Is the Website Down for Everyone or Just You?
The single most useful first move is testing from a network that isn't yours. Your browser, your operating system's DNS cache, your router, and your ISP each sit between you and the site — any one of them can fake an "outage" that nobody else sees.
Run these checks in order; stop at the first one that disagrees with your browser:
-
Switch networks. Load the site on your phone with Wi-Fi turned off (mobile data only). If it loads, the site is up and the problem is inside your network or device.
-
Check DNS from multiple global locations. Enter the domain in the DNS Propagation Checker. If resolvers worldwide return an IP address, DNS is healthy globally. If they all return nothing, the domain itself is the problem — expired registration, deleted zone, or nameserver outage.
-
Test reachability of the resolved IP. Use the Ping Test against the domain. A response proves the server (or its CDN edge) is reachable; no response means the host is down or blocking ICMP — which is why ping alone is never conclusive and you continue to the HTTP check below.
-
Request the page over HTTP from a neutral vantage point. The HTTP Headers Check fetches the URL from DNSnexus infrastructure and shows the actual status code. A
200here while your browser fails is definitive proof the outage is local to you.
If steps 2–4 all fail from outside your network too, the site is down for everyone. Nothing on your side will fix it — but if it's your site, skip to What to Do When It's Your Own Website.
The 4 Layers Where a Website Can Fail
Every "site is down" symptom maps to a failure in one of four layers, and each layer produces a distinct browser error. This table is the fastest way to translate what you see into where the failure is.
| Layer | What it does | Browser error you see | Most likely cause |
|---|---|---|---|
| 1. DNS | Turns the name into an IP | DNS_PROBE_FINISHED_NXDOMAIN, ERR_NAME_NOT_RESOLVED | Expired domain, bad nameservers, local DNS cache |
| 2. TCP | Opens a connection to the IP | ERR_CONNECTION_REFUSED, ERR_CONNECTION_TIMED_OUT | Server process down, firewall, wrong IP in DNS |
| 3. TLS | Negotiates encryption | ERR_SSL_PROTOCOL_ERROR, NET::ERR_CERT_DATE_INVALID | Expired certificate, broken TLS config |
| 4. HTTP | Serves the actual response | 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout | Application crash, overload, backend timeout |
Read the table top-down: a failure at any layer prevents all layers below it from running. NXDOMAIN means the request never reached a server at all; a 503 means DNS, TCP, and TLS all worked and the web server itself answered — it just answered with a failure.
NXDOMAIN is the DNS response code meaning the name does not exist in the zone, defined in RFC 1035 §4.1.1 as RCODE 3 ("Name Error").
How to Check Website Status from the Command Line
Three commands walk all four layers in under a minute. Run them in this order and the first failure tells you the layer.
Step 1 — DNS. Resolve the name:
dig example.com A +short
93.184.215.14
An IP back means layer 1 is fine. An empty response or status: NXDOMAIN in full dig output means the failure is DNS — verify what the rest of the world sees with the DNS Lookup tool. If external resolvers succeed while your machine fails, your local cache is stale; see How to Flush DNS Cache.
Step 2 — TCP + TLS + HTTP in one request. Fetch only the headers:
curl -sIL https://example.com --max-time 10
HTTP/2 200
content-type: text/html; charset=UTF-8
cache-control: max-age=3055
Any HTTP status line back — even 503 — proves layers 1–3 all work. The failures look like this instead:
curl: (7) Failed to connect to example.com port 443: Connection refused ← layer 2 (TCP)
curl: (28) Connection timed out after 10005 milliseconds ← layer 2 (TCP)
curl: (60) SSL certificate problem: certificate has expired ← layer 3 (TLS)
Step 3 — isolate a TLS failure. If curl exits with error 60 or 35, inspect the certificate with the SSL Checker, or locally:
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
notBefore=Jan 15 08:21:11 2026 GMT
notAfter=Apr 15 08:21:10 2026 GMT
If notAfter is in the past, the certificate expired — a site that is "up" but unreachable by every browser. Expired certificates are one of the most common self-inflicted outages; the fixes are covered in Common SSL Errors and How to Fix Them.
What Do 502, 503, and 504 Errors Mean?
A 5xx status code means the site is down for everyone — but the web server or proxy in front of it is still alive. These codes are defined in RFC 9110 §15.6, and each one points at a different failure behind the proxy.
| Code | Name | What actually failed | Typical wait |
|---|---|---|---|
| 500 | Internal Server Error | The application itself crashed or threw an unhandled error | Until the operator deploys a fix |
| 502 | Bad Gateway | The proxy/CDN got an invalid response from the origin server | Minutes — often a crashed backend process restarting |
| 503 | Service Unavailable | The server is overloaded or in maintenance; per RFC 9110 it may send a Retry-After header | Seconds to minutes |
| 504 | Gateway Timeout | The proxy got no response in time from the origin | Minutes — origin is hung or unreachable |
| 521/522/523 | Cloudflare-specific | Cloudflare is up but cannot reach the origin server at all | Until the origin is fixed |
In practice: 502/504 mean the CDN or load balancer is fine and the origin behind it is dead — as a visitor you can only wait, but as the site owner these codes tell you exactly which machine to look at. Codes 521–523 are Cloudflare's origin-error range, documented in Cloudflare's troubleshooting docs.
Check which code a site is returning right now — without a browser cache in the way — using the HTTP Headers Check.
Why Is a Website Not Loading Only for You?
If external checkers say the site is up but your browser disagrees, one of these local causes is responsible. They're ranked by how often they're the culprit:
-
Stale local DNS cache. Your OS cached an old or negative DNS answer. Flush it (
ipconfig /flushdnson Windows,sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponderon macOS) — full per-OS steps in How to Flush DNS Cache. -
Your configured DNS resolver is failing. If no sites load by name but IPs work, your resolver is down, not the website. Diagnosis and fixes: DNS Server Not Responding.
-
VPN or proxy. VPNs route your DNS and traffic through their own exit; a blocked exit IP or a VPN-side DNS failure looks identical to a site outage. Disconnect and retest.
-
Browser cache or extensions. Test in a private window first — it bypasses cache and most extensions in one step. A site that loads privately but not normally is a cache/extension problem.
-
ISP or national-level blocking. Some ISPs block domains at the resolver. If switching your resolver to
1.1.1.1or8.8.8.8makes the site load, that's the confirmation. -
hosts file override. A leftover entry in
/etc/hosts(orC:\Windows\System32\drivers\etc\hosts) pins the domain to a dead IP. Check withcat /etc/hosts | grep example.com.
The pattern "website works on phone but not computer" is almost always cause 1, 4, or 6 — the phone uses a different DNS cache and browser profile, so it never sees your machine's stale state.
What to Do When It's Your Own Website
When the site that's down is yours, run the same four-layer check — but each failing layer now maps to an action instead of a wait:
- DNS fails globally: check the domain hasn't expired (registrar dashboard, or a WHOIS lookup shows the expiry date) and that the nameservers are correct. If you changed DNS recently, propagation delay may be the whole story — see DNS Propagation Taking Too Long.
- TCP fails: your server process or the host itself is down. Check the hosting provider's status page, then restart the web server (
systemctl status nginx). - TLS fails: renew the certificate. If you use Let's Encrypt, certificates expire after 90 days and renewal automation failing silently is the classic cause.
- HTTP 5xx: read the origin server's error log — a
502from your CDN means the backend process crashed; a504means it's hung.
Stop checking manually. DNSnexus Monitor watches your DNS records, SSL expiry, email auth, and blacklist status — and alerts you before things break. Free tier covers one domain.
Key Takeaways
- ✓ Test from outside your own network first — a phone on mobile data settles "everyone or just me" in ten seconds.
- ✓ Every outage fails at exactly one of four layers: DNS, TCP, TLS, or HTTP — and each layer has a distinct error string.
- ✓
dig example.com +shortpluscurl -sIL https://example.comwalks all four layers in two commands. - ✓ Any 5xx status code (RFC 9110 §15.6) means the site is down for everyone — DNS, TCP, and TLS all worked.
- ✓
502/504mean the proxy is alive but the origin behind it is dead;503is overload or maintenance and often clears in minutes. - ✓ "Works on my phone but not my computer" is almost always local DNS cache, browser cache, or a hosts-file entry.
Frequently Asked Questions
Q: How do I check if a website is down for everyone or just me?
Test from outside your network: load the site on your phone using mobile data, or run the domain through the DNSnexus HTTP Headers Check, which fetches it from a neutral server. If external checks return a status code but your browser fails, the problem is local to your device or network.
Q: What does DNS_PROBE_FINISHED_NXDOMAIN mean?
It means DNS resolution returned NXDOMAIN — RCODE 3 in RFC 1035 — indicating the domain name does not exist according to the resolver you asked. Causes are an expired domain, a typo, deleted DNS records, or a stale local cache. Flush your DNS cache and retest with an external resolver like dig @1.1.1.1 example.com.
Q: Is a 503 error my fault or the website's?
The website's. A 503 Service Unavailable is generated by the server itself (RFC 9110 §15.6.4) and means it is overloaded or in maintenance. Your connection, DNS, and TLS all worked. The server may include a Retry-After header saying when to try again; otherwise wait a few minutes.
Q: Why does a website work on my phone but not my computer?
Your phone on mobile data uses a different DNS resolver, DNS cache, and browser profile than your computer. When one device loads a site and the other doesn't, the failing device has a local problem — most often a stale DNS cache, browser cache, VPN, or a hosts-file entry pinning the domain to a dead IP.
Q: Can a website be up but unreachable?
Yes — an expired TLS certificate is the classic case. The server runs and answers TCP connections, but every modern browser refuses the connection at the TLS layer with errors like NET::ERR_CERT_DATE_INVALID. Verify certificate validity dates with an SSL Checker or openssl s_client.
Q: How can I check website status from the command line?
Run curl -sIL https://example.com --max-time 10. Any HTTP status line back (even a 5xx) proves DNS, TCP, and TLS all work. curl: (7) Connection refused means a TCP failure, curl: (60) a certificate failure, and curl: (6) Could not resolve host a DNS failure.
Q: Does ping tell me if a website is down?
Only partially. A ping reply proves the host is reachable at the IP layer, but a web server can be crashed while the machine still answers ping — and many servers and CDNs block ICMP entirely, so no reply doesn't prove an outage. Always follow up with an HTTP-level check like curl -I.
Next Steps
Bookmark the two tools that answer this question fastest: the HTTP Headers Check for "what status code is it actually returning," and the DNS Propagation Checker for "does the domain resolve globally." Run a quick Ping Test when you need raw reachability, and inspect certificates with the SSL Checker whenever the failure is at the TLS layer.