXFR/IXFR), and when DNSSEC is enabled on a zone Azure performs the signing itself, so there is no situation in which you need to manage the serial number yourself.

Azure DNS Health Checks and Monitoring

Azure provides tools to monitor the health and performance of your DNS zones.

  • Azure Service Health: Check for any Azure DNS service advisories or incidents that might be affecting resolution.
  • Azure Monitor: Azure DNS zones emit Query Volume, Record Set Count and Record Set Capacity Utilization metrics. Alert on an unexpected drop in query volume (a sign that delegation has moved elsewhere) and on capacity utilization approaching the zone's record set limit.

Advanced Diagnostic Techniques

  • Trace DNS Resolution Path: `dig +trace yourdomain.com A` walks the delegation from the root servers down, showing at which step (root, TLD, your Azure name servers) the answer goes wrong. Use `traceroute` to one of the Azure name servers, or `tcptraceroute` on port 53 if UDP is blocked, to check network reachability of the server itself.
  • Query Specific Azure DNS Servers: Directly query the Azure DNS name servers for your zone to bypass local caching issues (ns1-01.azure-dns.com stands in for one of your zone's assigned servers):
    nslookup yourdomain.com ns1-01.azure-dns.com
  • DNSSEC Validation Issues: If DNSSEC is enabled on the zone, Azure DNS manages the keys and signatures; the part you control is the DS record at the registrar, which must match the DNSKEY Azure publishes. Compare `dig yourdomain.com DS` with `dig @ns1-01.azure-dns.com yourdomain.com DNSKEY +dnssec`, and use a tool like DNSViz to visualize the full chain of trust.
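The DS-versus-DNSKEY comparison described above, as an added example rather than Azure code. It derives the DS record (digest type 2, SHA-256, per RFC 4509) and the key tag (RFC 4034 Appendix B) from a DNSKEY, and checks whether the DS the parent serves matches any key in the zone. The DNSKEY material below is a constructed placeholder with a two-byte "public key" (not a real key), the owner name yourdomain.com is the guide's placeholder, and the DS line is what dig would print for that placeholder key.

```python
"""Check that the DS record at the registrar matches the DNSKEY Azure DNS publishes.

Added example, not Azure code. With DNSSEC enabled on an Azure DNS zone, Azure
holds the signing keys; the one artifact you control is the DS record at the
parent. ZONE_DNSKEYS below is a constructed placeholder (two-byte "keys"),
not real key material.
"""
import base64
import hashlib


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for the obsolete algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """DS fields (digest type 2 = SHA-256) the parent must publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}


def parse_ds(dig_line):
    """Parse 'name ttl IN DS tag alg digesttype digest...' as printed by dig (digest may be split)."""
    parts = dig_line.split()
    i = parts.index("DS")
    return {"key_tag": int(parts[i + 1]), "algorithm": int(parts[i + 2]),
            "digest_type": int(parts[i + 3]), "digest": "".join(parts[i + 4:]).upper()}


def ds_matches(parent_ds, owner, zone_dnskeys):
    """True if some DNSKEY in the zone (normally the KSK, flags 257) yields the parent's DS."""
    if parent_ds["digest_type"] != 2:
        raise ValueError("only SHA-256 (digest type 2) is handled here")
    return any(ds_from_dnskey(owner, *k) == parent_ds for k in zone_dnskeys)


# Constructed zone keys as (flags, protocol, algorithm, base64 public key); 257 = KSK, 256 = ZSK.
ZONE_DNSKEYS = [(257, 3, 13, "AQI="), (256, 3, 13, "AwQ=")]
CURRENT_DS = ds_from_dnskey("yourdomain.com", 257, 3, 13, "AQI=")
# Constructed DS line in dig's format for the KSK above; dig splits long digests into tokens.
DS_LINE = "yourdomain.com.\t3600\tIN\tDS\t{tag} 13 2 {a} {b}".format(
    tag=CURRENT_DS["key_tag"], a=CURRENT_DS["digest"][:32], b=CURRENT_DS["digest"][32:])
# What the parent would still serve if the DS was never updated after a key rollover.
STALE_DS = ds_from_dnskey("yourdomain.com", 257, 3, 13, "BQY=")

if __name__ == "__main__":
    print("parent DS matches zone KSK:", ds_matches(parse_ds(DS_LINE), "yourdomain.com", ZONE_DNSKEYS))
    print("stale DS matches zone KSK: ", ds_matches(STALE_DS, "yourdomain.com", ZONE_DNSKEYS))
```

In practice, paste the DS line from `dig yourdomain.com DS` into `parse_ds` and the DNSKEY records from `dig @<your Azure name server> yourdomain.com DNSKEY` into the `zone_dnskeys` list; a False result means validating resolvers will return SERVFAIL for the zone until the registrar's DS is corrected.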

Additional Resources