DNS Caching: How TTL and Cache Work

Learn how DNS caching works at every level -- browser, OS, resolver, and CDN -- and how TTL controls cache freshness.

Why DNS Caching Exists

Every website visit requires at least one DNS lookup to convert a domain name into an IP address. Without caching, your device would query DNS servers for every single request -- adding latency and increasing load on DNS infrastructure. Caching stores resolved records locally so subsequent requests are answered instantly.

A single page load might require DNS lookups for the main domain, CDN subdomains, analytics scripts, and third-party resources. Caching turns what would be dozens of round trips into near-instant answers.

The DNS Cache Hierarchy

DNS responses are cached at multiple levels:

Browser cache (seconds to minutes)
  -> OS cache (minutes to hours)
    -> Resolver cache (hours to days)
      -> Authoritative server (source of truth)

Browser Cache

Modern browsers keep a small DNS cache of their own. Chrome holds up to 1,000 entries and expires them after roughly a minute; the cache can be cleared from chrome://net-internals/#dns (recent versions only offer the clear button there, not a listing). Firefox expires entries after 60 seconds by default (the network.dnsCacheExpiration preference). These timers are fixed rather than taken from the record, because the operating system's resolver API (getaddrinfo) does not return TTLs -- so a browser-level entry can outlive a short TTL or be discarded long before a long one.

Operating System Cache

The OS maintains a system-wide DNS cache. On Linux this exists only when a caching service such as systemd-resolved, nscd or dnsmasq is running; the glibc stub resolver itself keeps no cache.

# macOS: flush the cache (mDNSResponder is the system resolver; there is no simple "view" command)
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

# Windows: view the cache, then flush it
ipconfig /displaydns
ipconfig /flushdns

# Linux (systemd-resolved): view cache statistics, then flush
resolvectl statistics
resolvectl flush-caches

Resolver Cache

Your configured recursive resolver (ISP DNS, Google 8.8.8.8, Cloudflare 1.1.1.1) caches each answer for at most the record's TTL, and hands clients the remaining time rather than the original value. This is the most impactful cache layer because a single cached entry -- correct, stale, or poisoned -- is shared by every client of that resolver.

Understanding TTL

TTL (Time to Live) is a value in seconds set by the zone owner on each record in the zone file. It is an upper bound on how long a resolver may cache the record before asking the authoritative server again. As a cached answer ages, the resolver returns the remaining TTL, so a client may see any value from the original down to 0.

TTL value   Duration    Use case
60          1 minute    During migrations, failovers
300         5 minutes   Dynamic content, load balancing
3600        1 hour      Standard websites
86400       24 hours    Static records, MX, NS

example.com.  3600  IN  A  93.184.216.34
              ^^^^
              TTL: cache for 1 hour

Cache Poisoning Risks

DNS cache poisoning occurs when an attacker gets a forged record into a resolver's cache, typically by racing the legitimate authoritative reply with a spoofed response that matches the resolver's outstanding query. If it succeeds, every client of that resolver is sent to the attacker's address until the forged record expires -- and since the attacker sets that record's TTL, it can be very long -- or the cache is flushed.

Defenses include:

  • DNSSEC -- authoritative servers sign their records, and a validating resolver rejects answers whose signatures do not verify, so a forged record never enters the cache.
  • Source port randomization -- the resolver sends each query from an unpredictable UDP port and accepts a reply only if it arrives on that port with the matching 16-bit transaction ID, raising the number of packets an attacker must spoof from about 65,000 to billions.
  • DNS over HTTPS/TLS -- encrypts and authenticates the channel between client and resolver, so an on-path attacker on that hop cannot inject answers. It does not protect the resolver's own queries to authoritative servers, which is why DNSSEC validation at the resolver still matters.
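The checks behind the first two defenses, as an added Python example (written for this page, not code from any real resolver): it builds RFC 1035 wire-format queries and responses for a constructed scenario and applies the acceptance tests a resolver makes before caching an answer. The reply must arrive on the randomized UDP source port the query left from, carry the matching transaction ID and question, and only records inside the queried zone (its bailiwick) are kept. The transaction ID, ports, names and addresses are constructed, and the `zone` field that stands in for bailiwick tracking is a simplification.

```python
import struct

A_TYPE, IN_CLASS = 1, 1   # only IN A records are modelled here


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels, no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> tuple:
    """Read a name at `off`, following 0xC0 compression pointers.
    Returns (dotted name, offset just past the name at its original position)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid: int, qname: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", A_TYPE, IN_CLASS)


def build_response(txid: int, qname: str, answers, additional=()) -> bytes:
    """answers / additional: iterables of (name, ttl, dotted IPv4)."""
    answers, additional = list(answers), list(additional)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))  # QR, RD, RA
    body = encode_name(qname) + struct.pack("!HH", A_TYPE, IN_CLASS)
    for name, ttl, ip in answers + additional:
        body += encode_name(name) + struct.pack("!HHIH", A_TYPE, IN_CLASS, ttl, 4)
        body += bytes(int(octet) for octet in ip.split("."))
    return header + body


def parse_message(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    records = []
    for _ in range(an + ns + ar):                 # answer, authority, additional sections
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == A_TYPE and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        off += rdlen
        records.append((name.lower(), rtype, ttl, rdata))
    return {"id": txid, "qr": bool(flags & 0x8000),
            "question": (qname.lower(), qtype, qclass), "records": records}


def validate_response(pending: dict, response: bytes, to_port: int) -> dict:
    """Acceptance checks for a reply to the outstanding query `pending`:
    {"id": txid, "qname": name asked, "src_port": our randomized UDP port, "zone": bailiwick}."""
    reject = {"accepted": [], "dropped": [], "reason": ""}
    if to_port != pending["src_port"]:            # not aimed at our randomized port
        return {**reject, "reason": "wrong UDP port"}
    r = parse_message(response)
    if not r["qr"] or r["id"] != pending["id"]:   # 16-bit ID must match the query's
        return {**reject, "reason": "transaction ID mismatch"}
    if r["question"] != (pending["qname"].lower(), A_TYPE, IN_CLASS):
        return {**reject, "reason": "question does not match outstanding query"}
    zone = pending["zone"].lower()
    accepted = [rec for rec in r["records"] if rec[0] == zone or rec[0].endswith("." + zone)]
    dropped = [rec for rec in r["records"] if rec not in accepted]   # out of bailiwick: never cached
    return {"accepted": accepted, "dropped": dropped, "reason": "ok"}


def demo() -> dict:
    # Constructed scenario: we asked for www.example.com from port 41237 with ID 0x1A2B.
    # A real resolver draws src_port from the ephemeral range afresh for every query.
    pending = {"id": 0x1A2B, "qname": "www.example.com", "src_port": 41237, "zone": "example.com"}
    good = [("www.example.com", 3600, "93.184.216.34")]
    evil = [("www.example.com", 3600, "203.0.113.66")]
    legit = build_response(0x1A2B, "www.example.com", good,
                           additional=[("ns1.example.com", 86400, "192.0.2.53")])
    spoof_port = build_response(0x1A2B, "www.example.com", evil)   # right ID, port guessed wrong
    spoof_id = build_response(0x1A2C, "www.example.com", evil)     # right port, ID off by one
    spoof_glue = build_response(0x1A2B, "www.example.com", good,   # both right, plants a foreign record
                                additional=[("login.bank.test", 86400, "203.0.113.66")])
    return {"legit": validate_response(pending, legit, to_port=41237),
            "bad_port": validate_response(pending, spoof_port, to_port=41000),
            "bad_id": validate_response(pending, spoof_id, to_port=41237),
            "out_of_bailiwick": validate_response(pending, spoof_glue, to_port=41237)}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result["reason"], [rec[0] for rec in result["accepted"]])
```

Only the legitimate reply is cached in full; the two spoofs that miss the port or the ID are discarded before their contents are even considered, and the reply that passes both checks still loses its `login.bank.test` record because it lies outside the zone the query was about.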

TTL Best Practices

  • Lower TTLs (60-300s) before planned DNS changes (migrations, IP changes), and do it at least one old-TTL period in advance: resolvers that already hold the record keep it for the TTL they cached, so a change made the moment the TTL is lowered still takes the old TTL to propagate. Raise the TTL again once the change has settled.
  • Use moderate TTLs (3600s) for production records to balance freshness and performance.
  • Set high TTLs (86400s) for records that rarely change, such as MX, NS and verification TXT records.
  • Remember that some resolvers enforce minimum TTL floors (commonly 30-60 seconds) and maximum caps (often one day to one week), so very short or very long TTLs are not honoured everywhere.
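To make the behaviour described under "Understanding TTL" and in the practices above concrete, here is an added Python model of a resolver cache (an illustration written for this page, not code from any resolver). It stores each answer with an absolute expiry, returns the remaining TTL on hits, clamps TTLs to an assumed floor of 30 s and ceiling of 86400 s, and computes the worst-case time an old address can keep being served during a migration. The zone contents, addresses and clamp values are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class CachedRecord:
    rdata: str          # e.g. an IPv4 address
    expires_at: float   # absolute time in seconds at which the entry dies


@dataclass
class ResolverCache:
    # Clamp values are assumptions for this example; real resolvers make them configurable.
    min_ttl: int = 30
    max_ttl: int = 86400
    entries: dict = field(default_factory=dict)
    upstream_queries: int = 0

    def _clamp(self, ttl: int) -> int:
        return max(self.min_ttl, min(self.max_ttl, ttl))

    def lookup(self, name: str, now: float, authoritative: dict) -> tuple:
        """Answer `name` at time `now`; returns (rdata, TTL the client is told).
        `authoritative` stands in for the zone: name -> (rdata, ttl)."""
        key = name.lower().rstrip(".")            # names are case-insensitive
        entry = self.entries.get(key)
        if entry is not None and entry.expires_at > now:
            # Hit: the client sees the TTL counting down, not the zone's value
            return entry.rdata, int(entry.expires_at - now)
        # Miss or expired: ask the authoritative server and cache what it says
        rdata, ttl = authoritative[key]
        self.upstream_queries += 1
        ttl = self._clamp(ttl)
        self.entries[key] = CachedRecord(rdata, now + ttl)
        return rdata, ttl


def migration_visible_after(old_ttl, new_ttl, lower_at, switch_at) -> float:
    """Latest time at which some resolver may still hand out the OLD address.
    A resolver that cached just before the TTL was lowered keeps the record for
    the full old TTL; one that cached just before the switch keeps the old
    address for the new TTL.  The worst case is the later of the two."""
    return max(lower_at + old_ttl, switch_at + new_ttl)


def demo() -> dict:
    zone = {"example.com": ("93.184.216.34", 3600),
            "api.example.com": ("203.0.113.9", 5)}      # constructed zone data
    cache = ResolverCache()
    r1 = cache.lookup("example.com.", 0, zone)      # miss: upstream query, full TTL
    r2 = cache.lookup("EXAMPLE.com", 600, zone)     # hit: 3000 s remaining
    zone["example.com"] = ("198.51.100.7", 3600)   # zone owner changes the address...
    r3 = cache.lookup("example.com", 1200, zone)    # ...but the cache still serves the old one
    r4 = cache.lookup("example.com", 3601, zone)    # expired: the new address appears
    r5 = cache.lookup("api.example.com", 0, zone)   # TTL 5 is raised to the 30 s floor
    return {"r1": r1, "r2": r2, "r3": r3, "r4": r4, "r5": r5,
            "upstream": cache.upstream_queries}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
    # TTL 86400 lowered to 300 at t=0, address switched at t=7200 (two hours later):
    print("old address may still be served until t =", migration_visible_after(86400, 300, 0, 7200))
```

Running it shows r3 still returning 93.184.216.34 at t=1200 even though the zone already says 198.51.100.7, and the last line shows that lowering a one-day TTL only two hours before the switch buys almost nothing: some resolver may serve the old address until t=86400, the full old TTL after the lowering. That is the reason for lowering the TTL at least one old-TTL period ahead of the change.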

See Also