Articles

Fix DNS "Timed Out Resolving" Errors (2026)

April 16, 2026 5 min read

A DNS resolver timed out because it couldn’t get a response from an upstream DNS server within its configured deadline.

This usually happens because the upstream server is unreachable, overloaded, or misconfigured, preventing the resolver from translating domain names into IP addresses.

Cause 1: Upstream DNS Server Unreachable

  • Diagnosis: Ping the upstream DNS server’s IP address from the machine running the DNS resolver.
    ping 8.8.8.8
    If you see "Request timed out" or a high packet loss percentage, the server is unreachable.
  • Fix: Verify network connectivity to the upstream server. Check firewall rules on both your network and the upstream server’s network. Ensure routing is correctly configured. For example, if your resolver is on 192.168.1.10 and the upstream is 8.8.8.8, ensure your gateway 192.168.1.1 knows how to route to 8.8.8.8.
  • Why it works: DNS resolution relies on the client and server being able to communicate. If the network path is broken, packets are dropped, and the timeout occurs because no response is received.

Cause 2: Upstream DNS Server Overloaded/Unresponsive

  • Diagnosis: Use dig or nslookup to query the upstream server directly and observe the response time.
    dig @8.8.8.8 google.com
    If the query takes longer than 5 seconds (the common default timeout for many resolvers) or fails with a timeout error, the upstream server is likely overloaded.
  • Fix: Switch to a different, more reliable upstream DNS server. Many public DNS providers exist, like Cloudflare (1.1.1.1, 1.0.0.1) or OpenDNS (208.67.222.222, 208.67.220.220). Update your resolver’s configuration to use these IPs. For BIND, this would be in named.conf’s options block:
    options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    forwarders {
        1.1.1.1;
        1.0.0.1;
    };
    // ... other options
};
  • Why it works: By pointing your resolver to a less busy or more performant server, you reduce the chance of hitting the latency threshold that triggers the timeout.

Cause 3: Incorrect Upstream DNS Server Configuration

  • Diagnosis: Double-check the IP addresses of your configured upstream DNS servers in your resolver’s configuration file. A typo can lead to attempting to contact a non-existent IP. For example, in /etc/resolv.conf on Linux:
    nameserver 8.8.8.8
nameserver 1.1.1.1
    If 8.8.8.8 was mistyped as 8.8.8.0, it would fail.
  • Fix: Correct any typographical errors in the forwarders or nameserver directives in your DNS server’s configuration. After correcting, reload or restart the DNS service. For BIND:
    sudo systemctl reload named
    For dnsmasq:
    sudo systemctl reload dnsmasq
  • Why it works: DNS resolution requires valid IP addresses to query. Correcting misconfigured IPs ensures the resolver attempts to contact actual, functioning DNS servers.

Cause 4: Local Firewall Blocking Outbound DNS Traffic

  • Diagnosis: Use tcpdump or wireshark on the DNS resolver machine to capture outbound traffic on UDP port 53 (and TCP port 53, as DNS can use TCP).
    sudo tcpdump -i any udp port 53 -n
    If you see packets being sent but no corresponding replies, and you’ve confirmed the upstream server is reachable and responsive via other means, your local firewall might be blocking the replies.
  • Fix: Configure your local firewall (e.g., iptables, firewalld, ufw) to allow outbound UDP and TCP traffic on port 53 to your upstream DNS servers. For iptables:
    sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
  • Why it works: Firewalls can inadvertently block DNS responses. Allowing this traffic ensures that the replies from upstream servers can reach your resolver.

Cause 5: DNS Resolver Software Issues or Misconfiguration

  • Diagnosis: Check the logs of your DNS resolver software (e.g., BIND, Unbound, dnsmasq) for specific error messages related to upstream queries or timeouts. For BIND, check /var/log/syslog or /var/log/messages for named entries. For Unbound, check its log file.
  • Fix: Sometimes, the resolver’s internal timeout settings might be too aggressive for your network conditions. For Unbound, you can adjust the timeout option in unbound.conf:
    server:
    # ... other settings
    timeout: 10  # Increase timeout from default 5 seconds
    Restart the service after changes.
  • Why it works: The DNS resolver’s internal timeout value dictates how long it waits for a response. Increasing this value can accommodate slower network links or temporarily busy upstream servers, preventing false positives for timeouts.

Cause 6: Network Latency or Packet Loss

  • Diagnosis: Use mtr (My Traceroute) to check for packet loss or high latency along the path to your upstream DNS servers.
    mtr 8.8.8.8
    Look for a high percentage of packet loss or increasing latency as the packets hop through the network.
  • Fix: If significant packet loss or latency is identified on your network segment, troubleshoot your local network infrastructure (routers, switches, cabling). This might involve replacing faulty hardware or optimizing network traffic. If the issue is with your ISP, contact them.
  • Why it works: High latency or packet loss means DNS queries and their responses take too long to travel, exceeding the resolver’s timeout threshold. Improving network stability resolves this.

The next error you’ll likely encounter after fixing DNS timeouts is a "SERVFAIL" response, indicating that a DNS server received a query but could not provide a valid answer, often due to issues with authoritative servers or DNSSEC validation failures.

Want structured learning?

Take the full Dns course →