Common DNS Errors Explained (and How to Fix Them)

January 17, 2026 · 6 min read · HostBible Team

DNS errors fall into a small set of standard response codes. Each one points to a specific part of the lookup chain that went wrong. Knowing what each error means tells you immediately where to look, saving you from scattershot troubleshooting when a domain stops resolving.

NXDOMAIN (Non-Existent Domain)

What it means: the DNS query reached an authoritative nameserver and received a definitive "this domain does not exist" response. Unlike a timeout, NXDOMAIN is an actual answer from the DNS system.

Common causes:

  • Typo in the domain name.
  • Expired domain registration: the domain has been removed from the registry.
  • DNS not yet propagated after a new domain or record was created.
  • Missing A or AAAA record for the queried hostname (the zone exists but has no record for that specific name).
  • Locally cached NXDOMAIN from a previous failed lookup.

How to diagnose: run nslookup yourdomain.com 8.8.8.8. If Google's resolver also returns NXDOMAIN, the issue is with the domain or its DNS configuration. Check WHOIS to confirm the domain is registered. Query the authoritative nameserver directly to see if the record exists at the source.

SERVFAIL (Server Failure)

What it means: the resolver was unable to get a valid answer. This is distinct from NXDOMAIN: the server couldn't complete the lookup rather than finding nothing. The resolution chain broke somewhere.

Common causes:

  • The authoritative nameserver is offline or unreachable.
  • DNSSEC validation failure: the DNS signatures don't match what's expected, so the resolver refuses to return the result.
  • Misconfigured zone file: syntax errors or invalid record values that prevent the nameserver from serving the zone.
  • The nameserver is configured for the domain but the zone file is missing or empty.

How to diagnose: query the authoritative nameserver directly:

dig @ns1.yourdns.net yourdomain.com A

If that also returns SERVFAIL, the problem is at the nameserver. If it returns a valid answer but public resolvers return SERVFAIL, suspect a DNSSEC misconfiguration: the signatures are present but failing validation. Check DNSSEC status using our DNS Lookup to query the RRSIG and DNSKEY records directly.

REFUSED

What it means: the nameserver understood the query but deliberately refused to answer it. This is a policy decision: the server is working fine but won't respond to this particular request.

Common causes:

  • Querying a nameserver that is not authoritative for the domain and not configured as a recursive resolver.
  • Access control lists on the nameserver blocking your IP address.
  • Querying a non-public recursive resolver (e.g. a company's internal DNS) from outside their network.

How to fix: use a public recursive resolver like 8.8.8.8 for general lookups. If you're querying a specific nameserver and expecting it to answer for a zone it doesn't host, you'll get REFUSED. Only query a nameserver for zones it's authoritative for.

TIMEOUT

What it means: the resolver sent a query and received no response before the timeout expired. Unlike REFUSED or SERVFAIL, there is no response at all: the packet was sent but nothing came back.

Common causes:

  • The nameserver is offline or has crashed.
  • A firewall is silently dropping UDP or TCP packets on port 53.
  • Network connectivity issues between the resolver and the nameserver.
  • The nameserver's IP has changed but the resolver still has the old IP cached from a glue record.

How to diagnose: check if the nameserver is reachable:

ping ns1.hosted-server.net

Test port 53 specifically:

dig @ns1.hosted-server.net yourdomain.com A +time=5

If the nameserver is reachable but DNS queries time out, port 53 may be blocked by a firewall.

NODATA (NOERROR with Empty Answer)

What it means: the domain exists and the nameserver responded successfully (NOERROR), but there is no record of the type you requested. The answer section is empty. This is sometimes called NODATA to distinguish it from NXDOMAIN.

Common causes:

  • Querying for AAAA (IPv6) when the domain only has an A (IPv4) record.
  • Querying for a TXT record type that hasn't been created yet (e.g. looking for a DKIM record before adding it).
  • The record type exists at a different level; for example, looking up an MX record for a subdomain when MX is only set at the root domain.

How to fix: create the missing record if it's supposed to exist. If you're looking up AAAA and your server is IPv4 only, NODATA is expected and correct: the domain simply has no IPv6 address configured.

FORMERR (Format Error)

What it means: the nameserver received a query it couldn't parse. The query packet itself was malformed.

Common causes: a software bug in the DNS client, or a mismatch in EDNS (Extension Mechanisms for DNS) support between the client and an older nameserver.

How to diagnose: try disabling EDNS in your dig query to see if that resolves it:

dig +noedns yourdomain.com A

If removing EDNS gets a valid response, the nameserver is very old and doesn't support EDNS extensions. FORMERR is rarely encountered in normal use and almost always indicates a software or compatibility issue rather than a DNS configuration problem.
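The outcomes covered so far can all be read from the 12-byte header of the response, or from the lack of any response. The following is an added example, not part of the original guide: it parses that header and maps it to the categories above. The helper names and the header-only sample messages are constructed for illustration.

```python
import struct

# RCODE values from the DNS header (RFC 1035), limited to those this guide covers.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# First place to look for each outcome, paraphrasing the sections above.
NEXT_STEP = {
    "TIMEOUT": "check nameserver reachability and firewalls on port 53",
    "FORMERR": "retry without EDNS (dig +noedns)",
    "SERVFAIL": "query the authoritative server directly; suspect DNSSEC if it answers",
    "NXDOMAIN": "check spelling, registration (WHOIS) and the authoritative zone",
    "REFUSED": "query a server that is authoritative or recursive for you",
    "NODATA": "the name exists; create the record type or accept its absence",
    "ANSWER": "resolution succeeded",
}

def classify(response, query_id):
    """Map a raw DNS response (bytes, or None if nothing arrived) to a category."""
    if response is None:
        return "TIMEOUT"
    if len(response) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    msg_id, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    if msg_id != query_id:
        raise ValueError("transaction ID does not match the query")
    rcode = flags & 0x000F  # low four bits of the flags word
    name = RCODES.get(rcode, f"RCODE{rcode}")
    if name == "NOERROR":
        # Empty answer section means NODATA. A referral from a non-recursive
        # server has the same header shape, with NS records in authority.
        return "NODATA" if ancount == 0 else "ANSWER"
    return name

def make_header(query_id, rcode, ancount):
    """Constructed sample: a response header with QR, RD and RA set."""
    flags = 0x8000 | 0x0100 | 0x0080 | rcode
    return struct.pack("!6H", query_id, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    for rcode, ancount in [(3, 0), (2, 0), (5, 0), (0, 0), (1, 0), (0, 1)]:
        kind = classify(make_header(0x1A2B, rcode, ancount), 0x1A2B)
        print(f"{kind:9} -> {NEXT_STEP.get(kind, 'not covered in this guide')}")
    print(f"{classify(None, 0x1A2B):9} -> {NEXT_STEP['TIMEOUT']}")
```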

CNAME Loop

What it means: a CNAME record points to another hostname, which points back to the first, creating an infinite loop. Resolvers detect and break these loops, returning an error.

Example: a.example.com CNAME b.example.com and b.example.com CNAME a.example.com.

How to fix: audit your CNAME records and ensure the chain terminates at an A or AAAA record. Chains longer than 3 to 4 hops should be simplified, because they add lookup latency even when they don't loop.
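One way to run that audit offline is to walk each CNAME chain in an exported record list and flag loops and long chains. This is an added example, not the guide's own tooling; the record layout, function names and sample zone are assumptions made for illustration.

```python
MAX_HOPS = 4  # upper end of the "3 to 4 hops" guideline above

def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()

def follow_cname(name, records, max_hops=MAX_HOPS):
    """Walk the CNAME chain from `name` and return (status, chain).

    records: {hostname: (rtype, value)}, a hypothetical flat zone export.
    Status is OK, TOO_LONG, LOOP, or UNRESOLVED (target not in this data,
    for example an external hostname).
    """
    zone = {normalize(k): v for k, v in records.items()}
    chain = [normalize(name)]
    seen = {chain[0]}
    while True:
        rec = zone.get(chain[-1])
        if rec is None:
            return "UNRESOLVED", chain
        rtype, value = rec
        if rtype != "CNAME":
            # Chain ended at a terminal record (expected: A or AAAA).
            hops = len(chain) - 1
            return ("OK" if hops <= max_hops else "TOO_LONG"), chain
        target = normalize(value)
        chain.append(target)
        if target in seen:
            return "LOOP", chain
        seen.add(target)

# Constructed sample zone; the first two records are the loop shown above.
ZONE = {
    "a.example.com": ("CNAME", "b.example.com."),
    "b.example.com": ("CNAME", "A.example.com"),
    "www.example.com": ("CNAME", "web.example.com"),
    "web.example.com": ("A", "192.0.2.10"),
    "old.example.com": ("CNAME", "gone.example.net"),
}

if __name__ == "__main__":
    for host in sorted(ZONE):
        status, chain = follow_cname(host, ZONE)
        print(f"{status:10} {' -> '.join(chain)}")
```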
