It Was DNS Again
Why is this Networking meme funny?
Level 1: The Wrong Address Book
DNS is like an address book for the internet. You ask it, “Where does this place live?” and it gives you an address. The joke is that people often insist the address book cannot be the problem, then after checking everything else, they find out the address book had the wrong address all along. It is funny because the simplest hidden thing can waste the most time.
Level 2: Names Need Answers
DNS, the Domain Name System, is the internet’s naming system. Humans use names like example.com; computers need addresses like IPv4 or IPv6 values. DNS connects those two worlds. An A record maps a name to an IPv4 address. A DNS server answers questions about names, and a DNS cache stores answers for a while so the same lookup does not have to be repeated constantly.
The meme is funny because DNS sits underneath almost everything. If DNS gives the wrong answer, your application may look broken even when the application code is fine. A web request can fail before it reaches your server. A database connection can point at the wrong host. A certificate can appear mismatched. A load balancer can look unhealthy. The error message often does not say, “Hello, I am DNS, the ancient tax you forgot to pay.”
DNS propagation is the everyday name for waiting while updated records stop being stale across caches. If a bad record was cached for an hour, fixing the source record does not instantly fix every resolver that already copied the old answer. That is why operations teams ask which resolver you used, where you tested from, whether VPN was on, and what dig or nslookup returned. They are not being pedantic. They are mapping where the lie still lives.
Level 3: The Root Of Denial
The image is pure operations folklore in four lines:
It's not DNS There is no way it's DNS It was DNS. -Unknown wise person
The joke works because every experienced developer, sysadmin, SRE, or network engineer has lived this exact emotional arc. A service fails, the app logs look suspicious, someone blames the deploy, another person restarts a pod, a third person opens a dashboard with great confidence, and eventually the boring answer crawls out from under the floorboards: DNS. Name resolution is so foundational that people forget it exists until it stops resolving reality correctly.
The associated post adds a specific kind of DNS nightmare: records for a major domain reportedly included private 192.168.1.0 and 192.168.1.1 addresses. Those are addresses from a private IPv4 range commonly used inside home and office networks, not public internet destinations. If a public domain returns private LAN-looking addresses, weird things can happen depending on resolvers, rebinding protections, local network setup, browser behavior, and cache state. Some systems may reject the answer. Others may try to connect somewhere local. Many will simply make the incident look like five different unrelated failures because DNS enjoys wearing disguises.
The deeper pain is that DNS failures are rarely binary. A bad DNS record might be fixed at the authoritative nameserver while recursive resolvers continue serving cached answers until their TTL expires. Split-horizon DNS can return one answer inside a network and another outside. Corporate VPNs can override resolvers. Local hosts files can lie. Container runtimes can add their own resolver layer. Browsers and operating systems can cache differently. That is why “it works for me” is practically a DNS diagnostic smell, not reassurance.
This is also why debugging DNS feels insulting. The mechanism is conceptually simple: turn a name into an address. The operational reality is a distributed, cached, delegated system where stale state can persist in many places. Smart engineers skip DNS because the application failure looks too specific, too high-level, too obviously caused by the new release. Then dig ruins everyone’s afternoon. Again.
Description
A pale orange meme image with a faint shield-like background contains large centered white text: "It's not DNS", "There is no way it's DNS", "It was DNS.", and the attribution "-Unknown wise person". The visual is simple and text-first, using the familiar escalating denial format. The technical context is the recurring operations reality that name resolution, caching, propagation, split-horizon configuration, or stale records often explain failures that initially look like application bugs. It is especially relatable to engineers who have lost hours debugging services before checking DNS.
Comments
29Comment deleted
DNS is the distributed system everyone debugs last and unknowingly depends on first.
What? Comment deleted
Eat some shit, MS Comment deleted
wtf? Comment deleted
Fuckers Comment deleted
What the actual fuck? Comment deleted
it is real? Comment deleted
I mean I have a subdomain that points to one of my local devices IPs but what is that? Like does anybody know a reasoning behind what ms did? Comment deleted
My isp doesn’t allow me to ping my own ip using my own ip. So thats why Comment deleted
So you don’t know why and what this causes but it’s because Microsoft is shit? Comment deleted
Good for you ig Comment deleted
they did revert this Comment deleted
Can anybody explain what it means for someone not so close to the internals of the Internet? Comment deleted
Microsoft added locally-routable (LAN) addresses to their public (WAN) domain names, so that people trying to visit Microsoft website or other network services are directed to their own (not Microsoft's) local adresses, resulting in long timeouts and "Could not establish a connection" errors. Comment deleted
define "their" microsoft or people? Comment deleted
Thanks Geniuses Comment deleted
Bruh but wouldn’t devices be smart enough to connect to another ip? Isn’t that the point of having multiple ips for the same domain? Comment deleted
This is a legitimate question, based on my assumption. Comment deleted
Yes, they ultimately would, but not before waiting for the timeout on the first address being tried (DNS records are returned in round-robin fashion, so only a fraction of users would be affected by such misconfigurations), but it is of course application-specific — some applications may want to try alternative addresses after a very short delay, such as in IPv6 to IPv4 fallback. Comment deleted
Ah okay good to know Comment deleted
So if I put multiple IPs onto the same domain it would basically be random who uses which ip? And I would assume that 30 min timeout is when the cache is dropped? Comment deleted
Yes, it is usually random, but depends on caching — both on intermediate DNS servers (resolvers) and clients, which in turn may exercise their own policy on record ordering. You may set record expiration time (for re-querying) for the entire zone and per record, but that is only informational for the users — each party may choose to ignore original setting at least to some extent, such as establishing their own minimum and maximum time-to-live. Comment deleted
I see would the cache be renewed while in use? Like suddenly an xhr would go to another server? Comment deleted
Normally, the caching is controlled by Refresh (soft) and Expire (hard) limits setglobally for zone, but also by an optional per-record TTL: my.zone IN SOA ns.icann.org. noc.dns.icann.org. ( 2020.... ; Serial 7200 ; Refresh 3600 ; Retry 1209600 ; Expire 3600 ; Negative caching ) microsoft.com 3600 IN A 192.168.1.1 But the actual use of this data is totally consumer-dependent. It may stick to the same IP address to avoid routing and firewalling issues, as well as to simultaneously use all available addresses to distribute the load and lower the risk of "unlucky" choice. Comment deleted
In Armenia there's a thing with some taxes related government service, it has 2 A-records. The 1st one points to a local IP in the dev team network, the 2nd to an actual public backend. So you either have to hardcode the public one in your hosts file locally or just spam refreshes until you get lucky and round-robin hits the public IP. Comment deleted
Even funnier is that they got like hundreds of complaints, but just answered that that's a feature and they do not plan to change it. Comment deleted
; <<>> DiG 9.18.21 <<>> api.workpermit.am ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10557 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;api.workpermit.am. IN A ;; ANSWER SECTION: api.workpermit.am. 300 IN A 192.168.3.30 api.workpermit.am. 300 IN A 83.139.47.27 Comment deleted
The bundled ms-office online and for Android is so buggy, I switched back to cryptpad Comment deleted
Alright, that's why i use other subnet. Suck ms Comment deleted