DNS Response Codes
Complete reference of DNS response codes (RCODEs) — from NOERROR and NXDOMAIN to extended EDNS codes, with meanings and troubleshooting guidance
Every DNS response tells you what happened
The RCODE (Response Code) field in the DNS header tells the querier whether the lookup succeeded, and if not, why it failed. Understanding response codes is essential for debugging DNS issues.
Base response codes (4-bit, RFC 1035)
The original DNS specification defines a 4-bit RCODE field in the header, supporting values 0-15. These are the codes you will encounter most often.
NOERROR (0)
Query completed successfully. The most common response code. The answer may contain records, or it may be empty.
An empty answer with NOERROR is called NODATA — the name exists but has no records of the requested type. Example: querying for an AAAA record on a domain that only has an A record. NODATA is not a formal RCODE but a condition (NOERROR with ANCOUNT=0).
FORMERR (1) — Format Error
The server could not interpret the query. The DNS message was malformed. Common causes:
- EDNS incompatibility between client and server
- Corrupted DNS packet
- Unsupported query features
If you see FORMERR consistently for a specific domain, the authoritative server may not support EDNS. The DNS Flag Day 2019 enforced EDNS compliance, making this less common.
SERVFAIL (2) — Server Failure
The server encountered an internal error. The most common operational headache. Causes include:
- DNSSEC validation failure — expired signatures, missing DS records, algorithm mismatches
- Authoritative server timeout — the recursive resolver could not reach the authoritative server
- Lame delegation — NS records point to servers that do not serve the zone
- Software bugs in the authoritative server
- Rate limiting — some resolvers return SERVFAIL when rate limits are exceeded
SERVFAIL is the DNS equivalent of an HTTP 500 — something went wrong on the server side, but the code does not tell you what.
NXDOMAIN (3) — Non-Existent Domain
The queried domain name does not exist. The strongest negative assertion in DNS. Per RFC 8020, NXDOMAIN means no names exist at or below the queried name.
Resolvers cache NXDOMAIN responses (negative caching, RFC 2308) for the duration specified in the SOA MINIMUM field. This prevents repeated queries for names that do not exist.
Common causes of unexpected NXDOMAIN:
- Typo in the domain name
- Domain expired or was not renewed
- Domain was seized by law enforcement
- DNS censorship — some censoring resolvers return NXDOMAIN for blocked domains
- Incorrect NS delegation — parent zone points to wrong name servers
NOTIMP (4) — Not Implemented
The server does not support the requested OPCODE. Rarely seen in normal operation. May appear when querying an authoritative-only server with a recursive query, or when using an unsupported opcode like IQUERY (obsoleted in 2002).
REFUSED (5) — Query Refused
The server refuses to perform the operation, typically for policy reasons. Common causes:
- A client outside the allowed network queries a non-public recursive resolver
- An authoritative server receives a query for a zone it does not serve
- Rate limiting or access control policies are in effect
- The server is configured to refuse recursive queries from unauthorized clients
Dynamic update codes (6-10, RFC 2136)
These codes are used with DNS dynamic updates (OPCODE 5) and are rarely seen in normal query/response exchanges.
| RCODE | Name | Meaning |
|---|---|---|
| 6 | YXDOMAIN | Name exists when it should not |
| 7 | YXRRSET | RR set exists when it should not |
| 8 | NXRRSET | RR set that should exist does not |
| 9 | NOTAUTH | Server not authoritative for the zone, or not authorized for the update |
| 10 | NOTZONE | Update name is outside the zone specified in the Zone section |
Extended response codes (EDNS)
EDNS extends the RCODE to 12 bits by placing the upper 8 bits in the OPT record’s TTL field. The full RCODE is computed as:
full_rcode = (EDNS_extended_rcode shifted left 4 bits) OR header_rcode
An extended RCODE of 0 in the OPT record means the 4-bit header RCODE is the complete code.
BADVERS (16) — Bad OPT Version
The server does not support the EDNS version requested by the client. Currently the only defined EDNS version is 0. Also used as BADSIG for TSIG signature verification failure.
TSIG/TKEY codes (17-22)
| RCODE | Name | Meaning |
|---|---|---|
| 17 | BADKEY | TSIG key not recognized |
| 18 | BADTIME | TSIG timestamp outside acceptable range |
| 19 | BADMODE | Error in TKEY mode field |
| 20 | BADNAME | Duplicate TKEY key name |
| 21 | BADALG | TSIG/TKEY algorithm not supported |
| 22 | BADTRUNC | TSIG MAC is too short |
BADCOOKIE (23, RFC 7873)
Server cookie validation failed. The client should retry with the server cookie from the response. DNS cookies provide lightweight transaction authentication against off-path spoofing and amplification attacks.
Private use (3841-4095)
Reserved for private or experimental use per RFC 6895.
Troubleshooting guide
SERVFAIL checklist
- Check DNSSEC: Is the domain signed? Are signatures expired? Is the DS record in the parent zone correct? Use `dig +dnssec` to inspect.
- Check authoritative servers: Can the recursive resolver reach them? Are they responding? Use `dig @ns1.example.com example.com` to test directly.
- Check delegation: Do NS records in the parent zone match the NS records in the child zone? Mismatches cause lame delegation.
- Check software: Is the authoritative server software up to date? Known bugs can cause SERVFAIL.
- Try a different resolver: If one resolver returns SERVFAIL but another returns NOERROR, the problem may be resolver-specific (caching a bad result, DNSSEC policy differences).
NXDOMAIN when the domain should exist
- Check the parent zone: Does the parent zone have correct NS records delegating to the right authoritative servers?
- Query the authoritative server directly: `dig @ns1.example.com example.com` — if this returns the correct answer, the problem is in the delegation chain.
- Check domain registration: Has the domain expired? Use WHOIS to verify.
- Check for censorship: Some ISP resolvers return NXDOMAIN for censored domains. Try querying a public resolver (1.1.1.1, 8.8.8.8).
REFUSED when querying
- Are you allowed to query this resolver? Many recursive resolvers only serve queries from authorized networks.
- Is the server authoritative for this zone? An authoritative server will REFUSE queries for zones it does not serve.
- Is recursion enabled? Some servers are configured as authoritative-only and will REFUSE recursive queries.
The NODATA condition
NODATA is not an RCODE — it is a condition where the server returns NOERROR with an empty answer section. The name exists, but not with the requested record type.
Example: example.com has an A record but no AAAA record. Querying for the AAAA returns NOERROR with zero answers. The authority section contains the SOA record, which provides the negative cache TTL.
NODATA is often confused with NXDOMAIN, but they mean different things:
| Condition | RCODE | Answer | Meaning |
|---|---|---|---|
| Success | NOERROR (0) | Records present | Name exists, records found |
| NODATA | NOERROR (0) | Empty | Name exists, but not with this type |
| NXDOMAIN | NXDOMAIN (3) | Empty | Name does not exist at all |
This distinction matters for negative caching, wildcard matching, and DNSSEC authenticated denial of existence.
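An added example, not part of the original page: a minimal parser that reads the header RCODE and ANCOUNT from a raw response, combines the header RCODE with the OPT record's extended bits using the formula from the extended response codes section, and applies the Success/NODATA/NXDOMAIN table above. The function names and the sample messages are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 7: "YXRRSET", 16: "BADVERS", 23: "BADCOOKIE"}  # subset of the page's tables

def _skip_name(msg, off):
    """Return the offset just past a domain name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:                 # zero-length root label ends the name
            return off

def classify(msg):
    """Return (full_rcode, rcode_name, condition) for one raw DNS response."""
    try:
        _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        off, ext = 12, 0
        for _ in range(qd):             # each question: name + QTYPE + QCLASS
            off = _skip_name(msg, off) + 4
        for _ in range(an + ns + ar):   # walk all RRs to find OPT (type 41)
            off = _skip_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == 41:
                ext = ttl >> 24         # upper 8 bits of the OPT TTL field
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed DNS message") from None
    full = (ext << 4) | (flags & 0x000F)
    if full == 0:                       # page's definition: NOERROR with ANCOUNT=0
        condition = "NODATA" if an == 0 else "Success"
    else:
        condition = "NXDOMAIN" if full == 3 else "Error"
    return full, RCODES.get(full, f"RCODE{full}"), condition

def sample(header_rcode, ext_rcode, ancount=0):
    """Build a constructed response for example.com AAAA (not captured traffic)."""
    hdr = struct.pack("!6H", 0x1234, 0x8180 | header_rcode, 1, ancount, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 28, 1)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, 300, 16) + bytes(16)) * ancount
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, ext_rcode << 24, 0)
    return hdr + question + answer + opt

if __name__ == "__main__":
    for args in [(0, 0, 1), (0, 0), (3, 0), (0, 1), (7, 1)]:
        print(args, classify(sample(*args)))
```

The (7, 1) case shows why the OPT record matters: the header alone reads 7 (YXRRSET), while the full code is 23 (BADCOOKIE).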