A domain could fail to resolve for multiple reasons, such as the domain’s name server changes not having propagated completely, DNSSEC being enabled for the domain, DigitalOcean’s name servers not being configured at your registrar, or other DNS providers being active.
The DNS resolution might fail if your DNS changes have not propagated across the internet. It usually takes 24-48 hours for name server changes to update completely across the internet. You can verify if the name server is completely propagated with the global DNS propagation checker.
DigitalOcean name servers do not currently offer support for domains with DNSSEC enabled. To ensure DNSSEC is disabled for your domain, run the following dig command on your domain. For more information about DigitalOcean and DNSSEC, read Does DigitalOcean Support DNSSEC?.
dig your-domain.com +dnssec
For example, if you run this command on dnssec-tools.org, you see the RRSIG record on the last line of the query’s ANSWER SECTION, which is the DNSSEC signature attached to the record. This denotes that DNSSEC is enabled for the domain. With the RRSIG, a DNS resolver can determine whether a DNS response is trusted.
; <<>> DiG 9.10.6 <<>> dnssec-tools.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39984
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;dnssec-tools.org. IN A
;; ANSWER SECTION:
dnssec-tools.org. 300 IN A 185.199.111.153
dnssec-tools.org. 300 IN A 185.199.108.153
dnssec-tools.org. 300 IN A 185.199.110.153
dnssec-tools.org. 300 IN A 185.199.109.153
dnssec-tools.org. 300 IN RRSIG A 13 2 300 20240306033514 20240221020514 52833 dnssec-tools.org. a16XkN9DHA4w4A+HdsfudiCIzDStxgq4+k+WUX3ignN4tOUVFJ0MYqaV a7Gt3ks39ysIAI2A39ppVEHj7M6l1Q==
If DNSSEC is enabled for your domain, disable it at your registrar and then check to see if this solves your resolution issue.
To check if the registrar has imposed restrictions hindering DNS record updates for the domain, use whois to check the registrar’s current status. For information about the registrar status, read ICANN’s EPP status codes.
To propagate DNS records set up in the DigitalOcean Control Panel, your domain should point to all three DigitalOcean name servers. This means you need to delegate your domain by configuring your domain at your registrar to use DigitalOcean’s name servers instead of the registrar’s name servers.
DigitalOcean has three name servers: ns1.digitalocean.com, ns2.digitalocean.com, and ns3.digitalocean.com.
You can verify if your domain is using these servers by running in your terminal:
dig +short your-domain.com NS
You should receive this output if your domain is correctly configured to use DigitalOcean’s name servers:
ns3.digitalocean.com.
ns1.digitalocean.com.
ns2.digitalocean.com.
If you receive different name servers, reference your registrar’s documentation to see how to delegate your domain to use DigitalOcean’s name servers.
If you are using multiple DNS providers, this can cause inconsistent domain behavior. If you configure your domain to use name servers from both your domain’s registrar and DigitalOcean, then this could lead to inconsistent DNS propagation if the records are not synced between the two providers.
For example, if you have an A record for example.com that points to 203.0.113.65 on DigitalOcean and another A record at GoDaddy that points to 192.0.2.125, this causes inconsistent behavior as some users are sent to one IP address while others are sent to the other.
If you are using multiple DNS providers, but are having issues keeping records synced between the sets of name servers, consider using a single provider. You can do this by updating your domain’s delegation at your registrar to use only one set of name servers from a single provider.
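The following script is an added example, not part of DigitalOcean’s documentation or tooling. It applies the checks above to dig output: has_rrsig looks for an RRSIG record in the ANSWER SECTION, and classify_ns reports whether the delegation uses all three DigitalOcean name servers, only some of them, or a mix with another provider. The function names and the sample name server ns1.registrar-dns.example are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify dig output. Function names are hypothetical.

# Reads `dig your-domain.com +dnssec` output on stdin.
# Returns 0 if the ANSWER SECTION contains an RRSIG record, 1 otherwise.
has_rrsig() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;; / || /^$/        { in_answer = 0 }   # any other section ends it
        in_answer && $3 == "IN" && $4 == "RRSIG" { found = 1 }
        END { exit !found }
    '
}

# Reads `dig +short your-domain.com NS` output on stdin, prints one verdict:
#   digitalocean-only  all three DigitalOcean name servers, nothing else
#   incomplete         only DigitalOcean name servers, but fewer than three
#   mixed              DigitalOcean name servers plus another provider
#   other-provider     no DigitalOcean name servers
#   no-answer          no NS records in the input
classify_ns() {
    # Normalise case and the trailing root dot, then de-duplicate.
    tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u | awk '
        /^ns[123]\.digitalocean\.com$/ { ours++; next }
        NF                             { other++ }
        END {
            if (ours == 3 && !other) print "digitalocean-only"
            else if (ours && other)  print "mixed"
            else if (ours)           print "incomplete"
            else if (other)          print "other-provider"
            else                     print "no-answer"
        }
    '
}

# Constructed sample: two DigitalOcean servers and one placeholder server
# from a second provider, as in the multi-provider case described above.
SAMPLE_NS='ns1.digitalocean.com.
NS2.DigitalOcean.com.
ns1.registrar-dns.example.'
printf '%s\n' "$SAMPLE_NS" | classify_ns   # prints: mixed
```

To use the functions on a live domain, pipe the two dig commands from this page into has_rrsig and classify_ns respectively.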