REFUSED — DNS Query Refused — What It Means & How to Fix It

What Does This Error Mean?

REFUSED is a DNS response code meaning the DNS server received your query but deliberately refused to process it. Unlike SERVFAIL (an internal error) or NXDOMAIN (domain not found), REFUSED means the server is working fine — it just decided not to answer your question. This is usually a policy decision: the server is not configured to respond to requests from your IP address, or it has been told to block the domain you queried.

Affected Models

Windows
macOS
Linux
Android
iOS
All internet-connected devices
Network administrators

Common Causes

The DNS server has access control rules that prevent it from answering queries from your IP address
You are querying a private or corporate DNS server that only accepts queries from authorised networks
A DNS filtering service (like parental controls or corporate policy) has blocked the domain
Your DNS settings accidentally point to an authoritative DNS server rather than a recursive resolver
A firewall rule is blocking your DNS query before it reaches the server

How to Fix It

Switch to a public DNS server. Set your DNS to 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare). Public resolvers accept queries from everyone and will not return REFUSED for normal requests.

This is the fastest fix. Public DNS servers are open resolvers — they will answer your queries.
Check if parental controls or DNS filtering is active on your router. Log in to your router's admin page (usually 192.168.1.1 or 192.168.0.1) and look for content filtering, parental controls, or DNS blocking settings.

Many modern routers and ISPs offer DNS-level content filtering that can block specific domains.
Flush your DNS cache after switching DNS servers. Run ipconfig /flushdns on Windows or sudo dscacheutil -flushcache on Mac.

This ensures your device uses the new DNS server for all lookups.
Try using a VPN to route your DNS queries through a different network path. If the REFUSED is from a network-level block, a VPN may bypass it.

Keep in mind that some networks also block VPN traffic.
If you are a network administrator getting REFUSED on your own DNS server, check your named.conf or resolver configuration for allow-query and allow-recursion directives. Make sure client IP ranges are listed.

A common misconfiguration is allow-recursion being set to only localhost, blocking all external queries.

When to Call a Professional

If REFUSED started happening on a corporate or school network, contact your IT department. If you manage your own DNS server and see this error, check your server's access control list (ACL) to ensure your client IP ranges are allowed to query the server.

Frequently Asked Questions

What is the difference between REFUSED and SERVFAIL?

SERVFAIL means the DNS server tried to process your query but failed due to an internal error. REFUSED means the server did not even try — it rejected your query based on a policy or access control rule. REFUSED is intentional. SERVFAIL is an unintended failure.

Can REFUSED mean a domain is blocked?

Yes. Some DNS filtering systems return REFUSED instead of NXDOMAIN when blocking a domain. This is particularly common with corporate DNS servers, school networks, and some parental control systems. If you suspect a block, switch to an external DNS server to test.

Is it safe to query public DNS servers?

For general browsing, yes. Google (8.8.8.8) and Cloudflare (1.1.1.1) are both reliable and privacy-conscious. Cloudflare in particular has a strong privacy policy — they do not sell your query data. For corporate or sensitive environments, using your own internal DNS server is usually better for security.