Skip to main content
Skip table of contents

3531 - Troubleshooting DNS REFUSED and delegation in NIOS


You are the DNS administrator of a small coffee company. Your company has recently started a new division for Hawaii's Kona Coffee. Before going public, your company is staging servers internally for the time being. The recursive resolver for the company is ADA ( Your main DNS server NS1 ( is authoritative for the internal zone coffee.corp. A delegation has been setup, to delegate the zone to NS2 ( located at the Hawaii branch office. An entry has already been added to NS2 for the new server, However, users are complaining that they are unable to resolve this name. Please analyze the information provided and find the root cause or root causes.

For your reference, this is the diagram drawn by the technical team in the Hawaii branch office:

Estimate Completion Time

  • 30 to 45 minutes






Grid Manager UI




  • None

Course References

  • 3011 - DNS Troubleshooting Methodology


Task 1: Troubleshoot REFUSED error message

User reports that he is unable to resolve a domain name, with a screenshot attached. Please investigate the root cause. (Hint: look at the spelling carefully)

Task 2: Troubleshoot unexpected result

User is still unable to resolve, and provided a new screenshot. Please investigate the root cause.


Task 1 Solution: Troubleshoot REFUSED error message

Root Cause

Misspelled domain name, should be corp not crop.

Detailed Analysis

The REFUSED response code usually is an indication that server has some access control list (ACL) or other mechanism that denies the query. The clue can be seen in the screenshot submitted by the user, there is a line below the header section that reads:

WARNING: recursion requested but not available

To test this, you may execute other queries against NS1 ( to see if it accepts any other domain names, such as  The root cause, however, is because the name was misspelled. The name server NS1 ( is not authoritative for the coffee.crop domain name, and must resolve it using recursion. Since recursion is not enabled, we receive the REFUSED response code.

Task 2 Solution: Troubleshoot unexpected result

Root Cause

Client should not be using authoritative server to resolve delegated domain name. Point to instead.

Detailed Analysis

The response is known as a REFERRAL in DNS, although it is not its own type of return code. This is normal behavior from authoritative name server, in response to a query that asks for a name that has been delegated. The authoritative name server NS1 ( sends back the response that contains the NS record and the glue record, informing the client to query NS2 ( 

At this point the client (desktop) is expected to perform a follow-up iterative query to NS2 (, to "chase down the answer". The proper solution is to introduce a recursive name server for the client to use, to perform all of the iterative queries to chase down the answer on behalf of the client. 

In summary, this is expected behavior when a stub resolver (client) queries the authoritative severs directly. The fix is an architectural change: the client or stub resolver should stop querying authoritative servers directly; client needs to query a intermediary server that has recursion enabled, aka a recursive resolver. In our scenario, the recursive resolver is 

On the desktop, execute the same query, point it to ADA ( instead of NS1 (

dig @ A

This should resolve correctly. For reference, this is the updated network diagram:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.