DNS 5 REFUSED vs 10 NOTZONE
Both DNS 5 (REFUSED) and 10 (NOTZONE) belong to the DNS Response Codes (RCODEs) category. 5 indicates that query refused. The name server refuses to perform the requested operation for policy reasons. Meanwhile, 10 means that name not contained in zone. A name used in the Prerequisite or Update section is not within the zone denoted by the Zone section.
Description
Query refused. The name server refuses to perform the requested operation for policy reasons.
When You See It
The server rejected your query due to access control — for example, a recursive resolver that only serves its own network, or a zone transfer blocked by ACL.
How to Fix
Check the server's allow-query, allow-recursion, or allow-transfer ACLs. If you are not authorized to use this resolver, switch to a public DNS service.
Description
Name not contained in zone. A name used in the Prerequisite or Update section is not within the zone denoted by the Zone section.
When You See It
Your dynamic update tried to modify a record that falls outside the zone specified in the update message (e.g., updating foo.example.org in the example.com zone).
How to Fix
Ensure all names in the update are within the target zone. Check for typos in the zone name or the records being updated.
Key Differences
DNS 5: Query refused. The name server refuses to perform the requested operation for policy reasons.
DNS 10: Name not contained in zone. A name used in the Prerequisite or Update section is not within the zone denoted by the Zone section.
You encounter 5 when the server rejected your query due to access control — for example, a recursive resolver that only serves its own network, or a zone transfer blocked by ACL.
You encounter 10 when your dynamic update tried to modify a record that falls outside the zone specified in the update message (e.g., updating foo.example.org in the example.com zone).
When to Use Which
For 5 (REFUSED): Check the server's allow-query, allow-recursion, or allow-transfer ACLs. If you are not authorized to use this resolver, switch to a public DNS service. For 10 (NOTZONE): Ensure all names in the update are within the target zone. Check for typos in the zone name or the records being updated.