DNS RCODE (Response Code)
What it is (Definition)
RCODE is the DNS response code that tells you how a DNS query was handled. When a resolver or authoritative server answers a query, RCODE indicates whether the answer is valid, the name does not exist, the server refused the query, or an error occurred. In practice, RCODE is one of the fastest ways to distinguish “DNS is slow” from “DNS is returning a deliberate negative answer.”
Many user-facing problems (“website down”, “API unreachable”, “login broken”) reduce to a DNS result. RCODE helps identify whether the problem is a real absence (NXDOMAIN), a policy/permission decision (REFUSED), or a server-side problem (SERVFAIL).
Where it appears in the stack
RCODE is part of the DNS message header. You see it in the DNS layer when DNS is carried over UDP/TCP (classic DNS), and in application-level views when DNS is carried over modern transports (DoT/DoH), depending on where you capture.
What RCODE tells you
- Whether the server considered the query valid.
- Whether the name exists (or not).
- Whether the server could complete resolution.
- Whether the server refused due to policy or configuration.
RCODE is not the whole story: you often need to correlate it with the query name/type, flags (RD/RA), and which server answered. But as a first pass, RCODE is “the headline” of the response.
Common values (Value table)
| RCODE | Name | Meaning | Common notes |
|---|---|---|---|
| 0 | NOERROR | Query processed successfully | May still have empty answer section (e.g., NODATA) |
| 2 | SERVFAIL | Server failure while processing | Often upstream resolution failure, DNSSEC issues, or timeouts |
| 3 | NXDOMAIN | Name does not exist | Strong signal of typo, missing record, or split-horizon mismatch |
| 4 | NOTIMP | Not implemented | Server does not support requested operation/type |
| 5 | REFUSED | Server refused the query | Policy decision, ACLs, recursion disabled, or rate limiting |
How it looks in Wireshark
Display filter example:
dns.flags.rcode == 3What you typically see:
- RCODE displayed in the DNS response header details.
- NXDOMAIN responses often paired with SOA in authority section (negative caching behavior).
- SERVFAIL bursts during upstream outages or misconfiguration.
Quick read tip: When debugging “can’t reach a site,” first check whether you are getting NXDOMAIN, SERVFAIL, or no response at all. Those three outcomes point to very different root causes.
Common troubleshooting patterns
NXDOMAIN for a name that “should exist”
NXDOMAIN indicates the server believes the name does not exist. Common causes include typos, missing records, wrong DNS view (split-horizon internal vs external), or querying the wrong resolver. Confirm by comparing the queried name and which server responded.
SERVFAIL spikes after a change
SERVFAIL usually means the resolver could not complete the lookup. This can happen due to upstream timeouts, DNSSEC validation failures, or unreachable authoritative servers. In captures, correlate SERVFAIL with response timing and which resolver generated it.
Related pages (internal links)
- Back to Fields Index
- Dictionary: DNS overview
- Topics Index (DNS timeout analysis — Soon)
- Dictionary Index