HTTP 523 Origin Is Unreachable — Cloudflare Cannot Resolve Origin DNS
About HTTP 523 Origin Is Unreachable
This guide explains how to fix the Cloudflare HTTP 523 error, which occurs when the origin server's IP address cannot be resolved or is not routable from Cloudflare's network.
This article is part of our HTTP Status Codes collection on Error Codes Wiki.
Quick Answer
How is 523 different from 521?
521 means the connection was actively refused (server is there but not accepting). 523 means the server cannot be found at all — DNS resolution failed or the IP is not routable.
Key Details
- HTTP 523 means Cloudflare cannot reach the origin server because DNS resolution failed or the IP is unroutable
- This differs from 521 (connection refused) — 523 means the server address itself cannot be found
- Common after DNS changes, server migrations, or when the origin IP changes
- Can also occur if the origin server's IP is in a private range not accessible from the internet
- Cloudflare caches DNS records so changes may take time to propagate
Common Causes
- DNS A/AAAA record pointing to an incorrect or decommissioned IP address
- Origin server IP changed after migration without updating Cloudflare DNS records
- Origin IP is in a private subnet (10.x, 172.16.x, 192.168.x) unreachable from the internet
- Network routing issues between Cloudflare's data centers and the origin server
Steps
1. Verify the origin IP in Cloudflare DNS settings matches your actual server IP
2. Ping the origin IP from an external location to confirm it is publicly reachable
3. If you recently migrated servers, update the A record in Cloudflare to the new IP
4. Check that the origin server has a valid public IP and is not behind a NAT without port forwarding
5. Purge Cloudflare cache and wait a few minutes for DNS propagation after making changes
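The record checks in steps 1 and 4 can be scripted against an export of your DNS records. The following is an added example, not code from this wiki or from Cloudflare: the function names, the record tuples and the addresses are constructed for illustration, and the non-routable list goes beyond the three private ranges named above to include loopback, link-local, carrier-grade NAT and IPv6 unique-local space.

```python
import ipaddress

# Ranges not routable on the public internet; Cloudflare cannot reach them.
NON_ROUTABLE = [(ipaddress.ip_network(n), label) for n, label in [
    ("10.0.0.0/8", "RFC 1918 private"),
    ("172.16.0.0/12", "RFC 1918 private"),
    ("192.168.0.0/16", "RFC 1918 private"),
    ("100.64.0.0/10", "carrier-grade NAT"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local"),
    ("::1/128", "loopback"),
    ("fc00::/7", "IPv6 unique local"),
    ("fe80::/10", "IPv6 link-local"),
]]

def check_record(rtype, value, server_ips):
    """Return the problems found in one A/AAAA origin record (empty = OK)."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return [f"{value!r} is not a valid IP address"]
    problems = []
    if addr.version != (4 if rtype == "A" else 6):
        problems.append(f"{rtype} record holds an IPv{addr.version} address")
    for net, label in NON_ROUTABLE:
        if addr.version == net.version and addr in net:
            problems.append(f"{addr} is {label} ({net})")
    if addr not in server_ips:
        problems.append(f"{addr} is not a current server address")
    return problems

def audit(records, current_server_ips):
    """Map each (name, type, value) record to its list of problems."""
    server_ips = {ipaddress.ip_address(ip) for ip in current_server_ips}
    return {rec: check_record(rec[1], rec[2], server_ips) for rec in records}

# Constructed sample; 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_RECORDS = [
    ("example.com", "A", "203.0.113.10"),       # matches the server
    ("www.example.com", "A", "203.0.113.99"),   # stale after a migration
    ("app.example.com", "A", "172.20.5.4"),     # private (172.16.0.0/12)
    ("api.example.com", "AAAA", "fd12::5"),     # IPv6 unique local
    ("old.example.com", "A", "10.0.0.256"),     # malformed value
]
CURRENT_SERVER_IPS = ["203.0.113.10", "2001:db8::10"]

if __name__ == "__main__":
    for rec, problems in audit(SAMPLE_RECORDS, CURRENT_SERVER_IPS).items():
        print(rec, "OK" if not problems else "; ".join(problems))
```

A record that passes these checks can still return 523 if routing between Cloudflare and the origin is broken, so the external reachability test in step 2 is still needed.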