Common DNS Errors and What They Mean

A complete reference guide for DNS error codes and common problems including NXDOMAIN, SERVFAIL, REFUSED, and browser-level DNS errors with causes and fixes.

Last updated: 2026-02-17

DNS errors are among the most common causes of website unreachability and email delivery failures. When something goes wrong with DNS resolution, the error codes and messages you encounter can be cryptic. This reference explains every DNS error you are likely to encounter, what causes it, and how to resolve it.

DNS Response Codes (RCODE)

Every DNS response includes a status code in the header. Understanding these codes is the foundation of DNS troubleshooting.

RCODENameMeaning
0NOERRORQuery completed successfully
1FORMERRQuery format error
2SERVFAILServer failed to complete the query
3NXDOMAINDomain name does not exist
4NOTIMPQuery type not implemented
5REFUSEDServer refused the query

NXDOMAIN (Non-Existent Domain)

What it means: The domain name queried does not exist in the DNS. The authoritative server for the zone has confirmed that no records exist for this name.

Common causes:

  • Typo in the domain name
  • Domain registration has expired
  • Domain was never registered
  • Subdomain was deleted or never created
  • NS records point to servers that are not authoritative for the zone
1

Verify the domain name

Double-check the spelling. A single character difference means a completely different domain in DNS.
2

Check domain registration

Use WHOIS or RDAP to verify the domain is still registered and has not expired.
3

Confirm DNS records exist

Log into your DNS provider's control panel and verify that the expected records are published for the queried name.
4

Check NS delegation

Verify that the NS records at the registrar match your DNS hosting provider. Mismatched delegation is a frequent cause of NXDOMAIN for subdomains.

NXDOMAIN hijacking

Some ISPs intercept NXDOMAIN responses and redirect them to search or advertising pages. This can mask legitimate NXDOMAIN errors. Using a public DNS resolver like Cloudflare (1.1.1.1) or Google (8.8.8.8) avoids this problem.

SERVFAIL (Server Failure)

What it means: The DNS server attempted to process your query but encountered an error. This is a catch-all error indicating the server could not provide an authoritative answer.

Common causes:

  • DNSSEC validation failure (the most frequent cause in modern networks)
  • Authoritative name server is unreachable or timing out
  • Misconfigured zone file on the authoritative server
  • Network connectivity issues between recursive resolver and authoritative servers
  • Overloaded or crashed DNS server
1

Test with DNSSEC validation disabled

Query using a resolver with DNSSEC disabled (e.g., dig +cd example.com). If this succeeds, the issue is a DNSSEC misconfiguration.
2

Query authoritative servers directly

Use dig to query each authoritative name server individually and see which ones respond.
3

Check server health

If you control the authoritative server, check its logs, resource usage, and network connectivity.
4

Wait and retry

Transient SERVFAIL errors often resolve themselves within minutes. If the error persists, the underlying cause needs investigation.

REFUSED

What it means: The DNS server received your query but actively refused to answer it. This is a policy decision by the server, not a technical failure.

Common causes:

  • Querying a server that is not configured to serve the requested zone
  • Access control lists (ACLs) blocking your IP address
  • Recursive queries sent to a server that only allows recursion for authorized clients
  • Server configured to refuse zone transfers (AXFR) from unauthorized sources

How to fix: Ensure you are querying the correct server. If you are querying a recursive resolver, verify that your IP is within its allowed range. For authoritative queries, check that the NS records are pointing to the right servers.

TIMEOUT (No Response)

What it means: The DNS query was sent but no response was received within the allowed time period. This is not a DNS response code but rather a network-level failure.

Common causes:

  • DNS server is down or unreachable
  • Firewall blocking UDP port 53 or TCP port 53
  • Network routing issues between your resolver and the authoritative server
  • Server is overloaded and dropping packets
  • DDoS attack against the DNS infrastructure

Detect DNS failures before your users do

DNS Monitor continuously checks your domains and alerts you the moment resolution fails.

How to fix: Test connectivity to the DNS server using multiple network paths. Check firewall rules. Verify the server is running and listening on port 53. If the issue is with a third-party provider, check their status page.

NOERROR with Empty Answer

What it means: The DNS server responded successfully (RCODE 0), but the answer section contains no records. The domain exists, but no records of the requested type are published.

Common causes:

  • Querying for a record type that does not exist (e.g., requesting an AAAA record when only an A record is published)
  • Records were deleted but the domain and zone still exist
  • Wildcard records not configured, and the specific subdomain has no records

How to fix: Verify which record types are published for the domain. If you expect a specific record type to exist, check your DNS provider's control panel to confirm it is configured.

FORMERR (Format Error)

What it means: The DNS server could not interpret the query because it was malformed or used unsupported features.

Common causes:

  • Client sending EDNS queries to a server that does not support EDNS
  • Malformed query packets from buggy DNS software
  • Incompatible DNS protocol extensions

How to fix: Try querying without EDNS (dig +noedns example.com). Update your DNS client software. If the issue is on the server side, upgrade the DNS server software.

Browser-Level DNS Errors

Browsers translate DNS failures into user-facing error pages with their own naming conventions. Understanding these helps you identify the underlying DNS issue.

DNS_PROBE_FINISHED_NXDOMAIN

Browser: Chrome, Edge (Chromium-based) Underlying error: NXDOMAIN

The domain does not exist in DNS. This is the browser's way of showing an NXDOMAIN response. Follow the NXDOMAIN troubleshooting steps above.

DNS_PROBE_FINISHED_NO_INTERNET

Browser: Chrome, Edge Underlying error: Network connectivity failure

Your device has no internet connection, so DNS queries cannot be sent at all. Check your network connection, Wi-Fi, or ethernet cable.

DNS_PROBE_FINISHED_BAD_CONFIG

Browser: Chrome, Edge Underlying error: DNS resolver misconfiguration

Your device's DNS settings are incorrect or the configured resolver is not responding. Check your network adapter's DNS settings and try switching to a public DNS provider.

Quick browser fix

For Chrome DNS errors, try clearing the browser's DNS cache by navigating to chrome://net-internals/#dns and clicking "Clear host cache." This resolves issues caused by stale cached entries in the browser itself.

Server Not Found / Hmm. We're having trouble finding that site.

Browser: Firefox Underlying error: NXDOMAIN or resolution failure

Firefox uses this generic message for most DNS failures. Check whether the domain resolves using command-line tools like dig or nslookup to identify the specific DNS error.

ERR_NAME_NOT_RESOLVED

Browser: Chrome, Edge Underlying error: General DNS resolution failure

A catch-all error when the browser cannot resolve the hostname. May be caused by NXDOMAIN, SERVFAIL, TIMEOUT, or local DNS configuration issues.

Operating System DNS Errors

"The DNS name does not exist" (Windows Event 11001)

Equivalent to NXDOMAIN. The Windows DNS client could not find the hostname. Check spelling, DNS configuration, and domain registration.

"Request timed out" (nslookup/dig)

No response from the DNS server. Check server availability, firewall rules, and network connectivity.

"Connection refused" (dig)

The DNS server actively rejected the TCP connection. The server may not be running or may be blocking your IP.

Diagnosing DNS Errors

When you encounter a DNS error, follow this general troubleshooting approach:

1

Identify the exact error

Use dig or nslookup to get the precise RCODE rather than relying on browser error messages, which can be ambiguous.
2

Test from multiple locations

A DNS error from one location may not occur from another. Use online tools or different DNS resolvers to test.
3

Query authoritative servers directly

Bypass recursive resolvers and query the authoritative name servers to determine if the issue is at the source or in the resolution chain.
4

Check for caching issues

If you recently made DNS changes, old cached records may still be in play. Compare responses from different resolvers with different cache states.
5

Review recent changes

Many DNS errors follow a recent change. Check if any DNS records, nameserver delegations, or domain settings were modified.

Error Quick Reference

ErrorMost Likely CauseFirst Action
NXDOMAINDomain does not exist or expiredCheck registration and spelling
SERVFAILDNSSEC failure or server issueTest with +cd flag in dig
REFUSEDQuerying wrong server or ACL blockVerify correct nameservers
TIMEOUTServer down or firewall blockingCheck server status and port 53
NOERROR (empty)Record type not publishedVerify record exists in zone
FORMERRProtocol incompatibilityTry without EDNS extensions

Catching DNS errors early prevents them from cascading into outages. Automated monitoring gives you the visibility to act before your users are affected.

Stop finding out about DNS errors from your users

DNS Monitor checks your domains continuously and alerts you at the first sign of trouble.