Support Library
DNS SERVFAIL Explained
Short Description
SERVFAIL (RCODE 2) means the resolver could not produce a usable answer. It is not a statement about the name: unlike NXDOMAIN, the name may well exist, and other resolvers may be answering it normally.
Why This Matters
Because the failure is resolver-side, it shows up as a partial outage: users behind one resolver get errors while users behind another are fine. That split is the classic signature of a DNSSEC trust-chain mistake, which only validating resolvers notice; non-validating resolvers keep serving the zone as if nothing were wrong.
How It Happens
Anything that stops the resolver from building an answer it trusts: every authoritative server timing out or refusing the query, a lame or broken delegation (NS records pointing at hosts that do not serve the zone), malformed or truncated authority responses, or a DNSSEC validation failure (a DS in the parent that matches no DNSKEY the child publishes, a DNSKEY RRset not signed by the key the DS points at, or an expired or missing RRSIG).
How to Detect It
Query the same name from several resolvers (two public ones plus one inside your network) with dig and compare the status field in the response header; a SERVFAIL from some resolvers but not others is already a strong hint. Then repeat the failing query with +cd (checking disabled): if it now answers, the resolver can reach the data and DNSSEC validation is what fails; if it still fails, walk upstream with dig +trace to see at which delegation step the chain breaks. Add +dnssec when you need to see the DS, DNSKEY and RRSIG records, and delv (shipped with BIND) will name the exact validation error.
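The triage above, as an added example that is not DNS Panopticon's own code: it runs the plain and +cd queries against each resolver through dig (assumed to be on PATH) and sorts the results into "validation failure", "upstream failure" or "resolver-specific". The resolver addresses and the sample results at the bottom are constructed assumptions, not data from this page.

```python
"""Multi-resolver SERVFAIL triage.  Added example for this page, not DNS
Panopticon code.  The live path shells out to dig (ISC BIND tools, assumed
on PATH); the classification is pure Python so it also runs on captured
results.  Resolver addresses and the sample results are assumptions."""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Assumed resolver set: two public validators plus an internal, non-validating one.
RESOLVERS = ["8.8.8.8", "1.1.1.1", "10.0.0.53"]

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+),")
OK = {"NOERROR", "NXDOMAIN"}          # a usable answer, even if it is "no such name"

Result = Tuple[Optional[str], Optional[str]]   # (rcode, rcode with +cd)


def rcode_from_dig(output: str) -> Optional[str]:
    """Pull the RCODE out of dig's header line; None when dig got no reply at all."""
    m = HEADER_RE.search(output)
    return m.group(1) if m else None


def dig_rcode(name: str, resolver: str, rrtype: str = "A", cd: bool = False) -> Optional[str]:
    """One dig query.  +cd clears validation, so a SERVFAIL that turns into an
    answer here is a DNSSEC problem rather than a broken delegation."""
    cmd = ["dig", f"@{resolver}", name, rrtype, "+time=3", "+tries=1"] + (["+cd"] if cd else [])
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return rcode_from_dig(out)


def collect(name: str, resolvers=RESOLVERS) -> Dict[str, Result]:
    """Plain and +cd RCODE from every resolver in the set."""
    return {r: (dig_rcode(name, r), dig_rcode(name, r, cd=True)) for r in resolvers}


def classify(results: Dict[str, Result]) -> dict:
    """Bucket the resolvers and name the most likely cause of the SERVFAIL."""
    failing = sorted(r for r, (plain, _) in results.items() if plain not in OK)
    if not failing:
        return {"verdict": "healthy", "failing": [], "dnssec": []}
    # Resolvers that answer once validation is disabled: the trust chain is the problem.
    dnssec = sorted(r for r in failing if results[r][1] in OK)
    if dnssec and len(dnssec) == len(failing):
        verdict = "dnssec_validation_failure"
    elif dnssec:
        verdict = "mixed"                 # some validation failures, some genuine upstream failures
    elif len(failing) == len(results):
        verdict = "upstream_failure"      # +cd does not help anywhere: delegation/auth servers broken
    else:
        verdict = "resolver_specific"     # only some resolvers fail, and +cd does not help them
    return {"verdict": verdict, "failing": failing, "dnssec": dnssec}


# Constructed sample: what a stale-DS outage looks like from three vantage points.
SAMPLE_STALE_DS = {
    "8.8.8.8":   ("SERVFAIL", "NOERROR"),
    "1.1.1.1":   ("SERVFAIL", "NOERROR"),
    "10.0.0.53": ("NOERROR",  "NOERROR"),   # does not validate, so never notices
}

if __name__ == "__main__":
    import sys
    results = collect(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STALE_DS
    print(classify(results))
```

Run it with a name as the first argument for a live check; without one it classifies the constructed sample, which comes out as a DNSSEC validation failure confined to the two validating resolvers.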
How to Fix It
Verify the delegation at the parent (the NS records and the hosts they point at actually serve the zone), then line up the DNSSEC chain: at least one DS in the parent must match the digest of a DNSKEY the child publishes, and that key must sign the current DNSKEY RRset with a still-valid RRSIG. Publish a DS for the active KSK before removing stale ones so the chain never goes empty, remove DS records for keys the zone no longer publishes, and retest from several validating resolvers after the relevant TTLs expire.
Real-World Example
After a provider migration, the parent still held DS records for the old provider's KSK, which the new provider's zone did not publish. Validating resolvers treated the zone as bogus and returned SERVFAIL while non-validating resolvers kept answering, so only part of the user base saw the outage.
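The DS/DNSKEY alignment step from the fix section, and the stale-DS scenario just described, as an added example that is not DNS Panopticon's own code: it computes the key tag and DS digest from a DNSKEY the way RFC 4034 specifies and reports which parent DS records still point at a key the child publishes. The zone name, the key material and the migration scenario are constructed filler (not real keys); a real check would feed in the rdata from dig DNSKEY and dig DS output. RRSIG validity is out of scope here.

```python
"""DS/DNSKEY alignment check.  Added example for this page, not DNS Panopticon
code.  Implements the RFC 4034 key tag (Appendix B) and DS digest (section
5.1.4, SHA-256 per RFC 4509) and reports which parent DS records still match a
DNSKEY the child publishes.  Zone name and key bytes below are constructed."""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import List

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes            # the base64 field, decoded

    @classmethod
    def from_presentation(cls, rdata: str) -> "DNSKEY":
        """Parse the rdata part of a DNSKEY zone line: 'flags proto alg base64...'."""
        flags, proto, alg, *b64 = rdata.split()
        return cls(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))

    def wire_rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B (every algorithm except the obsolete RSA/MD5)."""
        ac = 0
        for i, b in enumerate(self.wire_rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str                  # uppercase hex, as dig prints it

    @classmethod
    def from_presentation(cls, rdata: str) -> "DS":
        tag, alg, dtype, *hexparts = rdata.split()
        return cls(int(tag), int(alg), int(dtype), "".join(hexparts).upper())


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name (RFC 4034 section 6.2): lowercase
    labels, each length-prefixed, terminated by the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = H(owner name in wire form || DNSKEY RDATA)."""
    h = DIGEST_ALGS[digest_type](owner_wire(owner) + key.wire_rdata()).hexdigest().upper()
    return DS(key.key_tag(), key.algorithm, digest_type, h)


def check_alignment(owner: str, dnskeys: List[DNSKEY], parent_ds: List[DS]) -> dict:
    """A validator needs just one DS that matches a published DNSKEY (which must
    also sign the DNSKEY RRset).  No match at all means the zone is bogus and
    every validating resolver SERVFAILs; extra non-matching DS records are
    clean-up rather than an outage as long as one good one remains."""
    matched, orphaned = [], []
    for ds in parent_ds:
        hit = ds.digest_type in DIGEST_ALGS and any(
            make_ds(owner, k, ds.digest_type) == ds for k in dnskeys)
        (matched if hit else orphaned).append(ds)
    return {"status": "ok" if matched else "bogus", "matched": matched, "orphaned": orphaned}


# Constructed migration scenario: the child now publishes CURRENT_KSK and ZSK,
# but the parent still carries only a DS for OLD_KSK, which the new provider never had.
ZONE = "example.com."
OLD_KSK     = DNSKEY(257, 3, 13, bytes(range(64, 128)))   # filler bytes, not a real P-256 key
CURRENT_KSK = DNSKEY(257, 3, 13, bytes(range(0, 64)))
ZSK         = DNSKEY(256, 3, 13, bytes(range(32)))
CHILD_DNSKEYS = [CURRENT_KSK, ZSK]
PARENT_DS = [make_ds(ZONE, OLD_KSK)]

if __name__ == "__main__":
    print(check_alignment(ZONE, CHILD_DNSKEYS, PARENT_DS))                                  # bogus
    print(check_alignment(ZONE, CHILD_DNSKEYS, PARENT_DS + [make_ds(ZONE, CURRENT_KSK)]))   # ok
```

The first call reproduces the outage (the only DS in the parent is orphaned, so the zone is bogus); the second shows the repaired state, where the stale DS is still listed for clean-up but no longer breaks validation because a matching DS exists.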
Related Checks in DNS Panopticon
DNSSEC chain checks, multi-resolver comparison, and delegation-health findings in Domain Explorer and Zone Analyzer.
How DNS Panopticon Detects This
- Relevant checks: Delegation integrity, resolver consistency, DNSSEC health, and suspicious record-pattern checks.
- Severity mapping: Informational, medium/high, or critical based on exploitability and user impact.
- Score impact: Reliability and security scoring dimensions are reduced according to blast radius.
- Related findings users will see: NS drift, validation failure, orphaned CNAMEs, wildcard exposure, and policy misconfiguration alerts.
Operator Checklist
- Verify behavior from at least two public resolvers and one resolver inside your own network before making changes.
- Make one change at a time, capture before/after query output, and wait for the old records' TTL to expire (resolvers also cache a SERVFAIL itself for a short time, per RFC 9520) so you can confirm the effect of that change alone.
- Document the root cause and the final fix in your runbook to shorten future incidents.