NXDOMAIN stands for Non-Existent Domain. It is the DNS response code (RCODE 3) that a DNS server returns when the queried domain name does not exist in the DNS hierarchy. When you see an NXDOMAIN response, the DNS server is telling you authoritatively: "I checked, and this domain genuinely does not exist."
If you have ever mistyped a URL and seen a "this site can't be reached" or "server not found" error, an NXDOMAIN response was almost certainly behind it. It is one of the most common DNS responses you will encounter, and understanding it is essential for troubleshooting DNS issues and recognizing certain types of DNS attacks.
How NXDOMAIN Works
When your browser or application needs to resolve a domain name, it sends a query to a DNS resolver. The resolver walks the DNS hierarchy — root servers, TLD servers, authoritative servers — to find the answer.
If the authoritative server for a zone confirms that the queried name does not exist within that zone, it returns an NXDOMAIN response. This response propagates back through the chain to your device.
```
$ dig nonexistent-domain-xyz.com A
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; QUESTION SECTION:
;nonexistent-domain-xyz.com. IN A
;; AUTHORITY SECTION:
com. 900 IN SOA a.gtld-servers.net. ...
```
The key field is status: NXDOMAIN. The authority section shows that the .com TLD server responded — it checked its records and confirmed that nonexistent-domain-xyz.com is not a registered domain.
Common Causes of NXDOMAIN
1. The Domain Is Not Registered
The most straightforward cause. The domain name was never registered, has expired, or has been deleted by the registrar.
```bash
# Check if a domain is registered
whois example-test-domain.com
# If you see "No match for domain" or similar, it is not registered
```
2. Typo in the Domain Name
A misspelled domain triggers NXDOMAIN because the misspelled version does not exist:
```bash
dig gogle.com A   # Typo — may or may not exist
dig google.com A  # Correct — resolves normally
```
This is one of the most common reasons users encounter NXDOMAIN in daily browsing.
3. The Subdomain Does Not Exist
The parent domain exists, but the specific subdomain you queried does not:
```bash
dig nonexistent-subdomain.example.com A
# NXDOMAIN — example.com exists, but this subdomain does not
```
This is different from a missing A record. NXDOMAIN means the name itself does not exist in the zone. If the name exists but has no A record, you get NOERROR with an empty answer section instead.
4. DNS Propagation Delay
If you recently registered a domain or changed nameservers, some resolvers may still return NXDOMAIN until the changes propagate. DNS propagation can take anywhere from minutes to 48 hours depending on TTL values and caching.
Use the Propagation Checker to see whether your domain resolves from different nameservers around the world.
5. Expired Domain
When a domain registration expires and passes through the grace period, the registry removes it. Queries for an expired domain return NXDOMAIN. If you suspect this, check the domain's WHOIS record for expiration dates.
6. DNS Server Misconfiguration
If your authoritative nameserver is misconfigured — for example, missing a zone file or having an incorrect zone definition — it may return NXDOMAIN for domains it should be serving.
NXDOMAIN vs. Other DNS Response Codes
Understanding the difference between NXDOMAIN and other DNS responses helps with troubleshooting:
| Response Code | Meaning | What It Tells You |
|---|---|---|
| NOERROR | Success | The domain exists. Check the answer section for records. |
| NXDOMAIN | Non-Existent Domain | The domain name does not exist at all. |
| SERVFAIL | Server Failure | The resolver encountered an error (timeout, DNSSEC validation failure, etc.). The domain may or may not exist; the server could not determine which. |
| REFUSED | Query Refused | The server refused to answer (access control, not configured for recursion, etc.). |
| NOERROR + empty answer | No records of this type | The domain exists but has no records of the queried type (e.g., no AAAA record). |
The distinction between NXDOMAIN and NOERROR with an empty answer is important. NXDOMAIN means the name does not exist at all. An empty NOERROR means the name exists but does not have the specific record type you asked for.
How to Troubleshoot NXDOMAIN
Step 1: Verify the Domain Name
Double-check spelling. This sounds obvious but accounts for a large percentage of NXDOMAIN errors.
Step 2: Query Different Resolvers
```bash
dig example.com A @8.8.8.8        # Google
dig example.com A @1.1.1.1        # Cloudflare
dig example.com A @9.9.9.9        # Quad9
dig example.com A @your-resolver  # Your local resolver
```
If some resolvers return NXDOMAIN and others return a valid response, you are likely dealing with a caching or propagation issue. If all return NXDOMAIN, the domain genuinely does not exist or is not configured.
Step 3: Check the Authoritative Server Directly
```bash
# Find the nameservers
dig NS example.com +short
# Query the authoritative server directly
dig example.com A @ns1.example.com
```
If the authoritative server returns NXDOMAIN, the problem is in the zone configuration. If it returns a valid response but your resolver returns NXDOMAIN, the issue is caching or resolution path.
Step 4: Check Domain Registration
```bash
whois example.com
```
Verify the domain is registered, not expired, and has correct nameserver entries.
Step 5: Inspect with DNS Inspector
Use the DNS Inspector to query your domain across all record types and see exactly what each nameserver returns.
Step 6: Check for DNSSEC Issues
If you have DNSSEC enabled, a misconfigured DS record or an expired RRSIG causes validating resolvers to return SERVFAIL (not NXDOMAIN). Similarly, if a DNSSEC-signed domain has been re-delegated, stale DS records left at the parent zone cause validation failures that surface as resolution errors. Learn more in What Is DNSSEC and Why Should You Enable It.
Negative Caching: How NXDOMAIN Responses Are Cached
When a resolver receives an NXDOMAIN response, it caches it as a negative cache entry. The cache duration is taken from the SOA record in the authority section: per RFC 2308 it is the lesser of the SOA record's own TTL and its MINIMUM field, and the authoritative server already reports that value as the SOA TTL in the response.
```
$ dig nonexistent.example.com A
;; AUTHORITY SECTION:
example.com. 3600 IN SOA ns1.example.com. admin.example.com. ...
#            ^^^^
# This TTL (3600 seconds = 1 hour) is how long the NXDOMAIN is cached
```
This means that even after you create a new subdomain record, resolvers that have cached the NXDOMAIN may continue to return it for up to the SOA TTL. This is a common source of confusion: "I added the record, but it still says the domain doesn't exist."
How to mitigate: If you know you will be adding subdomains frequently, consider lowering the SOA minimum TTL. For most zones, 300-600 seconds (5-10 minutes) is a reasonable negative cache TTL.
NXDOMAIN and Security
NXDOMAIN responses are not just a troubleshooting concern — they play a role in several DNS security scenarios:
NXDOMAIN Attacks
Attackers can flood DNS resolvers with queries for nonexistent domains, forcing the resolver to perform full recursion for each query and exhausting its resources. This is a form of denial-of-service attack that exploits the resolver's obligation to process every query. For a detailed explanation, see NXDOMAIN Attack: How Nonexistent Domain Floods Exhaust DNS Resolvers.
NXDOMAIN in Water Torture Attacks
The DNS water torture attack targets authoritative nameservers by sending queries for random subdomains that generate NXDOMAIN responses. Monitoring your NXDOMAIN response ratio is a key detection method for both attack types.
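The ratio check described above, as an added example that is not part of the original article: it parses a constructed, simplified query log (epoch, client IP, qname, rcode) and flags clients whose NXDOMAIN share is high enough over enough queries to stand out from ordinary typos, listing the parent zones their nonexistent names fall under.

```python
from collections import defaultdict

# Constructed sample log (not real traffic): one client sending random names
# under a single zone, the rest normal. Format: <epoch> <client> <qname> <rcode>
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com. NOERROR
1700000001 10.0.0.5 mail.example.com. NOERROR
1700000002 10.0.0.5 gogle.com. NXDOMAIN
1700000003 10.0.0.9 x7f3q.victim.example. NXDOMAIN
1700000003 10.0.0.9 k2mz9.victim.example. NXDOMAIN
1700000004 10.0.0.9 p0qa1.victim.example. NXDOMAIN
1700000004 10.0.0.9 zz81w.victim.example. NXDOMAIN
1700000005 10.0.0.9 www.victim.example. NOERROR
1700000005 10.0.0.9 a9x2c.victim.example. NXDOMAIN
1700000006 10.0.0.7 example.org. NOERROR
"""

def parse_log(text):
    """Yield (client, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode

def nxdomain_stats(records):
    """Per client: total queries, NXDOMAIN count, distinct NXDOMAIN names."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for client, qname, rcode in records:
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_names"].add(qname)
    return stats

def flag_clients(stats, min_queries=5, ratio=0.6):
    """Return clients whose NXDOMAIN ratio is at or above the threshold.
    min_queries keeps a single mistyped domain from being flagged."""
    flagged = {}
    for client, s in stats.items():
        if s["total"] < min_queries:
            continue
        r = s["nx"] / s["total"]
        if r >= ratio:
            # Many distinct names under few parents is the random-subdomain
            # pattern; many unrelated names is a resolver flood or stale cache.
            parents = {".".join(n.split(".")[-2:]) for n in s["nx_names"]}
            flagged[client] = {"ratio": round(r, 2), "zones": sorted(parents)}
    return flagged
```

Run it against a real resolver's query log by adapting `parse_log` to that log's field layout; the thresholds are starting points to tune against your own baseline.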
NXDOMAIN and Subdomain Takeover
When a CNAME record points to a target that returns NXDOMAIN, it may indicate a subdomain takeover vulnerability. An attacker can claim the unconfigured resource and serve content on your subdomain.
DNSSEC and Authenticated NXDOMAIN
DNSSEC provides authenticated denial of existence through NSEC or NSEC3 records. When a validating resolver receives an NXDOMAIN for a DNSSEC-signed zone, the NSEC/NSEC3 records cryptographically prove that the name does not exist — preventing an attacker from forging NXDOMAIN responses to deny access to legitimate domains. However, this mechanism can also expose zone contents through zone walking.
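How a validating resolver checks an NSEC denial, as an added example that is not part of the original article: names are ordered per RFC 4034 section 6.1, an NSEC record covers a name that falls strictly inside the gap between its owner and its "next" field (the last NSEC wraps back to the apex), and an NXDOMAIN proof needs both the queried name and the wildcard at its closest encloser to be covered. The zone and its NSEC chain are constructed.

```python
# Added example (not from the article): verify a DNSSEC authenticated
# denial of existence using NSEC records and RFC 4034 canonical ordering.
# Signature checking is out of scope here; only the covering logic is shown.

def canonical_key(name):
    """Sort key per RFC 4034 §6.1: compare labels from the root leftward,
    case-insensitively, byte-wise; a name that is a prefix sorts first."""
    stripped = name.lower().rstrip(".")
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode() for label in reversed(labels))

def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly inside the gap this NSEC spans.
    The last NSEC of a zone points back to the apex, so its gap wraps."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n

def closest_encloser(nsec_chain, qname, zone):
    """Longest existing ancestor of qname (NSEC owners are the existing names)."""
    existing = {canonical_key(o) for o, _ in nsec_chain}
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if canonical_key(ancestor) in existing:
            return ancestor
    return zone

def proves_nxdomain(nsec_chain, qname, zone):
    """An NXDOMAIN proof needs one NSEC covering qname and one covering the
    wildcard at the closest encloser (otherwise a wildcard might match)."""
    if canonical_key(qname) in {canonical_key(o) for o, _ in nsec_chain}:
        return False  # the name exists; that would be NOERROR, not NXDOMAIN
    wildcard = "*." + closest_encloser(nsec_chain, qname, zone)
    return (any(nsec_covers(o, n, qname) for o, n in nsec_chain)
            and any(nsec_covers(o, n, wildcard) for o, n in nsec_chain))

# Constructed NSEC chain for example.com: (owner, next owner) pairs.
EXAMPLE_CHAIN = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "mail.example.com."),
    ("mail.example.com.", "www.example.com."),
    ("www.example.com.", "example.com."),  # wraps back to the apex
]

if __name__ == "__main__":
    for q in ("b.example.com.", "zzz.example.com.", "www.example.com."):
        print(q, proves_nxdomain(EXAMPLE_CHAIN, q, "example.com."))
```

The same owner-to-next walk is what makes zone walking possible: each NSEC reveals the next existing name, which is why NSEC3 hashes the owner names instead.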
NXDOMAIN Hijacking by ISPs
Some ISPs intercept NXDOMAIN responses and redirect them to their own search or advertising pages. This is called NXDOMAIN hijacking or DNS hijacking at the ISP level. While not an attack in the traditional sense, it breaks applications that depend on receiving genuine NXDOMAIN responses and can interfere with email delivery and other DNS-dependent services.
Using encrypted DNS (DoH or DoT) or a third-party resolver like Cloudflare (1.1.1.1) or Google (8.8.8.8) bypasses ISP-level NXDOMAIN hijacking.
When NXDOMAIN Is Expected
Not every NXDOMAIN is a problem. Some common cases where NXDOMAIN is the correct response:
- Anti-spam checks: Email servers query DNS for sender domains. NXDOMAIN is expected for nonexistent sender domains and correctly triggers spam rejection.
- DNSBL lookups: DNS-based blocklists return NXDOMAIN for IPs that are not listed (i.e., not blocked). This is the "clean" result.
- Certificate validation: Some certificate authorities query specific DNS names during domain validation. NXDOMAIN is expected when those challenge records are not present.
- Subdomain scanning defense: When security researchers or attackers probe for subdomains, NXDOMAIN for nonexistent names is the correct, expected response.
For more foundational DNS knowledge, see Understanding DNS Record Types and What Is DNS Propagation?. For security implications of NXDOMAIN, see the Complete Guide to DNS Attacks and DNS Security.
