
Author: Government Digital Service

Last updated: 2025-06-27

CNAME chain ends in NXDOMAIN

Impact: Critical
Common error ID:
internal-cname-chain-nxdomain
hardenize-DNS1001
hardenize-DNS2001
detectify-potential-subdomain-takeover

Why this is a problem

This issue can lead to several critical problems:

  • Service unavailability – the intended resource becomes unreachable, potentially causing service outages.
  • Increased DNS lookup time – each step in the CNAME chain requires an additional DNS query, slowing down the resolution process.
  • Security risks – if the name at the end of the chain can be registered or claimed by someone else (for example an expired domain, or an unclaimed hostname at a hosting provider), an attacker can take over the subdomain and serve their own content under your domain name.
  • Negative user experience – users may encounter errors or long loading times when trying to access the affected resource.

How to check if the problem is still there

Use dig to query the CNAME record for the subdomain.

Example

dig CNAME subdomain.example.gov.uk +short

subdomain.supplier.co.uk

Take the name returned by the previous command and query it for a further CNAME record.

dig CNAME subdomain.supplier.co.uk +short

subdomain.anothersupplier.co.uk

Keep following the CNAME chain until a CNAME query returns nothing. When you reach a name without a CNAME, query it for an A record without `+short`, so that the response status is shown.

dig A subdomain.anothersupplier.co.uk

If the header of the response shows `status: NXDOMAIN` (Non-Existent Domain), that name does not exist and the CNAME pointing at it is the broken link in the chain. Note that with `+short` an NXDOMAIN response prints nothing at all, which is easy to mistake for a successful but empty answer.

You can also check the whole chain in one step: `dig A subdomain.example.gov.uk` asks a recursive resolver to follow the chain for you. The response lists the CNAME records it was able to follow in the ANSWER section, and the header shows `status: NXDOMAIN` if the name at the end of the chain does not exist.

You may also be able to check by visiting the service web page and checking if it responds.
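The following script automates the check above and also carries out the first step of the fix, identifying which CNAME in the chain points at a non-existent name. It is an added example written for this page, not part of the original guidance or of any of the scanning tools listed under the error IDs. It assumes `dig` is installed and parses its default output; the sample responses embedded in it are constructed, and the supplier names in them are the hypothetical ones used on this page.

```python
"""Follow a CNAME chain with dig and report where it breaks.

Added example for this guidance page (not the page's own code). It runs
`dig A <name>` (dig assumed to be installed) and parses the default output:
a recursive resolver follows the whole CNAME chain for a single A query, so
the CNAME records it could follow appear in the ANSWER section and the header
status says whether the name at the end of the chain exists.
"""
import re
import subprocess
import sys

STATUS_RE = re.compile(r"status: ([A-Z]+)")

# Constructed dig output (hypothetical names): a two-step chain whose last
# target does not exist, so the resolver answers NXDOMAIN.
SAMPLE_NXDOMAIN = """\
; <<>> DiG 9.18.1 <<>> A subdomain.example.gov.uk
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;subdomain.example.gov.uk.\tIN\tA

;; ANSWER SECTION:
subdomain.example.gov.uk.\t300\tIN\tCNAME\tsubdomain.supplier.co.uk.
subdomain.supplier.co.uk.\t300\tIN\tCNAME\tsubdomain.anothersupplier.co.uk.

;; AUTHORITY SECTION:
anothersupplier.co.uk.\t900\tIN\tSOA\tns1.anothersupplier.co.uk. hostmaster.anothersupplier.co.uk. 1 7200 900 1209600 300
"""

# Constructed dig output (hypothetical names): a healthy chain ending in an A record.
SAMPLE_NOERROR = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
subdomain.example.gov.uk.\t300\tIN\tCNAME\tsubdomain.supplier.co.uk.
subdomain.supplier.co.uk.\t60\tIN\tA\t203.0.113.10
"""


def parse_dig(output):
    """Return (status, chain) from default dig output.

    chain is a list of (owner, target) pairs for every CNAME record in the
    ANSWER section, in the order dig printed them, with trailing dots removed.
    """
    match = STATUS_RE.search(output)
    status = match.group(1) if match else "UNKNOWN"
    chain = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False  # any other section header ends the answer section
            continue
        if not in_answer or not line.strip():
            continue
        fields = line.split()  # owner TTL class type rdata
        if len(fields) >= 5 and fields[3] == "CNAME":
            chain.append((fields[0].rstrip("."), fields[4].rstrip(".")))
    return status, chain


def broken_link(name, output):
    """Return (owner, missing_target) for the CNAME that points at a name
    which does not exist, or None when the chain resolves.

    With status NXDOMAIN the non-existent name is the target of the last CNAME
    the resolver could follow. If there is no CNAME at all, the queried name
    itself does not exist, reported with owner None.
    """
    status, chain = parse_dig(output)
    if status != "NXDOMAIN":
        return None
    if not chain:
        return (None, name)
    return chain[-1]


def check(name):
    """Query the A record for name with dig and report the dangling CNAME, if any."""
    result = subprocess.run(["dig", "A", name], capture_output=True, text=True, check=True)
    return broken_link(name, result.stdout)


if __name__ == "__main__":
    for hostname in sys.argv[1:]:
        link = check(hostname)
        if link is None:
            print(f"{hostname}: chain resolves")
        else:
            owner, missing = link
            print(f"{hostname}: {owner or hostname} -> {missing} is NXDOMAIN; fix this CNAME")
```

Run it as `python3 cname_check.py subdomain.example.gov.uk`; the record it names is the one to update or remove. Because it relies on the resolver's status rather than on `+short` output, an empty answer is never mistaken for a healthy record.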

How to fix it

Use the following steps:

  • Identify the broken link – determine which CNAME in the chain is pointing to a non-existent domain.
  • Update or remove the faulty record – either update the CNAME to point to a valid domain or remove it if it’s no longer needed.
  • Simplify the CNAME chain – where possible, reduce the number of CNAME records in the chain to improve performance and reduce the risk of future issues.

By addressing this issue promptly, you can ensure the reliability of your DNS infrastructure, improve performance, and mitigate potential security risks associated with broken CNAME chains.

References

https://snapshot.internetx.com/en/dns-cname-records/ 

https://vercara.com/resources/whats-this-nxdomain-dns-query-response-and-why-do-i-have-them

https://activedirectorypro.com/dns-best-practices/

https://github.com/coredns/coredns/issues/4288

https://datatracker.ietf.org/doc/rfc8020/

https://datatracker.ietf.org/doc/draft-ietf-dnsop-nxdomain-cut/00/

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/10-Test_for_Subdomain_Takeover
