How can you detect NXDOMAIN and other DNS failure responses?

Prepare for the Wireshark Traffic Analysis Exam. Study with flashcards and multiple choice questions, each question includes hints and explanations. Ace your exam!

Multiple Choice

How can you detect NXDOMAIN and other DNS failure responses?

Explanation:
Understanding DNS failure indicators in Wireshark comes down to the DNS response code (rcode) in the DNS header. When a DNS query is answered, the server includes an rcode that signals the result of the resolution. NXDOMAIN means the domain name does not exist in the DNS namespace, while SERVFAIL indicates the DNS server failed to process the request (often due to internal issues or upstream problems). In Wireshark, you can see this clearly in the DNS section of a captured packet—the rcode field shows NXDOMAIN or SERVFAIL, and you can filter the capture to display only such responses.

This approach is the most direct way to detect DNS failures. Other options don’t indicate DNS failure specifically: HTTP 5xx responses belong to the HTTP layer, not DNS; TCP zero window probes are a TCP-level condition unrelated to DNS resolution results; UDP length errors point to transport or fragmentation issues rather than the DNS resolution outcome.
