Custom domain yonstudent.com returns 421 "Forbidden host" — edge routing stuck

Hi Vercel team,

Project: vize-danismanlik (team: maiieriks-projects)

Custom domains: yonstudent.com + www.yonstudent.com

Latest production deployment URL: https://vize-danismanlik-h6zv6x16t-maiieriks-projects.vercel.app

Both custom domains consistently return HTTP 421 with body “Forbidden host” from all regions. The canonical project URL (vize-danismanlik-ecru.vercel.app) works correctly.

What I verified:

  • vercel domains inspect yonstudent.com → verified: true, assigned to vize-danismanlik project

  • API GET /v9/projects/{projectId}/domains → returns both domains as verified

  • DNS resolves to Vercel anycast IPs (216.198.79.65, 64.29.17.1) via Google + Cloudflare resolvers

  • NS migrated to ns1.vercel-dns.com / ns2.vercel-dns.com (also resolves correctly)

  • SSL certificate active (Let’s Encrypt CN=yonstudent.com)

  • Latest production deployment aliased to both domains (vercel alias ls confirms)

  • No firewall rules configured (GET /v1/security/firewall/config returns no active rules)

  • Multiple fresh production deploys triggered — no change

What I tried:

1. vercel domains rm + re-add (blocked because using Vercel NS)

2. vercel alias set on latest deployment (success, but 421 persists)

3. vercel deploy --prod --force (success, but 421 persists)

4. Updated NEXT_PUBLIC_SITE_URL env to https://yonstudent.com

5. Waited 1+ hours after NS migration

The “Forbidden host” body comes from the Vercel edge — Next.js itself never emits this string. This suggests the edge routing table didn’t pick up the project binding after NS migration + multiple alias rebinds.

Please force an edge config refresh for these domains or advise next steps. Customer delivery is scheduled and the canonical URL works, but the custom domain is required.

Thanks.

The domain troubleshooting guide can help with most custom domain configuration issues. You might be able to use that guide to solve it before a human is available to help you. Then you can come back here and share the answer for bonus points.

You can also use v0 to narrow down the possibilities.

Update: Disabled ssoProtection via API (was all_except_custom_domains) — direct deployment URLs now serve normally (200), confirming SSO change took effect. yonstudent.com still returns 421 from edge despite this, so SSO was not the cause. The custom domain → project routing in your edge tables appears stale or stuck.

Hi Maiierik,

Based on what you’ve already checked, I’d try to prove whether this is still DNS propagation or whether the hostname binding at the edge is the failing part.

These tests should help separate that:

curl -I https://yonstudent.com
curl -I https://www.yonstudent.com

curl -I --resolve yonstudent.com:443:216.198.79.65 https://yonstudent.com/
curl -I --resolve www.yonstudent.com:443:216.198.79.65 https://www.yonstudent.com/

dig NS yonstudent.com +short
dig A yonstudent.com +short
dig CNAME www.yonstudent.com +short

If the normal curl and the --resolve version both return the same 421 Forbidden host, that mostly rules out public DNS propagation and points more toward the custom hostname not being matched to the project at Vercel’s edge.

I’d also make sure both yonstudent.com and www.yonstudent.com are explicitly added to the same Vercel project/environment, rather than relying on an automatic redirect between apex and www. Vercel usually handles that redirect after the domain is configured, but for debugging I’d want both hostnames present and valid in the project’s Domains page.

If you reply with the response headers from one failing curl -I request, especially x-vercel-id, plus whether the --resolve test also returns 421, that should give staff/community members a much clearer signal that DNS is no longer the issue.
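
The comparison proposed in the reply above, as an added shell example that is not part of the thread: it reads two `curl -I` captures (system DNS and pinned `--resolve` IP), extracts the status and `x-vercel-id`, and reports what the pair suggests. The sample captures, the placeholder `x-vercel-id` value and the verdict labels are constructed; only the "both return 421" case comes from the reply, the other branches are assumptions that extend it.

```sh
#!/bin/sh
# Added example: compare a `curl -I` capture taken via system DNS with one
# taken via a pinned --resolve IP, and say what the pair suggests.

# Status code of the last response found in a header capture on stdin.
status_of() {
  tr -d '\r' | awk '/^HTTP\// { code = $2 } END { print code }'
}

# Value of one header (case-insensitive name in $1) from a capture on stdin.
header_of() {
  tr -d '\r' | awk -v want="$1" '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == tolower(want)) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
    }
  }'
}

# $1 = capture via system DNS, $2 = capture via --resolve. Verdict labels are
# this example's own; only the "both 421" case is stated in the thread.
classify() (
  normal=$(printf '%s' "$1" | status_of)
  pinned=$(printf '%s' "$2" | status_of)
  if [ -z "$normal" ] || [ -z "$pinned" ]; then
    echo "inconclusive"              # a request produced no HTTP response
  elif [ "$normal" = 421 ] && [ "$pinned" = 421 ]; then
    echo "edge-binding-suspected"    # same 421 both ways: DNS mostly ruled out
  elif [ "$normal" != "$pinned" ]; then
    echo "dns-or-ip-dependent"       # result changes with the IP reached
  else
    echo "not-reproduced"
  fi
)

# Constructed captures (not output from the thread); x-vercel-id is a placeholder.
sample_421() { printf 'HTTP/2 421 \r\nserver: Vercel\r\nx-vercel-id: fra1::constructed-placeholder\r\n\r\n'; }
sample_200() { printf 'HTTP/2 200 \r\nserver: Vercel\r\nx-vercel-id: fra1::constructed-placeholder\r\n\r\n'; }

# Real use: normal=$(curl -sI https://yonstudent.com/)
#           pinned=$(curl -sI --resolve yonstudent.com:443:216.198.79.65 https://yonstudent.com/)
normal=$(sample_421); pinned=$(sample_421)
printf 'verdict=%s x-vercel-id=%s\n' \
  "$(classify "$normal" "$pinned")" "$(printf '%s' "$normal" | header_of x-vercel-id)"
```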