Why does DNS work on one network but not another?

Problem Statement

Resolution succeeds on one network but fails on another.

Different answers, blocked names, or resolver-specific timeout/validation behavior.

Identify resolvers in use, run identical queries, compare policy/filtering, and test DNSSEC validation.

dig example.com A @resolver-a ; dig example.com A @resolver-b ; dig +dnssec example.com A @resolver-b

Expected is explainable geo variance; bad output is unintended policy mismatch or stale cache.

Align policy, flush stale cache, correct forwarding rules, and document split-view behavior.

Relevant checks: Delegation integrity, resolver consistency, DNSSEC health, and suspicious record-pattern checks.
Severity mapping: Informational, medium/high, or critical based on exploitability and user impact.
Score impact: Reliability and security scoring dimensions are reduced according to blast radius.
Related findings users will see: NS drift, validation failure, orphaned CNAMEs, wildcard exposure, and policy misconfiguration alerts.

Verify behavior from at least two public resolvers and one resolver inside your own network before making changes.
Make one change at a time, capture before/after query output, and wait for TTL windows to clear so you can confirm impact.
Document the root cause and the final fix in your runbook to shorten future incidents.