523 Origin Is Unreachable

Cloudflare-specific error when the origin server's IP address is unreachable. Learn about DNS and routing issues causing 523 errors.

TL;DR: Cloudflare can’t reach your origin server’s IP address due to DNS or routing issues. Verify your DNS records point to the correct public IP.

What is 523 Origin Is Unreachable?

A 523 Origin Is Unreachable is a Cloudflare-specific status code that indicates Cloudflare cannot reach your origin server because the IP address cannot be resolved or routed to. Think of it like trying to mail a letter to an address that doesn’t exist—the postal service can’t deliver it because the destination is unreachable.

This error typically occurs due to DNS resolution failures, incorrect network routing, or infrastructure configuration issues.

When Does This Happen?

You’ll see a 523 Origin Is Unreachable error in these situations:

**1. DNS Resolution Failure**

```text
Cloudflare tries to resolve origin hostname
→ DNS query fails or returns no IP
→ Can't determine where to connect
→ Returns 523
```

**2. Incorrect Origin IP Configuration**

```text
Cloudflare DNS points to non-existent IP
→ IP address doesn't route anywhere
→ Network unreachable
→ 523 error
```

**3. Origin Behind Unreachable Network**

```text
Origin IP is in private range (10.x, 192.168.x)
→ Not publicly routable
→ Cloudflare can't reach it
→ Returns 523
```

**4. Network Routing Issues**

```text
BGP routing problems
→ IP prefix not announced
→ No path to origin network
→ 523 unreachable
```

**5. Recently Changed DNS**

```text
DNS records just updated
→ Not yet propagated to all resolvers
→ Some Cloudflare edges can't resolve
→ Temporary 523 errors
```

Example Responses

**Basic 523 Response:**

```http
HTTP/1.1 523 Origin Is Unreachable
Server: cloudflare
Date: Sat, 18 Jan 2026 10:00:00 GMT
Content-Type: text/html
CF-RAY: 7d1234567890abcd-LAX

<!DOCTYPE html>
<html>
<head>
  <title>523: Origin is unreachable</title>
</head>
<body>
  <h1>Origin is unreachable</h1>
  <p>Cloudflare cannot reach the origin server.</p>
  <p>Ray ID: 7d1234567890abcd</p>
</body>
</html>
```

**Detailed Cloudflare Error Page:**

```http
HTTP/1.1 523 Origin Is Unreachable
Server: cloudflare
CF-RAY: 7d1234567890abcd-SJC
CF-Cache-Status: DYNAMIC
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Error 523 - Origin is unreachable</title>
  <style>
    body {
      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
      max-width: 900px;
      margin: 50px auto;
      padding: 20px;
      line-height: 1.6;
      color: #333;
    }
    .error-code {
      font-size: 80px;
      color: #dc3545;
      font-weight: bold;
      margin: 20px 0;
    }
    .alert {
      background: #fff3cd;
      border-left: 4px solid #ffc107;
      padding: 20px;
      margin: 20px 0;
    }
    .info-box {
      background: #f8f9fa;
      padding: 20px;
      border-radius: 5px;
      margin: 20px 0;
    }
    .ray-id {
      background: #212529;
      color: #fff;
      padding: 15px;
      font-family: 'Courier New', monospace;
      margin: 20px 0;
      border-radius: 3px;
    }
    code {
      background: #e9ecef;
      padding: 2px 6px;
      border-radius: 3px;
      font-family: 'Courier New', monospace;
    }
  </style>
</head>
<body>
  <div class="error-code">523</div>
  <h1>Origin is unreachable</h1>

  <p>Cloudflare was unable to reach your origin server. This means the IP address
  configured in your DNS settings cannot be contacted or routed to.</p>

  <div class="alert">
    <h2>⚠️ What happened?</h2>
    <p>Cloudflare attempted to contact your origin server at the IP address specified
    in your DNS records, but that IP address is unreachable. This is different from a
    timeout—the IP address cannot be reached at all.</p>
  </div>

  <div class="info-box">
    <h2>Common Causes:</h2>
    <ol>
      <li>
        <strong>DNS resolution failure</strong>
        <ul>
          <li>Your origin hostname cannot be resolved to an IP address</li>
          <li>DNS AAAA record exists but IPv6 is not configured</li>
        </ul>
      </li>
      <li>
        <strong>Incorrect origin IP address</strong>
        <ul>
          <li>The A/AAAA record points to the wrong IP</li>
          <li>IP address is in a private range (10.x.x.x, 192.168.x.x, 172.16-31.x.x)</li>
          <li>IP address doesn't exist or is not assigned to any server</li>
        </ul>
      </li>
      <li>
        <strong>Network routing issues</strong>
        <ul>
          <li>BGP routing problems preventing access to the IP</li>
          <li>Origin's hosting provider has network issues</li>
          <li>IP prefix not announced to the internet</li>
        </ul>
      </li>
      <li>
        <strong>Recent DNS changes</strong>
        <ul>
          <li>You just updated DNS and it hasn't propagated yet</li>
          <li>DNS records were deleted or misconfigured</li>
        </ul>
      </li>
    </ol>
  </div>

  <div class="info-box">
    <h2>What can I do?</h2>

    <p><strong>If you're a visitor:</strong></p>
    <ul>
      <li>Wait a few minutes and try again (may be temporary DNS propagation)</li>
      <li>Contact the website owner if the problem persists</li>
    </ul>

    <p><strong>If you're the website owner:</strong></p>
    <ol>
      <li>
        <strong>Verify your DNS records in Cloudflare:</strong>
        <ul>
          <li>Log into Cloudflare Dashboard → DNS</li>
          <li>Check that A/AAAA records point to correct public IP</li>
          <li>Ensure IP is not a private address (10.x, 192.168.x, 172.16-31.x)</li>
        </ul>
      </li>
      <li>
        <strong>Test DNS resolution:</strong>
        <ul>
          <li>Run: <code>dig your-domain.com</code></li>
          <li>Run: <code>nslookup your-domain.com</code></li>
          <li>Verify the returned IP is correct and public</li>
        </ul>
      </li>
      <li>
        <strong>Verify origin IP is reachable:</strong>
        <ul>
          <li>Run: <code>ping your-origin-ip</code></li>
          <li>Run: <code>traceroute your-origin-ip</code></li>
          <li>Check if IP responds from outside your network</li>
        </ul>
      </li>
      <li>
        <strong>Check for recent changes:</strong>
        <ul>
          <li>Did you recently change DNS records?</li>
          <li>Did your hosting provider change your IP?</li>
          <li>Wait 5-10 minutes for DNS propagation</li>
        </ul>
      </li>
      <li>
        <strong>Disable IPv6 if not configured:</strong>
        <ul>
          <li>If you have AAAA record but no IPv6 support, remove it</li>
          <li>Cloudflare will try IPv6 first if AAAA exists</li>
        </ul>
      </li>
    </ol>
  </div>

  <div class="ray-id">
    Cloudflare Ray ID: 7d1234567890abcd<br>
    Your IP: 203.0.113.42<br>
    Timestamp: 2026-01-18 10:00:00 UTC<br>
    Data Center: LAX (Los Angeles)
  </div>

  <div>
    <p>
      <a href="https://www.cloudflare.com/5xx-error-landing">Learn more about Cloudflare errors</a> |
      <a href="https://community.cloudflare.com">Cloudflare Community</a> |
      <a href="https://dash.cloudflare.com">Cloudflare Dashboard</a>
    </p>
  </div>
</body>
</html>
```

Real-World Example

Imagine you recently migrated your website to a new server but misconfigured the DNS:

**Client Request:**

```http
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0...
```

**Cloudflare Attempts to Resolve Origin:**

```text
[10:00:00] Cloudflare receives request for www.example.com
[10:00:00] Looking up origin IP from Cloudflare DNS settings
[10:00:00] Found A record: 192.168.1.100 (PRIVATE IP!)
[10:00:00] Attempting to route to 192.168.1.100
[10:00:01] Network unreachable - private IP address
[10:00:01] Cannot establish route to destination
```

**Cloudflare Returns 523:**

```http
HTTP/1.1 523 Origin Is Unreachable
Server: cloudflare
Date: Sat, 18 Jan 2026 10:00:01 GMT
Content-Type: text/html; charset=UTF-8
CF-RAY: 7d1234567890abcd-LAX

<!DOCTYPE html>
<html>
<head><title>523: Origin Is Unreachable</title></head>
<body>
  <h1>Error 523: Origin Is Unreachable</h1>

  <p>Cloudflare cannot reach your origin server's IP address.</p>

  <div class="diagnosis">
    <h2>🔍 Diagnosis</h2>
    <dl>
      <dt>Domain:</dt>
      <dd>www.example.com</dd>

      <dt>Origin IP (from DNS):</dt>
      <dd>192.168.1.100</dd>

      <dt>Problem:</dt>
      <dd>⚠️ This is a private IP address (RFC 1918)</dd>

      <dt>Explanation:</dt>
      <dd>Private IP addresses (10.x.x.x, 192.168.x.x, 172.16-31.x.x) are not
      routable on the public internet. Cloudflare cannot connect to private IPs.</dd>
    </dl>
  </div>

  <div class="solution">
    <h2>✅ Solution</h2>
    <ol>
      <li>Log into Cloudflare Dashboard</li>
      <li>Navigate to DNS settings</li>
      <li>Update A record to your server's <strong>public IP address</strong></li>
      <li>To find your public IP, run on your server: <code>curl ifconfig.me</code></li>
      <li>Wait 5 minutes for DNS propagation</li>
    </ol>
  </div>

  <div class="technical">
    <h2>Technical Details</h2>
    <ul>
      <li><strong>Error Type:</strong> Network Unreachable</li>
      <li><strong>Ray ID:</strong> 7d1234567890abcd</li>
      <li><strong>Timestamp:</strong> 2026-01-18 10:00:01 UTC</li>
      <li><strong>Edge Location:</strong> LAX (Los Angeles)</li>
    </ul>
  </div>
</body>
</html>
```

523 vs Other Cloudflare Connection Errors

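| Code | Issue | DNS Works | IP Routable | Connection Works |
|------|-------|-----------|-------------|------------------|
| 523 | Origin unreachable | May fail | No | N/A |
| 522 | Connection timeout | Yes | Yes | Times out |
| 521 | Web server down | Yes | Yes | Refused |
| 520 | Unknown error | Yes | Yes | Gets invalid response |
| 524 | Timeout occurred | Yes | Yes | Too slow |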

Important Characteristics

**Network Layer Issue:**

```text
523 = Cannot route to IP address
Fails before TCP connection attempt
Problem is at network/routing level
```

**DNS vs Routing:**

```text
Can be either:
1. DNS cannot resolve hostname → no IP
2. IP exists but cannot be reached → no route
```

**Private IP Detection:**

```text
Cloudflare rejects:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 127.0.0.0/8 (localhost)
```

**Immediate Failure:**

```text
522: Tries to connect, times out (15s)
523: Knows immediately it's unreachable (<1s)
```
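
The comparison table and characteristics above can be turned into a first-pass triage run from your own vantage point. This is an added example, not Cloudflare's logic and not code from this page: the function names and the mapping of `connect()` errors to status codes are assumptions derived from the table.

```python
import errno
import ipaddress
import socket

# Ranges this page lists as rejected (private and loopback).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumed mapping of connect() errors onto the table rows above.
ERRNO_TO_ROW = {
    errno.ENETUNREACH: ("523", "no route to the origin network"),
    errno.EHOSTUNREACH: ("523", "origin host unreachable"),
    errno.ETIMEDOUT: ("522", "routable, but the connection timed out"),
    errno.ECONNREFUSED: ("521", "routable, but the connection was refused"),
}


def classify(addresses, connect_errno=None):
    """Map resolved addresses and a connect() errno to (code, reason).

    connect_errno=None means the TCP connect succeeded.
    """
    if not addresses:
        return "523", "hostname did not resolve to any IP"
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in NON_ROUTABLE):
            return "523", f"{addr} is private or loopback, not publicly routable"
    if connect_errno is None:
        return "ok", "public IP resolved and TCP connect succeeded"
    return ERRNO_TO_ROW.get(connect_errno, ("unknown", f"errno {connect_errno}"))


def probe(hostname, port=443, timeout=5.0):
    """Resolve the ORIGIN hostname (not the proxied name, which resolves to
    Cloudflare's IPs) and try one TCP connect from this machine."""
    try:
        infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return classify([])
    addresses = sorted({info[4][0] for info in infos})
    verdict = classify(addresses)
    if verdict[0] != "ok":
        return verdict  # failed before any connection attempt
    try:
        socket.create_connection((addresses[0], port), timeout=timeout).close()
        return verdict
    except socket.timeout:
        return classify(addresses, errno.ETIMEDOUT)
    except OSError as exc:
        return classify(addresses, exc.errno or -1)
```

A result from `probe()` reflects the path from the machine running it; a route can exist from there and still be missing from a Cloudflare edge, so run it from outside your own network.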

Common Causes and Solutions

**1. Private IP in DNS:**

```bash
# Check your Cloudflare DNS settings
# If you see private IP:

# Find your public IP
curl ifconfig.me
curl icanhazip.com
ip addr show  # Look for public IP

# Update Cloudflare DNS to public IP
# Dashboard → DNS → Edit A record → Use public IP
```

**2. DNS Resolution Failure:**

```bash
# Test DNS resolution
dig example.com
nslookup example.com

# Check nameservers
dig example.com NS

# Ensure Cloudflare nameservers are used
dig example.com NS @8.8.8.8

# Should show:
# example.com. IN NS xxx.ns.cloudflare.com
```

**3. IPv6 Misconfiguration:**

```bash
# Check if you have AAAA record without IPv6 support
dig example.com AAAA

# If it returns IPv6 but your server doesn't support it:
# Remove AAAA record from Cloudflare DNS

# Test IPv6 connectivity on server
ping6 google.com
curl -6 https://ipv6.google.com
```

**4. Incorrect Origin IP:**

```bash
# Verify what IP Cloudflare is trying to reach
# Check Cloudflare Dashboard → DNS

# Test if that IP is your server
ssh your-configured-ip

# If wrong, update to correct IP
# Get correct IP from hosting provider
# Or run on server: curl ifconfig.me
```

**5. Network Routing Issues:**

```bash
# Test routing to your IP
traceroute your-origin-ip
mtr your-origin-ip

# Check BGP routing (from outside perspective)
# Use online tools:
# - https://bgp.he.net/
# - https://www.robtex.com/

# Contact hosting provider if routing issues
```

## Troubleshooting Guide

**Step 1: Verify Cloudflare DNS Configuration**

```bash
# Check what IP Cloudflare has for your domain
dig @1.1.1.1 example.com

# Check both IPv4 and IPv6
dig @1.1.1.1 example.com A
dig @1.1.1.1 example.com AAAA

# Compare with your actual server IP
curl ifconfig.me  # Run on your server
```

**Step 2: Validate IP Address**

```bash
# Ensure IP is public, not private
# Private ranges (NOT valid for Cloudflare):
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255
# 127.0.0.0 - 127.255.255.255

# Your IP should be outside these ranges
```

**Step 3: Test Connectivity**

```bash
# From external location (not your server):
ping your-origin-ip
traceroute your-origin-ip

# Should be reachable
# If "Network is unreachable" → routing issue
```

**Step 4: Check Recent Changes**

```bash
# Did you recently:
# - Change DNS records?
# - Migrate servers?
# - Update hosting provider?

# If yes, wait 5-10 minutes for propagation
```

**Step 5: Verify Nameservers**

```bash
# Ensure domain uses Cloudflare nameservers
dig example.com NS

# Should return something like:
# example.com. 300 IN NS xxx.ns.cloudflare.com.
# example.com. 300 IN NS yyy.ns.cloudflare.com.

# If not, update at your domain registrar
```

Prevention Best Practices

**Always Use Public IPs:**

```bash
# Get your server's public IP
curl ifconfig.me
curl -4 ifconfig.me  # IPv4 only
curl -6 ifconfig.me  # IPv6 only

# Use this IP in Cloudflare DNS, never:
# ✗ 192.168.x.x (private)
# ✗ 10.x.x.x (private)
# ✗ 172.16-31.x.x (private)
# ✗ 127.0.0.1 (localhost)
```

**Document Your Infrastructure:**

```yaml
# infrastructure.yml
domain: example.com
cloudflare:
  nameservers:
    - xxx.ns.cloudflare.com
    - yyy.ns.cloudflare.com
  dns_records:
    - type: A
      name: '@'
      content: 203.0.113.42 # Public IP
      proxied: true
    - type: A
      name: 'www'
      content: 203.0.113.42
      proxied: true

origin_server:
  public_ipv4: 203.0.113.42
  public_ipv6: 2001:db8::1 # If supported
  provider: DigitalOcean
  region: nyc3
```

**Monitor DNS Configuration:**

```javascript
// Node.js DNS monitor
const dns = require('dns')

// Node.js has no built-in alert(); send alerts to stderr here
// and replace this with your paging or notification hook
function alert(message) {
  console.error(`[ALERT] ${message}`)
}

function checkDNS() {
  dns.resolve4('example.com', (err, addresses) => {
    if (err) {
      console.error('DNS resolution failed:', err)
      alert('DNS issue detected!')
      return
    }

    const expectedIP = '203.0.113.42'
    if (!addresses.includes(expectedIP)) {
      alert(`DNS misconfiguration! Expected ${expectedIP}, got ${addresses}`)
    }

    // Check if private IP
    addresses.forEach((ip) => {
      if (isPrivateIP(ip)) {
        alert(`Private IP detected in DNS: ${ip}`)
      }
    })
  })
}

// True for the IPv4 private and loopback ranges listed on this page
function isPrivateIP(ip) {
  const parts = ip.split('.').map(Number)
  return (
    parts[0] === 10 ||
    parts[0] === 127 ||
    (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) ||
    (parts[0] === 192 && parts[1] === 168)
  )
}

setInterval(checkDNS, 300000) // Check every 5 minutes
```
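
A static counterpart to the monitor, for checking a record set before it is applied. This is an added example, not code from this page: `audit_records` and the dictionary layout (modelled on `infrastructure.yml` above) are assumptions, and the link-local, CGNAT and IPv6 ranges go beyond the four ranges the page lists.

```python
import ipaddress

# The page's private/loopback ranges, plus link-local, CGNAT and IPv6
# equivalents (the extra ranges are additions in this example).
NOT_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10")]


def audit_records(records, origin):
    """Return a list of (record name, problem) for A/AAAA records."""
    findings = []
    for rec in records:
        if rec["type"] not in ("A", "AAAA"):
            continue
        try:
            ip = ipaddress.ip_address(rec["content"])
        except ValueError:
            findings.append((rec["name"], f"{rec['content']!r} is not an IP address"))
            continue
        if ip.version != (4 if rec["type"] == "A" else 6):
            findings.append((rec["name"], f"{rec['type']} record holds an IPv{ip.version} address"))
            continue
        if any(ip in net for net in NOT_PUBLIC):
            findings.append((rec["name"], f"{ip} is not publicly routable"))
            continue
        # An AAAA record for an origin without IPv6 is the misconfiguration
        # described under "IPv6 Misconfiguration".
        key = "public_ipv4" if ip.version == 4 else "public_ipv6"
        expected = origin.get(key)
        if expected is None:
            findings.append((rec["name"], f"{rec['type']} record but origin has no {key}"))
        elif ip != ipaddress.ip_address(expected):
            findings.append((rec["name"], f"{ip} does not match origin {key} {expected}"))
    return findings


# Constructed sample modelled on infrastructure.yml, with two deliberate mistakes.
SAMPLE_ORIGIN = {"public_ipv4": "203.0.113.42"}  # no IPv6 on this origin
SAMPLE_RECORDS = [
    {"type": "A", "name": "@", "content": "203.0.113.42", "proxied": True},
    {"type": "A", "name": "www", "content": "192.168.1.100", "proxied": True},
    {"type": "AAAA", "name": "@", "content": "2001:db8::1", "proxied": True},
]

if __name__ == "__main__":
    for name, problem in audit_records(SAMPLE_RECORDS, SAMPLE_ORIGIN):
        print(f"{name}: {problem}")
```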

**Automate DNS Updates:**

```bash
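#!/bin/bash
# update-cloudflare-dns.sh
# Updates Cloudflare DNS when server IP changes
set -euo pipefail

ZONE_ID="your-zone-id"
RECORD_ID="your-record-id"
AUTH_EMAIL="your@email.com"
AUTH_KEY="your-api-key"  # Load from a protected file or the environment; do not commit it

API_URL="https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records/$RECORD_ID"

# Get current public IP (-4 forces IPv4 for the A record, -f fails on HTTP errors)
CURRENT_IP=$(curl -4 -sf ifconfig.me)

# Never push an empty or malformed value into DNS
if ! [[ "$CURRENT_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  echo "Could not determine public IPv4 address, leaving DNS unchanged" >&2
  exit 1
fi

# Get IP from Cloudflare DNS
CF_IP=$(curl -sf -X GET "$API_URL" \
  -H "X-Auth-Email: $AUTH_EMAIL" \
  -H "X-Auth-Key: $AUTH_KEY" \
  | jq -r '.result.content')

# Update if different
if [ "$CURRENT_IP" != "$CF_IP" ]; then
  echo "IP changed from $CF_IP to $CURRENT_IP, updating DNS..."

  RESPONSE=$(curl -sf -X PUT "$API_URL" \
    -H "X-Auth-Email: $AUTH_EMAIL" \
    -H "X-Auth-Key: $AUTH_KEY" \
    -H "Content-Type: application/json" \
    --data "{\"type\":\"A\",\"name\":\"example.com\",\"content\":\"$CURRENT_IP\",\"proxied\":true}")

  # Report success only when the API confirms it
  if [ "$(echo "$RESPONSE" | jq -r '.success')" = "true" ]; then
    echo "DNS updated successfully"
  else
    echo "DNS update failed: $RESPONSE" >&2
    exit 1
  fi
else
  echo "DNS already up to date"
fi
```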

Implementation Examples

**Pre-Flight DNS Check:**

```python
import ipaddress

def validate_origin_ip(ip_str):
    """Validate that IP is public and routable"""
    try:
        ip = ipaddress.ip_address(ip_str)

        # Check loopback first: is_private is also True for loopback
        # addresses, so the more specific message must come first
        if ip.is_loopback:
            return False, f"{ip_str} is a loopback address"

        # Check if private
        if ip.is_private:
            return False, f"{ip_str} is a private IP address"

        # Check if reserved
        if ip.is_reserved:
            return False, f"{ip_str} is a reserved address"

        return True, "IP is valid and public"

    except ValueError:
        return False, f"{ip_str} is not a valid IP address"

# Usage
ip = "192.168.1.100"
valid, message = validate_origin_ip(ip)
if not valid:
    print(f"❌ {message}")
    print("This will cause 523 errors with Cloudflare!")
```

**DNS Health Check:**

```javascript
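const dns = require('dns').promises

// Same IPv4 private/loopback check as the DNS monitor,
// repeated here so this snippet runs on its own
function isPrivateIP(ip) {
  const parts = ip.split('.').map(Number)
  return (
    parts[0] === 10 ||
    parts[0] === 127 ||
    (parts[0] === 172 && parts[1] >= 16 && parts[1] <= 31) ||
    (parts[0] === 192 && parts[1] === 168)
  )
}

async function validateDNS(domain) {
  try {
    // Resolve A record
    const addresses = await dns.resolve4(domain)

    console.log(`DNS resolution successful: ${addresses.join(', ')}`)

    // Validate each IP
    for (const ip of addresses) {
      if (isPrivateIP(ip)) {
        console.error(`⚠️  Private IP detected: ${ip}`)
        console.error('This will cause 523 errors!')
        return false
      }
    }

    return true
  } catch (error) {
    console.error(`DNS resolution failed: ${error.message}`)
    return false
  }
}

validateDNS('example.com')
```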

Try It Yourself

Visit our request builder to learn about 523 errors:

  1. Understand DNS resolution issues
  2. Learn private vs public IP addresses
  3. Review troubleshooting steps
  4. Test DNS validation

Frequently Asked Questions

What does Cloudflare error 523 mean?

A 523 error means Cloudflare cannot reach your origin server at all. This is typically a DNS or routing issue where the origin IP address is unreachable.

How do I fix a 523 error?

Verify that your DNS records in Cloudflare point to the correct origin IP, check that your origin server IP is publicly routable, and ensure there are no network issues between Cloudflare and your server.

What causes 523 errors?

Common causes include an incorrect origin IP in DNS settings, a changed origin server IP, network routing issues, or an origin server on a private network that is not accessible from the internet.

How do I check my Cloudflare DNS settings?

Log into Cloudflare dashboard, go to DNS settings, and verify the A or AAAA record for your domain points to your actual origin server IP address.
