Network or DNS Isn't Working

"The network is down" can mean a dead link, a missing route, or just broken DNS. Diagnose it in layers from the bottom up so each test rules out one possibility and points at the next.

Tested on

AlmaLinux 9 / RHEL 9 with NetworkManager (nmcli). Debian/Ubuntu desktop also uses NetworkManager, but Ubuntu Server uses netplan (/etc/netplan/*.yaml) — netplan equivalents are noted inline.

Symptom

One or more of:

  • No connectivity at all — nothing reaches the host or the host reaches nothing.
  • ping 1.1.1.1 works but ping google.com fails — a classic DNS-only failure.
  • Slow or intermittent name lookups, or a specific service can't be reached.

Likely causes

  • Interface is down or has no IP (DHCP failed, cable/virtio link down).
  • No default gateway / wrong route.
  • Firewall blocking the traffic (see Firewalls).
  • DNS misconfigured: empty/stale /etc/resolv.conf, broken systemd-resolved, bad /etc/hosts, or nsswitch.conf order.

Diagnose

Work up the stack. Stop at the first layer that fails — that's your culprit.

ip link

Look for state UP and the LOWER_UP flag on your interface (e.g. eth0, ens18). state DOWN means the interface or its carrier is down.

Layer 2 — Is an IP assigned?

ip addr show

You want a real inet address on the interface. If there's only a 169.254.x.x link-local address, DHCP failed.

Layer 3 — Is there a default route?

ip route

You need a default via <gateway> line. No default route means you can reach the local subnet but nothing beyond it.
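The first three layers can be checked mechanically. The script below is an added example, not part of the original page: it reads captured `ip` output and names the first layer that fails. The helper names and the sample output (documentation addresses) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page; helper names are hypothetical.

# link_is_up IFACE < `ip -o link show`: needs state UP and the LOWER_UP flag.
link_is_up() {
    awk -v ifc="$1:" '$2 == ifc && $3 ~ /LOWER_UP/ && /state UP/ { ok = 1 }
                      END { exit !ok }'
}

# has_routable_ipv4 IFACE < `ip -o -4 addr show`: an inet address outside 169.254.0.0/16.
has_routable_ipv4() {
    awk -v ifc="$1" '$2 == ifc && $3 == "inet" && $4 !~ /^169\.254\./ { ok = 1 }
                     END { exit !ok }'
}

# default_gateway < `ip route`: print the gateway of the first default route, if any.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# diagnose IFACE LINK_TEXT ADDR_TEXT ROUTE_TEXT: stop at the first layer that fails.
diagnose() {
    printf '%s\n' "$2" | link_is_up "$1" || { echo "layer1: $1 link or carrier down"; return 0; }
    printf '%s\n' "$3" | has_routable_ipv4 "$1" || { echo "layer2: $1 has no usable IPv4 (DHCP failed?)"; return 0; }
    gw=$(printf '%s\n' "$4" | default_gateway)
    [ -n "$gw" ] || { echo "layer3: no default route"; return 0; }
    echo "ok: ping $gw next"
}

# Constructed sample output (documentation addresses), so the script runs offline.
LINK_OK='2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
LINK_DOWN='2: ens18: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000'
ADDR_OK='2: ens18    inet 192.0.2.50/24 brd 192.0.2.255 scope global noprefixroute ens18'
ADDR_LL='2: ens18    inet 169.254.7.12/16 brd 169.254.255.255 scope link ens18'
ROUTE_OK='default via 192.0.2.1 dev ens18 proto static metric 100
192.0.2.0/24 dev ens18 proto kernel scope link src 192.0.2.50 metric 100'
ROUTE_LOCAL='192.0.2.0/24 dev ens18 proto kernel scope link src 192.0.2.50 metric 100'

diagnose ens18 "$LINK_DOWN" "$ADDR_OK" "$ROUTE_OK"
diagnose ens18 "$LINK_OK" "$ADDR_LL" "$ROUTE_OK"
diagnose ens18 "$LINK_OK" "$ADDR_OK" "$ROUTE_LOCAL"
diagnose ens18 "$LINK_OK" "$ADDR_OK" "$ROUTE_OK"
# Live use: diagnose ens18 "$(ip -o link show)" "$(ip -o -4 addr show)" "$(ip route)"
```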

Layer 4 — Connectivity, three pings in order

This sequence pinpoints exactly where it breaks:

ping -c3 <gateway-ip>     # 1. the gateway from `ip route`
ping -c3 1.1.1.1          # 2. a public IP by NUMBER
ping -c3 google.com       # 3. a public NAME

Interpret the first failure:

Fails at            | Meaning
Gateway             | Local L2/IP problem — link, IP, subnet, or switch/firewall
Public IP (1.1.1.1) | Routing or upstream/firewall problem beyond your LAN
Only the name       | It's DNS. Connectivity is fine — resolution is broken

ping IP works, ping name fails

This is the unambiguous DNS signature. Skip straight to Layer 5; the network itself is healthy.

Layer 5 — DNS configuration and queries

cat /etc/resolv.conf          # which nameservers are in use?
resolvectl status             # systemd-resolved view (per-link DNS)
cat /etc/hosts                # static overrides — a wrong entry here can hijack a name
cat /etc/nsswitch.conf | grep hosts   # resolution order: files dns ...

Query directly to separate "DNS server is broken" from "the system isn't using DNS":

dig google.com                # asks the configured resolver
dig @1.1.1.1 google.com       # bypass it — query a known-good server directly
host google.com
getent hosts google.com       # uses nsswitch (files + dns), like apps actually do

If dig @1.1.1.1 works but dig google.com fails, your configured resolver is the problem. If dig works but getent hosts fails, suspect nsswitch.conf or /etc/hosts.
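When dig and getent hosts disagree, the check below shows whether an /etc/hosts entry is shadowing the DNS answer or whether nsswitch.conf never consults DNS at all. It is an added example, not part of the original page. The function names, the app.example.test name and the sample file contents are constructed, and only the files and dns sources are considered.

```sh
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
# Assumption: only the "files" and "dns" sources in nsswitch.conf are considered.

# hosts_overrides NAME < hosts file: print every address statically mapped to NAME
# (comments stripped, names compared case-insensitively).
hosts_overrides() {
    awk -v name="$1" '{ sub(/#.*/, "")
        for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) print $1 }'
}

# hosts_sources < nsswitch.conf: print the hosts: sources in order, without [action] items.
hosts_sources() {
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++)
                              if ($i !~ /^\[/) out = out (out ? " " : "") $i
                          print out; exit }'
}

# explain_lookup NAME DNS_ANSWER HOSTS_TEXT NSSWITCH_TEXT
# DNS_ANSWER is the address a direct query such as `dig +short @1.1.1.1 NAME` returned.
explain_lookup() {
    order=$(printf '%s\n' "$4" | hosts_sources)
    static=$(printf '%s\n' "$3" | hosts_overrides "$1" | head -n 1)
    first="" has_dns=no
    for src in $order; do
        case $src in
            files) [ -n "$first" ] || first=files ;;
            dns)   [ -n "$first" ] || first=dns; has_dns=yes ;;
        esac
    done
    [ "$has_dns" = yes ] || { echo "nsswitch: '$order' never asks DNS"; return 0; }
    if [ "$first" = files ] && [ -n "$static" ] && [ "$static" != "$2" ]; then
        echo "hosts: $1 pinned to $static, shadowing DNS answer $2"
    else
        echo "clean: no /etc/hosts entry shadows $1"
    fi
}

# Constructed sample file contents (documentation addresses), so the script runs offline.
HOSTS_BAD='127.0.0.1   localhost
203.0.113.66  app.example.test   # leftover test entry'
HOSTS_CLEAN='127.0.0.1 localhost'
NSS_DEFAULT='hosts:      files dns myhostname'
NSS_NODNS='hosts: files myhostname'
NSS_UBUNTU='hosts: files mdns4_minimal [NOTFOUND=return] dns'

explain_lookup app.example.test 198.51.100.20 "$HOSTS_BAD" "$NSS_DEFAULT"
explain_lookup app.example.test 198.51.100.20 "$HOSTS_CLEAN" "$NSS_UBUNTU"
explain_lookup app.example.test 198.51.100.20 "$HOSTS_BAD" "$NSS_NODNS"
```

For a live check, pass "$(cat /etc/hosts)" and "$(cat /etc/nsswitch.conf)" as the last two arguments.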

Listeners — is the service even up?

ss -tulpn        # all TCP/UDP listeners with PID/program

Confirm the service binds the expected address/port (e.g. 0.0.0.0:443, not just 127.0.0.1:443).

Fix

Bring an interface up

sudo ip link set eth0 up           # immediate, non-persistent
sudo nmcli connection up "System eth0"

Get an address — DHCP or static (nmcli)

# List connections
nmcli connection show

# DHCP
sudo nmcli connection modify "System eth0" ipv4.method auto

# Static
sudo nmcli connection modify "System eth0" \
  ipv4.method manual \
  ipv4.addresses 192.0.2.50/24 \
  ipv4.gateway 192.0.2.1 \
  ipv4.dns "1.1.1.1 8.8.8.8"

# Apply
sudo nmcli connection up "System eth0"

Ubuntu Server uses netplan

Edit /etc/netplan/*.yaml, then sudo netplan try (auto-reverts if you lose access) and sudo netplan apply:

network:
  version: 2
  ethernets:
    ens18:
      dhcp4: false
      addresses: [192.0.2.50/24]
      routes:
        - to: default
          via: 192.0.2.1
      nameservers:
        addresses: [1.1.1.1, 8.8.8.8]

Fix the default route

# Temporary (lost on reboot/reconnect)
sudo ip route add default via 192.0.2.1

# Persistent via NetworkManager
sudo nmcli connection modify "System eth0" ipv4.gateway 192.0.2.1
sudo nmcli connection up "System eth0"

Set working DNS

sudo nmcli connection modify "System eth0" ipv4.dns "1.1.1.1 8.8.8.8"
sudo nmcli connection modify "System eth0" ipv4.ignore-auto-dns yes   # don't let DHCP override
sudo nmcli connection up "System eth0"
resolvectl status        # confirm the new servers are active

Don't hand-edit /etc/resolv.conf

On NetworkManager/systemd-resolved systems /etc/resolv.conf is usually a managed symlink and your edits get overwritten. Set DNS through nmcli (or netplan) instead.

Open the firewall

If the host is up but a service is unreachable, the firewall may be blocking it:

sudo firewall-cmd --list-all
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

See Firewalls for the full workflow (UFW on Ubuntu).

Prevent

  • Make config persistent with NetworkManager (nmcli connection) or netplan — never rely on raw ip commands that vanish on reboot.
  • Use sudo netplan try (or keep a second session open) when changing networking remotely, so a mistake auto-reverts instead of stranding the box.
  • Monitor reachability and DNS (Zabbix/uptime checks) so you learn about failures before users do.
  • Document each host's expected interface, IP/CIDR, gateway, and DNS servers in your runbook.
  • Review the Networking Basics tutorial to keep the layered model sharp, and the Server Hardening Checklist for safe firewall defaults.

Test yourself