DNS Return Codes

There are many reasons why a DNS query may succeed or fail.

Below is a list of the return codes and what they mean.  You can filter for DNS response codes in your DigitalStakeout Securd DNS Dashboard and Log Analytics.

0: NoError. This indicates that the DNS query was successful and that the requested information was returned.

1: FormErr. This indicates that the DNS query was malformed and could not be processed.

2: ServFail. This indicates that the DNS server encountered an error while attempting to process the query.

3: NXDomain. This indicates that the domain name in the query does not exist.

4: NotImp. This indicates that the DNS server does not support the query type that was requested.

5: Refused. This indicates that the DNS server refuses to process the query for policy reasons.

6: YXDomain. This indicates that the domain name in the query exists when it should not.

7: YXRRSet. This indicates that a resource record set (RRset) exists when it should not.

8: NXRRSet. This indicates that a resource record set (RRset) that should exist does not.

9: NotAuth. This indicates that the DNS server is not authoritative for the requested domain.

10: NotZone. This indicates that the name in the query is not contained within the DNS server's zone of authority.

11: DSOTYPENI. This indicates that the DSO-TYPE (Dynamic Shared Object) is not implemented by the DNS server.

16: BADVERS. This indicates that the OPT (Extended DNS) version is bad or unrecognized.

16: BADSIG. This indicates that the TSIG (Transaction Signature) signature is invalid or fails verification.

17: BADKEY. This indicates that the key specified in the query is not recognized by the DNS server.

18: BADTIME. This indicates that the TSIG signature is outside of the acceptable time window for validation.

19: BADMODE. This indicates that the TKEY (Transaction Key) mode is invalid or unsupported.

20: BADNAME. This indicates that the key name specified in the query is a duplicate.

21: BADALG. This indicates that the algorithm specified in the query is not supported by the DNS server.

22: BADTRUNC. This indicates that the reply was truncated or incomplete due to a length limit.

23: BADCOOKIE. This indicates that the Server Cookie specified in the query is invalid or missing.
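The following is an added example, not code from Securd or DigitalStakeout, showing where the response code sits in a raw DNS response: the low 4 bits are in the header flags, and codes of 16 and above need the upper 8 bits carried in the EDNS OPT record. The sample messages are constructed by hand, and the function and variable names are illustrative.

```python
import struct

# Header/OPT codes from the list above. BADSIG, BADKEY, BADTIME and the other
# key-related codes are carried inside TSIG/TKEY records, not in this field.
RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain",
               4: "NotImp", 5: "Refused", 6: "YXDomain", 7: "YXRRSet",
               8: "NXRRSet", 9: "NotAuth", 10: "NotZone", 11: "DSOTYPENI",
               16: "BADVERS", 23: "BADCOOKIE"}

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while off < len(msg):
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length
    raise ValueError("truncated name")

def response_rcode(msg):
    """Return (code, name) for a raw DNS response, merging the EDNS upper bits."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit is clear: a query, not a response")
    rcode, off = flags & 0x000F, 12          # low 4 bits live in the header
    for _ in range(qd):
        off = skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41 and i >= an + ns:     # OPT pseudo-record, additional section
            rcode |= (ttl >> 24) << 4        # top TTL byte = upper 8 bits of the code
        off += 10 + rdlen
    return rcode, RCODE_NAMES.get(rcode, "rcode %d" % rcode)

# Constructed sample responses (built by hand, not captured traffic).
QUESTION = b"\x02nx\x07example\x00\x00\x01\x00\x01"
OPT_EXT1 = b"\x00" + struct.pack("!HHIH", 41, 1232, 1 << 24, 0)
SAMPLE_NXDOMAIN = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
SAMPLE_BADVERS = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 1) + QUESTION + OPT_EXT1
SAMPLE_BADCOOKIE = struct.pack("!6H", 0x1234, 0x8187, 1, 0, 0, 1) + QUESTION + OPT_EXT1
SAMPLE_QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QUESTION
```

A parser that reads only the header would report the BADCOOKIE sample as 7 and the BADVERS sample as 0, so a log filter on codes 16 and above depends on the OPT record being decoded.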
