Introduction

When a DNS resolver receives an NXDOMAIN response (the name does not exist), it caches that negative answer just as it would a positive one. The caching duration is the lower of the SOA record's minimum TTL field and the TTL of the SOA record that the authoritative server returns in the negative response (RFC 2308). If the SOA minimum TTL is set to 86400 (24 hours), a newly created subdomain will not resolve for up to 24 hours for users whose resolvers cached the NXDOMAIN response before the record was created. This is a common issue when creating new subdomains or services after the initial DNS zone deployment.

Symptoms

  • New subdomain returns NXDOMAIN despite being created in DNS
  • dig new.example.com @authoritative-ns resolves correctly
  • dig new.example.com @8.8.8.8 returns NXDOMAIN
  • Record exists in DNS management console but does not resolve for users
  • dig +nocmd new.example.com +noall +comments shows status: NXDOMAIN

Common Causes

  • SOA record minimum TTL (the last field) set too high (e.g., 86400)
  • Client or ISP resolver cached the NXDOMAIN before the record was created
  • Negative cache TTL in Windows DNS server set to the default 1 hour
  • Application-level DNS cache holding stale NXDOMAIN entries
  • DNS resolver not respecting the updated record until negative cache expires

Step-by-Step Fix

  1. Check the SOA record minimum TTL:

```bash
dig example.com SOA +noall +answer
# Output: example.com. 3600 IN SOA ns1.example.com. admin.example.com. (
#     2024010101 ; serial
#     3600       ; refresh
#     900        ; retry
#     604800     ; expire
#     86400 )    ; minimum TTL (NEGATIVE CACHE TTL)
# The last value (86400) is the SOA minimum TTL; the effective negative cache
# TTL is the lower of this value and the SOA record's own TTL (3600 here).
```

  2. Reduce the SOA minimum TTL for the zone (BIND shown here):

```bash
# Edit the zone file
sudo nano /etc/bind/zones/example.com.zone
```

Change the last value in the SOA record and increment the serial so that secondaries pick up the change:

```
; SOA record
@ IN SOA ns1.example.com. admin.example.com. (
    2024010102 ; serial (increment!)
    3600       ; refresh
    900        ; retry
    604800     ; expire
    300 )      ; minimum TTL - reduced to 5 minutes
```

Then reload the zone:

```bash
sudo rndc reload example.com
```

Resolvers that have already cached the NXDOMAIN keep it until the old TTL expires; the lower value only applies to negative responses served from now on.

  3. Flush the negative cache on your DNS server:

```bash
# Windows DNS Server:
dnscmd /ClearCache

# BIND/named:
sudo rndc flush

# Unbound:
sudo unbound-control flush_zone example.com
```

  4. Flush the negative cache on the client:

```bash
# Windows:
ipconfig /flushdns

# macOS:
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

# Linux (systemd-resolved); older releases ship systemd-resolve, newer ones resolvectl:
sudo systemd-resolve --flush-caches
sudo resolvectl flush-caches
```

  5. Bypass caching resolvers to verify the record exists:

```bash
# Query the authoritative server directly
dig new.example.com @ns1.example.com +noall +answer
# If this returns the record, the issue is negative caching
```

  6. For applications, restart or flush the application-level DNS cache:

```bash
# Restart the application to clear its DNS cache
sudo systemctl restart myapp
# Or use the application's DNS cache flush command if available
```
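An added example, not part of the original article: a small Python checker for step 1 that parses the single-line answer dig prints for `dig example.com SOA +noall +answer` (without +multiline), applies the "whichever is lower" rule from the introduction, and flags zones whose effective negative cache TTL exceeds the 300-second target from the Prevention section. The embedded dig output is constructed to match the SOA values shown in step 1.

```python
import re
from dataclasses import dataclass

# Constructed sample: the single-line answer dig prints for
# `dig example.com SOA +noall +answer` (no +multiline), same values as step 1.
SAMPLE_DIG_ANSWER = (
    "example.com.\t\t3600\tIN\tSOA\tns1.example.com. admin.example.com. "
    "2024010101 3600 900 604800 86400\n"
)

_SOA_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+\S+\s+\S+\s+"
    r"(?:\d+\s+){4}(?P<minimum>\d+)\s*$"  # serial refresh retry expire minimum
)

@dataclass(frozen=True)
class SoaInfo:
    zone: str
    record_ttl: int  # TTL of the SOA resource record itself
    minimum: int     # last SOA field, the "minimum TTL"

    @property
    def negative_cache_ttl(self) -> int:
        # RFC 2308: NXDOMAIN is cached for the lower of the SOA MINIMUM field
        # and the TTL of the SOA record carried in the negative response.
        return min(self.record_ttl, self.minimum)

def parse_dig_soa(output: str) -> SoaInfo:
    """Parse the answer section of `dig <zone> SOA +noall +answer`."""
    for line in output.splitlines():
        m = _SOA_RE.match(line.strip())
        if m:
            return SoaInfo(m["name"], int(m["ttl"]), int(m["minimum"]))
    raise ValueError("no SOA record found in dig output")

def check_negative_ttl(output: str, max_seconds: int = 300) -> dict:
    # Flag zones whose effective negative cache TTL exceeds the target
    # (300 s is the value recommended under Prevention).
    soa = parse_dig_soa(output)
    ttl = soa.negative_cache_ttl
    return {
        "zone": soa.zone,
        "soa_ttl": soa.record_ttl,
        "minimum": soa.minimum,
        "negative_cache_ttl": ttl,
        "too_high": ttl > max_seconds,
    }

if __name__ == "__main__":
    print(check_negative_ttl(SAMPLE_DIG_ANSWER))
```

Pipe real dig output into `check_negative_ttl` to audit several zones at once; a zone whose SOA TTL is already low will report a small negative cache TTL even if its minimum field is 86400.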

Prevention

  • Set the SOA minimum TTL to 300 seconds (5 minutes) for zones that change frequently
  • Create DNS records before announcing them to users to avoid initial NXDOMAIN caching
  • Use DNS providers with low negative cache TTLs by default
  • Implement pre-creation of DNS records for planned services and subdomains
  • Monitor DNS resolution from multiple external resolvers to detect negative caching