PublicDNS.info Live-tested public DNS
Retested every 72 hours.

DNS Status Codes Explained

Every resolver in our directory is tested with two DNS queries. The status you see on each server reflects the outcome of those tests.

OK Healthy resolver

The server answered both test queries correctly. It returned the right A-record for a known domain, and it returned NXDOMAIN for a domain that does not exist.

This is the result you want to see. An OK server is working as expected and safe to use as your DNS resolver.

NX_HIJACK NXDOMAIN hijacking detected

The server passed the A-record test but failed the NXDOMAIN test. Instead of confirming that a non-existent domain does not exist, it returned an IP address — typically pointing to a search page or advertising landing page.

Why does this happen?

Some ISPs and DNS providers intercept mistyped domains and redirect them to their own servers. This practice is sometimes called "DNS hijacking" or "NXDOMAIN redirection." The motivation is usually advertising revenue or providing a branded search experience.

Should you worry?

NX_HIJACK resolvers still work for normal browsing. However, they can cause problems for software that depends on proper NXDOMAIN responses — mail servers checking SPF records, for example, or security tools verifying domain ownership. If you value clean DNS behaviour, choose a server marked OK instead.

TIMEOUT No response

The server did not answer within the test window (5 seconds). We sent the query but received nothing back.

Common causes

  • Server is down — the machine or service is offline.
  • Firewall rules — the server only accepts queries from certain networks.
  • Rate limiting — the server throttled our probe because it detected too many queries.
  • Geo-restriction — the server only responds to queries originating from specific regions or countries.

A TIMEOUT does not necessarily mean the server is broken. It may work fine from your location even if our probe cannot reach it.

BAD Unexpected response

The server responded, but the answer was wrong or incomplete. This can mean:

  • Wrong RCODE — the server returned SERVFAIL, REFUSED, or another error code instead of NOERROR.
  • Missing answer section — the response had no A-records despite using a valid query.
  • Wrong IP — the server returned an IP address that does not match the expected answer for our test domain.

BAD servers are unreliable. They may be misconfigured, compromised, or intentionally returning incorrect data. We recommend avoiding them.

How we test

Our probe system runs two queries against each server:

  1. A-record lookup — We query a well-known domain and check whether the returned IP matches the expected value.
  2. NXDOMAIN lookup — We query a domain that is guaranteed not to exist and verify that the server returns NXDOMAIN (RCODE 3).

Both queries use a 5-second timeout. The combined result determines the server's status. We run these tests on a rolling schedule, re-checking over 90,000 resolvers every 72 hours. Only servers above our reliability threshold appear in the live directory.

Frequently asked questions

What does OK mean for a DNS server?

OK means the server responded correctly to both a standard A-record query and an NXDOMAIN query. It returned the expected IP address for a known domain and properly indicated that a non-existent domain does not exist.

Is NX_HIJACK dangerous?

NX_HIJACK is not inherently dangerous, but it means the server redirects non-existent domains to its own IP instead of returning NXDOMAIN. This is common with ISP resolvers that show search pages for mistyped domains. It can break software that relies on NXDOMAIN responses and may expose your queries to third-party advertising.

Why does a server show TIMEOUT?

TIMEOUT means the server did not respond within the test window (typically 5 seconds). Common causes include the server being offline, a firewall blocking the request, rate limiting applied to our probe, or geo-restrictions that block queries from our test location.

What counts as a BAD response?

BAD means the server responded but with unexpected results: wrong RCODE (e.g. SERVFAIL or REFUSED instead of NOERROR), missing answer records, or a completely incorrect IP address for the test domain.

How often does PublicDNS.info test each server?

We test over 90,000 resolvers on a rolling basis. Most servers are re-checked at least once every 72 hours. Only servers that pass our reliability threshold are published in the live directory.