Beginner 10 min DNS 3

NXDOMAIN — Domain Does Not Exist

Symptoms

- `dig example.com` returns `status: NXDOMAIN` with an empty ANSWER section
- Browser shows `DNS_PROBE_FINISHED_NXDOMAIN` or `ERR_NAME_NOT_RESOLVED`
- `curl` returns `Could not resolve host: example.com`
- Application log: `socket.gaierror: [Errno -2] Name or service not known`
- `nslookup example.com` returns `** server can't find example.com: NXDOMAIN`

Root causes

- Domain is not registered or registration has expired
- Typo in the hostname (e.g., 'app.eaxmple.com' instead of 'app.example.com')
- DNS record (A, AAAA, CNAME) for the specific subdomain was never created or was deleted
- Broken nameserver delegation: the domain's NS records point to a server with no zone data
- Negative TTL caching: an NXDOMAIN answer was cached before the records were added and the stale answer is still being served

Diagnosis

**Step 1 — Query the domain with dig**

```bash
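# +comments keeps the header so the status line is visible
# (ANY is dropped here: many servers answer ANY queries minimally)
dig example.com A +noall +comments +answer
# status: NXDOMAIN = no records exist for this exact name

# Also check the authoritative answer flag
dig example.com SOA +noall +comments +authority
# Look for NXDOMAIN in the status line, "aa" in the flags, and the SOA record in the authority section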
```

**Step 2 — Verify the domain is registered and not expired**

```bash
whois example.com | grep -E 'Expiry Date|Expiration Date|Status'
# Expired or clientHold status = domain suspended
```

**Step 3 — Check nameserver delegation**

```bash
# Find which NS servers are authoritative
dig example.com NS +short

# Query the authoritative NS directly
NS=$(dig example.com NS +short | head -1)
dig @"$NS" example.com A +noall +comments +answer
# NXDOMAIN from authoritative = record missing on that NS
# SERVFAIL = NS has no zone loaded
```

**Step 4 — Confirm the specific subdomain record exists**

```bash
dig app.example.com A +short
dig app.example.com CNAME +short
# +short hides the status line; if both are empty, check the status:
dig app.example.com A +noall +comments
# status: NXDOMAIN = the A/CNAME record is missing
```

**Step 5 — Flush DNS cache to rule out stale NXDOMAIN**

```bash
# macOS
sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder

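# Linux (systemd-resolved)
sudo resolvectl flush-caches   # older systemd: sudo systemd-resolve --flush-caches

# Re-test after flushing (the upstream recursive resolver may still hold the
# negative answer until its TTL expires)
dig app.example.com A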
```

Resolution

**Fix 1 — Create the missing DNS record**

```bash
# Cloudflare API example — add A record
CF_TOKEN='your_api_token'
ZONE_ID='your_zone_id'
curl -X POST \
'https://api.cloudflare.com/client/v4/zones/'"$ZONE_ID"'/dns_records' \
-H "Authorization: Bearer $CF_TOKEN" \
-H 'Content-Type: application/json' \
-d '{"type":"A","name":"app.example.com","content":"203.0.113.1","ttl":300}'
```

**Fix 2 — Renew the expired domain**

Log in to your registrar (Namecheap, GoDaddy, Google Domains) and renew the domain. DNS propagation after renewal typically takes 15–60 minutes.

**Fix 3 — Fix broken NS delegation**

```bash
# At your registrar, update the NS records to match your DNS provider
# e.g., Cloudflare: ns1.cloudflare.com, ns2.cloudflare.com

# Verify propagation (allow 24–48h for NS changes)
dig example.com NS @8.8.8.8 +short
dig example.com NS @1.1.1.1 +short
```

**Fix 4 — Wait for negative TTL to expire**

```bash
# Check SOA NXTTL (minimum TTL for negative caching)
dig example.com SOA +short
# Last field is the negative TTL in seconds
# (resolvers use the lower of this value and the SOA record's own TTL)
# e.g.: ns1.example.com. admin.example.com. 2024010101 3600 900 604800 300
#                                                                      ^^^ 300s = 5 min
```
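
The checks from Step 1 and Fix 4 combined into one parser, as an added example that is not part of the original page: `classify_dig` (a hypothetical helper name) reads `dig` output, separates NXDOMAIN from NODATA and SERVFAIL, and reports the negative-cache TTL as the smaller of the SOA record's TTL and its MINIMUM field (RFC 2308). Distinguishing NODATA goes slightly beyond the page; both sample responses are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. classify_dig (hypothetical name)
# reads dig output on stdin, prints: <verdict> aa=<yes|no> negative_ttl=<seconds|->
classify_dig() {
  awk '
    /status:/ {                      # ";; ->>HEADER<<- ... status: NXDOMAIN, id: ..."
      for (i = 1; i < NF; i++) if ($i == "status:") { status = $(i + 1); sub(/,/, "", status) }
    }
    /^;; flags:/ {                   # aa = answer came from an authoritative server
      aa = ($0 ~ /flags:[^;]* aa[ ;]/) ? "yes" : "no"
      for (i = 1; i < NF; i++) if ($i == "ANSWER:") answers = $(i + 1) + 0
    }
    /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
    /^$/ { in_auth = 0 }
    in_auth && $4 == "SOA" {         # negative TTL = min(SOA record TTL, SOA MINIMUM field)
      neg = ($2 + 0 < $NF + 0) ? $2 + 0 : $NF + 0; have_soa = 1
    }
    END {
      if (status == "") { print "UNPARSED"; exit }
      verdict = status
      # NOERROR with no answers plus an SOA = the name exists but not this record type
      if (status == "NOERROR" && answers == 0 && have_soa) verdict = "NODATA"
      negative = (verdict == "NXDOMAIN" || verdict == "NODATA")
      printf "%s aa=%s negative_ttl=%s\n", verdict, (aa == "" ? "no" : aa), (negative && have_soa ? neg : "-")
    }'
}
# Constructed sample: NXDOMAIN served from a recursive resolver cache (120s left)
SAMPLE_NXDOMAIN=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;app.example.com. IN A

;; AUTHORITY SECTION:
example.com. 120 IN SOA ns1.example.com. admin.example.com. 2024010101 3600 900 604800 300
EOF
)
# Constructed sample: authoritative NODATA (name exists, no record of the queried type)
SAMPLE_NODATA=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 2024010101 3600 900 604800 300
EOF
)
printf '%s\n' "$SAMPLE_NXDOMAIN" | classify_dig   # NXDOMAIN aa=no negative_ttl=120
printf '%s\n' "$SAMPLE_NODATA" | classify_dig     # NODATA aa=yes negative_ttl=300
```

Against a live resolver, pipe the full output in: `dig app.example.com A | classify_dig`.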

Prevention

- Enable auto-renew for all registered domains and add calendar reminders 60 days before expiry
- Use Infrastructure as Code (Terraform Cloudflare provider) for DNS records to prevent accidental deletion
- Set a low SOA minimum TTL (300s) to reduce NXDOMAIN caching duration
- Add monitoring alerts for NXDOMAIN using UptimeRobot or a synthetic DNS check
- Test DNS records in staging with the same tooling used in production before deploying
