NXDOMAIN Errors — What They Mean and How to Fix Them
Learn what NXDOMAIN means, why your DNS query returned 'name does not exist', and how to diagnose and fix common causes including typos, missing records, propagation lag, and DNSSEC validation failures.
TL;DR
NXDOMAIN means 'this name does not exist' — the authoritative nameserver answered, and the answer was 'no record by that name'. Common causes: typo in the hostname, the record was deleted or never created, you're querying before propagation completed, or DNSSEC validation failed and the resolver is treating that as nonexistent. Diagnose with `dig <name> @ns1.dnscale.eu` to query authoritative directly, bypassing caches.
What you'll learn
- Understand what an NXDOMAIN response actually signals at the DNS protocol level
- Distinguish NXDOMAIN from other failure modes (SERVFAIL, REFUSED, timeout)
- Walk through the systematic diagnostic procedure for each common cause
- Recognise DNS_PROBE_FINISHED_NXDOMAIN in browsers and map it back to the root cause
If you're here, something is returning NXDOMAIN and you need to fix it. This page explains what NXDOMAIN actually means, the half-dozen common causes, and a systematic diagnostic procedure that finds the real one in under five minutes.
What NXDOMAIN actually means
NXDOMAIN is a specific DNS response code — RCODE 3 in the DNS protocol — that an authoritative nameserver returns when the queried name has no records of any type. It's a definitive answer:
- NXDOMAIN: "I am authoritative for this zone, and I confirm this name has no records." Different name, type doesn't matter.
- NOERROR + empty answer: The name exists, but no records of the queried type. (e.g., querying TXT for a name that has only A records.)
- SERVFAIL: The authoritative server is broken, or DNSSEC validation failed. See SERVFAIL explained.
- REFUSED: The server explicitly refused to answer (often access-control or wrong server).
- timeout: The server didn't respond at all.
NXDOMAIN is the cleanest possible "no" — it doesn't mean the network is broken, just that the name isn't there.
The five common causes
1. Typo in the hostname
By far the most common cause. wwww.example.com instead of www.example.com. example.con instead of example.com.
Diagnose: Re-read the hostname character by character. Try the parent domain: dig example.com — if that resolves but wwww.example.com returns NXDOMAIN, the typo is in the subdomain. Use the dashboard or dig +trace example.com to list the actual records present.
2. The record was deleted or never created
Someone removed the record (intentionally or by mistake), or it was never set up for that subdomain in the first place.
Diagnose: Query the authoritative server directly:
dig www.example.com @ns1.dnscale.euIf authoritative returns NXDOMAIN, the record genuinely isn't there. Check the zone in the DNScale dashboard. Restore it if needed.
3. You're querying before propagation completed
You just added the record. Some resolvers haven't picked it up yet, especially if you previously queried the name and got NXDOMAIN — that negative answer is now cached.
Diagnose:
- Authoritative returns the record (
dig @ns1.dnscale.eu) - A public resolver still returns NXDOMAIN (
dig @8.8.8.8)
That's negative-caching. Wait for the SOA's negative-cache TTL (often 300–3600 seconds) and retry. To avoid this in the future: don't query a name until you've confirmed the record exists in your zone.
See DNS propagation explained.
4. DNSSEC validation failure
If your zone is DNSSEC-signed and the signature chain is broken, validating resolvers (Google 8.8.8.8, Cloudflare 1.1.1.1, and most modern resolvers) will refuse the answer. This usually surfaces as SERVFAIL, but in some failure modes the resolver may behave as if the name doesn't exist.
Diagnose:
dig +cd www.example.com @8.8.8.8 # checking-disabled — bypasses DNSSEC validation
dig www.example.com @8.8.8.8 # default — validates DNSSECIf the first returns the record and the second returns NXDOMAIN/SERVFAIL, DNSSEC is broken. Common causes: missing or wrong DS record at the registrar, expired signatures (zone hasn't been re-signed), KSK/ZSK rollover gone wrong. See DNSSEC key management.
5. Local resolver problem (browser-only NXDOMAIN)
If only your machine returns NXDOMAIN but other machines work fine, the issue is local: corrupted resolver cache, hosts-file override, VPN-injected DNS, browser-internal cache, or a malfunctioning ISP resolver.
Diagnose:
- Flush local cache: see how to flush DNS cache.
- Bypass local resolver:
dig www.example.com @1.1.1.1. If that works, the problem is your local resolver. - Check
/etc/hosts(Linux/macOS) orC:\Windows\System32\drivers\etc\hosts(Windows) for a stale entry. - Try a different network (mobile hotspot, home vs office) to isolate ISP-resolver issues.
The systematic diagnostic procedure
Run this in order. The first step that succeeds tells you the cause.
# 1. Authoritative direct (bypasses all caches)
dig www.example.com @ns1.dnscale.eu
# 2. A major public resolver
dig www.example.com @8.8.8.8
# 3. Another public resolver
dig www.example.com @1.1.1.1
# 4. Your local default
dig www.example.com
# 5. Check the parent zone delegation
dig +trace www.example.com
# 6. Check DNSSEC if zone is signed
dig +cd www.example.com @8.8.8.8
# 7. Check the SOA negative-cache TTL
dig SOA example.com @ns1.dnscale.euInterpretation:
| Step 1 (authoritative) | Step 2 (public resolver) | Likely cause |
|---|---|---|
| NXDOMAIN | NXDOMAIN | Record doesn't exist (typo, deleted, never created) |
| Returns record | NXDOMAIN | Negative-caching; wait for TTL |
| Returns record | SERVFAIL | DNSSEC validation broken; check DS / signatures |
| Returns record | Returns record | Cache or local resolver issue |
| SERVFAIL | varies | Authoritative is broken — escalate to DNS provider |
Browser-specific NXDOMAIN errors
Major browsers surface NXDOMAIN with framework-specific error pages:
- Chrome / Edge:
DNS_PROBE_FINISHED_NXDOMAIN - Firefox: "Hmm. We're having trouble finding that site." with
MOZILLA_PKIX_ERROR_INTERNAL_FAILUREin some variants - Safari: "Safari can't find the server"
These are the same underlying DNS error. The browser doesn't know — it just gets back NXDOMAIN from the OS resolver and renders an error page. The diagnostic procedure above applies regardless of browser.
For the specific case where your browser shows the error but other devices work, see the local resolver section above and fix DNS_PROBE_FINISHED_NO_INTERNET.
Common mistakes when fixing
- Adding the record but not waiting for propagation, then assuming it's broken when a resolver still returns NXDOMAIN. Wait at least the negative-cache TTL.
- Forgetting the trailing dot in zone-file format.
www.example.com(without dot) means relative;www.example.com.(with dot) means absolute. DNScale's dashboard handles this; if you're editing zone files directly, be precise. - CNAME at the apex. Setting a CNAME at example.com (rather than www.example.com) creates a configuration that some resolvers reject, returning NXDOMAIN-like behaviour. Use A records or ALIAS at the apex. See DNS CNAME record.
- Wildcard collisions. A wildcard
*.example.commatches subdomains, but explicit subdomain entries override it. If you have*.example.com → 192.0.2.1and someone queriesmistake.example.com, the wildcard answers — there's no NXDOMAIN. If you removed the wildcard expecting a name-not-found response and got an unexpected answer, this is why. - Hosts-file override. A stale
/etc/hostsentry can mask DNS-level fixes. Always check.
When NXDOMAIN is the right answer
It's worth remembering that NXDOMAIN isn't always a bug. Legitimate uses:
- Subdomain takeover protection: explicitly leaving subdomains as NXDOMAIN to prevent attackers from claiming them via a third-party service.
- NXDOMAIN as deletion signal: removing a record is the correct way to retire a service.
- DNSSEC NSEC/NSEC3 proofs: signed authoritative nameservers prove negative answers cryptographically; the NXDOMAIN response carries signed denial-of-existence records.
If you confirm a name is supposed to be NXDOMAIN, leave it alone.
Related guides
- SERVFAIL errors — causes and fixes
- DNS propagation explained
- How to flush DNS cache
- Fix DNS_PROBE_FINISHED_NO_INTERNET
- DNS TTL best practices
- DNSSEC key management
References
- IETF RFC 2308 — Negative caching of DNS queries
- IETF RFC 5155 — DNSSEC NSEC3 hashed authenticated denial of existence
- IETF RFC 8499 — DNS terminology
Frequently asked questions
- What does NXDOMAIN mean exactly?
- NXDOMAIN is shorthand for 'Non-Existent Domain'. It's a specific DNS response code (RCODE 3) returned by an authoritative nameserver when the queried name has no records of any type. It's a definitive answer — different from SERVFAIL (server failure) or a timeout (no answer at all).
- Why does Chrome show DNS_PROBE_FINISHED_NXDOMAIN?
- Chrome's DNS_PROBE_FINISHED_NXDOMAIN error means Chrome's DNS lookup completed and the resolver returned NXDOMAIN. The browser surfaces the underlying DNS response as a user-facing error. Causes are the same as any NXDOMAIN: typo, missing record, propagation lag, DNSSEC failure, or local resolver issue.
- Why is dig returning NXDOMAIN but my browser still works?
- Cache state differs. Your browser may be using a different resolver (or its own internal cache) that still has the old positive answer. dig may be hitting a resolver that already cleared the cache, or pointing at the authoritative server that returns the new state. To compare: run `dig @8.8.8.8`, `dig @1.1.1.1`, and `dig @ns1.dnscale.eu` and see which return NXDOMAIN.
- Can DNSSEC cause NXDOMAIN?
- Indirectly, yes. If DNSSEC signatures are invalid or the chain of trust is broken, validating resolvers (like Google 8.8.8.8 and Cloudflare 1.1.1.1) will refuse the answer — sometimes returning SERVFAIL, sometimes a synthesised NXDOMAIN-like state depending on the specific failure. Run `dig +cd <name>` (checking-disabled) — if it returns the answer when normal dig returns NXDOMAIN/SERVFAIL, DNSSEC is the cause.
- How do I know if NXDOMAIN is real or stale cache?
- Bypass caches: `dig <name> @ns1.dnscale.eu`. If the authoritative nameserver returns NXDOMAIN, the record genuinely doesn't exist. If authoritative returns the record but a public resolver still returns NXDOMAIN, that's a cache issue — usually negative-caching (the resolver cached a previous NXDOMAIN response for the negative-cache TTL set in the SOA).
- How long does an NXDOMAIN response stay cached?
- By the SOA's negative-cache TTL (the last field of the SOA record). Most zones set this to 300–3600 seconds. If you create a record after a resolver cached an earlier NXDOMAIN, the new record won't be visible to that resolver until the negative-cache TTL expires. Keep negative-cache TTL modest to avoid this trap.
Related guides
DNS A Record Explained — What It Is and How to Use It
Learn what a DNS A record is, how it maps domain names to IPv4 addresses, and how to create, query, and troubleshoot A records with practical dig command examples.
DNS AAAA Record Explained — IPv6 Address Mapping
Learn what a DNS AAAA record is, how it maps domain names to IPv6 addresses, and how to set up dual-stack DNS with practical dig command examples.
DNS CNAME Record Explained — Aliases and Canonical Names
Learn how DNS CNAME records create domain aliases, when to use them over A records, and how to avoid common pitfalls like apex restrictions and CNAME chains.
DNS MX Record Explained — Mail Exchange Configuration
Learn how DNS MX records route email to mail servers, configure priority-based failover, and set up MX records for Google Workspace, Microsoft 365, and self-hosted mail.
Ready to manage your DNS with confidence?
DNScale provides anycast DNS hosting with a global network, real-time analytics, and an easy-to-use API.
Start free