Troubleshoot DNS resolution failures and cases where resolution works but the website remains inaccessible.
DNS resolution not taking effect
Q: How do I test whether DNS resolution is working?
A: Check whether local and authoritative DNS results match your settings. If they match, resolution is working. If local results differ, wait 10 minutes for the DNS cache to expire and retest. If authoritative results differ, contact after-sales support. Methods to test resolution effectiveness.
Q: Why is my domain name resolution not working?
A: The following are common reasons why domain name resolution does not take effect:
New domain names
For new domain names, DNS servers may not have completed synchronization. You can wait for a short period and then check again. If synchronization has not occurred, you can manually change the DNS server address of the domain name. After you change the DNS server, the change can take up to 48 hours to propagate globally.
Abnormal domain status
An abnormal domain status directly affects domain name resolution. You can use the WHOIS lookup tool to check the domain status. If the status is "serverHold" or "clientHold", the domain name cannot be resolved.
Possible reasons: This can be caused by domain names registered with public templates, incomplete identity verification, domain name disputes, or penalties for business violations imposed by the communications administration.
Solution:
If your domain name registrar is not Alibaba Cloud, contact your registrar to resolve the issue.
If your domain name is registered with Alibaba Cloud, see Remove the ClientHold and ServerHold lock statuses from a domain name.
In the WHOIS lookup results, if the Domain Status is serverHold, this indicates that the domain name registry has suspended resolution. This may be due to incomplete identity verification.
In the Alibaba Cloud DNS console, on the Domain Names page, if the DNS Server column shows an Abnormal status, this indicates that the DNS server of the domain name is not working correctly.
NoteIf this document does not resolve your issue, you can contact after-sales support by submitting a ticket to online customer service for domain names.
Domain name blocked by regulatory authorities
You can check for official notices or emails from regulatory authorities. If a regulatory authority has blocked the domain name, this is beyond the control of Alibaba Cloud. You must contact the relevant authority directly to resolve the issue.
Expired domain name
If a domain name expires, its DNS resolution is paused. This prevents users from accessing the website.
Solution: You can check the expiration date of the domain name using the WHOIS lookup tool. If the domain name has expired, you must renew it promptly. For more information, see Domain name renewal. Domain name resolution will resume within 24 to 48 hours after a successful renewal.
Subdomain hosted elsewhere
If your subdomain is hosted elsewhere, the DNS settings that are configured for the root domain do not apply to that subdomain. For example, your root domain example.com might be configured in Alibaba Cloud DNS, but the subdomain www.example.com is hosted on another Alibaba Cloud account or with a different service provider (SP). In this case, any DNS record changes that you make for www.example.com under the root domain example.com do not take effect.
Solution: You can reconfigure the DNS records where the subdomain www.example.com is hosted, and then test again.
DNS record was modified
After you modify a DNS record, you must wait for the local DNS cache of various Internet Service Providers (ISPs) to expire before the change can take effect. The propagation time depends on the TTL value that is configured for the domain name. For more information about the effective time of resolution, see FAQ about the time when DNS settings take effect.
Domain name's DNS server was changed
After you change the DNS server of a domain name, the change can take up to 48 hours to propagate globally. During this 48-hour period, you must ensure that the DNS data is consistent between the new and legacy DNS service providers. If you delete DNS records from the legacy DNS service provider, or if you do not add DNS data to the new DNS service provider, domain name resolution fails. For more information about common issues when you change DNS servers, see FAQ about changing DNS servers for a domain name.
Not using Alibaba Cloud DNS servers
You can check whether the DNS server of the domain name is one assigned by Alibaba Cloud DNS. You can use the WHOIS lookup tool to find the DNS server that is currently used. If the DNS server that is shown in the WHOIS lookup result is not in the following list, this indicates that your domain name is not using Alibaba Cloud DNS for resolution. You must contact your DNS service provider to investigate.
Alibaba Cloud DNS server name | Edition |
vip(1-8).alidns.com | Paid Edition |
ns(1-32).hichina.com, ns(1-8).alidns.com | Free Edition |
Solution: You can change the DNS server to one that is assigned by Alibaba Cloud DNS. For more information, see How to modify the DNS server for an Alibaba Cloud domain name.
If you recently changed the DNS server but the WHOIS lookup still shows the previous DNS server name, you must wait for the information to be updated. WHOIS lookup results are cached and not updated in real time. On the WHOIS lookup results page, you can click Get Latest Info to retrieve the latest information.
Default line not configured for domain name resolution
If a DNS record with the source set to "Default" is not configured as a fallback, resolution may fail. This occurs when requests from certain regions or network lines cannot be matched to a specific DNS record.
Solution: You can add a DNS record with the source set to "Default" for the domain name. After the Time to Live (TTL) expires, you can test again.
Q: How do I troubleshoot DNS resolution failures?
A: DNS resolution failure means query results do not match your Cloud DNS settings, or queries cannot retrieve the target server IP. Troubleshooting approach for resolution not taking effect.
Q: What if DNS resolution does not take effect for a long time?
A: This is usually caused by stale local DNS cache. Your local DNS server (cache DNS server) is outside Cloud DNS control and caches records based on the TTL you set. Typical propagation times:
Adding records: Immediate
Deleting or modifying records: Depends on the local DNS cache TTL (default: 10 minutes).
Q: What if local DNS resolution is not taking effect?
A: Your local DNS server (cache DNS server) is outside Cloud DNS control and caches records based on your TTL setting. Wait for the TTL to expire before retesting. TTL value setting method.
If you need to flush the local DNS cache on the client side, you can use the following commands:
Windows:
ipconfig /flushdnsmacOS:
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponderLinux:
sudo systemd-resolve --flush-caches # or new version: sudo resolvectl flush-cachesIf using nscd cache service:
sudo /etc/init.d/nscd restart
We also recommend using the browser's incognito/private mode or clearing the browser cache to rule out browser-level cache interference (especially for URL forwarding or HTTPS certificate error scenarios).
Q: Why does resolution not take effect in certain regions?
A: Two common causes:
Local DNS server cache: After you modify a record, propagation speed depends on each region's local DNS cache refresh rate. Regions with slower cache refresh may still serve stale records.
Solution: Cloud DNS cannot control local DNS caches. Contact your ISP.
Resolution line settings: Missing a default line can cause resolution failures in some regions.
Solution: Add a record with Resolution Request Source set to "default", keeping other settings consistent with the failing record. Adding resolution records.
Packet capture for troubleshooting: If access fails in a specific region or ISP, capture packets during the failure using Wireshark (Windows) or tcpdump (Linux), and save the .cap file to analyze whether the failure occurs at the DNS resolution stage or the TCP connection stage.
# Linux packet capture example
tcpdump -i eth0 -w dns_capture.cap port 53Q: Can Cloud DNS contact ISPs to refresh caches?
A: No. Cloud DNS is an authoritative DNS server and cannot control cache refresh on local DNS servers nationwide.
Q: After configuring CNAME, TXT, or MX records, third-party platform verification fails or shows resolution errors. How to resolve?
A: For scenarios such as email verification, SSL certificate verification, or CDN/CNAME integration, troubleshoot as follows:
Verify record type and value: Strictly check whether the host record (such as
_acme-challenge,_dmarc,@,www) and record value exactly match the third-party platform requirements. Pay attention to trailing dots, extra spaces, and other formatting details.Verify resolution results:
Use
digornslookupto query with the specific record type:dig TXT example.com nslookup -type=CNAME www.example.comUse the Alibaba Cloud DNS diagnostic tool to check whether the records have propagated across all national nodes.
Cache and propagation time: Global DNS propagation and cache refresh may take 10 minutes to 48 hours. If the diagnostic tool shows correct results but the third-party still reports errors, wait and retry, or contact the third-party platform to check its detection node cache.
Conflict check: Ensure there are no conflicts with other records. For example, a CNAME record and an A record cannot coexist on the same host record.
Resolution works but website is inaccessible
Q: DNS resolution works, but the website won't open or redirects abnormally??
A: DNS resolution is only one part of website hosting. First verify resolution using Methods to test resolution effectiveness. If resolution is normal but the website is still inaccessible, check the following:
Domain names that resolve to mainland China servers require ICP filing. Verify your ICP filing status. How to troubleshoot website access issues caused by ICP filing?
Verify that ports 80 and 443 (required for HTTPS) are open in the server security group.
telnet your-server-ip 80 telnet your-server-ip 443For Alibaba Cloud ECS, Check ECS instance security group rules.
Verify that the web service is running and listening on the expected port. Check service status and port listening status.
Verify that the server firewall allows traffic on the required ports. Check ECS firewall settings.
If the browser displays "Connection Reset" or "Not Secure", check whether the SSL certificate is correctly deployed on the server. The DNS layer cannot resolve HTTPS certificate issues.
Redirection/forwarding settings:
If URL forwarding is configured, please note that Alibaba Cloud's explicit/implicit URL forwarding only supports access via the HTTP protocol and does not support HTTPS source domains. Accessing via HTTPS may result in connection failures or redirect loops.
Check whether the web server (such as Nginx or Apache) is configured with incorrect redirect rules (e.g., redirecting to private IPs or unresolved domains).
If all checks pass, contact your server or hosting provider for further troubleshooting.
Q: My DNS resolution is active, but the ping command fails. Why?
A: An active resolution means that the domain name resolution service is working correctly. The ping command relies on the Internet Control Message Protocol (ICMP) and can only probe the IP addresses of A records (IPv4) or AAAA records (IPv6). A failed ping command usually indicates a problem with the network link.
For example, pinging a canonical name (CNAME) or MX record might fail if the target domain name does not have an A record or AAAA record, or if the resolution chain is broken. Ping commands will also fail if a server has disabled the ICMP protocol.
If your server's IP address is from Alibaba Cloud, submit a ticket for server troubleshooting. If your server's IP address is not from Alibaba Cloud, contact your server provider for troubleshooting.
Q: Is intermittent website access caused by unstable DNS resolution?
A: First determine whether the issue is website instability, slow access, or actual DNS resolution instability.
Website instability or slow access: These are not DNS issues. If the domain resolves to the correct IP, DNS is working. Troubleshoot server configuration, web application, and network environment instead.
Unstable resolution: DNS queries go from Local DNS to root DNS, top-level domain DNS, and then Cloud DNS (authoritative DNS). If the Local DNS is unstable, resolution anomalies can occur. Capture a screenshot from the Alibaba query tool and submit a ticket.
Other common scenarios
Q: After an ECS instance expires or is released, are DNS records automatically deleted?
A: No. When an ECS instance expires or is released, DNS records in Alibaba Cloud DNS are not automatically deleted. The records still point to the original IP, but the service is unavailable. If the IP is reassigned to another user, your domain may resolve to someone else's server - a security risk. Delete unused DNS records promptly.
Q: What should I do if queries for internationalized (Chinese) domain names return errors?
A: Some third-party tools may not properly handle internationalized domain names. Use the Punycode encoding for queries and configuration. For example, the Punycode for a Chinese domain is in the format xn--fiq228c.com. Use an online Punycode converter tool.
Q: After configuring Global Traffic Manager (GTM), regular DNS records in the DNS console no longer take effect?
A: If a GTM instance is configured, GTM has the highest priority, and regular DNS records in the DNS console will no longer take effect. If the GTM service is disabled or deleted, regular DNS records will resume after the cache expires.
Q: The Alibaba Mail client reports an error or a parsing error, but the webmail works correctly. What should I do?
A: If you can send and receive email using the webmail and a DNS network probe confirms that your MX and TXT records are active, your DNS configuration is correct. The client-side error is likely caused by a local cache or a delay in server-side data synchronization.
Delete any unnecessary DNS records that do not belong to your current mailbox provider.
Wait 24 to 48 hours to allow for full synchronization of global DNS data and the mailbox provider's internal data.
Restart the mail client or re-add the account to test the configuration.
Q: After domain renewal, will DNS records become ineffective?
A: Domain renewal does not affect configured DNS records. As long as the domain is in a normal status (not expired or frozen), DNS records continue to be effective. If a brief anomaly occurs after renewal, it is typically caused by a delay in domain status synchronization. Wait a moment and the records will resume.