Developer Cluster

Network Debugging Toolkit: DNS, CIDR, Subnets, IPs

Published April 11, 2026 · 10 min read

Most "it's a networking problem" tickets are actually two or three small questions layered together. Is the DNS record correct? Is the target IP in the expected range? Does the subnet mask leave enough host addresses? Does the CIDR block overlap with another one? You do not need packet captures or a terminal to answer most of these. You need a clear mental model and a handful of calculators that do the bit manipulation for you.

This guide walks through the pieces of network debugging you are most likely to run into as an application developer or DevOps engineer: DNS resolution, CIDR notation, subnet math, IP ranges, and the spots where a wrong assumption breaks routing in ways that take hours to diagnose.

DNS, the slow half of every request

DNS is described in RFC 1035, which turns forty in 2027 and is still remarkably readable. When a client wants to talk to api.example.com, it asks a resolver to translate that name into an IP address. The resolver walks a tree of authoritative servers, caches the answer for a time-to-live, and returns it.

Most DNS problems are one of four things:

  • Wrong record. Someone updated the A record but forgot the AAAA record, or pointed a CNAME at a record that no longer exists. Run a lookup to see what the world actually returns.
  • Stale cache. You updated the record, but your browser, your OS, your recursive resolver, and every resolver downstream still has the old answer until the TTL expires.
  • Propagation delay. New records can take minutes to hours to reach every resolver on the internet. "It works for me but not for the user" often reduces to "their resolver has not caught up."
  • Record type confusion. MX for mail, TXT for verification (SPF, DKIM, domain ownership), CNAME for aliases, A for IPv4, AAAA for IPv6, SRV for service discovery. A common mistake is adding a CNAME at the zone apex, which the DNS standard forbids.

Use DNS Lookup to inspect records for any domain — A, AAAA, MX, TXT, NS, and CNAME — directly from the browser. The tool queries public resolvers, so the answer you see is what a random user's resolver would likely see, not what your local caching resolver is returning. For cross-checking, IANA's list of root servers documents the authoritative top of the tree.

CIDR notation in sixty seconds

Classless Inter-Domain Routing replaced the old Class A/B/C system in 1993; the current specification is RFC 4632. The notation 192.168.1.0/24 means "the network starting at 192.168.1.0, with the first 24 bits fixed." The remaining 8 bits are the host portion, giving 256 addresses (minus two reserved for network and broadcast, so 254 usable).

The shortcut every network engineer knows: the smaller the number after the slash, the bigger the block. /8 is huge (16,777,216 addresses), /24 is small (256 addresses), /32 is a single host.

The part that confuses newcomers is that a given IP can belong to multiple overlapping CIDR blocks. 10.0.5.20 is inside 10.0.0.0/16, 10.0.4.0/22, and 10.0.5.0/24 simultaneously. Routing tables rely on longest-prefix match: the most specific block wins. If your firewall rule for 10.0.0.0/16 says ALLOW and a more specific 10.0.5.0/24 says DENY, the deny rule takes precedence for traffic to 10.0.5.20.
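Longest-prefix match, worked through in code. This is an added example, not part of the article or of the calculators it links to; the rule set is constructed, and a catch-all 0.0.0.0/0 DENY is assumed as the default for unmatched traffic.

```python
import ipaddress
from typing import Optional

# Constructed rule set: (cidr, action). Listing order does not matter;
# the most specific containing block wins, exactly as a router or firewall
# using longest-prefix match would decide.
FIREWALL_RULES = [
    ("10.0.0.0/16", "ALLOW"),
    ("10.0.5.0/24", "DENY"),
    ("10.0.4.0/22", "ALLOW"),
    ("0.0.0.0/0", "DENY"),   # assumed default deny for anything else
]


def matching_blocks(ip: str, rules=FIREWALL_RULES):
    """Every (network, action) whose block contains ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for cidr, action in rules:
        net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set
        if addr.version == net.version and addr in net:
            hits.append((net, action))
    # Longer prefix = more specific; sort descending so hits[0] is the winner.
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return hits


def decide(ip: str, rules=FIREWALL_RULES) -> Optional[str]:
    """Longest-prefix match: the action of the most specific containing block."""
    hits = matching_blocks(ip, rules)
    return hits[0][1] if hits else None


if __name__ == "__main__":
    for ip in ("10.0.5.20", "10.0.4.9", "10.1.0.1"):
        chain = " > ".join(f"{n}={a}" for n, a in matching_blocks(ip))
        print(f"{ip}: {decide(ip)}   ({chain})")
```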

When you are scoping a firewall rule or a VPC route table and need the exact range of IPs a CIDR block covers, use IP Subnet Calculator. Give it the prefix and it returns the first address, the last address, the netmask, the host count, and the binary representation. This is the tool that keeps you from off-by-one errors at 2 a.m.

Subnet splitting without bugs

Subnetting is the act of cutting a larger network into smaller non-overlapping pieces. A common cloud scenario: you have a 10.0.0.0/16 VPC and you want four subnets for public, private, database, and management tiers.

The naive approach is to give each tier a /18 (16,384 addresses), splitting the /16 in four. That works but wastes addresses if tiers have very different needs. A better approach is Variable Length Subnet Masking: size each subnet to its actual need.

For example:

  • Public: 10.0.0.0/24 (256 addresses, for load balancers)
  • Private: 10.0.16.0/20 (4,096 addresses, for application servers)
  • Database: 10.0.32.0/23 (512 addresses, small set of managed DBs)
  • Management: 10.0.48.0/24 (256 addresses, bastion hosts)

The fixed-width approach of cutting into quarters is simpler to reason about. The VLSM approach is more efficient. Either is fine as long as the blocks do not overlap and you leave room to expand. Use Subnet Calculator to validate any split before you apply it. The tool shows you whether your planned blocks overlap and how many addresses each leaves usable.

One gotcha in cloud networking: AWS and Azure reserve several addresses in every subnet (the network address, broadcast, the first three host addresses for router/DNS), so a /28 (16 addresses) gives you only 11 usable hosts, not 14. Check the cloud docs for your provider before assuming pure RFC arithmetic.
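The validation the article says to do before applying a split, as an added example (not the article's or any calculator's own code): it takes the four-tier plan above, checks containment in the /16 and pairwise overlap, reports usable hosts under plain RFC arithmetic and under an assumed cloud reservation of 5 addresses per subnet, and lists the unallocated blocks left for expansion.

```python
import ipaddress
from itertools import combinations

# The article's VLSM plan for the 10.0.0.0/16 VPC, keyed by tier.
VPC = "10.0.0.0/16"
PLAN = {
    "public": "10.0.0.0/24",
    "private": "10.0.16.0/20",
    "database": "10.0.32.0/23",
    "management": "10.0.48.0/24",
}
# Assumption: provider reserves 5 addresses per subnet (as described for AWS/Azure).
CLOUD_RESERVED = 5

def usable_hosts(cidr: str, reserved: int = 2) -> int:
    """Host addresses left after the reserved ones; plain RFC arithmetic reserves 2."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - reserved, 0)

def check_plan(vpc: str, plan: dict) -> list:
    """Problems found: a block outside the parent VPC, or two blocks that overlap."""
    parent = ipaddress.ip_network(vpc, strict=True)
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in plan.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(parent):
            problems.append(f"{name} {net} is not inside {parent}")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems

def free_space(vpc: str, plan: dict) -> list:
    """Unallocated CIDR blocks of the VPC (room to expand); assumes check_plan is clean."""
    remaining = [ipaddress.ip_network(vpc, strict=True)]
    for cidr in plan.values():
        used = ipaddress.ip_network(cidr, strict=True)
        nxt = []
        for block in remaining:
            # address_exclude carves `used` out of `block` into the largest leftover CIDRs.
            nxt.extend(block.address_exclude(used) if used.subnet_of(block) else [block])
        remaining = nxt
    return [str(n) for n in sorted(remaining)]

if __name__ == "__main__":
    print("problems:", check_plan(VPC, PLAN) or "none")
    for tier, cidr in PLAN.items():
        print(f"{tier:11} {cidr:15} usable: RFC={usable_hosts(cidr)} cloud={usable_hosts(cidr, CLOUD_RESERVED)}")
    print("free:", ", ".join(free_space(VPC, PLAN)))
```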

IP lookups and geolocation

When an IP shows up in a log and you want to know what it is, you are asking several questions at once: who owns the AS it is routed from, what country is it geolocated to, is it a known VPN or cloud provider, and is it on any threat intelligence list?

The free answer to the first two questions is a WHOIS-style lookup. IP Address Lookup returns the country, region, city, autonomous system, and ISP for any public IP. This is the right tool for "who tried to brute-force my login?" investigations, though keep in mind geolocation is approximate — city-level accuracy is often wrong, and VPN users are reported at the exit node, not their actual location.

For threat intelligence — "is this IP known to be malicious?" — consult resources like NIST NVD for vulnerability data and public block lists maintained by security research groups. The IANA registry is the authoritative source for IP block assignments at the top level.

IPv6, briefly

IPv4 has 4.3 billion addresses. IPv6 has about 3.4 × 10^38. The problem is that IPv6 has been rolling out for twenty-plus years and is still only half-deployed, so you end up debugging both.

IPv6 addresses are 128 bits, written as eight groups of four hex digits separated by colons: 2001:0db8:0000:0000:0000:ff00:0042:8329. They can be shortened by collapsing leading zeros and replacing a single run of zero groups with ::, so the same address becomes 2001:db8::ff00:42:8329.

The rules that trip people up:

  • Only one :: per address (otherwise it is ambiguous).
  • The loopback is ::1, not 127.0.0.1.
  • The documentation prefix (like example.com for domains) is 2001:db8::/32.
  • Link-local addresses start with fe80:: and are scoped to a single network interface.

If you are writing code that accepts both formats, always normalize to the long form internally and display the short form in UI. Hand-matching IPv6 strings is the source of a huge number of bugs.
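The normalize-internally, display-short approach from the paragraph above, as an added example (not the article's own code) built on Python's standard ipaddress module. The three spellings of the article's example address are constructed inputs; the classifier covers only the special ranges the article lists.

```python
import ipaddress

# Constructed inputs: three spellings of the article's example address.
SPELLINGS = [
    "2001:0db8:0000:0000:0000:ff00:0042:8329",
    "2001:db8::ff00:42:8329",
    "2001:DB8:0:0:0:FF00:42:8329",
]
DOCUMENTATION = ipaddress.IPv6Network("2001:db8::/32")

def parse(text: str):
    """Parse an IPv6 string; None for invalid input such as a second '::'."""
    try:
        return ipaddress.IPv6Address(text)
    except ValueError:
        return None

def to_long_form(text: str) -> str:
    """Canonical eight-group 'exploded' form for storage and matching."""
    return ipaddress.IPv6Address(text).exploded

def to_short_form(text: str) -> str:
    """Compressed form (leading zeros dropped, one '::' run) for display."""
    return ipaddress.IPv6Address(text).compressed

def same_address(a: str, b: str) -> bool:
    """Compare parsed addresses; a string comparison of the spellings would say 'different'."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)

def classify(text: str) -> str:
    """Bucket an address by the special ranges the article lists."""
    addr = ipaddress.IPv6Address(text)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr in DOCUMENTATION:   # checked before is_global, which excludes this range
        return "documentation"
    return "global" if addr.is_global else "other"

if __name__ == "__main__":
    for s in SPELLINGS:
        print(f"{s:41} -> {to_long_form(s)}  ({to_short_form(s)})")
    print("two '::' runs parse as:", parse("2001:db8::1::2"))
    for s in ("::1", "fe80::1", "2001:db8::1"):
        print(s, classify(s))
```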

Adjacent tools worth bookmarking

Other network-adjacent calculators you will want later: Hash Generator for checksumming DNS zone files before reloading, UUID Generator for synthetic identifiers in logging, HTTP Status Codes when the network layer is healthy but the application is returning 502s, and API Tester for quick "does the service actually respond?" checks once the routing is sorted.

Related pillar guide

This cluster is part of the developer track. For the broader browser-tools reference across categories, see The Complete Guide to Free Online Tools in 2026.

FAQ

Why do DNS changes take time to "propagate"?

Because resolvers cache answers for the TTL on the record. If you set a 24-hour TTL and then change the record, resolvers hold the old answer for up to 24 hours. Lower the TTL before making changes so propagation is fast.

What is the difference between a netmask and a CIDR prefix?

They encode the same information in different notations. 255.255.255.0 and /24 both mean "the first 24 bits are the network part." CIDR is shorter and clearer, which is why modern tools prefer it.

Can two CIDR blocks overlap?

Yes, and routing uses the most specific one. In firewall and routing contexts, overlap is deliberate. In subnet allocation for a VPC, overlap is a bug because the same address could belong to two subnets.

Is IPv6 faster than IPv4?

Usually no. The two are about equal in latency on modern networks. IPv6 simplifies some things for operators (no NAT, massive address space) but the wire-level performance is not the reason to adopt it.

How do I check if a domain is really using DNSSEC?

A DNS lookup that supports DNSSEC will return RRSIG records alongside the answers, and a validating resolver will mark them authenticated. Not every tool exposes this, but it is a signal that the domain's owner cares about DNS integrity.

Closing thought

The hardest part of network debugging is usually accepting that the problem is one of the dull, obvious things — an expired record, a typo in a CIDR block, a firewall rule with the wrong prefix — and not something exotic. Start with the obvious, verify with calculators, and the exotic explanations almost never turn out to be true.