NXDOMAIN vs SERVFAIL: What Each DNS Error Means
NXDOMAIN and SERVFAIL both prevent a normal DNS answer, but they describe very different failures. NXDOMAIN is a completed response saying the name does not exist. SERVFAIL means the resolver could not obtain or validate a usable answer.
NXDOMAIN: the name does not exist
An authoritative DNS server or cached negative response states that the queried name does not exist. This can be expected for a typo or an unpublished hostname.
A newly created record may temporarily return NXDOMAIN from resolvers that cached the previous absence.
dig @1.1.1.1 missing.example.com A
dig missing.example.com SOASERVFAIL: resolution could not be completed
SERVFAIL does not say the name is absent. It indicates that the recursive resolver encountered a failure while following the delegation, contacting authoritative servers or validating DNSSEC.
Typical causes include unreachable nameservers, lame delegation, inconsistent responses, expired signatures and an incorrect DS record.
dig @8.8.8.8 example.com A +dnssec
dig +trace example.com A
dig example.com DS +shortHow to distinguish them
- NXDOMAIN normally includes an SOA record used for negative caching.
- SERVFAIL often changes between validating and non-validating resolvers.
- NXDOMAIN for only one hostname can be a missing record; NXDOMAIN for the whole domain can indicate delegation or expiry issues.
- SERVFAIL across many resolvers requires checking authoritative reachability and DNSSEC before waiting for propagation.
Common diagnostic mistakes
Treating SERVFAIL as propagation
A persistent validation or delegation failure will not resolve simply by waiting.
Testing only one resolver
Resolver policy and cached state can hide the wider pattern.
Ignoring the complete FQDN
A record can exist at example.com but not at www.example.com, or vice versa.
Disabling DNSSEC without removing DS
The parent DS record can continue causing validation failures.