Home › Glossary › NXDOMAIN

NXDOMAIN

NXDOMAIN ("non-existent domain") is the DNS response code that says: the name you queried does not exist at all. It's RCODE 3 in the DNS protocol.

When you'll see NXDOMAIN

• The domain isn't registered, or has expired
• The subdomain you queried doesn't exist (even if the parent domain does)
• A typo: exmaple.com vs example.com
• Recently-deleted records that haven't fully propagated to the resolver you're using

NXDOMAIN vs NODATA vs SERVFAIL

These three look similar but mean very different things:

• NXDOMAIN: the name doesn't exist at all.
• NODATA: the name exists, but not the record type you asked for. Looking up an AAAA on an IPv4-only host returns NODATA, not NXDOMAIN. (Many tools render NODATA as an empty-result NOERROR, which adds to the confusion.)
• SERVFAIL: the resolver couldn't get an authoritative answer. Often a DNSSEC validation failure, a broken delegation, or unreachable nameservers.

Worked example: a stuck NXDOMAIN after creation

You add a new subdomain app.example.com at 10:00. You test from your laptop at 10:01 and get NXDOMAIN. Panic. You re-check the DNS console: the record is there. What's happening?

Some resolver in the path (your ISP, your office DNS, or one of the public resolvers your OS is using) queried app.example.com shortly before 10:00 — maybe a coworker testing the same thing, or your own browser's DNS prefetch. It got NXDOMAIN. It cached "no such record" for the negative-caching TTL: typically 3600 seconds, governed by the SOA "minimum" field. Until that expires, the cache returns NXDOMAIN even though the record now exists.

Fixes: wait it out (max 1 hour), switch your laptop to a resolver that hasn't cached it (1.1.1.1 on a fresh machine), or run the lookup through WhereIsDNS against the 14 public resolvers — if some return "ok" and others NXDOMAIN, you've confirmed it's negative caching, not a real publish failure.

Lowering negative TTL

The negative-caching window is controlled by the last field of your SOA record. Lower it to 300 in advance if you're about to create a lot of new subdomains. Most DNS providers default to 3600 (1 hour), some to 86400 (24 hours). Worth checking yours before you need it.

Verify on WhereIsDNS

If WhereIsDNS shows NXDOMAIN across most resolvers but a few say "ok," the record was probably just created and most resolvers have stale negative caches. If most say "ok" but a few say NXDOMAIN, those few are the ones with stale negative caches — they'll catch up within the negative TTL window.

Related: TTL · SOA records · resolver.