Introduction

When a domain uses custom nameservers (e.g., ns1.example.com), the domain's registrar must have glue records (A records) that point those nameserver hostnames to actual IP addresses. If the glue records at the registrar do not match the actual nameserver IP addresses -- due to server migration, IP change, or misconfiguration -- the domain becomes unreachable because DNS resolvers cannot find the authoritative nameservers.

Symptoms

  • Domain does not resolve -- dig returns SERVFAIL or no records
  • Website and email are completely unreachable
  • dig NS example.com returns the nameserver names but they do not resolve
  • WHOIS shows nameservers but dig ns1.example.com returns NXDOMAIN
  • Error message: DNS resolution failed: no glue records found

Common Causes

  • Server migration changed nameserver IP addresses but glue records were not updated
  • Registrar lock on the domain preventing glue record updates
  • Typo in the glue record IP address at the registrar
  • Nameserver software reconfigured on a different IP without updating registrar
  • TLD registry cache not updated after glue record change

Step-by-Step Fix

  1. 1.Verify the glue record mismatch: Compare registrar records with actual IPs.
  2. 2.```bash
  3. 3.# Check glue records at the TLD level
  4. 4.whois example.com | grep "Name Server"
  5. 5.# Check if nameserver hostnames resolve
  6. 6.dig ns1.example.com A +short
  7. 7.dig ns2.example.com A +short
  8. 8.# Compare with the actual nameserver IPs
  9. 9.`
  10. 10.Update glue records at the registrar: Correct the IP addresses.
  11. 11.`
  12. 12.# Log in to the domain registrar's control panel
  13. 13.# Navigate to DNS Management or Nameserver Settings
  14. 14.# Update the glue records (A records) for ns1.example.com and ns2.example.com
  15. 15.# Set to the correct server IP addresses
  16. 16.`
  17. 17.Verify the nameservers are responding on the correct IPs: Confirm connectivity.
  18. 18.```bash
  19. 19.# Test nameserver responses
  20. 20.dig @ns1.example.com example.com SOA
  21. 21.dig @ns2.example.com example.com SOA
  22. 22.# Both should return valid responses
  23. 23.`
  24. 24.Wait for DNS propagation and verify resolution: Confirm the fix works.
  25. 25.```bash
  26. 26.# Check from multiple DNS resolvers
  27. 27.dig example.com A @8.8.8.8
  28. 28.dig example.com A @1.1.1.1
  29. 29.# Use DNS propagation checker
  30. 30.# https://dnschecker.org
  31. 31.`
  32. 32.Verify website and email are accessible: Confirm full service restoration.
  33. 33.```bash
  34. 34.curl -I https://example.com
  35. 35.# Should return HTTP 200
  36. 36.`

Prevention

  • Update glue records at the registrar simultaneously with any nameserver IP changes
  • Document all nameserver hostnames and their IP addresses in a DNS registry
  • Use third-party DNS providers (Cloudflare, Route 53) to avoid glue record dependencies
  • Verify glue record consistency after any server migration or IP change
  • Monitor DNS resolution from external locations to detect glue record issues quickly
  • Include glue record verification in the post-migration checklist