Awaiting External DNS high
Netlify "Awaiting External DNS" / DNS Verification Failed
Netlify can't confirm your custom domain points at it, so it stalls and won't issue the Let's Encrypt certificate.
What you see
Awaiting External DNS
Check DNS configuration
Your site doesn't have a valid certificate because DNS verification failed.
What’s actually happening
The domain sits in 'Awaiting External DNS' in the Netlify dashboard and never goes green. Because verification is stuck, the Let's Encrypt cert never provisions, so browsers throw cert errors (ERR_TLS_CERT_ALTNAME_INVALID / ERR_CERT_COMMON_NAME_INVALID) while Netlify keeps serving the default `*.netlify.app` cert. The site may resolve but show the wrong certificate. Provisioning can hang for hours or days until DNS is correct and caches expire.
Common causes
- A/AAAA or CNAME records point somewhere other than Netlify (old host or wrong load-balancer IP)
- An unexpired TTL keeps resolvers handing back the previous records
- An inactive Netlify DNS zone (you delegated NS to Netlify but the zone never went active)
- Traffic still routed through another proxy like Cloudflare, masking the real origin from Netlify's check
- Apex domain using a CNAME where the registrar doesn't support CNAME flattening, so the record is ignored
How to fix it
- Set the records Netlify actually expects: For the apex, use Netlify's load balancer A record `75.2.60.5`; for `www` or subdomains, CNAME to `<your-site>.netlify.app`. If you use Netlify DNS, delegate the registrar's nameservers to the dns1-4.p0X.nsone.net values Netlify shows.
- Verify what's live, not what you typed: Run `dig +short yourdomain.com` and `dig +short www.yourdomain.com` against a public resolver. Confirm the answer is Netlify's IP/target and nothing else. Old A records are the most common cause.
- Turn off the competing proxy: If the domain is behind Cloudflare, set the record to DNS-only (grey cloud) or remove it. While another proxy answers, Netlify's HTTP-01 validation can't reach the domain and verification fails.
- Wait for the TTL, then re-trigger: Old records cache for their full TTL. After it expires, go to Domain settings -> HTTPS and click 'Verify DNS configuration' / 'Renew certificate' to force a fresh check.
- Activate or fix the Netlify DNS zone: If using Netlify DNS, confirm the zone shows active and the registrar's NS records match Netlify's exactly. An inactive zone blocks automatic Let's Encrypt issuance even when records look right.
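The "verify what's live" and "wait for the TTL" steps can be scripted. The following is an added example, not code from the original page or from Netlify: it reads `dig +noall +answer` output, flags any record that does not match the targets named above, and reports the longest TTL still attached to a stale record. The function name `audit_answers`, the domain `example.com`, the site name `your-site` and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Netlify tooling): audit `dig +noall +answer` output
# against the targets this page names.
NETLIFY_APEX_IP="75.2.60.5"   # apex A record given on this page

# audit_answers NAME KIND   (dig answer lines on stdin; KIND is apex or sub)
# Prints "ok", "empty", or "stale wait=<s>", where <s> is the largest TTL
# still attached to a record that does not point at Netlify.
# Assumption: at the apex only the A record above counts as correct, so an
# AAAA record or any other A value is reported as stale.
audit_answers() {
    awk -v name="$1." -v kind="$2" -v ip="$NETLIFY_APEX_IP" '
        tolower($1) != tolower(name) { next }   # skip records owned by the CNAME target
        { seen = 1; good = 0 }
        kind == "apex" && $4 == "A" && $5 == ip { good = 1 }
        kind == "sub" && $4 == "CNAME" && tolower($5) ~ /.\.netlify\.app\.$/ { good = 1 }
        !good { bad = 1; if ($2 + 0 > maxttl) maxttl = $2 + 0 }
        END {
            if (!seen) print "empty"
            else if (bad) print "stale wait=" (maxttl + 0)
            else print "ok"
        }'
}

# Constructed sample: the apex still carries an old host's A record
# (203.0.113.10 is a documentation address).
sample_apex() {
    printf '%s\n' \
        'example.com. 300 IN A 75.2.60.5' \
        'example.com. 3600 IN A 203.0.113.10'
}

# Constructed sample: www correctly CNAMEs to a placeholder site name.
sample_www() {
    printf '%s\n' \
        'www.example.com. 300 IN CNAME your-site.netlify.app.' \
        'your-site.netlify.app. 20 IN A 198.51.100.7'
}

sample_apex | audit_answers example.com apex      # stale wait=3600
sample_www  | audit_answers www.example.com sub   # ok

# Live use against a public resolver:
#   dig +noall +answer example.com A @1.1.1.1 | audit_answers example.com apex
```

When queried through a recursive resolver, the TTL column is the time left in that resolver's cache, so `wait=` is how long that resolver will keep returning the stale record.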
Stop it recurring
Drop record TTLs to 300s before migrating, point DNS at Netlify's documented targets, and remove any other proxy first.