Introduction

Intermittent DNS resolution failures are harder to diagnose than a full outage because the domain works just often enough to hide the pattern. One user resolves the hostname correctly while another gets NXDOMAIN, an old IP, or a timeout. That usually means DNS answers are inconsistent across resolvers, authoritative servers, or network paths rather than the website being completely down.

Symptoms

  • The same hostname works from one network but fails from another
  • Refreshing the page sometimes loads the site and sometimes returns a DNS error
  • Monitoring checks disagree depending on region or resolver
  • Some users get the new IP while others still receive an old destination
  • The issue appeared after a DNS migration, zone edit, or nameserver change

Common Causes

  • Authoritative nameservers do not all serve the same zone data
  • Split DNS or internal resolver policies return different answers by network
  • Delegation is incomplete and some resolvers still query old nameservers
  • Duplicate records, stale glue, or mixed A and AAAA answers send traffic to inconsistent targets
  • Resolver caches keep serving different data because TTLs or negative caching differ

Step-by-Step Fix

  1. Query the hostname from multiple public resolvers and directly against each authoritative nameserver to compare the exact answers and TTL values.
  2. Check whether all authoritative nameservers return the same records, because even one stale server can create random-looking failures.
  3. Verify delegation at the registry and your DNS provider so resolvers are not bouncing between old and new nameserver sets.
  4. Review the zone for conflicting A, AAAA, CNAME, or wildcard records that could send different clients to different destinations.
  5. If IPv6 is enabled, confirm the AAAA record points to a healthy service and is not causing only some networks to fail.
  6. Inspect split-DNS, VPN, office resolver, or internal domain search settings to see whether private users are resolving a different answer from public users.
  7. Treat cached results as unreliable: correct the authoritative data first, then retest only after the old TTL has expired.
  8. Validate the final answer from multiple regions and networks so you know the inconsistency is gone rather than just hidden by one resolver cache.
  9. Keep a record of the intended DNS state and nameserver ownership so future migrations do not recreate inconsistent delegation.
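
Steps 1 and 2 as a script, added here as an illustration (not part of the original article): it asks every authoritative nameserver directly for the SOA serial and the record set with its TTL, then groups the servers by what they returned. The function names and the hostnames, serials and addresses in `sample` are constructed for the example; live use assumes `dig` is installed.

```sh
#!/bin/sh
# Added example: group authoritative nameservers by what they actually serve.

# collect NAME ZONE [TYPE]: one line per authoritative nameserver,
# "ns<TAB>soa-serial<TAB>ttl/rdata,..." (needs dig and network access).
collect() (
  name=$1 zone=$2 type=${3:-A}
  for ns in $(dig +short NS "$zone" | sort); do
    serial=$(dig +short +norecurse +time=2 +tries=1 SOA "$zone" "@$ns" |
      awk 'NF && !/^;/ { print $3 }')
    answer=$(dig +noall +answer +norecurse +time=2 +tries=1 "$name" "$type" "@$ns" |
      awk 'NF && !/^;/ { print $2 "/" $5 }' | sort | paste -s -d, -)
    printf '%s\t%s\t%s\n' "$ns" "$serial" "$answer"
  done
)

# find_drift: read collect-format lines on stdin and group servers by
# (serial, answer). Returns 0 if all agree, 1 if they differ (printing each
# distinct answer with its servers), 2 if there was no input at all.
find_drift() {
  awk -F'\t' '
    { key = $2 "\t" $3
      if (!(key in servers)) order[++n] = key
      servers[key] = servers[key] " " $1 }
    END {
      if (n == 0) exit 2
      if (n == 1) exit 0
      for (i = 1; i <= n; i++) print order[i] "\t<-" servers[order[i]]
      exit 1
    }'
}

# Constructed sample: ns3 still serves the pre-migration zone (old serial,
# old address, longer TTL). Names and addresses are documentation values.
sample() {
  printf '%s\t%s\t%s\n' \
    ns1.example.net. 2024050102 300/192.0.2.10 \
    ns2.example.net. 2024050102 300/192.0.2.10 \
    ns3.example.net. 2024043001 3600/198.51.100.7
}

# With arguments, query live servers; without, run the offline sample.
if [ "$#" -ge 2 ]; then collect "$@"; else sample; fi | find_drift \
  && echo "all authoritative servers agree" \
  || echo "authoritative servers disagree (or none answered)"
```

A server that times out or returns no answer ends up in its own group with an empty serial or record set, so a lame or unreachable nameserver is reported as well as a stale one.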