sfw/fix
InvalidDNSError high

GitHub Pages “InvalidDNSError” (Custom Domain)

GitHub Pages can’t retrieve your custom domain’s DNS records because the apex A or www CNAME doesn’t point at GitHub.

What you see

InvalidDNSError
Your site's DNS settings are using a custom subdomain, your-domain.com,
that's set up as an apex domain. Domain's DNS record could not be retrieved.

What’s actually happening

The custom domain box under Settings > Pages shows a red error instead of a green check. Pages either serves the old *.github.io content, 404s, or refuses to issue the Let’s Encrypt cert so “Enforce HTTPS” stays greyed out. The error sticks even after you re-save the domain, because GitHub is reading live DNS and not finding its own records.

Common causes

  • Apex domain isn’t using A records to 185.199.108.153, 185.199.109.153, 185.199.110.153, 185.199.111.153 (or an ALIAS/ANAME to <user>.github.io on providers that support it).
  • www points to the wrong place — should be CNAME www <user>.github.io, not the repo URL or an A record.
  • The CNAME file in the repo is missing, misspelled, or has no trailing newline, so GitHub and the DNS disagree on the domain.
  • Two A records and a CNAME both set on the apex, or a stale A record from a prior host, leaving conflicting answers.
  • DNS changes haven’t propagated — GitHub says changes can take up to 24 hours.

How to fix it

  1. Set the four apex A recordsAt your DNS provider create four A records on @ pointing to 185.199.108.153, 185.199.109.153, 185.199.110.153, and 185.199.111.153. If your provider does CNAME flattening (Cloudflare) you can ALIAS/ANAME the apex to <user>.github.io instead, but the four A records are the documented path.
  2. Point www with a CNAME, not an A recordAdd CNAME www <user>.github.io (your GitHub username or org, no repo name, trailing dot if the provider wants an FQDN). Verify with dig +noall +answer www.example.com — it should chain to github.io and then the 185.199.x IPs.
  3. Fix the CNAME file in the repoThe repo root (or the Pages source branch) must contain a file named CNAME with one line — your domain — and a trailing newline. A missing newline or a stray https:// here is a classic cause. Re-saving the domain in Settings > Pages rewrites this file correctly.
  4. Remove conflicting recordsDelete any old apex A records from a previous host and any AAAA/CNAME that collide with the GitHub records. Don’t keep both a CNAME and A records on the apex.
  5. Re-run the DNS check and enforce HTTPSConfirm propagation with dig and dnschecker.org, then in Settings > Pages remove and re-add the domain to force GitHub to recheck. Once it goes green, tick Enforce HTTPS — the cert can take up to an hour to provision.

Stop it recurring

Enable “Verify domain” under your account’s Pages settings (the TXT _github-pages-challenge record) so the domain can’t be hijacked and GitHub trusts it before you flip the A records.

Related errors

Vercel “Invalid Configuration” (Custom Domain)

high

Vercel marks a custom domain “Invalid Configuration” when its DNS records don’t point at Vercel’s required A or CNAME targets.

curl: (6) Could Not Resolve Host / Temporary Failure in Name Resolution

high

curl, wget, or a cron job can’t turn a hostname into an IP because the box has no working DNS resolver.

DNS_PROBE_FINISHED_NXDOMAIN

critical

NXDOMAIN means the domain name couldn’t be resolved to an IP — the browser literally can’t find your server.

DNS Server Not Responding

medium

Your OS can't reach the resolver it's configured to use, so no lookups complete at all.