DNS Not Resolving: 8 Causes and How to Fix

When the browser shows DNS_PROBE_FINISHED_NXDOMAIN, SERVFAIL, or just "This site can't be reached", the root cause is almost always in DNS. The origin server may be perfectly healthy — but the resolver cannot translate the domain name into an IP, so users never make it there. These errors look like a full outage even when the infrastructure is fine.

This article walks through the eight most common reasons DNS stops resolving, with a practical diagnostic workflow. We go from the local browser cache all the way up to the authoritative chain, and for each cause we provide commands and tools you can run right now.

What "DNS not resolving" actually means

Every visit starts with a DNS Lookup: the client asks a recursive resolver for the A or AAAA record, and the resolver walks the chain from the root servers to the TLD servers to the authoritative servers. If any step breaks, there is no answer and the site "doesn't open".

NXDOMAIN
The domain doesn't exist — either unregistered or the authoritative servers claim it doesn't.
SERVFAIL
The resolver could not get a valid answer. Often DNSSEC validation failures or unreachable authoritative NS.
REFUSED
The server refused to answer — usually an ACL on the authoritative DNS.
Timeout
No response at all — network, firewall, or dead NS.
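
The four outcomes above can be told apart from the RCODE bits of the reply header. The following added example (not part of the original article) sends one A query to a resolver using only Python's standard library and classifies the result. The function names, the NODATA/MALFORMED/UNREACHABLE labels and the sample bytes are constructed for illustration.

```python
import secrets
import socket
import struct

# Header RCODE values (RFC 1035) for the outcomes listed above.
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid, qtype=1):
    """Recursive query (RD=1) for `name`; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify(response, txid):
    """Map a raw DNS response to (status, answer_count)."""
    if len(response) < 12:
        return ("MALFORMED", 0)
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID, or QR bit not set
        return ("MALFORMED", 0)
    status = RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")
    if status == "NOERROR" and ancount == 0:
        status = "NODATA"                   # name exists, but no record of this type
    return (status, ancount)

def probe(name, resolver, timeout=3.0):
    """Send one UDP query to `resolver` (an IP address) and classify the reply."""
    txid = secrets.randbelow(1 << 16)       # unpredictable ID, as stub resolvers use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, txid), (resolver, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return ("TIMEOUT", 0)
        except OSError:
            return ("UNREACHABLE", 0)       # no route, ICMP port unreachable, etc.
    return classify(data, txid)

# Constructed 12-byte response header: ID 0x1234, QR/RD/RA set, RCODE 2, no answers.
SAMPLE_SERVFAIL = bytes.fromhex("123481820001000000000000")

if __name__ == "__main__":
    print(classify(SAMPLE_SERVFAIL, 0x1234))
    for resolver in ("8.8.8.8", "1.1.1.1"):   # public resolvers named in this article
        print(resolver, probe("example.com", resolver))
```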

8 reasons DNS stops resolving

1. Stale local DNS cache

After changing an IP or NS, the browser and OS keep the old record until TTL expires. Users see 404s, connection refused, or a blank page.

dig example.com @8.8.8.8 +short
dig example.com @1.1.1.1 +short

If public resolvers return the right answer but the local machine does not, it is a cache issue.

2. Missing or wrong NS records

If the registrar publishes one set of nameservers but the zone lives on another, clients end up at dead servers. Very common during DNS provider migrations.

dig NS example.com +short
whois example.com | grep -i "name server"

The NS list at the registrar must match what dig NS returns.

3. Expired domain

When a domain expires, the registrar removes NS delegation. The domain enters redemption or pendingDelete, and every lookup returns NXDOMAIN. Check with WHOIS Lookup.

4. TTL too long during migration

If you don't lower TTL before switching IPs or NS, old records stick around for a day. This is the classic "works for us, broken for customers" scenario. See our DNS TTL best practices.

5. DNSSEC errors

If the zone is signed but the DS record at the registrar doesn't match the current KSK, validating resolvers return SERVFAIL. Common after zone transfers or key rollovers.

dig example.com +dnssec +multi
dig DS example.com @1.1.1.1 +short
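
An added example, not from the original article, of the DS-to-KSK check described above: it recomputes the DS (RFC 4034) from `dig DNSKEY example.com +short` lines and reports which published DS lines are backed by a key the zone actually serves. The key material is constructed, not real, and the check covers only the DS/DNSKEY link, not RRSIG signatures.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """'257 3 13 <base64>' (dig DNSKEY +short) -> DNSKEY RDATA bytes."""
    flags, proto, alg, *b64 = line.split()
    head = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return head + base64.b64decode("".join(b64))

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey_line, digest_type=2):
    """DS presentation line the parent should publish for this key."""
    rdata = parse_dnskey(dnskey_line)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def matching_ds(owner, ds_lines, dnskey_lines):
    """Return the DS lines backed by a DNSKEY the zone serves.
    An empty list means the chain of trust is broken at the delegation."""
    good = []
    for ds in ds_lines:
        tag, alg, dtype, *hexparts = ds.split()   # dig may split the digest
        if int(dtype) not in DIGESTS:
            continue
        want = f"{int(tag)} {int(alg)} {int(dtype)} {''.join(hexparts).upper()}"
        if any(make_ds(owner, k, int(dtype)) == want for k in dnskey_lines):
            good.append(ds)
    return good

# Constructed key material (not real keys): the zone rolled to NEW_KSK,
# but the registrar still publishes the DS for OLD_KSK.
OLD_KSK = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
NEW_KSK = "257 3 13 " + base64.b64encode(bytes(range(64, 128))).decode()

if __name__ == "__main__":
    stale = [make_ds("example.com", OLD_KSK)]
    print(matching_ds("example.com", stale, [NEW_KSK]))   # no DS matches the served key
    print(make_ds("example.com", NEW_KSK))                # DS the registrar should carry
```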

6. DNS traffic blocked (port 53)

Corporate firewalls, guest Wi-Fi, or some ISPs block outbound UDP/TCP 53 to third-party resolvers. Clients become fully dependent on the local DNS, and if that breaks, sites stop resolving.

7. ISP resolver is down or overloaded

The ISP's recursive resolver may be temporarily unreachable or return partial answers. Switch to 1.1.1.1, 8.8.8.8, or 9.9.9.9.

8. Zone errors: dangling CNAMEs or loops

A CNAME pointing to a missing record, NS loops, or an MX with a CNAME target (forbidden by RFC 2181) all break resolution. Trace the delegation from the root to see where the chain stops:

dig +trace example.com
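
An added example (not the article's own code) that checks a record list for the errors named above before the zone is published: in-zone CNAMEs whose target has no records, CNAME loops, and MX targets that are aliases. It also flags NS targets that are aliases, which RFC 2181 forbids in the same section. The record tuples and names are constructed sample data, and wildcards are not expanded.

```python
def lint_zone(origin, records):
    """records: (owner, rtype, target_name) tuples with absolute names
    (MX preference omitted). Returns a sorted list of (owner, problem)."""
    norm = lambda n: n.lower().rstrip(".")
    origin = norm(origin)
    by_name = {}
    for owner, rtype, target in records:
        by_name.setdefault(norm(owner), []).append((rtype.upper(), norm(target)))
    cname = {o: t for o, rrs in by_name.items() for rt, t in rrs if rt == "CNAME"}
    in_zone = lambda n: n == origin or n.endswith("." + origin)

    findings = set()
    for owner in cname:
        seen, cur = [owner], cname[owner]
        while cur in cname and cur not in seen:   # follow the alias chain
            seen.append(cur)
            cur = cname[cur]
        if cur in seen:
            findings.add((owner, "CNAME loop"))
        elif in_zone(cur) and cur not in by_name:
            # Out-of-zone targets need a live lookup and are not judged here.
            findings.add((owner, f"dangling CNAME -> {cur}"))
    for owner, rrs in by_name.items():
        for rtype, target in rrs:
            if rtype in ("MX", "NS") and target in cname:
                findings.add((owner, f"{rtype} target {target} is a CNAME"))
    return sorted(findings)

ZONE = [  # constructed sample records
    ("example.com", "A", "192.0.2.10"),
    ("example.com", "MX", "mail.example.com"),
    ("mail.example.com", "CNAME", "mx.provider.example"),   # out of zone, not judged
    ("www.example.com", "CNAME", "app.example.com"),        # app has no records
    ("a.example.com", "CNAME", "b.example.com"),
    ("b.example.com", "CNAME", "a.example.com"),
    ("shop.example.com", "CNAME", "example.com"),           # resolves to the apex A
]

if __name__ == "__main__":
    for owner, problem in lint_zone("example.com", ZONE):
        print(f"{owner}: {problem}")
```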

5-minute diagnostic

  1. Check a public resolver. Open DNS Lookup and inspect A, AAAA, NS, SOA.
  2. Compare with local. Run dig example.com and dig example.com @8.8.8.8. If the answers differ, the problem is local.
  3. Check propagation. Use DNS Propagation Checker across multiple regions.
  4. WHOIS + NS. WHOIS Lookup shows the current registrar and NS.
  5. Validate DNSSEC. DNSViz visualises the chain.

Fixes

Flush the local cache

Windows: ipconfig /flushdns. macOS: sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder. Linux (systemd-resolved): sudo resolvectl flush-caches, or sudo systemd-resolve --flush-caches on older releases that still ship that command. Full guide: How to Flush DNS Cache.

Switch resolvers

Public resolvers — 1.1.1.1 (Cloudflare), 8.8.8.8 (Google), 9.9.9.9 (Quad9).

Align NS between registrar and DNS provider

Open the registrar panel and verify the Name Servers — they must exactly match what dig NS example.com returns.

Lower TTL 48h before migration

Set TTL = 300 at least 24h (ideally 48h) before migrating, then raise back to 3600-86400 after the switch.

Add DNS monitoring

Enterno.io supports DNS record monitoring with alerts via Telegram, email, Slack, and webhooks. Set it up in Monitors.

Prevention

FAQ

Why does the site work for some users but not others?
Different resolver caches with different TTL expiry. Wait for TTL to expire or switch resolvers.
Can Cloudflare cache NXDOMAIN?
Yes, per RFC 2308 resolvers cache negative responses based on the SOA minimum/TTL.
Glue records vs NS in zone — which wins?
Glue is only needed when an NS lives inside the same domain. It must match the NS host's A record or you get a lame delegation.
Can I skip DNSSEC?
Yes, but you're exposed to DNS spoofing. For critical services, DNSSEC is recommended.

Conclusion

Most "not resolving" issues fall into three buckets: cache, NS delegation, and TTL. Walk the checklist top-down — local cache, public resolver, propagation, WHOIS, DNSSEC — and you will localise the cause in ten minutes. For continuous protection, set up DNS monitoring in Enterno.io: we check A, AAAA, NS, MX, TXT, and CNAME from multiple regions and alert you the moment anything drifts.
