Introduction

A DNS SERVFAIL (Server Failure, response code 2) indicates that the recursive resolver cannot obtain a valid response from the authoritative nameservers for a domain. This is fundamentally different from NXDOMAIN (which means the domain does not exist). SERVFAIL means the domain should exist but the authoritative servers are unreachable, misconfigured, or returning errors. This causes complete resolution failure for all records under the affected domain.

Symptoms

  • dig example.com returns SERVFAIL in the status line
  • dig example.com shows NOERROR but dig example.com @8.8.8.8 returns SERVFAIL
  • nslookup example.com returns ** server can't find example.com: SERVFAIL
  • Website unreachable, with the browser reporting DNS_PROBE_FINISHED_NXDOMAIN (misleading: the underlying DNS response is SERVFAIL, not NXDOMAIN)
  • All subdomains fail to resolve, not just a specific record

Common Causes

  • All authoritative nameservers for the domain are unreachable
  • DNS zone expired or was not transferred to secondary nameservers
  • NS records point to nameservers that no longer serve the zone
  • DNSSEC validation failure on the authoritative server
  • Glue records (A/AAAA for nameservers) missing or incorrect

Step-by-Step Fix

  1. Verify the SERVFAIL is from the authoritative servers:

```bash
# Query Google's public resolver
dig example.com @8.8.8.8 +noall +comments
# Query the authoritative server directly
dig example.com @ns1.example.com +noall +comments
```

  2. Check the NS delegation chain:

```bash
# Start from the root and follow each referral
dig example.com NS +trace
# Shows the full resolution path from root to authoritative servers
# Look for where the chain breaks
```

  3. Verify authoritative nameserver reachability:

```bash
# Get the NS records for the zone (as seen by your resolver)
dig example.com NS +short
# Test each NS server directly
for ns in $(dig example.com NS +short); do
  echo "=== $ns ==="
  dig example.com A @$ns +noall +comments +stats
done
```

  4. Check for DNSSEC validation failures:

```bash
dig example.com DNSKEY +dnssec
dig example.com RRSIG +dnssec
# If DNSSEC is enabled but the keys or signatures are invalid, validating resolvers return SERVFAIL
# Check with: dig +dnssec example.com @8.8.8.8
```

  5. Check glue records for nameserver IPs:

```bash
dig ns1.example.com A +short
# If the nameserver lives inside the zone it serves (as ns1.example.com does) and its IPs
# are not registered as glue at the parent, resolution fails
# Fix at the domain registrar
```

  6. Contact the DNS provider or registrar if authoritative servers are down:
     - Check the DNS provider's status page
     - Verify the zone is active and not expired
     - Ensure the NS records at the registrar match the DNS provider's nameservers
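The checks above can be scripted. The following is an added example, not part of the original guide; it assumes only `dig` is installed and uses 8.8.8.8 purely as an example validating resolver. It goes a little beyond the manual steps: it repeats the query with `+cd` (checking disabled) to separate a DNSSEC validation failure from unreachable or broken authoritative servers, and it checks whether each listed nameserver actually answers authoritatively (`aa` flag) rather than merely responding.

```bash
#!/bin/sh
# Added example (not from the original article): automate the SERVFAIL checks.
# Assumes only `dig` is available; 8.8.8.8 is just an example validating resolver.

# Extract the rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) from "dig +noall +comments" output on stdin.
dig_status() {
  sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if header flag $1 is set (aa = authoritative answer, ad = DNSSEC validated by resolver).
dig_has_flag() {
  grep -q "^;; flags:.* $1[ ;]"
}

# Combine the rcode of a normal (validating) query with the rcode of the same query sent with
# +cd (checking disabled), which makes the resolver skip DNSSEC validation.
classify_servfail() {
  validating=$1; unvalidated=$2
  if [ "$validating" = SERVFAIL ] && [ "$unvalidated" != SERVFAIL ]; then
    echo dnssec-validation-failure           # data is reachable but fails to validate
  elif [ "$validating" = SERVFAIL ]; then
    echo authoritative-unreachable-or-broken # even unvalidated lookups fail
  else
    echo resolves
  fi
}

# Live check (needs network): resolver view, +cd comparison, then every NS queried directly.
check_domain() {
  domain=$1; resolver=${2:-8.8.8.8}
  v=$(dig "$domain" A @"$resolver" +noall +comments | dig_status)
  c=$(dig "$domain" A @"$resolver" +noall +comments +cd | dig_status)
  echo "$domain via $resolver: status=$v status_cd=$c -> $(classify_servfail "$v" "$c")"
  # +cd so the NS list can still be fetched when validation is what is broken
  for ns in $(dig "$domain" NS @"$resolver" +cd +short); do
    out=$(dig "$domain" A @"$ns" +noall +comments +norecurse +time=3 +tries=1)
    s=$(printf '%s\n' "$out" | dig_status)
    if [ -z "$s" ]; then
      echo "  $ns: no response (unreachable or not answering)"
    elif printf '%s\n' "$out" | dig_has_flag aa; then
      echo "  $ns: $s, authoritative (aa set)"
    else
      echo "  $ns: $s, NOT authoritative for $domain (lame delegation)"
    fi
  done
}

if [ $# -gt 0 ]; then check_domain "$@"; fi
```

Run it as `sh check_servfail.sh example.com [resolver]`; a nameserver that answers without `aa` matches the "NS records point to nameservers that no longer serve the zone" cause above.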

Prevention

  • Use at least 3 authoritative nameservers on different networks
  • Monitor DNS resolution from multiple geographic locations
  • Set up alerts when SERVFAIL responses are detected for your domains
  • Use secondary DNS providers for redundancy (primary/secondary setup)
  • Test DNS resolution after any nameserver or zone configuration change