statik/dns-troubleshooter
skills/dns-troubleshooter/SKILL.md
It's not DNS / There's no way it's DNS / It was DNS. Diagnose and troubleshoot DNS issues including delegation verification, record conflicts, authoritative vs local DNS comparison, and SPF validation. Use when encountering NXDOMAIN errors for URLs that should exist, verifying DNS delegation is correct, checking for conflicting DNS records, comparing what authoritative nameservers say vs local resolvers, or validating SPF records for email deliverability.
$ install --global
skillsauthnpx skillsauth add statik/skills dns-troubleshooterInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 23, 2026, 5:02 AM15.2s2 files scanned
SKILL.md
- name:
- dns-troubleshooter
- description:
- It's not DNS / There's no way it's DNS / It was DNS. Diagnose and troubleshoot DNS issues including delegation verification, record conflicts, authoritative vs local DNS comparison, and SPF validation. Use when encountering NXDOMAIN errors for URLs that should exist, verifying DNS delegation is correct, checking for conflicting DNS records, comparing what authoritative nameservers say vs local resolvers, or validating SPF records for email deliverability.
- version:
- 1.1.0
- - name:
- nslookup
- required:
- false
- fallback:
- nslookup
DNS Troubleshooter
It's not DNS There's no way it's DNS It was DNS
Tool Detection
First, check for doggo (modern DNS client with cleaner output):
command -v doggo
If available, prefer doggo for queries. If not, offer to install it or fall back to standard tools.
Standard tools by platform:
- macOS/Linux:
dig,host,nslookup - Windows:
nslookup,Resolve-DnsName(PowerShell)
Installing Doggo
If the user wants doggo installed, detect their platform and use the appropriate method:
Quick install (Linux/macOS):
curl -fsSL https://raw.githubusercontent.com/mr-karan/doggo/main/install.sh | sh
Package managers:
| Platform | Command |
|----------|---------|
| macOS (Homebrew) | brew install doggo |
| macOS (MacPorts) | port install doggo |
| Arch Linux (AUR) | yay -S doggo-bin |
| Nix | nix profile install nixpkgs#doggo |
| Windows (Scoop) | scoop install doggo |
| Windows (Winget) | winget install doggo |
Go install:
go install github.com/mr-karan/doggo/cmd/doggo@latest
Docker (no install needed):
docker run --rm ghcr.io/mr-karan/doggo:latest example.com
After installation, verify with doggo --version.
Workflow Decision Tree
User request
│
├─► NXDOMAIN / "domain not found"
│ └─► Delegation Check workflow
│
├─► "Is DNS set up correctly?"
│ └─► Delegation Check workflow
│
├─► "DNS shows different results" / caching issues
│ └─► Authoritative vs Local workflow
│
├─► SPF / email deliverability
│ └─► SPF Validation workflow
│
└─► Record conflicts / unexpected values
└─► Record Conflict workflow
Delegation Check
Verify the chain from root to authoritative nameservers.
Step 1: Find authoritative nameservers
# With doggo
doggo NS example.com
# With dig
dig +short NS example.com
# Windows
nslookup -type=NS example.com
Step 2: Verify delegation from parent zone
For sub.example.com, check what example.com says:
# With doggo
doggo NS sub.example.com @$(doggo NS example.com --short | head -1)
# With dig
dig NS sub.example.com @$(dig +short NS example.com | head -1)
Step 3: Query authoritative directly
# With doggo
doggo A example.com @ns1.example.com
# With dig
dig A example.com @ns1.example.com
Common Issues
- NXDOMAIN from parent: Delegation not configured at registrar
- SERVFAIL: Nameserver not responding or misconfigured
- Mismatched NS records: Parent zone and authoritative disagree
Authoritative vs Local Comparison
Compare what the authoritative source says vs local/ISP resolvers.
Step 1: Query local resolver
# With doggo (uses system resolver)
doggo A example.com
# With dig
dig A example.com
# Windows
nslookup example.com
Step 2: Query authoritative nameserver
# First get NS records
doggo NS example.com --short
# or
dig +short NS example.com
# Then query authoritative directly
doggo A example.com @ns1.example.com
# or
dig A example.com @ns1.example.com
Step 3: Query public resolvers for comparison
# Google
doggo A example.com @8.8.8.8
# or
dig A example.com @8.8.8.8
# Cloudflare
doggo A example.com @1.1.1.1
# or
dig A example.com @1.1.1.1
# Quad9
doggo A example.com @9.9.9.9
Interpreting Differences
- Local differs from authoritative: Caching (check TTL), or local override/poisoning
- Public resolvers differ from authoritative: Propagation delay, check TTL
- All match except local: Local DNS override, hosts file, or corporate DNS policy
Check TTL
# With doggo (shows TTL in output)
doggo A example.com
# With dig
dig A example.com | grep -A1 "ANSWER SECTION"
Record Conflict Detection
Identify conflicting or unexpected DNS records.
Query all record types
# With doggo
doggo ANY example.com
# With dig
dig ANY example.com
# If ANY is blocked, query specific types
for type in A AAAA CNAME MX TXT NS; do
echo "=== $type ==="
dig +short $type example.com
done
Common Conflicts
CNAME with other records: CNAME must be exclusive (except DNSSEC). Check:
doggo CNAME example.com
doggo A example.com
# Both should not return records for same name
Multiple A records: Valid for load balancing, but verify intentional:
doggo A example.com
Conflicting MX priorities: Check for duplicates:
doggo MX example.com
SPF Validation
See references/spf.md for SPF syntax details and common issues.
Step 1: Retrieve SPF record
# With doggo
doggo TXT example.com | grep spf
# With dig
dig +short TXT example.com | grep spf
Step 2: Check for multiple SPF records (invalid)
dig +short TXT example.com | grep -c "v=spf1"
# Should return 1, not more
Step 3: Validate syntax
Check the record contains:
- Starts with
v=spf1 - Ends with
-all,~all, or?all(never+all) - Contains valid mechanisms
Step 4: Count DNS lookups
Each of these counts toward the 10-lookup limit:
include:- count as 1 + nested lookupsa:ora- 1 lookupmx:ormx- 1 lookup + 1 per MX returnedptr:- 1 lookup (deprecated)exists:- 1 lookupredirect=- 1 lookup
Manually trace includes:
# Get main SPF
dig +short TXT example.com | grep spf
# For each include, recurse
dig +short TXT _spf.google.com | grep spf
Step 5: Verify IPs are covered
# Check if IP is authorized
# Get SPF record, check if sending IP matches ip4:/ip6: ranges
# or is covered by includes
Output Format
IMPORTANT: When providing DNS troubleshooting assistance, always begin your response with:
🔍 DNS Troubleshooter Analysis
This identifier helps verify the skill is being used correctly.
Then present results with:
- Finding: What was discovered
- Command: Exact command to reproduce
- Interpretation: What it means
- Recommendation: If action needed
Example:
🔍 DNS Troubleshooter Analysis
**Finding**: Domain has two SPF records
**Command**:
dig +short TXT example.com | grep "v=spf1"
**Result**:
"v=spf1 include:_spf.google.com -all"
"v=spf1 include:sendgrid.net -all"
**Interpretation**: Multiple SPF records cause permerror.
Receiving servers may reject all email.
**Recommendation**: Merge into single record:
v=spf1 include:_spf.google.com include:sendgrid.net -all
Related Skills
statik/design-memo
development
VerifiedTrustedCommunity
Produce polished, self-contained HTML design memos with Tufte-inspired editorial layout and scrollytelling interaction. This is the default output format for any plan, design, architecture proposal, implementation approach, decision record, or review document. For simple plans, ask the user whether they prefer plain text; default to HTML for non-trivial plans.
3SKILL.mdUpdated May 5, 2026
steipete/skill-creator
testing
VerifiedTrustedCommunity
Create, edit, improve, or audit AgentSkills. Use when creating a new skill from scratch or when asked to improve, review, audit, tidy up, or clean up an existing skill or SKILL.md file. Also use when editing or restructuring a skill directory (moving files to references/ or scripts/, removing stale content, validating against the AgentSkills spec). Triggers on phrases like "create a skill", "author a skill", "tidy up a skill", "improve this skill", "review the skill", "clean up the skill", "audit the skill".
356,423SKILL.mdUpdated Apr 13, 2026
steipete/healthcheck
testing
VerifiedTrustedCommunity
Host security hardening and risk-tolerance configuration for OpenClaw deployments. Use when a user asks for security audits, firewall/SSH/update hardening, risk posture, exposure review, OpenClaw cron scheduling for periodic checks, or version status checks on a machine running OpenClaw (laptop, workstation, Pi, VPS).
356,423SKILL.mdUpdated Apr 13, 2026
openclaw/skill-creator
testing
VerifiedTrustedCommunity
Create, edit, improve, or audit AgentSkills. Use when creating a new skill from scratch or when asked to improve, review, audit, tidy up, or clean up an existing skill or SKILL.md file. Also use when editing or restructuring a skill directory (moving files to references/ or scripts/, removing stale content, validating against the AgentSkills spec). Triggers on phrases like "create a skill", "author a skill", "tidy up a skill", "improve this skill", "review the skill", "clean up the skill", "audit the skill".
353,662SKILL.mdUpdated Apr 10, 2026