When a DNS resolution error occurs, the website or service becomes unreachable even though the server may be running perfectly. DNS errors can originate at the client (your device), the resolver (your ISP or public DNS), or the authoritative nameserver. This guide walks through each layer and shows you how to diagnose and fix the problem.
Common DNS Resolution Error Messages
| Error Message | What It Means |
|---|---|
| DNS_PROBE_FINISHED_NXDOMAIN | The domain does not exist in DNS (NXDOMAIN) |
| DNS_PROBE_FINISHED_NO_INTERNET | Device has no network connectivity to reach any DNS server |
| DNS_PROBE_FINISHED_BAD_CONFIG | DNS is configured incorrectly on this device |
| ERR_NAME_NOT_RESOLVED | General DNS resolution failure |
| SERVFAIL | The resolver failed to get a valid response from authoritative servers |
| REFUSED | The queried nameserver refused to answer the query |
Step 1: Verify the Problem Is DNS
First, confirm the issue is DNS-related and not a network outage or server problem:
# Test if the domain resolves at all
nslookup example.com
# Try a direct IP connection to bypass DNS
ping 8.8.8.8 # If this works, you have internet but a DNS problem
# Try reaching the site by IP if you know it
curl -H "Host: example.com" http://93.184.216.34If ping 8.8.8.8 succeeds but nslookup example.com fails, the problem is DNS. If ping 8.8.8.8 also fails, you have a broader network connectivity issue.
Step 2: Test with a Different Resolver
Your ISP's resolver may have a problem. Test by querying a public resolver directly:
# Test with Google Public DNS
nslookup example.com 8.8.8.8
# Test with Cloudflare DNS
nslookup example.com 1.1.1.1
# Test with Quad9
nslookup example.com 9.9.9.9If the domain resolves via public resolvers but not via your default resolver, the problem is your ISP's resolver or your local DNS configuration. Consider changing your DNS server to 8.8.8.8 or 1.1.1.1 in your network settings.
Step 3: Flush Local DNS Cache
Your device may have a stale or corrupted DNS cache entry. Flush it:
# Windows
ipconfig /flushdns
# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
# Linux (systemd-resolved)
sudo systemctl restart systemd-resolvedAfter flushing, try the lookup again. If it now resolves, the stale cache was the cause.
Step 4: Check Hosts File
An incorrect entry in your local hosts file can override DNS and cause resolution failures:
# Linux/macOS
cat /etc/hosts | grep example.com
# Windows
type C:WindowsSystem32driversetchosts | findstr example.comIf you find an incorrect or outdated entry for the domain, remove it with a text editor (run as administrator on Windows).
Step 5: Diagnose the Authoritative Nameserver
If the domain resolves from some locations but not others, or returns SERVFAIL, the problem may be with the authoritative nameserver. Use dig +trace to follow the full resolution path:
# Trace the full DNS resolution path
dig example.com A +trace
# Check SERVFAIL response details
dig example.com A +dnssec
# Query the authoritative nameserver directly
dig example.com A @ns1.example-dns.comCommon authoritative nameserver problems that cause SERVFAIL:
- DNSSEC validation failure: If DNSSEC is configured incorrectly, validating resolvers return SERVFAIL. Check with the DNSSEC Validator.
- Zone file error: A syntax error in the zone file can cause the nameserver to fail to load the zone, returning SERVFAIL for all queries.
- Nameserver unreachable: If all configured nameservers are offline, resolvers cannot get an authoritative answer.
- SOA serial mismatch: If secondary nameservers have an incorrect serial number, they may serve stale or incomplete zone data.
Step 6: Verify DNS Records Are Correct
Confirm that the A, CNAME, or other record actually exists and has the correct value:
# Check A record
dig example.com A +short
# Check CNAME
dig www.example.com CNAME +short
# Check all record types
dig example.com ANYUse the ShowDNS Check All DNS Records tool for a complete view of all records associated with the domain.
Step 7: Check for Domain Expiry
If a domain has expired, the registrar may suspend DNS, causing all records to stop resolving. Check domain expiry:
whois example.com | grep -i "expir"You can also use the ShowDNS Domain Expiry Checker to check when a domain expires.
Fixing NXDOMAIN Errors (Domain Not Found)
NXDOMAIN means the domain name does not exist in DNS. Causes and fixes:
- Typo in domain name: Double-check the URL for spelling errors.
- Missing DNS record: The A, CNAME, or other record was accidentally deleted. Re-add it in your DNS provider's dashboard.
- Wrong nameservers: The domain's nameservers are pointing to a DNS provider that doesn't have the zone configured. Fix the NS records at the registrar.
- Domain expired: Renew the domain at your registrar.
- TTL-cached NXDOMAIN: If a record was recently added, the negative cache TTL (from the SOA record) may be preventing the new answer from being seen. Wait for the TTL to expire or flush the resolver cache.
Frequently Asked Questions
Why does a domain resolve on one device but not another?
Different devices use different DNS resolvers and have separate local caches. One device may have a stale cached answer (NXDOMAIN or old IP) while another has a fresh answer. Flushing the cache on the problematic device usually fixes this.
Why does my domain resolve with dig but not in the browser?
Chrome has its own DNS cache (chrome://net-internals/#dns). Flush Chrome's DNS cache separately from the OS. Also check if a browser extension or proxy is intercepting DNS queries.
What is SERVFAIL and how do I fix it?
SERVFAIL means the resolver could not get a valid authoritative answer. Common causes: DNSSEC misconfiguration, all nameservers offline, zone file errors, or network issues between resolver and authoritative server. Use dig +trace to identify where the failure occurs.