RunbooksImages / domain not resolving

Runbook — Images / domain not resolving

First written after the 2026-06-29 hellobellocdn.com outage, when all CDN images stopped loading because the domain’s registration had lapsed.

Symptom

  • All (or many) images on the site fail to load — broken-image icons everywhere.
  • Or: an entire domain/feature is unreachable.
  • In the browser console / network tab, image requests fail at the connection stage, not with a 404 from the server.

How to confirm (in order)

  1. Resolve the host the broken assets point at. Get the real hostname from the failing <img> src/srcset — for images that’s hellobellocdn.com and/or media.hellobellocdn.com.

    dig +noall +comments <host> A | grep -o 'status: [A-Z]*'
dig +short <host> A
    • status: NOERROR + IPs returned → DNS is fine; problem is elsewhere (origin, Cloudflare config).
    • status: NXDOMAIN + no IPs → the domain isn’t in DNS at all. Go to step 2.

  2. Check the registration / domain status with WHOIS:

    whois <domain> | grep -iE "status:|expir|name server"

    Look for:

    • clientHold → the registrar has pulled the domain from DNS (this is the NXDOMAIN cause).
    • A registration/expiration date in the recent past → a lapsed renewal.
⚠️

Don’t get distracted by the URL path or cdn-cgi/image params — if the host is NXDOMAIN, the path is irrelevant. The truncated URL and the full URL fail identically. The failure is at the domain level, upstream of everything.

Root cause (the 2026-06-29 case)

hellobellocdn.com is registered at Squarespace (not GoDaddy like our other domains — see Domains). Its registration lapsed on 2026-06-26; Squarespace applied clientHold, which removes the domain from DNS → NXDOMAIN → every image host on that domain (resizer and origin) became unreachable.

Fix

  1. Identify the registrar from Domains (here: Squarespace) — not where DNS is hosted (Cloudflare). They’re different accounts.

  2. Log into that registrar and renew / settle payment to clear clientHold.

  3. Once the hold clears, the domain’s nameservers (henry/linda.ns.cloudflare.com) serve the zone again. Re-check:

    dig +short hellobellocdn.com A   # expect Cloudflare IPs (104.26.x / 172.67.x)

  4. DNS recovers within minutes; a hard refresh clears any stale negative-DNS / broken-image cache in the browser.

Prevention

  • Turn on auto-renew for the domain and confirm the card on file is current (Subscriptions).
  • Make sure the domain is listed in Domains with its renewal date so it’s on the radar before it lapses.
  • When the company card changes, run the Company card changed checklist — domains included.
OverviewCompany card changed