nevan
Staff
Article Id 418721
Description: This article describes the error message 'DNS_PROBE_FINISHED_NXDOMAIN' in Google Chrome when attempting to access websites.
Scope: FortiGate, Google Chrome.
Solution

While accessing a site or any page of a site, the following error may appear in Google Chrome.

[Image: chrome-dns-error.png, Chrome error page showing DNS_PROBE_FINISHED_NXDOMAIN]

This message indicates a DNS resolution failure: the client's DNS query did not return an IP address for the requested domain, and the server instead answered that the name does not exist. The issue is commonly seen in deployments that use private (internal) DNS servers or that have DNS filtering features enabled.

This can be caused by one or more of the following:

Private DNS server misconfiguration:

  • Missing or incorrect DNS forwarders on the internal DNS server.
  • DNS recursion is disabled or not functioning.
  • DNS server unreachable due to firewall or routing issues.

FortiGate DNS handling:

  • DNS Proxy is enabled with incorrect settings.
  • DNS Filter is blocking certain domains.
  • FortiGate is using DNS servers that are not reachable or not forwarding correctly.

Chrome Secure DNS (DNS over HTTPS):

  • Chrome may use public DNS over HTTPS (DoH), bypassing local DNS servers.
  • Internal domains may fail to resolve if they are not available publicly.

It is also recommended to test with FortiGuard DNS or a public DNS server (e.g., '96.45.45.45' or '8.8.8.8') to bypass the existing DNS servers and check the connection again. From the endpoint, verify which DNS server answers for the domain, and what it returns, with 'nslookup www.example.com'.

The DNS proxy debug output on the FortiGate can also help to identify the root cause.

CLI:

diagnose debug reset
diagnose debug application dnsproxy -1
diagnose debug console timestamp enable
diagnose debug enable

To disable:

diagnose debug disable
diagnose debug reset

Packet Sniffer:

diagnose sniffer packet any "host x.x.x.x and host y.y.y.y and port 53" 6 0 a

Here 'x.x.x.x' is the client IP and 'y.y.y.y' is the DNS server IP. In the captured packets, look at the 'Domain Name System (response)' section for the flag 'Standard query response, No such name' (reply code 3); this is the NXDOMAIN result that Chrome reports as DNS_PROBE_FINISHED_NXDOMAIN.

Example Output:

Flags: 0x8183 Standard query response, No such name
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... 1... .... = Recursion available: Server can do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...0 .... = Non-authenticated data: Unacceptable
.... .... .... 0011 = Reply code: No such name (3)
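The dissection above is just the 16-bit flags word 0x8183 split into its fields. The following script is an added illustration, not Fortinet code or part of the original article: it decodes a DNS flags word into the same fields, parses the header and question name of a raw DNS reply, and lists the names that came back with reply code 3 (NXDOMAIN). The sample replies are constructed in the script (hypothetical names under example.com and example.net, transaction ID 0x1234) rather than taken from a real capture, so it runs offline; a practitioner could feed it the UDP payloads from a sniffer capture instead.

```python
"""Decode DNS header flags and classify DNS responses by RCODE.

Added illustration (not Fortinet code). Sample packets are constructed
in-process, not taken from a capture.
"""
import struct

# RCODE values from RFC 1035 section 4.1.1; 3 is NXDOMAIN ("No such name")
RCODE_NAMES = {0: "No error", 1: "Format error", 2: "Server failure",
               3: "No such name", 4: "Not implemented", 5: "Refused"}


def decode_flags(flags):
    """Split the 16-bit DNS flags word into its named fields."""
    return {
        "response": bool(flags & 0x8000),             # QR
        "opcode": (flags >> 11) & 0x0F,
        "authoritative": bool(flags & 0x0400),        # AA
        "truncated": bool(flags & 0x0200),            # TC
        "recursion_desired": bool(flags & 0x0100),    # RD
        "recursion_available": bool(flags & 0x0080),  # RA
        "z": bool(flags & 0x0040),
        "authenticated_data": bool(flags & 0x0020),   # AD
        "checking_disabled": bool(flags & 0x0010),    # CD
        "rcode": flags & 0x000F,
    }


def describe_flags(flags):
    """One-line summary in the style of the dissector output above."""
    f = decode_flags(flags)
    kind = "Standard query response" if f["response"] else "Standard query"
    rcode = RCODE_NAMES.get(f["rcode"], "Unknown")
    return f"Flags: 0x{flags:04x} {kind}, {rcode} ({f['rcode']})"


def encode_name(qname):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, rcode, txn_id=0x1234):
    """Constructed minimal DNS reply: header plus question, no answers.

    Flags are QR|RD|RA with the given RCODE, i.e. 0x8180 | rcode, so
    rcode 3 yields the 0x8183 seen in the capture above."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180 | rcode, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN


def parse_response(packet):
    """Read the header and the first question name from a raw DNS message."""
    if len(packet) < 12:
        raise ValueError("too short for a DNS header")
    txn_id, flags, qdcount = struct.unpack("!HHH", packet[:6])
    info = decode_flags(flags)
    labels, pos = [], 12
    while qdcount:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            # Question names are sent uncompressed; pointers are not expected here.
            raise ValueError("compressed name in question section not supported")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    info.update(id=txn_id, qname=".".join(labels), qdcount=qdcount)
    return info


def find_nxdomain(packets):
    """Names whose reply carried RCODE 3, the condition Chrome reports as
    DNS_PROBE_FINISHED_NXDOMAIN."""
    parsed = (parse_response(p) for p in packets)
    return [p["qname"] for p in parsed if p["response"] and p["rcode"] == 3]


if __name__ == "__main__":
    print(describe_flags(0x8183))
    # Constructed sample: two internal-looking names that fail, one that resolves.
    sample = [build_response("www.example.com", 3),
              build_response("intranet.corp.example.net", 3),
              build_response("www.example.net", 0)]
    print(find_nxdomain(sample))
```

When triaging a real capture, run the UDP payloads of the port-53 replies through find_nxdomain: names that appear there but resolve correctly against a public resolver point at the forwarder, recursion or DNS Filter causes listed earlier, while names that fail everywhere are simply not published.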


Related article:
Technical Tip: FortiGate Troubleshooting DNS commands