sfw/fix
ERR_ICANN_NAME_COLLISION medium

ERR_ICANN_NAME_COLLISION (127.0.53.53)

A hostname you expected to be internal resolved to the ICANN collision signal 127.0.53.53, so Chrome blocked it.

What you see

This site can't be reached
The webpage at http://hostname/ might be temporarily down or it may have moved permanently to a new web address.
ERR_ICANN_NAME_COLLISION

What’s actually happening

A short intranet name like `http://crm/` or `http://intranet/` that used to work suddenly fails, often right after a new gTLD got delegated or a network change. The resolved address is 127.0.53.53, a loopback IP ICANN reserved specifically as a tripwire. Chrome detects that address and refuses to connect, since loading the public site instead of your internal one could leak credentials. The page never reaches a real server.

Common causes

  • A bare single-label hostname (`crm`, `wiki`) that DNS search-suffix logic expanded into a now-public TLD
  • A formerly private TLD (e.g. `.dev`, `.app`, `.corp`-style names) becoming a real delegated gTLD that returns the collision signal
  • A proxy auto-config (PAC) or VPN that resolves internal names against public DNS when off-network
  • A hosts-file or split-horizon misconfiguration so the internal zone isn't authoritative for that name
  • A captive/upstream resolver returning 127.0.53.53 for names it considers colliding

How to fix it

  1. Use the fully qualified internal nameStop typing the short label. Use the FQDN your internal DNS is authoritative for, e.g. `http://crm.corp.example.com/` instead of `http://crm/`. This bypasses search-suffix expansion into public DNS entirely.
  2. Fix the DNS search suffix / split-horizon zoneOn the resolver or DHCP scope, set the correct search domain so single-label names resolve internally. If you run split-horizon DNS, confirm the internal view is authoritative and returns the right A record, not a forwarded public answer.
  3. Verify what the name actually resolves toRun `nslookup crm` or `dig +short crm.`. If you see 127.0.53.53 you've confirmed a collision; trace which resolver returned it via `dig @<resolver-ip> crm`.
  4. Add an explicit hosts entry as a stopgapMap the name to the real internal IP in `/etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts`), e.g. `10.20.0.15 crm`. This is a per-machine patch, not a fleet fix.
  5. Rename internal namespaces off public TLDsLong term, move internal services to a domain you actually own (a real subdomain) and retire reserved/ambiguous names like `.corp`, `.home`, or bare labels that collide with delegated gTLDs.

Stop it recurring

Use fully qualified names under a domain you own for internal services; never rely on bare labels or made-up TLDs.

Related errors

DNS_PROBE_FINISHED_BAD_RESPONSE

medium

A DNS server answered the query, but the reply was malformed or unexpected, so Chrome discarded it and the page failed.

Safari "Can't Find the Server"

medium

Safari couldn't resolve the domain to an IP address — its plain-language equivalent of NXDOMAIN or name-not-resolved.

DNS_PROBE_FINISHED_NXDOMAIN

critical

NXDOMAIN means the domain name couldn’t be resolved to an IP — the browser literally can’t find your server.

DNS Server Not Responding

medium

Your OS can't reach the resolver it's configured to use, so no lookups complete at all.