Home › Glossary › DNS Caching

DNS Caching

DNS records are cached at every layer between you and the authoritative nameserver. Caching is what makes the internet fast: but it's also what creates the appearance of slow DNS "propagation" after you change a record.

Layers of cache

• Application cache: browsers (Chrome, Firefox) keep their own DNS cache, usually for 60 seconds or until the tab is closed.
• OS cache: Windows, macOS, and Linux all cache DNS at the operating-system level. Flush with ipconfig /flushdns on Windows, sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder on macOS, or sudo resolvectl flush-caches on systemd Linux.
• Router cache: most home routers run dnsmasq or similar. They cache too, and you usually can't flush them without rebooting the router.
• Recursive resolver cache: this is the big one. Your ISP's resolver, or 1.1.1.1, etc. They honor (mostly) the TTL on the record.
• Authoritative nameserver: no caching here; this is the source of truth.

Worked example: TTL=300 didn't help

You lowered the TTL to 300 the day before your migration. You made the IP change at 10am. At 10:05 the propagation checker still shows the old IP at three resolvers. What went wrong?

Most likely: those resolvers cached the record before you lowered the TTL. They're still running out the old 86400-second clock. Lowering TTL changes future caches, not existing ones. The fix is to lower the TTL at least 24 hours (one old-TTL window) before the change, not the day of.

Less likely but possible: one of those resolvers is a Comcast or AT&T forwarder that caps minimum TTL at 600 or 3600 regardless of what you publish. There's no way to override that as the publisher.

Negative caching

Resolvers also cache absence. If a resolver looks up a record and gets NXDOMAIN, it caches the "no such record" answer for the duration of the SOA's minimum TTL (typically 1 hour). This is why a freshly-created subdomain may not resolve at every resolver immediately: some have a cached "doesn't exist" answer that hasn't expired yet.

Forcing a local flush vs forcing a remote flush

You can flush your own caches (browser, OS, router) at will. You cannot flush a recursive resolver you don't operate. Cloudflare exposes a "purge cache" tool at https://one.one.one.one/purge-cache/ for their own resolver, and Google has one at https://developers.google.com/speed/public-dns/cache, but most resolvers don't, and none of them help with the long tail of ISP resolvers.

Verify on WhereIsDNS

The 14 resolvers WhereIsDNS queries are independent. If one or two return the old answer and twelve return the new, that's stale cache. It will clear on its own when the TTL expires. If all return the old answer, the change hasn't been published yet at the authoritative — re-check your DNS console.

Related: TTL · NXDOMAIN · resolver.