What does SERVFAIL (RCODE 2) actually mean?

SERVFAIL means the name server could not process the query because of an internal problem. Common causes are an unreachable upstream, a misconfigured zone, or a DNSSEC validation failure on the resolver.

How is NXDOMAIN different from a NoError empty answer?

NXDOMAIN (RCODE 3) asserts the queried name does not exist at all. A NoError response with zero answer records means the name exists but has no record of the requested type — for example an A query against a name that only has MX records.

Why are RCODEs above 15 called extended?

The DNS header field for RCODE is only 4 bits, so it can hold 0–15. Codes 16 and up are carried in the EDNS0 OPT record or in TSIG/TKEY data, which is why they only appear when those extensions are in use.

What causes a BADTIME (RCODE 18) error?

BADTIME is a TSIG failure meaning the request timestamp fell outside the allowed fudge window. It almost always indicates clock skew between the client and the server, so syncing both to NTP usually fixes it.

Is REFUSED a failure of my query or the server's policy?

REFUSED (RCODE 5) is a policy decision: the server understood the query but declined to answer. Typical reasons are recursion being disabled for your IP or a zone transfer being denied to an unauthorised client.

DNS Response Codes (RCODE)

DNS response codes — RCODEs — are the small numeric status returned in every DNS reply telling you whether the lookup succeeded and, if not, why. Reading them correctly is the fastest way to tell a missing record apart from a broken resolver or a deliberate policy block. This reference lists the standard codes from the DNS header plus the extended values carried by EDNS and TSIG, each with its RFC and a diagnostic note.

How it works

The original DNS header reserves only 4 bits for the RCODE, so values 0–15 fit inside a normal response. Anything larger is an extended RCODE: the high bits live in the EDNS0 OPT pseudo-record (RFC 6891) or in TSIG/TKEY signature data (RFC 8945). That is why a tool like dig only shows codes such as BADVERS or BADTIME when EDNS or transaction signatures are present.

The most common everyday codes are NOERROR (0), SERVFAIL (2), NXDOMAIN (3) and REFUSED (5). Note that value 16 is overloaded: in an EDNS context it means BADVERS (unsupported OPT version), and in a TSIG context it means BADSIG (signature failure).

Tips and examples

When debugging, map the code to a cause before changing anything:

NXDOMAIN  -> the name genuinely does not exist (check for typos / delegation)
SERVFAIL  -> resolver problem: upstream down or DNSSEC validation failed
REFUSED   -> policy: recursion off, ACL, or zone-transfer denied
NOERROR + 0 answers -> name exists but not for that record type

A frequent DNSSEC pitfall: a validating resolver returns SERVFAIL for a zone with a broken signature, while a non-validating resolver returns the records normally — the difference points straight at a DNSSEC misconfiguration rather than the records themselves.

DNS Response Codes (RCODE)

Email me this result

How it works

Tips and examples