Introduction

When a Windows DNS server receives an NXDOMAIN response (the name does not exist) from an upstream or authoritative server, it caches that negative answer, as RFC 2308 allows. The entry lives for the negative TTL carried in the SOA record of the response, capped by the server's MaxNegativeCacheTtl setting. If the domain is registered (or the record created) after the negative answer was cached, the server keeps returning NXDOMAIN until that entry expires, so clients see DNS_PROBE_FINISHED_NXDOMAIN in Chromium-based browsers even though external resolvers already answer correctly. The Windows DNS Client on each workstation caches the negative answer as well, so the stale result can outlive a server-side flush by a short time.

Symptoms

  • nslookup newdomain.com against the internal DNS server returns "Non-existent domain"
  • External resolvers (for example 8.8.8.8) resolve the same name correctly
  • Show-DnsServerCache (or dnscmd /EnumRecords ..Cache newdomain.com) shows no A record for the name, only the cached negative answer
  • Applications fail to connect to newly provisioned services by hostname
  • Test-NetConnection fails with a name resolution error (NameResolutionFailure)

Common Causes

  • The name was queried before it was registered or delegated, so the NXDOMAIN from the TLD or authoritative server was cached
  • Negative cache TTL cap set too high (MaxNegativeCacheTtl registry value, MaxNegativeTtl cmdlet parameter; default 900 seconds / 15 minutes)
  • Forwarders that themselves still hold the negative answer (common during migrations), so flushing the local cache just re-fetches NXDOMAIN from them
  • Clients using the Windows DNS server as their only resolver with no fallback
  • Cache locking (LockingPercent) keeps cached entries from being overwritten by later responses until the configured fraction of their TTL has elapsed; it does not block an administrative cache flush, but it is a reason stale data is not silently replaced by a later answer

Step-by-Step Fix

  1. Verify the issue is a stale cache entry by comparing an external resolver with the internal server (run the second query on the DNS server itself, or replace 127.0.0.1 with its address):
     ```powershell
     nslookup newdomain.com 8.8.8.8
     # Should resolve; if this also returns NXDOMAIN the name is not yet resolving publicly and no cache flush will help
     nslookup newdomain.com 127.0.0.1
     # May still return "Non-existent domain" from the server's negative cache
     ```
  2. Clear the DNS server cache (requires DNS administrator rights; this drops every cached record, not just the stale one, so expect a short burst of upstream queries):
     ```powershell
     Clear-DnsServerCache -Force
     # Or using dnscmd
     dnscmd /ClearCache
     ```
     If the server forwards to other resolvers that hold the same negative answer, flush those too, otherwise the next lookup simply re-caches NXDOMAIN.
  3. Clear the DNS Client cache on the affected machines (and on the server) as well:
     ```powershell
     ipconfig /flushdns
     # Verify the entry is gone
     ipconfig /displaydns | Select-String newdomain.com
     ```
  4. Reduce the negative cache TTL cap to limit the impact of future occurrences. The cmdlet parameter is MaxNegativeTtl and takes a TimeSpan; MaxNegativeCacheTtl is the matching registry value (dnscmd /Config /MaxNegativeCacheTtl 60 sets the same thing):
     ```powershell
     Set-DnsServerCache -MaxNegativeTtl (New-TimeSpan -Seconds 60)
     # Lowers the cap from the default 900 seconds (00:15:00) to 60 seconds
     # Verify
     Get-DnsServerCache | Select-Object MaxNegativeTtl
     ```
  5. Confirm cache locking is still at its default. Cache locking stops cached entries from being overwritten by later responses for the given percentage of their TTL, which is a cache-poisoning defence. The default is 100; lowering it (for example to 75) weakens that protection and does nothing for stale negative entries:
     ```powershell
     Get-DnsServerCache | Select-Object LockingPercent
     # Restore the default if it has been lowered
     Set-DnsServerCache -LockingPercent 100
     ```
  6. Verify resolution after the cache clear:
     ```powershell
     Resolve-DnsName newdomain.com -Type A -Server 127.0.0.1 -DnsOnly
     # Should now return the correct A record
     ```
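
The six steps above as one script, added here as an example and not part of the original article. It assumes an elevated session on the DNS server with the DnsServer module loaded; newdomain.com, 127.0.0.1 and 8.8.8.8 are placeholders for the affected name, the internal server and an external reference resolver. It only flushes when the two resolvers actually disagree, so running it against a name that genuinely does not exist is harmless.

```powershell
# Added example (not from the original article): end-to-end remediation of a
# stale negative cache entry on a Windows DNS server.
# Assumptions: run elevated on the DNS server itself; DnsServer module present;
# $Name, $Internal and $Reference are placeholders.
param(
    [string]$Name      = 'newdomain.com',   # placeholder: the name that fails internally
    [string]$Internal  = '127.0.0.1',       # the Windows DNS server (this host)
    [string]$Reference = '8.8.8.8',         # external resolver used as the reference
    [int]$NegativeTtlSeconds = 60           # new cap for negative caching
)

function Resolve-Quiet {
    # Returns the A record addresses a given server hands back, or $null on NXDOMAIN/error.
    # -DnsOnly skips hosts file, LLMNR and NetBIOS so only the server's answer counts.
    param([string]$Name, [string]$Server)
    try {
        Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    } catch {
        $null
    }
}

function Test-StaleNegativeCache {
    # Stale negative cache = the reference resolver answers, the local server does not.
    param([string]$Name, [string]$Internal, [string]$Reference)
    $ext = Resolve-Quiet -Name $Name -Server $Reference
    $int = Resolve-Quiet -Name $Name -Server $Internal
    [pscustomobject]@{
        Name     = $Name
        External = $ext
        Internal = $int
        Stale    = ($null -ne $ext) -and ($null -eq $int)
    }
}

# Step 1: compare the two resolvers before touching anything.
$before = Test-StaleNegativeCache -Name $Name -Internal $Internal -Reference $Reference
$before | Format-List
if (-not $before.Stale) {
    Write-Host "No stale negative entry for $Name (or the name does not resolve anywhere yet); nothing to flush."
    return
}

# Step 2: flush the server cache. There is no per-record removal; every cached
# entry goes, so expect a short burst of upstream queries afterwards.
Clear-DnsServerCache -Force

# Step 3: flush the DNS Client cache on this host too.
ipconfig /flushdns | Out-Null

# Step 4: cap negative caching. The cmdlet parameter is MaxNegativeTtl (TimeSpan);
# MaxNegativeCacheTtl is the equivalent registry value under
# HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
Set-DnsServerCache -MaxNegativeTtl (New-TimeSpan -Seconds $NegativeTtlSeconds)

# Step 5: cache locking defaults to 100; restore it if someone lowered it.
$cache = Get-DnsServerCache
if ($cache.LockingPercent -lt 100) {
    Write-Warning "LockingPercent is $($cache.LockingPercent); restoring the default of 100."
    Set-DnsServerCache -LockingPercent 100
}

# Step 6: verify the name now resolves through the local server.
$after = Test-StaleNegativeCache -Name $Name -Internal $Internal -Reference $Reference
$after | Format-List
if ($after.Stale) {
    Write-Error "Still NXDOMAIN from $Internal after the flush; check whether the forwarders hold the same negative answer."
}
Get-DnsServerCache | Select-Object MaxNegativeTtl, LockingPercent
```

Run it as `.\Repair-StaleNxdomain.ps1 -Name newdomain.com` (any file name will do). If the final check still reports Stale, the problem is upstream of this server: flush the forwarders' caches or wait out their negative TTL.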

Prevention

  • Cap negative caching at 60 seconds or less (Set-DnsServerCache -MaxNegativeTtl, registry value MaxNegativeCacheTtl) on DNS servers that serve development environments; a low cap costs extra upstream queries for nonexistent names, so keep the default on busy production resolvers
  • Include a DNS cache flush (server and clients) as a step in domain registration and DNS change runbooks
  • Monitor DNS resolution with automated checks that compare internal and external resolution of newly provisioned names and alert on disagreement
  • Configure conditional forwarders for internal zones so their queries go straight to the authoritative servers instead of through the public resolution path, where a premature lookup leaves a cached NXDOMAIN
  • Use DNS policies (recursion scopes) to forward queries for specific domains to their authoritative servers directly
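
The last two prevention items in working form, added here as an example and not part of the original article. It assumes a Windows Server 2016 or later DNS server with the DnsServer module; corp.example.com, lab.example.com and 10.0.0.10/10.0.0.11 are placeholders for your internal zones and their authoritative servers. Both mechanisms keep queries for internal names off the general forwarders, so a lookup made before a record exists is answered by the internal authority (whose SOA negative TTL you control) rather than by a public resolver chain.

```powershell
# Added example (not from the original article): route internal zones to their
# authoritative servers with a conditional forwarder and, alternatively, a DNS policy.
# Assumptions: elevated session on a Windows Server 2016+ DNS server; zone names
# and server addresses below are placeholders.
$InternalZone = 'corp.example.com'            # placeholder zone
$InternalAuth = @('10.0.0.10', '10.0.0.11')   # placeholder authoritative servers
$PolicyZone   = 'lab.example.com'             # placeholder zone handled via policy
$PolicyScope  = 'InternalAuth'
$PolicyName   = 'RouteInternalToAuth'

# 1. Conditional forwarder: queries for $InternalZone go straight to $InternalAuth
#    instead of the server-wide forwarders or root hints. Idempotent: skip if present.
if (-not (Get-DnsServerZone -Name $InternalZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $InternalZone -MasterServers $InternalAuth
}

# 2. DNS policy alternative: a recursion scope that forwards to the internal servers,
#    applied only to queries whose FQDN matches $PolicyZone.
if (-not (Get-DnsServerRecursionScope -Name $PolicyScope -ErrorAction SilentlyContinue)) {
    Add-DnsServerRecursionScope -Name $PolicyScope -EnableRecursion $true -Forwarder $InternalAuth
}
if (-not (Get-DnsServerQueryResolutionPolicy -Name $PolicyName -ErrorAction SilentlyContinue)) {
    Add-DnsServerQueryResolutionPolicy -Name $PolicyName -Action ALLOW -ApplyOnRecursion `
        -RecursionScope $PolicyScope -Fqdn "EQ,*.$PolicyZone" -ProcessingOrder 1
}

# 3. Show what is now in force so the change can be reviewed.
Get-DnsServerZone -Name $InternalZone | Select-Object ZoneName, ZoneType, MasterServers
Get-DnsServerRecursionScope -Name $PolicyScope | Select-Object Name, EnableRecursion, Forwarder
Get-DnsServerQueryResolutionPolicy -Name $PolicyName | Select-Object Name, Action, ProcessingOrder, Criteria
```

The conditional forwarder is the simpler option and works on every supported Windows Server version; the policy route is useful when the same server must treat a zone differently depending on the query (for example by client subnet), which a plain forwarder cannot express.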