≡ Menu

What are the common DNS return codes, like NXDOMAIN?

If you do a DNS query, the DNS server will return the status of the query like NXDOMAIN or NOERROR. All of these return codes have a specific meaning. For example, NXDOMAIN means that the domain name does not exist. NOERROR means that the query completed successfully. REFUSED means that the DNS server refused to answer for the query that was sent to it.

You can get DNS error codes using dig on the command line. The command dig is part of a package called bind-utils. It is installed by default on most systems, but if it gives command not found, you can install it by installing the package bind-utils.

yum install bind-utils

Now that you have dig installed, you can check the error code (status) of each query that you use dig for.

For example, I will query ns1.google.com for the domain name google.com:

[root@server ~]# dig @ns1.google.com google.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @ns1.google.com google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55730
;; flags: qr aa rd; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       74.125.228.98
google.com.             300     IN      A       74.125.228.105
google.com.             300     IN      A       74.125.228.99
google.com.             300     IN      A       74.125.228.100
google.com.             300     IN      A       74.125.228.103
google.com.             300     IN      A       74.125.228.102
google.com.             300     IN      A       74.125.228.97
google.com.             300     IN      A       74.125.228.96
google.com.             300     IN      A       74.125.228.104
google.com.             300     IN      A       74.125.228.110
google.com.             300     IN      A       74.125.228.101

;; Query time: 22 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Thu Sep 19 14:43:50 2013
;; MSG SIZE  rcvd: 204

See the bolded text. It says the the status of the query was NOERROR, which means that the query completed successfully.

Now I will query the name server ns1.google.com for a domain name which it does not know about, like asdf.com:

[root@server ~]# dig @ns1.google.com asdf.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @ns1.google.com asdf.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9516
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;asdf.com.                      IN      A

;; Query time: 21 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Thu Sep 19 14:45:16 2013
;; MSG SIZE  rcvd: 26

The return code (status) of this query is REFUSED. This means that the name server refused to answer for the query asdf.com. This is expected because asdf.com is not a zone on ns1.google.com.

Now if you query an open recursive, like Google Public DNS (8.8.8.8), you will get an answer for any DNS query:

[root@server ~]# dig @8.8.8.8 asdf.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @8.8.8.8 asdf.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59263
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;asdf.com.                      IN      A

;; ANSWER SECTION:
asdf.com.               3865    IN      A       69.163.203.254

;; Query time: 18 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 19 14:47:03 2013
;; MSG SIZE  rcvd: 42

Now if you query an open recursive, like Google Public DNS (8.8.8.8) for a non-existent domain name, you get the error code (status) as NXDOMAIN:

[root@server ~]# dig @8.8.8.8 asdf8787asdf.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @8.8.8.8 asdf8787asdf.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53786
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;asdf8787asdf.com.              IN      A

;; AUTHORITY SECTION:
com.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1379587695 1800 900 604800 86400

;; Query time: 123 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 19 14:48:35 2013
;; MSG SIZE  rcvd: 107

So now you know about three DNS error codes: NXDOMAIN, REFUSED and NOERROR. There are other DNS return codes (status codes) which are explained as follows:

NOERROR (RCODE:0) : DNS Query completed successfully
FORMERR (RCODE:1) : DNS Query Format Error
SERVFAIL (RCODE:2) : Server failed to complete the DNS request
NXDOMAIN (RCODE:3) : Domain name does not exist
NOTIMP (RCODE:4) : Function not implemented
REFUSED (RCODE:5) : The server refused to answer for the query
YXDOMAIN (RCODE:6) : Name that should not exist, does exist
XRRSET (RCODE:7) : RRset that should not exist, does exist
NOTAUTH (RCODE:9) : Server not authoritative for the zone
NOTZONE (RCODE:10) : Name not in zone

So the above is a list of status codes that dig or any other DNS utility will return when you perform DNS queries. The status field in the response of dig will, in most cases, contain one of these return codes. If you use a DNS library like Net_DNS2, the error codes will be in the exception that the PHP library throws. More on this in another post!

Incoming search terms:

  • dns probe finished nxdomain (104)
  • dns probe finished no internet (48)
  • DNS_PROBE_FINISHED_NXDOMAIN (27)
  • Error code: DNS_PROBE_FINISHED_NXDOMAIN (17)
  • yhs-default (12)
  • what does DNS status code -137 mean (4)
  • status nxdomain (1)
  • posix NXDOMAIN (1)
  • nxdomain reply (1)
  • nxdomain linux (1)

Comments on this entry are closed.