
DNS SERVFAIL (RCODE 2) vs REFUSED (RCODE 5)

DNS SERVFAIL and REFUSED both mean the resolver cannot answer, but for different reasons. SERVFAIL indicates an internal server error (DNSSEC failure, unreachable upstream), while REFUSED means the server deliberately rejected the query based on policy (ACLs, recursion restrictions).

Description

Server failure. The name server encountered an internal error while processing the query.

When you see it

The recursive resolver could not get an authoritative answer — commonly caused by DNSSEC validation failures, unreachable upstream nameservers, or misconfigured zones.

How to fix

Try a different resolver (e.g., 8.8.8.8 or 1.1.1.1) to isolate the issue. If you control the zone, check DNSSEC signatures, SOA serial consistency, and nameserver reachability.

Description

Query refused. The name server refuses to perform the requested operation for policy reasons.

When you see it

The server rejected your query due to access control — for example, a recursive resolver that only serves its own network, or a zone transfer blocked by ACL.

How to fix

Check the server's allow-query, allow-recursion, or allow-transfer ACLs. If you are not authorized to use this resolver, switch to a public DNS service.

Key differences

1. SERVFAIL (2) is an internal error — the server tried but could not resolve the query (upstream unreachable, DNSSEC failure).

2. REFUSED (5) is a policy decision — the server can resolve but chose not to (client IP not in ACL, recursion disabled).

3. SERVFAIL may be transient and resolve if upstream nameservers recover; REFUSED is persistent for the same client.

4. SERVFAIL is common during DNSSEC validation failures; REFUSED is common when querying a non-recursive authoritative server.

5. Different resolvers may give SERVFAIL for the same domain; REFUSED depends on the specific server's configuration.

When to use which

SERVFAIL occurs when the DNS server encounters an error while processing the query — try a different resolver (8.8.8.8, 1.1.1.1) to isolate whether it is a resolver issue or a zone issue. REFUSED occurs when the server's policy blocks your query — check if you are querying the correct resolver and if your IP is allowed. Authoritative servers REFUSE recursive queries by design.
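The isolation step described above, as an added example that is not code from the original page: it reads the RCODE and RA bits from raw DNS response headers and compares several resolvers' responses for the same name. The responses and resolver labels are constructed sample data, and the function names are hypothetical.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_response(qname, rcode, ra=True, qid=0x1234):
    """Build a minimal DNS response (header + question) as constructed sample input."""
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | rcode  # QR, RD, RA, RCODE
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Return (rcode_name, recursion_available) from a raw DNS response."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    flags = struct.unpack("!H", msg[2:4])[0]
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F  # RCODE is the low 4 bits of the flags word
    return RCODES.get(rcode, f"RCODE{rcode}"), bool(flags & 0x0080)

def triage(responses):
    """Map {resolver: raw response} to per-resolver findings and one overall verdict."""
    findings, failed, answered = {}, [], []
    for resolver, raw in responses.items():
        rcode, ra = parse_header(raw)
        if rcode == "REFUSED":
            findings[resolver] = f"policy rejection (RA={int(ra)}): check ACLs or use another resolver"
        elif rcode == "SERVFAIL":
            findings[resolver] = "internal error: DNSSEC validation or upstream reachability"
            failed.append(resolver)
        else:
            findings[resolver] = f"answered with {rcode}"
            answered.append(resolver)
    if failed and answered:
        verdict = "resolver issue: " + ", ".join(failed)
    elif failed:
        verdict = "zone issue: every resolver that accepted the query returned SERVFAIL"
    else:
        verdict = "no SERVFAIL seen"
    return findings, verdict

if __name__ == "__main__":
    # Constructed responses; resolver labels are placeholders, not real servers.
    sample = {"resolver-a": build_response("example.com", 2),
              "resolver-b": build_response("example.com", 0),
              "auth-only": build_response("example.com", 5, ra=False)}
    print(triage(sample))
```

A REFUSED response is kept out of the SERVFAIL comparison because it says nothing about the zone, only about that server's policy toward the client.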
