Articles

Fix DNS "Unexpected RCODE SERVFAIL" While Resolving (2026)

April 16, 2026 6 min read

The DNS resolver is failing to get a valid response from an authoritative DNS server because the authoritative server is misconfigured or unreachable.

Here are the common causes and how to fix them:

  1. Incorrect NS Record on Parent Zone: The authoritative name server (NS) record for your domain on the parent zone (e.g., .com for example.com) is pointing to the wrong name server or an IP address that doesn’t host your domain.

    • Diagnosis: Use dig to query the parent zone for your NS records. For example.com, you’d run:
      dig NS example.com +short
      This will show you the names of the authoritative servers registered for your domain. Then, for each of those servers, query for its A record:
      dig A ns1.your-dns-provider.com +short
      Compare the IP addresses returned with what your DNS provider actually has configured for those name servers.
    • Fix: Log into your domain registrar or DNS provider’s control panel and correct the NS records for your domain to match the actual authoritative name servers provided by your DNS hosting service. Ensure the A/AAAA records for these NS records are also correctly registered with the registrar.
    • Why it works: The DNS hierarchy relies on parent zones pointing correctly to child zones’ authoritative servers. If these pointers are wrong, the resolver can’t find the server responsible for answering queries about your domain.

  2. Authoritative Server Not Responding on Correct IP/Port: The authoritative name server is running, but it’s not listening on the IP address or UDP/TCP port (usually 53) that the parent zone or the resolver is trying to reach. This can happen after an IP address change or a firewall rule modification.

    • Diagnosis: From a machine that can reach the internet, attempt to connect to the authoritative name server’s IP address on port 53 using telnet or nc (netcat):
      telnet your.auth.server.ip 53
      If it connects, you’ll see a blank screen or some garbage characters. If it times out, the server is unreachable on that port. Also, check the server’s own configuration (e.g., named.conf for BIND) to ensure it’s bound to the correct IP address and listening on port 53.
    • Fix: Ensure your authoritative DNS server is configured to listen on the correct IP address and that firewall rules on the server and network allow incoming traffic on UDP and TCP port 53. Restart the DNS service after making changes.
    • Why it works: The DNS protocol relies on being able to communicate with the authoritative server. If the server isn’t listening or is blocked by a firewall, it cannot respond to queries, leading to SERVFAIL.

  3. Authoritative Server Not Responding to Queries for the Specific Zone: The authoritative server is up and reachable, but it’s misconfigured and not serving the zone you’re querying for. This is common if you’ve added or removed zones without restarting the DNS service, or if the zone file itself has errors preventing it from loading.

    • Diagnosis: Use dig to query your authoritative server directly for a record in your zone:
      dig @your.auth.server.ip example.com A +short
      If this fails with a SERVFAIL or an empty answer, but queries for other zones on the same server work, the problem is with this specific zone. Check the DNS server’s logs for errors related to loading your zone file (e.g., named logs for BIND).
    • Fix: Ensure your zone file is syntactically correct and that the DNS server has loaded it successfully. Check the server’s configuration to make sure the zone is correctly defined (e.g., zone "example.com" { type master; file "db.example.com"; }; in BIND). Reload or restart the DNS service.
    • Why it works: The authoritative server must be able to parse and serve the zone data. If the zone file is malformed or the server isn’t configured to serve it, it can’t provide answers.

  4. DNSSEC Issues (NSEC/NSEC3 Record Mismatch or Signature Expiry): If DNSSEC is enabled, incorrect or expired DNSSEC records (like RRSIG, NSEC, NSEC3) or a mismatch between the Zone Signing Key (ZSK) and Key Signing Key (KSK) can cause SERVFAIL.

    • Diagnosis: Use dig +dnssec to query your zone and examine the DNSSEC records.
      dig @your.auth.server.ip example.com A +dnssec +short
      Look for expired signatures (RRSIG records with expiration dates in the past) or issues with NSEC/NSEC3 records indicating a broken chain of trust. Tools like dnsviz.net can also be invaluable for visualizing DNSSEC validation paths.
    • Fix: Re-sign your zone files with correct keys and ensure the DNSSEC configuration is consistent. If using automated tools for DNSSEC management, verify their operation and key rotation. Correct any expired signatures or cryptographic errors.
    • Why it works: DNSSEC validation requires a complete and valid chain of cryptographic signatures. If any part of this chain is broken or expired, validating resolvers will return SERVFAIL to indicate that the data cannot be trusted.

  5. Rate Limiting or IP Blocking by Authoritative Server: The authoritative server might be intentionally dropping or rejecting queries from specific IP addresses (like a recursive resolver’s IP) if it detects what it considers abusive traffic, or if there’s an overly aggressive firewall blocking.

    • Diagnosis: Check the logs on your authoritative DNS server for any entries indicating dropped queries, blocked IPs, or rate-limiting events corresponding to the IP address of the recursive resolver experiencing the SERVFAIL.
    • Fix: Adjust the rate-limiting configurations on your authoritative DNS server or firewall. If the recursive resolver’s IP has been mistakenly blocked, remove it from any blocklists.
    • Why it works: Some DNS servers implement security measures that can block legitimate queries if they appear to be part of a denial-of-service attack. Incorrect configuration here can lead to SERVFAIL for valid clients.

  6. Round Robin DNS Misconfiguration (or Lack of Redundancy): If you’re using round-robin DNS for multiple servers and one of the IP addresses listed for a record is actually unreachable or blackholed, queries for that record might intermittently fail if the resolver happens to pick the bad IP.

    • Diagnosis: List all A records for a hostname:
      dig example.com A +short
      Then, attempt to ping or telnet to each IP address returned to ensure they are all reachable and responding.
    • Fix: Remove any IP addresses from your DNS records that are not actively serving traffic or are otherwise unreachable. Ensure all listed IPs are valid and healthy.
    • Why it works: When multiple IPs are returned for a single hostname, resolvers often pick one at random. If one of those IPs is dead, queries directed to it will fail, potentially resulting in a SERVFAIL if the resolver cannot retry or get another IP.

The next error you’ll likely hit if you haven’t fixed the underlying issue is NXDOMAIN, as the resolver eventually gives up trying to find the domain information altogether.

Want structured learning?

Take the full Dns course →