A DNS error means your browser or device could not translate a domain name (like example.com) into the IP address it needs to connect to the actual server. The request never reaches the website because name resolution fails first. DNS errors can come from your own network (your ISP, router, or device), from the authoritative DNS servers for the domain, or from the domain itself being misconfigured or no longer registered.

What does DNS_PROBE_FINISHED_NXDOMAIN mean?

DNS_PROBE_FINISHED_NXDOMAIN is Chrome’s way of surfacing the DNS response code NXDOMAIN, which means "this name does not exist." Either you mistyped the URL, the domain expired, or the authoritative DNS servers are returning a definitive "no such record." The DNS lookup succeeded, the answer was simply negative.

What is the difference between NXDOMAIN and SERVFAIL?

NXDOMAIN is a definite answer: the name does not exist. SERVFAIL is an inconclusive answer: the resolver could not complete the lookup, usually because the authoritative server timed out, returned garbage, or failed DNSSEC validation. NXDOMAIN points at the domain, SERVFAIL points at the DNS infrastructure serving it.

Why does my browser say "DNS error" but other sites work fine?

If one site fails and every other site resolves, the problem is specific to that site’s DNS, not your network. Possibilities: the domain owner deleted or mistyped a DNS record, DNSSEC is failing for that zone, a recent DNS change has not propagated yet, or the authoritative DNS provider for that domain is down. Check with dig @1.1.1.1 example.com to see what the authoritative answer actually is.

Can a DNS error cause "your connection is not private"?

Yes, indirectly. If a DNS hijack or DNS spoofing points the hostname at the wrong IP, the TLS certificate presented by that IP will not match, and the browser will block the connection with a certificate name-mismatch error. The surface symptom is an SSL warning, but the root cause is DNS. Verify with dig or nslookup that the returned IP matches what the real origin should be serving.

How do I fix a DNS error on PS5 or Xbox?

On PS5, go to Settings > Network > Settings > Set Up Internet Connection, pick your connection, press Options > Advanced Settings, set DNS Settings to Manual, and enter Primary DNS 1.1.1.1 and Secondary 8.8.8.8. On Xbox, Settings > Network settings > Advanced settings > DNS settings > Manual, same values. Save and run the connection test. Switching from the console’s default ISP DNS to a public resolver fixes most console DNS errors.

How can site owners prevent DNS errors?

Keep registrar auto-renew on, use at least two geographically distributed authoritative DNS providers, avoid single-NS-provider failure modes, lower TTL before planned changes and raise it back after, and monitor DNS records continuously. A DNS monitoring service resolves your domain from multiple global regions every minute and alerts when records change, NS becomes unreachable, or the TTL suddenly spikes, well before users start seeing errors.

What is the difference between a DNS error and "DNS server not responding"?

"DNS server not responding" is one specific flavor of DNS error, where your own configured resolver is unreachable (ISP DNS down, router DNS relay stuck, firewall blocking port 53). A DNS error is the broader category that also includes NXDOMAIN (the name does not exist), SERVFAIL (the authoritative server failed), REFUSED (the authoritative server refused to answer), and timeouts anywhere in the resolution chain.

Back to Blog

DevOps Guide

What Is a DNS Error? Meaning, Causes, and How to Fix It

A DNS error means the step that turns a domain name into an IP address failed before the request ever left your network. This guide covers the real DNS response codes (NXDOMAIN, SERVFAIL, REFUSED), the Chrome surface messages (DNS_PROBE_FINISHED_NXDOMAIN, ERR_NAME_NOT_RESOLVED), the overlap with “your connection is not private,” and how to fix one whether you are a visitor, a site owner, or on a PS5.

Rai Ansar · DevOps Engineer, Founder & Lead DeveloperApril 19, 202612 min read

I run production monitoring on bare metal and spend a lot of time looking at DNS logs. “DNS error” is one of the most overloaded phrases in web support. It covers at least six different underlying failures, each with a different fix, and browsers do a mediocre job of telling you which one you just hit.

I wrote a companion piece on DNS server not responding which covers the specific case where your own resolver is unreachable. This guide is broader: everything the phrase “DNS error” can actually mean, how to read the error message you were given, and how to fix it from the right layer instead of blindly flushing a cache that was never the problem.

1. What a DNS Error Actually Is

Every time you type a domain name, your device has to translate it into an IP address before any bytes of HTTP can flow. That translation is the Domain Name System. A DNS error is any failure during that translation step. The request never reaches the website, because the device literally does not know where to send it yet.

Four servers are usually in the picture for a single lookup:

The stub resolver on your device (the operating-system DNS client).
A recursive resolver you are configured to use (your ISP, your router, or a public resolver like 1.1.1.1).
The root and TLD servers, which point the resolver toward whoever is authoritative for a zone.
The authoritative server for the domain itself, which actually holds the A, AAAA, MX, TXT, CNAME, and NS records.

A DNS error can originate at any of those layers. That is why the fix depends on which layer broke, and why “just flush your DNS cache” works one time in five. The browser collapses all of those failure modes into a single short string, so the first job when you hit a DNS error is to figure out which layer the message actually came from.

2. The Six DNS Response Codes You Actually See

RFC 1035 defines the DNS response codes (RCODEs) that every authoritative server uses to answer a query. There are sixteen in the registry, but only six are common in the wild. Everything browsers, consoles, and operating systems call a “DNS error” maps back to one of these.

RCODE	Meaning	What it actually points at
NOERROR (0)	Success	The lookup worked. If the browser still errors, the DNS layer is fine and something else broke (TCP, TLS, HTTP).
FORMERR (1)	Format error	The query itself was malformed. Almost always a client or library bug, not something a visitor triggers.
SERVFAIL (2)	Server failure	The resolver could not complete the lookup. Authoritative server timed out, returned junk, or failed DNSSEC validation. Points at DNS infra, not the domain.
NXDOMAIN (3)	Name does not exist	Definite answer: this name is not registered or has no records. Domain expired, typo, or deleted record.
NOTIMP (4)	Not implemented	The authoritative server does not support the query type (rare in modern DNS). Retry with a different record type or resolver.
REFUSED (5)	Refused	The authoritative server refused to answer. Usually ACLs, firewall rules, or the server simply is not authoritative for the zone you queried.

Two of these do most of the damage in practice. NXDOMAIN means the domain’s authoritative answer was “this does not exist,” which is a content problem, not an infrastructure problem. SERVFAIL means the resolver could not get a useful answer back, which is an infrastructure problem, not a content problem. Treating them the same is how a five-minute incident becomes a three-hour one.

3. Chrome Error Messages and What They Really Mean

Chrome (and the rest of Chromium: Edge, Brave, Opera) dresses DNS failures with its own error names. The surface text does not always match the underlying RCODE cleanly. Here is how to translate the most common Chrome messages back to what the DNS layer actually said.

DNS_PROBE_FINISHED_NXDOMAIN

The authoritative DNS answered NXDOMAIN. The name does not exist. Check typos, domain registration status, and whether an A/AAAA record is missing.

DNS_PROBE_FINISHED_NO_INTERNET

Chrome tried to resolve the name, the underlying connection never came back, and Chrome cannot reach any DNS at all. Most often the device is offline or the resolver is blocked.

DNS_PROBE_FINISHED_BAD_CONFIG

Chrome decided the configured DNS setup on the machine is broken. Switching to a public resolver (1.1.1.1 or 8.8.8.8) fixes most of these.

ERR_NAME_NOT_RESOLVED

The generic Chromium error for "no address came back." Underlying cause is the same as NXDOMAIN or a resolver timeout; the message just drops the specifics.

ERR_CONNECTION_TIMED_OUT (after DNS)

Not a DNS error strictly. DNS returned an IP, but the TCP connection to that IP never opened. Common when DNS is pointing at an old or misconfigured origin. Worth checking after ruling out DNS.

NET::ERR_CERT_COMMON_NAME_INVALID

SSL error on the surface, DNS-shaped underneath. The IP returned by DNS is serving a certificate for a different hostname. Classic symptom of a stale A record or DNS hijack.

Firefox and Safari use different wording (“Server not found,” “Safari can’t find the server”) but sit on top of the same resolver APIs. The underlying DNS layer is the same regardless of browser. When Chrome says DNS_PROBE_FINISHED_NXDOMAIN and Firefox says “Server not found” on the same URL, you are looking at one DNS failure, not two.

4. DNS Errors That Look Like “Your Connection Is Not Private”

A huge category of “DNS errors” people report actually surface as SSL warnings. The browser says “your connection is not private” or shows NET::ERR_CERT_COMMON_NAME_INVALID, and the obvious instinct is to blame the certificate. In a large fraction of these cases the certificate is fine, and the DNS layer is pointing at the wrong server entirely.

The sequence goes like this. DNS resolves example.com to an IP. The browser connects to that IP. The server at that IP presents a TLS certificate. The browser checks whether the certificate matches the hostname the user typed. If it does not match, the browser aborts and surfaces a certificate warning. The DNS step “succeeded” in the sense that it returned an answer, but it returned the wrong answer, and the downstream damage is visible as an SSL problem.

Three patterns cause this:

Stale A record. The site moved to a new host but the DNS still points at the old one. The old IP is now serving a different site entirely, with a certificate for a different hostname.
DNS hijack at the network layer. A compromised router, a malicious ISP DNS, or a captive portal rewrites DNS answers. The browser gets pointed at an IP the attacker chose.
Split-horizon mismatch. An internal DNS returns a private IP that resolves to something other than the real public origin, common on corporate networks using SSL-inspection proxies.

If the SSL warning goes away when you query a different DNS resolver, the root cause was DNS, not TLS. Worth checking before reissuing a certificate for a site whose cert was already valid. For the pure certificate cases, my SSL error guide covers the full matrix.

5. If You’re a Visitor: What You Can Actually Do

Most visitor-side DNS errors are local (your device, router, or resolver), not the site’s fault. Work through these in order. Each step either fixes it or narrows the cause.

Step 1. Try the site on a different network

Tether off mobile data. If the site loads on cellular but not your WiFi, the problem is your home router, ISP, or local resolver, not the site.

Step 2. Flush your OS and browser DNS cache

A stale negative cache (your machine remembering “this name did not exist”) can survive long after the site is reachable again.

# macOS
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

# Windows (admin CMD)
ipconfig /flushdns

# Chrome internal cache
chrome://net-internals/#dns  ->  Clear host cache

Step 3. Switch to a public resolver

Set your device or router DNS to Cloudflare (1.1.1.1, 1.0.0.1) or Google (8.8.8.8, 8.8.4.4). This single change fixes most ISP-resolver and “DNS server not responding” cases in one shot. Cloudflare is usually the fastest; Google is usually the most tolerant of odd zones.

Step 4. Test resolution with dig or nslookup

Force a lookup against a known-good resolver. If this works but your browser still errors, the problem is local caching or HSTS, not DNS.

dig @1.1.1.1 example.com
nslookup example.com 8.8.8.8

Step 5. Restart the router, then the modem

Unplug both, wait 30 seconds, plug the modem in first, wait for it to fully come up, then the router. A stuck DNS-proxy state in consumer router firmware is far more common than it should be.

Step 6. Disable VPN, proxy, and browser extensions temporarily

VPN clients, DNS-over-HTTPS extensions, and some adblockers intercept DNS. If turning them off clears the error, one of those is rewriting your lookups or pointing at a broken resolver.

6. If You Run the Site: Where to Look First

If visitors are hitting DNS errors, the diagnosis tree looks different. You need to know whether the authoritative DNS is answering correctly, and if it is, whether the answer has reached the resolvers users actually hit.

Start with the authoritative layer. Query the nameservers listed for your zone directly, not through a recursive resolver:

# Get the NS records for your zone
dig NS example.com +short

# Ask each NS directly for the A record
dig @ns1.example.com A example.com
dig @ns2.example.com A example.com

# Check SERVFAIL signals (DNSSEC, delegation)
dig example.com +dnssec
dig example.com +trace

A few concrete patterns account for most site-owner DNS errors:

Expired domain. Nothing fixes this except renewing at the registrar. NXDOMAIN across every resolver, everywhere.
Broken DNSSEC. A signing mistake, a rolled key not picked up by the parent, or a mismatched DS record produces SERVFAIL on validating resolvers (1.1.1.1, 8.8.8.8) but may still work on non-validating ones. Users on major resolvers see the error; you on your workstation might not.
Missing or mistyped record. Someone edited the zone and removed the A record for the apex, or pointed a CNAME at a name that no longer exists. Verify with dig A example.com directly against the authoritative NS.
TTL timebomb. A record was changed, but the old TTL was a day long. Users with fresh lookups see the new answer; users with cached old answers see the old IP (now dead) and get errors until the TTL expires.
NS delegation drift. The registrar’s glue records point at different NS hostnames than your provider actually uses. Lookups chase the bad delegation and time out.
Single NS provider outage. All your authoritative NS are at one provider, and that provider is having a day. This is why “use two NS providers” is standard advice for anyone past hobby scale.

Once the authoritative answer is right, verify propagation. A tool like dnschecker.org queries recursive resolvers around the world. If 90% of regions return the new record and 10% still return the old one, you are mid-propagation and the answer is simply “wait out the TTL.”

7. PS5, Xbox, Smart TVs: DNS Errors on Consoles

Consoles and smart TVs fail at DNS more often than laptops do, for a simple reason: the device usually inherits whatever DNS the router handed out, and a lot of consumer routers hand out their own IP as the DNS server (a built-in DNS proxy that is often worse than the ISP’s upstream). Fix it by overriding DNS on the device.

PS5 DNS error fix

Settings → Network → Settings → Set Up Internet Connection
Pick your connection → Options → Advanced Settings
DNS Settings: Manual
Primary DNS: 1.1.1.1
Secondary DNS: 8.8.8.8
Save, then run the connection test

Xbox DNS error fix

Settings → Network settings → Advanced settings
DNS settings: Manual
Primary IPv4 DNS: 1.1.1.1
Secondary IPv4 DNS: 8.8.8.8
Save and restart the console

Wired Ethernet instead of WiFi also helps on consoles. Many “DNS error” reports on PS5 or Xbox turn out to be WiFi packet loss interacting badly with UDP DNS retries, not a real name resolution issue.

8. Diagnosing a DNS Error with dig and nslookup

Browser errors hide the useful data. dig shows you the actual RCODE, which resolver answered, the TTL, whether DNSSEC validated, and the full path of the lookup. If you only learn one diagnosis tool, learn this one.

# Basic A-record lookup against a specific resolver
dig @1.1.1.1 example.com

# Force a +trace to walk root -> TLD -> authoritative
dig example.com +trace

# Check if DNSSEC validation is the problem
dig example.com +dnssec +cd    # +cd disables validation
dig example.com +dnssec        # with validation; compare RCODEs

# Look up every record type at once
dig example.com ANY

# MX records (often broken independently of A records)
dig example.com MX

# Reverse DNS (sanity-check an IP belongs to the hostname)
dig -x 93.184.216.34

Read the output’s status: field. That is the RCODE. NOERROR means DNS succeeded, and any error you see is downstream. NXDOMAIN, SERVFAIL, and REFUSED each point at a different fix.

For Windows users without dig, nslookupships with the OS and gives you the essentials. PowerShell’s Resolve-DnsName example.com -Server 1.1.1.1is a closer match to dig’s output if you want structured detail.

9. How to See DNS Errors Before Your Users Do

The thing that makes DNS errors painful is not the error itself, it is the lag between the first user hitting one and someone on your team finding out. A broken DNS record can stay broken for hours before a human types the URL and notices. Continuous DNS monitoring closes that gap.

Catching DNS errors externally

Visual Sentinel resolves your domain from EU and US regions every check interval, tracks A, AAAA, MX, CNAME, TXT, and NS records, and alerts the moment a record changes, disappears, or stops resolving. Uptime checks identify as VisualSentinelBot/2.0 (whitelist-safe). Alerts fire to email, Slack, Discord, Telegram, WhatsApp, or webhook.

Set up free DNS monitoring

Structurally, the practices that cut DNS-error incidents over time: keep registrar auto-renew on, use two authoritative DNS providers on different infrastructure, lower TTLs 24 hours before planned record changes and raise them back afterwards, sign your zone with DNSSEC but test the signing chain before publishing DS records, and monitor NS reachability along with the records themselves. Most outages attributed to “DNS error” in a post-mortem trace back to one of those five missing.

10. Frequently Asked Questions

Related Guides

How to Fix DNS Server Not Responding

The deeper dive on the one specific DNS failure where your own resolver is unreachable. Step-by-step fixes for Windows, Mac, PS5, and WiFi.

What Is an SSL Error and How to Fix It

The companion to section 4 above. When “your connection is not private” really is a certificate issue, not a DNS one, start here.

What Is 502 Bad Gateway and How to Fix It

DNS returned an IP, the proxy reached the origin, and the origin broke. That is a 502, not a DNS error. Full diagnosis tree inside.

Common Website Error Codes Explained

4xx vs 5xx, when each one shows up, when to alert, and how each class reads in your monitoring dashboard.

Rai Ansar

DevOps Engineer, Founder of Visual Sentinel

I run production monitoring on bare metal and spend most of my time thinking about why DNS looks fine on my workstation while real users are hitting SERVFAIL. Visual Sentinel exists because “works for me” is the worst possible answer to a DNS incident, and external checks from multiple regions are the only reliable way to see what your users see. More from Rai.

GitHub LinkedIn More guides Visual Sentinel