Every DNS query receives a response, and most of the time, it works fine. You type a website name, and your browser loads the page. But sometimes, things don’t go as planned.
When that happens, the DNS server replies with a DNS return code to explain what went wrong.
This guide explains what DNS return codes (also called DNS response codes) are, what they mean, and how to understand them.
List of the Most Common DNS Return Codes (RCodes)
| Return Code | Return Message | Description | Common Causes/Examples |
|---|---|---|---|
| RCODE:0 | NOERROR | DNS query completed successfully Normal website loading, |
Normal website loading, successful DNS lookups |
| RCODE:1 | FORMERR | DNS query format error – request was formatted incorrectly |
Corrupted data packets, software bugs, network interference |
| RCODE:2 | SERVFAIL | Server failure – DNS server failed to complete the request |
DNS server overload, connectivity issues, server maintenance |
| RCODE:3 | NXDOMAIN | Non-existent domain – The domain name does not exist |
Mistyped website address, inactive domains |
| RCODE:4 | NOTIMP | Not implemented – DNS server doesn't support this query type |
Older DNS servers, unusual query types |
| RCODE:5 | REFUSED | The DNS server refused to process the query |
Permission restrictions, security policies, blocked requests |
| RCODE:6 | YXDOMAIN | Domain name exists when it should not |
Dynamic DNS updates, trying to create existing domains |
| RCODE:7 | YXRRSET | RR Set exists when it should not |
DNS updates, attempting to create existing records |
| RCODE:8 | NXRRSET | RR Set that should exist does not |
Trying to delete or modify non-existent DNS records |
| RCODE:9 | NOTAUTH | Not authorized – DNS server is not authoritative for the zone |
Asking the wrong DNS server for domain information |
| RCODE:10 | NOTZONE | Name not in zone – the query is outside the server’s zone |
Domain not part of the DNS zone the server manages |
You can find the full list of DNS return codes on the IANA website.
What Are DNS Return Codes?
DNS return codes (Rcodes) are numeric codes returned by DNS servers to indicate the result of a DNS query. The most common ones include 0 (No Error), 1 (Format Error), 2 (Server Failure), 3 (Name Error), and 5 (Refused). Each code helps diagnose why a DNS lookup succeeded or failed.
Think of them like status updates. When you ask "Where is example.com?" the DNS server might respond with code 0 (meaning "found it") or code 3 (meaning "that domain doesn't exist").
These codes are part of the DNS protocol, which is the system that translates human-readable domain names into IP addresses that computers can understand.
How DNS Return Codes Work
Every DNS query follows the same basic process:
- Your device sends a DNS query to a DNS server
- The DNS server processes your request
- The server sends back a response with a specific code
- Your device interprets the code and acts accordingly
The response code tells your device exactly what happened. Did the server find the answer? Was there a network error? Is the domain blocked? The code explains it all.
Why DNS Return Codes Matter
Troubleshooting Network Issues
DNS return codes help you identify why websites aren't loading. Instead of guessing, you can see exactly what's wrong:
- NXDOMAIN tells you the domain doesn't exist
- SERVFAIL indicates server problems
- REFUSED suggests access restrictions
Security and Monitoring
Many security tools use DNS return codes to detect threats:
- Unusual patterns of NXDOMAIN responses might indicate malware trying to contact command-and-control servers
- REFUSED responses can show blocked malicious domains
- Monitoring these codes helps identify network attacks
Network Performance
Response codes help measure DNS performance. High numbers of SERVFAIL responses might indicate overloaded DNS servers that need attention.
Common DNS Response Codes Explained
RCODE 0: NOERROR (Success)
This is what you want to see. The DNS server found the website's IP address and sent it back successfully. This happens millions of times per day as people browse the internet normally.
RCODE 3: NXDOMAIN (Domain Doesn't Exist)
This is the most common error code. It means the domain name you requested simply doesn't exist. You'll see this when you mistype a website address or try to visit a site that's been shut down.
Common causes:
- Typos in the website address
- Expired or deleted domains
- Links to websites that no longer exist
RCODE 2: SERVFAIL (Server Failure)
The DNS server couldn't complete your request due to internal problems. The website might exist, but the DNS server can't process your query right now.
Common causes:
- DNS server overload or maintenance
- Network connectivity issues
- Problems with the DNS server's configuration
How to fix: Wait a few minutes and try again, or switch to a different DNS provider like Control D.
RCODE 5: REFUSED (Query Refused)
The DNS server refuses to process your request. This often happens in corporate networks or when using DNS filtering services.
Common causes:
- Parental controls blocking websites
- Corporate firewall restrictions
- DNS filtering services are blocking malicious sites
- Using a DNS server you don't have permission to access
How to fix: Check if you're using the correct DNS server or if content filtering is blocking the site.
How to Check DNS Return Codes
Command Line Tools
On Windows, macOS, or Linux, you can use the following tools to perform DNS lookups and check return codes
nslookup: Basic DNS lookup tool
Platforms: Windows, macOS, Linux
Command: nslookup example.com
📌 Note: nslookup is basic and may not show return codes directly, but it's useful for testing if a domain resolves.
dig: More detailed DNS information (Linux/macOS)
Platforms: macOS, Linux (installable on Windows via WSL or third-party)
Command: dig example.com
📌 Note: dig provides more detailed output, including the return code (status:) in the header section (e.g., NOERROR, NXDOMAIN, etc.).
PowerShell: DNS lookups on Windows
Command: Resolve-DnsName example.com
📌 Note: Resolve-DnsName provides structured output, including QueryStatus, which shows the DNS return code (e.g., NOERROR, SERVFAIL).
Online Tools
Many websites offer DNS lookup tools that show response codes along with other DNS information.
Network Monitoring Software
Professional tools can track DNS return codes across your entire network, helping identify patterns and problems.
Final Thoughts
DNS return codes may look technical, but they’re simply status messages. Knowing what they mean can save you time when diagnosing DNS errors, setting up filtering, or managing a secure network.
If you want to take control of your DNS traffic, from privacy to performance, tools like Control D give you visibility and flexibility that traditional DNS resolvers don’t.
