Introduction
NS (nameserver) records define which DNS servers are authoritative for your domain. When these records are incorrect, your domain essentially becomes unreachable because resolvers cannot find the servers that hold your DNS records. NS record problems manifest as partial failures, inconsistent behavior across resolvers, or complete domain resolution failure. The complexity comes from NS records existing at two levels: the parent zone (TLD servers) and your own zone file.
Symptoms
- Domain resolves from some networks but not others
- DNS checkers show different nameservers than what you configured
- `dig` returns SERVFAIL or delegation errors
- Your DNS provider shows correct configuration but external queries fail
- Mail delivery fails with "domain not found" errors
- SSL certificate validation fails intermittently
- WHOIS shows different nameservers than your DNS zone
Common Causes
- NS records at registrar don't match NS records in the zone file
- Glue records missing for nameservers within your own domain
- NS records point to nameservers that don't actually serve your zone
- Typographical errors in nameserver hostnames
- NS delegation to servers that haven't loaded your zone
- Mismatch between parent delegation and child zone NS records
- Expired or inactive nameserver domains
Step-by-Step Fix
- 1. Query the parent zone (TLD servers) to see what NS records are delegated.
```bash
# Find the authoritative servers for your TLD
dig yourdomain.com NS @a.gtld-servers.net

# For .com/.net domains, use gtld-servers
dig example.com NS @a.gtld-servers.net

# For .org domains
dig example.org NS @a0.org.afilias-nst.info

# For country-code domains, find their TLD servers
dig example.uk NS @ns1.nic.uk

# Look for the NS records in the authority section
# These are what the parent zone thinks your nameservers are
```
- 1. Query your own authoritative servers to see their advertised NS records.
```bash
# Query each nameserver listed by the parent.
# A TLD server answers with a referral, so the NS records are in the
# AUTHORITY section, which +short does not print.
for ns in $(dig example.com NS @a.gtld-servers.net +norec +noall +authority | awk '$4 == "NS" {print $5}'); do
  echo "NS records according to $ns:"
  dig @"${ns%.}" example.com NS +short
done

# Or if you know your expected nameservers
dig @ns1.yourdnsprovider.com example.com NS +short
dig @ns2.yourdnsprovider.com example.com NS +short
```
- 1. Compare parent delegation with child zone NS records for mismatches.
```bash
# Get parent delegation (read from the AUTHORITY section of the referral;
# +short prints only the answer section, which is empty here)
echo "Parent delegation (TLD servers):"
parent_ns=$(dig example.com NS @a.gtld-servers.net +norec +noall +authority | awk '$4 == "NS" {print $5}' | sort)
echo "$parent_ns"

# Get child zone NS records
echo -e "\nChild zone NS (authoritative servers):"
child_ns=$(dig @ns1.yourprovider.com example.com NS +short | sort)
echo "$child_ns"

# Compare - they should match exactly
echo -e "\nComparison:"
diff <(echo "$parent_ns") <(echo "$child_ns")
```
- 1. Check for missing glue records when nameservers are within your domain.
```bash
# If your nameservers are ns1.example.com and ns2.example.com
# You need glue A records at the parent zone

# Check for glue records at TLD
dig example.com NS @a.gtld-servers.net +additional

# The ADDITIONAL section should contain A records for ns1.example.com
# Example output:
# ;; ADDITIONAL:
# ns1.example.com. 172800 IN A 192.0.2.1
# ns2.example.com. 172800 IN A 192.0.2.2

# If missing, you need to add them at your registrar
```
- 1. Verify your nameservers actually respond authoritatively for your zone.
```bash
# Check each nameserver responds with authoritative answer
for ns in $(dig example.com NS +short); do
  echo "Testing ${ns%.}:"
  result=$(dig @"${ns%.}" example.com SOA)
  echo "$result" | grep -E "flags:.*aa" && echo " Authoritative: YES" || echo " Authoritative: NO"
  echo "$result" | grep "status:"
done

# The response should have the "aa" (authoritative answer) flag
# And status should be NOERROR
```
- 1. Test resolution from external resolvers to see real-world behavior.
```bash
# Test from multiple public DNS providers
# (with +trace, dig asks the named server only for the root NS set and then
# follows the delegation chain itself)
echo "Google DNS resolution:"
dig @8.8.8.8 example.com +trace

echo "Cloudflare DNS resolution:"
dig @1.1.1.1 example.com +trace

# The +trace flag shows the full delegation path
# Watch for:
# - Correct delegation at each level
# - Nameservers responding properly
# - No LAME delegation (server not authoritative)
```
- 1. Check for lame delegation where servers are listed but don't serve your zone.
```bash
# Lame delegation test
dig example.com @listed-but-wrong-server.com SOA

# Look for signs of a lame response in the dig output (symptoms listed below)
# "lame server" messages in BIND logs indicate this problem

# Or use dnswalk to check delegation
dnswalk example.com.

# Lame delegation symptoms:
# - Response without aa flag
# - Refused response
# - SERVFAIL
```
- 1. Verify nameserver domain names resolve and are reachable.
```bash
# Check nameserver hostname resolution
for ns in $(dig example.com NS +short); do
  echo "Can we reach ${ns%.}?"
  # Resolve nameserver hostname
  ns_ip=$(dig "${ns%.}" A +short | head -1)
  if [ -n "$ns_ip" ]; then
    echo " Resolves to: $ns_ip"
    # Test connectivity
    ping -c 1 -W 2 "$ns_ip" >/dev/null && echo " Reachable: YES" || echo " Reachable: NO"
  else
    echo " Resolution FAILED"
  fi
done
```
- 1. Fix NS record mismatch by updating either registrar or zone file.
```bash
# If parent delegation is wrong (registrar side):
# 1. Log into your domain registrar
# 2. Find nameserver/NS settings
# 3. Update to match your actual DNS provider's nameservers

# If child zone NS records are wrong:
# Update your zone file:

# BIND zone file format:
example.com. 86400 IN NS ns1.yourprovider.com.
example.com. 86400 IN NS ns2.yourprovider.com.
example.com. 86400 IN NS ns3.yourprovider.com.

# After updating, reload the zone
rndc reload example.com

# For DNS provider control panels:
# Navigate to NS records section
# Ensure NS records match what's delegated at the parent
```
- 1. Add glue records if using nameservers within your own domain.
```bash
# At your registrar, configure glue records:
# These are A records for nameservers that are subdomains

# Example: ns1.example.com and ns2.example.com as nameservers
# Glue records needed:
ns1.example.com IN A 192.0.2.1
ns2.example.com IN A 192.0.2.2

# Most registrars have a "Host Names" or "Glue Records" section
# separate from regular DNS management
```
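The parent/child comparison and the glue check from the steps above can be combined into one pass over saved `dig` output. This is an added example, not part of the original guide: the function names are hypothetical and the two samples are constructed, so it runs offline.

```bash
#!/bin/sh
# Constructed sample: referral from a TLD server, as saved from
#   dig +norec example.com NS @a.gtld-servers.net
PARENT_SAMPLE=';; AUTHORITY SECTION:
example.com.      172800 IN NS ns1.example.com.
example.com.      172800 IN NS ns2.example.com.
example.com.      172800 IN NS ns1.oldprovider.net.
;; ADDITIONAL SECTION:
ns1.example.com.  172800 IN A  192.0.2.1'
# Constructed sample: answer from the zone's own server
#   dig @ns1.example.com example.com NS
CHILD_SAMPLE=';; ANSWER SECTION:
example.com.      86400 IN NS ns1.example.com.
example.com.      86400 IN NS ns2.example.com.'

# ns_targets ZONE: NS targets for ZONE found in dig output on stdin
ns_targets() {
  awk -v z="$1." 'tolower($1) == z && $3 == "IN" && $4 == "NS" {print tolower($5)}' | sort -u
}

# only_in A B: entries of newline-separated list A that are absent from list B
only_in() {
  printf '%s\n' "$1" | while read -r n; do
    [ -n "$n" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$n" || printf '%s\n' "$n"
  done
}

# missing_glue ZONE PARENT_OUTPUT: nameservers inside ZONE delegated without A/AAAA glue
missing_glue() {
  glue=$(printf '%s\n' "$2" | awk '$3 == "IN" && ($4 == "A" || $4 == "AAAA") {print tolower($1)}')
  printf '%s\n' "$2" | ns_targets "$1" | while read -r n; do
    case "$n" in
      *".$1.") printf '%s\n' "$glue" | grep -qxF -- "$n" || printf '%s\n' "$n" ;;
    esac
  done
}

# check_delegation ZONE PARENT_OUTPUT CHILD_OUTPUT: one finding per line
check_delegation() {
  p=$(printf '%s\n' "$2" | ns_targets "$1")
  c=$(printf '%s\n' "$3" | ns_targets "$1")
  only_in "$p" "$c" | sed 's/^/PARENT_ONLY /'
  only_in "$c" "$p" | sed 's/^/CHILD_ONLY /'
  missing_glue "$1" "$2" | sed 's/^/NO_GLUE /'
}

check_delegation example.com "$PARENT_SAMPLE" "$CHILD_SAMPLE"
```

For a live check, pass the captured output of the two `dig` commands named in the sample comments in place of the constructed samples; an empty result means the parent and child NS sets match and every in-zone nameserver has glue.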
Verification
After fixing NS records, verify complete resolution:
```bash
# Check the full delegation chain
dig example.com +trace

# Verify all nameservers agree on NS records
for ns in $(dig example.com NS +short); do
  echo "NS per ${ns%.}:"
  dig @"${ns%.}" example.com NS +short
done

# Check authoritative response
dig @$(dig example.com NS +short | head -1) example.com SOA

# Verify from external resolvers
dig @8.8.8.8 example.com A +short
dig @1.1.1.1 example.com A +short
```
Allow up to 48 hours for NS changes to fully propagate, because resolvers cache the NS records delegated by the parent zone until their TTL expires.