$ Linux One Liners
Back to lessons

Web Server Rescue

Risk: safe

Compare DNS Answers Across Resolvers

A site behaves differently for different users and you need to compare DNS answers from multiple public resolvers.

Command

for r in 1.1.1.1 8.8.8.8 9.9.9.9; do printf '%s ' "$r"; dig @"$r" +short edge.test A; done

Before you run this

Risk: safe. Do not assume public resolver agreement proves every ISP cache has updated.

Expected output

Resolver IPs followed by the A record each resolver returns.

System impact

Nothing changes. The command sends read-only DNS queries.

Recovery / rollback: no state is changed.

When to use it

Use during DNS cutovers, CDN moves, or reports that only some users reach the wrong IP.

When not to use it

Do not assume public resolver agreement proves every ISP cache has updated.

Watch this command run

Example output from a temporary Linux lab

This example uses disposable sample files and sanitized output so you can inspect the shape of the result before touching a real system.

demo@lab:~$

$ dig +short example.com A

203.0.113.10

$ for r in 1.1.1.1 8.8.8.8 9.9.9.9; do printf '%s ' "$r"; dig @"$r" +short example.com A; done

1.1.1.1 203.0.113.10
8.8.8.8 198.51.100.44
9.9.9.9 203.0.113.10
View reproducible demo details

This page shows the sanitized shell transcript and the setup steps needed to reproduce the example.

Lab setup steps

  1. dig +short edge.test A
  2. for r in 1.1.1.1 8.8.8.8 9.9.9.9; do printf '%s ' "$r"; dig @"$r" +short edge.test A; done

next steps

Related commands

Web Server Rescue Risk: safe

Compare Authoritative Nameserver Answers

The recursive resolver was not the problem. One nameserver disagreed.

for ns in $(dig +short NS edge.test); do printf '%s ' "$ns"; dig @"$ns" +short edge.test A; done
Web Server Rescue Risk: safe

Compare A and AAAA Records

IPv4 worked. IPv6 sent users to a different edge.

printf 'A '; dig +short edge.test A; printf 'AAAA '; dig +short edge.test AAAA
Web Server Rescue Risk: safe

Check CAA Certificate Issuers

The certificate request failed because DNS allowed the wrong issuer.

dig +short edge.test CAA
Web Server Rescue Risk: safe

Show the DNS Answer TTL

The fix was correct. The TTL explained why users still saw the old edge.

dig +noall +answer edge.test A
Web Server Rescue Risk: safe

Check the WWW CNAME Target

The apex was right. The www name pointed through a different path.

dig +short www.edge.test CNAME
Study mapping

Use this as independent command practice: read the notes, predict the output, then compare it with the example before using a real shell.

  • lpic1:109-networking
  • lfcs:networking
  • lfcs:services-logs
  • linuxplus:provisional
  • linuxplus:troubleshooting
  • risk:read-only

Useful for

  • LPIC-1 style command-line practice
  • LFCS style performance tasks
  • Linux+ style troubleshooting review

Independent study support only. No affiliation, endorsement, exam dumps, or real exam questions.