Are You Down? A Guide to Determining What Kind of 'Down' a Site Is
A site being 'down' isn't just a yes/no question. Learn to diagnose the different flavors of 'down' from DNS issues to server holds and HTTP errors.
Last updated: October 20, 2025

This article was made possible through the support of PhishFort.
Introduction
At the time of writing this, Amazon's AWS underwent a massive outage in their us-east-1 region that left few parts of everyday life unimpacted around the world. Delayed flights, inaccessible banking, unresponsive games... everything. When major services like these go down, netizens flock, en masse, to sites like DownDetector.com. The site uses a variety of indicators like social media mentions, direct user reports, and its own monitoring to determine if a service is experiencing widespread issues. To the average user, it's a great sanity check: "Is it just me, or is everyone else having this problem too?"
But for someone involved in cybersecurity or OSINT investigating a specific domain, a site or service being "down" has much more nuance than a simple binary answer. Was it taken down deliberately? Did it break? Is it only down for me?
In this post, we will explore several ways to analyze an inaccessible site to determine what flavor of "down" it might be experiencing.
(This article is part of PhishFort's The Nuance of Takedowns series.)
Is it DNS?
If you prefer haiku, this classic from SSBroski works:
It's not DNS.
There's no way it is DNS.
It was DNS.
Joking aside, the first thing you should always check is the DNS record for the site or hostname in question. If you use a dig tool like digwebinterface.com, you can directly query a domain's authoritative nameservers for a specific record type (like A or CNAME for a website). Remember, the authoritative nameservers hold the source of truth for a domain. If you don't get an answer back from them (or you get an NXDOMAIN error, meaning "Non-Existent Domain"), then any answer you might see from a public resolver (like 8.8.8.8) is just a cached, old record that will eventually vanish when its time-to-live (TTL) expires.
Some quick checks:
- Expecting a website? Check the A (IPv4) or AAAA (IPv6) records. Also check for a CNAME record, which might point to another hostname. If these are missing or incorrect, the domain won't resolve to the right web server IP.
- Mail not going through? Check the MX records to ensure they point to the correct mail servers with the right priorities.
- Getting no records at all from the authoritative server? This is rarer but can happen. It might mean the zone wasn't configured correctly, or, more nefariously...
Bad actors who run their own nameservers sometimes quickly delete the DNS records for a malicious domain after it gets reported. This makes the site instantly "disappear" from the DNS. If an abuse report relies solely on checking whether the domain resolves, a registrar or registry with inadequate checks might see that the domain isn't resolving, accept the respondent's claim that the abuse is "gone," and close the ticket. The bad actor can then simply republish the DNS records later to resume their activities. If the bad actor is using someone else's DNS servers, they might just delete the specific record type that got caught (e.g., the A record for a phishing site), while other records like NS or SOA might still return a value.
So, what kind of "down" is this? If the DNS record is missing or broken, the underlying service (the website on the server) might still be online and accessible via its direct IP address or another hostname. The "down" state is purely at the DNS resolution level. For an investigator, this means the infrastructure might still exist. For someone trying to stop abuse, deleting the DNS record provides immediate disruption, but it's often only a temporary fix.
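The comparison described in this section, as an added example (not code from the original article): it reads the header lines of two dig runs, one against an authoritative nameserver with `+norecurse` and one against a public resolver, and separates NXDOMAIN, a single deleted record type, and a stale cached answer. The sample outputs and the function names are constructed for illustration.

```python
import re

def parse_dig(output):
    """Pull rcode, aa flag and answer count out of dig's header lines."""
    status = re.search(r"status: (\w+)", output)
    if status is None:                      # timeout: dig prints no header
        return None
    flags = re.search(r"flags: ([a-z ]*);", output)
    answers = re.search(r"ANSWER: (\d+)", output)
    return {
        "rcode": status.group(1),
        "aa": bool(flags) and "aa" in flags.group(1).split(),
        "answers": int(answers.group(1)) if answers else 0,
    }

def dns_flavor(authoritative_out, resolver_out):
    """Compare the authoritative view with a public resolver's view."""
    auth, res = parse_dig(authoritative_out), parse_dig(resolver_out)
    cached = res is not None and res["rcode"] == "NOERROR" and res["answers"] > 0
    if auth is None:
        return "authority unreachable"
    if auth["rcode"] == "NXDOMAIN":
        state = "name does not exist at the authority"
    elif auth["rcode"] == "NOERROR" and auth["answers"] == 0:
        state = "zone still served, this record type removed"
    elif auth["rcode"] == "NOERROR":
        return "resolves at the authority"
    else:
        state = "authority error " + auth["rcode"]
    return state + ("; resolver answer is stale cache" if cached else "")

# Constructed dig headers (not captured from a real domain).
AUTH_NODATA = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
example.com. 300 IN SOA ns1.example.net. hostmaster.example.net. 7 7200 900 1209600 300
"""
RESOLVER_CACHED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com. 212 IN A 192.0.2.10
"""
AUTH_NXDOMAIN = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3333
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(dns_flavor(AUTH_NODATA, RESOLVER_CACHED))
    print(dns_flavor(AUTH_NXDOMAIN, ""))
```

A "record type removed" result with the SOA still present is the case worth re-checking later, since the record can be republished at any time.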
Did it Get Held? (clientHold / serverHold)
Sometimes, a domain doesn't just have missing DNS records. Instead, it is actively prevented from resolving by the powers that be. Registrars have the ability to place a domain on clientHold, while registries can impose a serverHold. Both of these status codes, which appear in the domain's WHOIS record, effectively tell the global DNS infrastructure "Do not resolve this domain."
You can check for these statuses by looking at the "Domain Status" field in a current WHOIS or RDAP record for the domain.
- clientHold: Set by the registrar. Often used for non-payment, legal issues, or confirmed abuse originating from the domain. The registrar can remove this hold.
- serverHold: Set by the registry. This is less common but more severe. It might be used for TLD-wide policy violations, legal orders, or security issues that the registrar hasn't addressed. The registrar cannot remove a serverHold themselves - only the registry can.
What kind of "down" is this? This is the domain equivalent of being put on life-support in a coma. The domain registration exists, no one else can register it, but it serves no function. DNS queries for it will fail. Changes to its DNS records won't propagate. Transfer attempts will fail. This is often the best kind of "down" from an abuse mitigation perspective because the domain is completely neutralized. The only ways it comes back are if the hold is deliberately removed, or if the domain eventually expires, goes through the deletion cycle, and is re-registered (incurring new costs and potentially scrutiny for the bad actor).
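One way to automate the "Domain Status" check, as an added example that is not part of the original article: it extracts statuses from WHOIS text or an RDAP JSON body (RDAP writes the same states with spaces, such as "client hold") and reports who placed the hold and whether the registrar alone could lift it. Both sample records and the function names are constructed.

```python
import json
import re

# Who places each hold, and therefore who must remove it (per the text above).
HOLD_OWNER = {"clienthold": "registrar", "serverhold": "registry"}

def whois_statuses(text):
    """Extract the values of 'Domain Status:' lines from WHOIS output."""
    return re.findall(r"(?im)^\s*Domain Status:\s*(\S+)", text)

def rdap_statuses(body):
    """RDAP returns JSON; status values use spaces, e.g. 'client hold'."""
    return json.loads(body).get("status", [])

def hold_report(statuses):
    owners = set()
    for status in statuses:
        key = re.sub(r"[^a-z]", "", status.lower())  # 'client hold' -> 'clienthold'
        if key in HOLD_OWNER:
            owners.add(HOLD_OWNER[key])
    return {
        "held": bool(owners),
        "placed_by": sorted(owners),
        # A registrar can only undo its own hold; a serverHold stays in force.
        "registrar_can_restore": owners == {"registrar"},
    }

# Constructed sample records (not real lookups).
SAMPLE_WHOIS = """Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientHold https://icann.org/epp#clientHold
"""
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.net",
    "status": ["client transfer prohibited", "client hold", "server hold"],
})

if __name__ == "__main__":
    print(hold_report(whois_statuses(SAMPLE_WHOIS)))
    print(hold_report(rdap_statuses(SAMPLE_RDAP)))
```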
401 Unauthorized
You try to visit a site, but instead of content, you get a "401 Unauthorized" error or a login prompt.
What it is: This is an HTTP status code indicating that your browser successfully reached the web server, but you lack the necessary credentials (like a username/password or authentication token) to view the requested page.
What kind of "down" is this? The site isn't technically "down" at all as the web server is up and running. It's just that the specific page or resource you requested is restricted. In this case, it is likely the actor has hidden the pages as a temporary measure to ward off abuse claims or additional investigations.
- Investigative Angle: Are you trying to access a known admin panel (/admin, /wp-admin)? A 401 here is expected. Are you getting a 401 on the site's homepage? This might indicate a misconfiguration by the site owner or, perhaps, content intended only for specific visitors (e.g., requiring login from a specific corporate network). It tells you the server is alive but selective about who it talks to.
404 Not Found
You click a link or type a URL, and you get the infamous "404 Not Found" error.
What it is: This HTTP status code means your browser successfully connected to the web server (so DNS worked, and the server is online), but the server couldn't find the specific file or page you asked for at that URL path.
What kind of "down" is this? The server is up, but the content is missing.
- Common Causes: A typo in the URL you entered, a broken link from another site, the site owner deleted or moved the page without setting up a redirect, or perhaps a temporary glitch.
- Investigative Angle: A 404 confirms the server at the domain's IP address is active. Try navigating to the root domain (e.g., if example.com/secret-page gives a 404, try just example.com). If the root domain works, the server is fine, and the issue is specific to that page. If even the root domain gives a 404, it might suggest the web server is running but misconfigured or has no content deployed.
503 Service Unavailable / 504 Gateway Timeout
The domain has working DNS records, isn't on hold, but when you try to visit the site, you get an error page mentioning a "503 Service Unavailable" or "504 Gateway Timeout."
What it is: These are server-side HTTP errors indicating a problem after your browser successfully connected.
- 503 Service Unavailable: The server is temporarily unable to handle the request for some reason. It implies the server might be available later.
- 504 Gateway Timeout: This usually occurs when a server acting as a gateway or proxy (like a load balancer or Cloudflare) didn't receive a timely response from an upstream server it needed to consult to complete your request.
What kind of "down" is this? The server is reachable, but it's malfunctioning or overwhelmed, or an intermediary system is failing.
- Common Causes:
  - A site experiencing a sudden traffic surge.
  - The server is down for maintenance.
  - A misconfiguration by the site owner or hosting provider.
  - The hosting provider has suspended the account (e.g., for non-payment or abuse), leaving the web server process unable to serve content correctly.
- Investigative Angle: Determining the exact cause can be tricky.
  - The Cloudflare Hint: If you see a branded 5xx error page from Cloudflare, it strongly suggests the issue lies with the origin server behind Cloudflare. Cloudflare itself is reachable, but it can't get a response from the actual website host. This could be due to suspension, overload, or misconfiguration at the origin. Since Cloudflare is still proxying the domain, the bad actor might be able to fix the issue and bring the site back online relatively quickly.
  - Check Other Sites: If you know the IP address (and it's not Cloudflare), are other domains hosted on the same IP also showing errors? If so, it points to a server-wide issue or potentially a suspension by the hosting provider affecting multiple accounts. If only the target site is down, it could be a site-specific misconfiguration.
Distinguishing between a temporary overload/misconfiguration and a hosting suspension is often difficult without insider information, but recognizing these 5xx errors tells you the problem lies deeper than just DNS.
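The HTTP-level reasoning from the 401, 404 and 5xx sections, combined into one triage function as an added example (not from the original article). It takes observations you have already collected; the function names and result strings are hypothetical, and treating a `Server: cloudflare` or `CF-RAY` response header as the Cloudflare hint is an assumption of this sketch.

```python
def via_cloudflare(headers):
    # Assumption: Cloudflare-proxied responses carry "Server: cloudflare" or CF-RAY.
    h = {k.lower(): str(v).lower() for k, v in headers.items()}
    return h.get("server") == "cloudflare" or "cf-ray" in h

def http_flavor(status, headers, root_status=None, neighbor_statuses=()):
    """status/headers: response for the requested URL.
    root_status: status of the bare domain, if fetched.
    neighbor_statuses: statuses of other sites on the same IP, if known."""
    if status < 400:
        return "up"
    if status == 401:
        return "server up; resource restricted"
    if status == 404:
        if root_status is None:
            return "server up; content missing (check the root domain)"
        if root_status == 404:
            return "server up; misconfigured or no content deployed"
        if root_status < 400:
            return "server up; only this page is missing"
        return "server up; root domain returns %d" % root_status
    if status in (503, 504):
        if via_cloudflare(headers):
            return "proxy up; origin behind Cloudflare not responding"
        failing = [s >= 500 for s in neighbor_statuses]
        if failing and all(failing):
            return "server-wide issue or host suspension"
        if failing and not any(failing):
            return "site-specific failure"
        return "server reachable but failing; cause unknown"
    return "other HTTP error %d" % status

if __name__ == "__main__":
    # Constructed observations, not captured from a real site.
    print(http_flavor(404, {"Server": "nginx"}, root_status=200))
    print(http_flavor(503, {"Server": "cloudflare", "CF-RAY": "constructed-id"}))
    print(http_flavor(504, {"Server": "nginx"}, neighbor_statuses=[503, 502]))
```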
Conclusion
So, is the site "down"? As we've seen, the answer is rarely a simple yes or no. A website or service can be inaccessible for many reasons, each telling a different story.
Is it a temporary DNS glitch or a deliberate deletion of records? Is the domain suspended by the registrar (clientHold) or registry (serverHold), indicating a more permanent action? Or are you seeing HTTP errors like 401, 404, or 5xx that point to issues with authentication, missing content, or server-side problems? These aren't the only possibilities, but they're common ones worth exploring in detail where possible.
Understanding these different flavors of "down" is a crucial diagnostic skill. It helps determine if the issue is a fleeting technical problem, a deliberate action by an administrator or bad actor, or a sign of intervention by authorities or providers. Knowing what kind of down you're looking at dictates your next steps, whether you're troubleshooting your own site or investigating someone else's.
