DNS Flapping: When Resolution Oscillates
Your DNS queries return one IP, then another. Here's why.
DNS flapping describes a situation where DNS resolution alternates between different values, seemingly at random. This can be intentional (round-robin load balancing) or problematic (desynchronized secondaries, corrupted zone, attack). Problematic flapping causes an inconsistent user experience: sometimes the site loads, sometimes it does not. Identifying whether flapping is normal or abnormal is the first diagnostic step.
Symptoms of DNS Flapping
- dig returns different IPs on each query
- Site works sometimes and not others, with no clear pattern
- External monitors alternate between UP and DOWN rapidly
- Users report inconsistent experience
Causes of Flapping
- Intentional round-robin: You configured multiple A records for load balancing. This is normal, but each IP must work.
- Desynchronized NS: Your secondary NS do not serve the same zone as the primary, so the response depends on which NS answers.
- Ongoing propagation: During a migration, caches hold different values depending on their residual TTL.
Flapping Diagnosis
- Query each NS individually: dig @ns1.example.com example.com then @ns2...
- Verify SOA serial is identical on all NS.
- If intentional round-robin, verify ALL returned IPs are valid.
- Test on multiple public resolvers to see if flapping is local or global.
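The first three checks above can be scripted. The following is an added example, not part of the original page or of MoniTao: the function names, verdict labels and sample data are assumptions made for illustration, and it relies on the standard dig, awk, sort and paste tools.

```shell
#!/bin/sh
# Added example (not from the original page).
# collect ZONE: one line per authoritative NS:
#   "<ns> <soa-serial> <sorted,comma-joined A records>"
# An NS that does not answer is recorded as "none" and counts as a mismatch.
collect() {
    zone=$1
    for ns in $(dig +short NS "$zone"); do
        serial=$(dig "@$ns" "$zone" SOA +short +norecurse | awk '{print $3}')
        ips=$(dig "@$ns" "$zone" A +short +norecurse | sort | paste -sd, -)
        echo "$ns ${serial:-none} ${ips:-none}"
    done
}

# classify: reads collect-format lines on stdin and prints one verdict.
classify() {
    awk '
        { serials[$2] = 1; sets[$3] = 1
          n = split($3, ip, ","); if (n > widest) widest = n }
        END {
            for (s in serials) n_serials++
            for (s in sets) n_sets++
            if (n_serials > 1)    print "DESYNC_SERIAL"  # zone transfer lagging
            else if (n_sets > 1)  print "DESYNC_RRSET"   # same serial, different data
            else if (widest > 1)  print "ROUND_ROBIN"    # every NS agrees on several IPs
            else                  print "CONSISTENT"
        }'
}

# Constructed sample (not real data): ns2 is one serial behind ns1.
sample_desync() {
    printf '%s\n' \
        'ns1.example.com. 2024050102 192.0.2.10,192.0.2.11' \
        'ns2.example.com. 2024050101 192.0.2.10'
}

# Live usage:  collect example.com | classify
```

Sorting the A records before comparison keeps round-robin rotation from looking like a mismatch. A DESYNC_RRSET verdict (identical serial, different answers) is the case to investigate first, since a normal transfer lag would also show a serial difference.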
Flapping Detection with MoniTao
MoniTao identifies flapping patterns:
- Detection of abnormal DNS value alternation
- Alert if NS return different values (desynchronization)
- Distinction between legitimate round-robin and zone problem
Stabilizing DNS
- For round-robin, ensure each IP is monitored individually
- Regularly verify secondary NS synchronization
- Use consistent TTL across all your records
- Avoid frequent DNS changes that create transient states
FAQ - DNS Flapping
Is DNS round-robin reliable?
For basic load balancing, yes. But it has no health check: if an IP goes down, users are still sent there.
How do I force a single IP?
Delete the other A records and keep one IP. For real load balancing, use a load balancer.
My NS are desynchronized. How do I fix it?
Check zone transfers (AXFR/IXFR), the SOA serial, and that NOTIFY works between the primary and the secondaries.
Can flapping be an attack?
Potentially. An attacker who has compromised one NS can make it return different values. Verify the integrity of your servers.