DNS Propagation and Validation Playbook
Who this is for
Users experiencing DNS-related issues: a domain not resolving to their server, SSL provisioning failing due to DNS, or a newly assigned domain not working after propagation.
How DNS Propagation Works
When you point a domain to a new server (by updating an A record), DNS changes propagate through the internet's DNS infrastructure. This takes:
- Typically: A few minutes to 2 hours
- Maximum: Up to 48 hours (rare, but possible with high TTL values)
During propagation, some visitors may still see the old IP address while others see the new one. This is normal.
Step 1 — Check Your Current DNS Record
Use a public DNS checker to see the current IP your domain resolves to:
- https://dnschecker.org
- https://whatsmydns.net
Enter your domain and check the A record. The IP should match your server's public IP in CloudAIPilot (shown in Server detail).
Step 2 — Verify Your DNS Record Is Set Correctly
At your domain registrar or DNS provider:
- Find the domain's DNS settings.
- Look for an A record for the root domain (@) or subdomain you are using.
- Confirm it points to the server's public IP address.
For subdomains (e.g., app.yourdomain.com):
- Add an A record for app pointing to the server IP.
For root domains (e.g., yourdomain.com):
- Add an A record for @ pointing to the server IP.
Step 3 — Check TTL (Time to Live)
If the A record was recently updated, the old TTL determines how long the old IP is cached. Lower TTL = faster propagation.
To speed up future changes:
- Set your TTL to 300 seconds (5 minutes) 24 hours before making a DNS change.
- After propagation, you can raise TTL back to 3600 (1 hour) or higher.
Step 4 — Test Local Resolution
On your own computer, flush the DNS cache and test:
macOS:
sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder
dig A yourdomain.com
Windows:
ipconfig /flushdns
nslookup yourdomain.com
Linux:
resolvectl flush-caches   # on older systemd releases: systemd-resolve --flush-caches
dig A yourdomain.com
Step 5 — Retry SSL After DNS Propagates
Once DNS resolves to the correct IP, retry SSL provisioning:
- Go to Site detail → SSL tab.
- Click Issue Certificate (or Renew).
See KB-12-02: SSL Issue Playbook for full SSL troubleshooting.
Using Cloudflare or a DNS Proxy?
If you are using Cloudflare (or another DNS proxy with the "orange cloud" enabled):
- Cloudflare's proxy hides your server's real IP. Let's Encrypt cannot reach port 80 on the server directly.
- Solution: Set the Cloudflare proxy to "DNS only" (grey cloud) during SSL provisioning. After the certificate is issued, you can re-enable the proxy.
Common DNS Issues
| Symptom | Likely cause | Fix |
|---|---|---|
| Domain resolves to old IP | DNS propagation in progress | Wait and recheck with dnschecker.org |
| Domain resolves to Cloudflare IP | Cloudflare proxy active | Switch to "DNS only" for SSL issuance |
| SSL fails even though DNS is correct | Port 80 blocked | Open port 80 on firewall |
| DOMAIN_CONFLICT error in CloudAIPilot | Domain already registered on this server | Remove from old site first |
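
The first two rows of the table can be told apart from a terminal by asking several public resolvers directly and comparing each answer with the server's public IP. The script below is an added example, not part of the original article or of CloudAIPilot: the resolver list, the function names and the sample address in the usage line are assumptions, and the Cloudflare ranges are the published IPv4 list, which may change.

```shell
#!/bin/sh
# Added example. Resolver choice, function names and sample IPs are assumptions.
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"
# Cloudflare IPv4 ranges as published at https://www.cloudflare.com/ips/ (may change).
CF_RANGES="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22
198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP NET/BITS: succeed if IP falls inside the range.
in_cidr() {
  ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# classify EXPECTED_IP ANSWER: print match, proxied, stale or no_record.
# "stale" means the answer is neither the expected IP nor a Cloudflare address.
classify() {
  if [ -z "$2" ]; then echo no_record; return 0; fi
  if [ "$2" = "$1" ]; then echo match; return 0; fi
  for range in $CF_RANGES; do
    if in_cidr "$2" "$range"; then echo proxied; return 0; fi
  done
  echo stale
}

# check_domain DOMAIN EXPECTED_IP: live check, needs dig and network access.
check_domain() {
  for res in $RESOLVERS; do
    line=$(dig +noall +answer A "$1" "@$res" | awk '$4 == "A" { print $2, $5; exit }')
    ttl=${line%% *}; ans=${line#* }
    printf '%s\t%s\tttl=%s\t%s\n' "$res" "${ans:-none}" "${ttl:-?}" "$(classify "$2" "$ans")"
  done
}

# Usage: sh dnscheck.sh yourdomain.com 203.0.113.10
if [ "$#" -eq 2 ]; then check_domain "$1" "$2"; fi
```

A resolver that still reports stale also shows the remaining cache lifetime in its ttl column, which is how long to wait before rechecking that resolver.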
Related Articles
- KB-12-02: SSL Issue Playbook
- KB-03-03: Configure Domain and DNS for Sites
- KB-04-09: App Domains and SSL