DNS Caching: How TTL and Cache Work
Learn how DNS caching works at every level -- browser, OS, resolver, and CDN -- and how TTL controls cache freshness.
Why DNS Caching Exists
Every website visit requires at least one DNS lookup to convert a domain name into an IP address. Without caching, your device would query DNS servers for every single request -- adding latency and increasing load on DNS infrastructure. Caching stores resolved records locally so subsequent requests are answered instantly.
A single page load might require DNS lookups for the main domain, CDN subdomains, analytics scripts, and third-party resources. Caching turns what would be dozens of round trips into near-instant answers.
The DNS Cache Hierarchy
DNS responses are cached at multiple levels:
```text
Browser cache (seconds to minutes)
  -> OS cache (minutes to hours)
    -> Resolver cache (hours to days)
      -> Authoritative server (source of truth)
```
Browser Cache
Modern browsers maintain their own DNS cache. Chrome caches up to 1,000 entries, viewable at chrome://net-internals/#dns. Firefox manages its cache internally with a default 60-second minimum TTL.
Operating System Cache
The OS maintains a system-wide DNS cache:
```shell
# Flush the OS DNS cache on macOS
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder

# View / flush the cache on Windows
ipconfig /displaydns
ipconfig /flushdns

# View cache statistics / flush on Linux (systemd-resolved)
resolvectl statistics
resolvectl flush-caches
```
Resolver Cache
Your configured DNS resolver (ISP DNS, Google 8.8.8.8, Cloudflare 1.1.1.1) caches responses for the duration specified by the TTL. This is the most impactful cache layer because it serves many users.
Understanding TTL
TTL (Time to Live) is a value in seconds set by the domain owner in their DNS zone file. It tells resolvers how long to cache the record before querying the authoritative server again.
| TTL Value | Duration | Use Case |
|---|---|---|
| 60 | 1 minute | During migrations, failovers |
| 300 | 5 minutes | Dynamic content, load balancing |
| 3600 | 1 hour | Standard websites |
| 86400 | 24 hours | Static records, MX, NS |
```text
example.com.  3600  IN  A  93.184.216.34
              ^^^^
              TTL: cache for 1 hour
```
Cache Poisoning Risks
DNS cache poisoning occurs when an attacker injects false records into a resolver's cache. If successful, all users of that resolver are directed to malicious IP addresses until the poisoned record expires.
Defenses include:
- DNSSEC -- cryptographically signs DNS records so resolvers can verify their authenticity.
- Source port randomization -- makes it harder for attackers to forge responses that match an outstanding query.
- DNS over HTTPS/TLS -- encrypts the channel between client and resolver.
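The following is an added example, not code from the page or from any real resolver, showing the resolver-side checks that make forged replies hard to land: a reply is only accepted if its transaction ID and destination port match a query the resolver actually sent, it comes from the server that was asked, its question section matches, and only records inside the queried server's bailiwick are allowed into the cache. The `pending` table, the `send_query`/`validate_response` functions and the response dictionaries are all constructed for this illustration.

```python
import secrets


def send_query(pending, qname, qtype, server_ip, zone):
    """Register an outgoing query in `pending`, keyed by (txid, source port).

    Both the 16-bit transaction ID and the ephemeral source port are random,
    so a forged reply has to match roughly 2^32 combinations rather than the
    2^16 an attacker would face if only the ID were unpredictable.
    """
    txid = secrets.randbelow(1 << 16)
    sport = 1024 + secrets.randbelow(65536 - 1024)
    pending[(txid, sport)] = {
        "qname": qname.lower(), "qtype": qtype.upper(),
        "server_ip": server_ip, "zone": zone.lower(),
    }
    return txid, sport


def in_bailiwick(owner, zone):
    """True if `owner` is the zone apex or lies below it (case-insensitive)."""
    owner, zone = owner.lower(), zone.lower()
    return owner == zone or owner.endswith("." + zone)


def validate_response(pending, resp):
    """Decide whether a reply may enter the cache.

    `resp` is a constructed dict with txid, dst_port, src_ip, qname, qtype and
    `records`, a list of (owner, type, rdata, ttl). Returns
    (accepted, reason, records_to_cache).
    """
    key = (resp["txid"], resp["dst_port"])
    query = pending.get(key)
    if query is None:
        return False, "no outstanding query with this ID and port", []
    if resp["src_ip"] != query["server_ip"]:
        return False, "reply did not come from the server that was asked", []
    if (resp["qname"].lower(), resp["qtype"].upper()) != (query["qname"], query["qtype"]):
        return False, "question section does not match the query", []
    del pending[key]  # accept at most one reply per query; later copies are dropped
    # Bailiwick rule: cache only records the queried server is entitled to speak for,
    # so an answer for example.com cannot plant records for unrelated names.
    cacheable = [rr for rr in resp["records"] if in_bailiwick(rr[0], query["zone"])]
    return True, "accepted", cacheable


if __name__ == "__main__":
    pending = {}
    txid, sport = send_query(pending, "www.example.com.", "A", "192.0.2.53", "example.com.")
    reply = {  # constructed reply containing one out-of-bailiwick record
        "txid": txid, "dst_port": sport, "src_ip": "192.0.2.53",
        "qname": "www.example.com.", "qtype": "A",
        "records": [("www.example.com.", "A", "93.184.216.34", 300),
                    ("login.example.net.", "A", "198.51.100.9", 86400)],
    }
    print(validate_response(pending, reply))
```

Real resolvers implement the same ideas inside the DNS parser (and add DNSSEC validation on top); the point of the example is that each check removes one way for an unsolicited or mismatched packet to reach the cache.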
TTL Best Practices
- Set low TTLs (60-300s) before planned DNS changes (migrations, IP changes).
- Use moderate TTLs (3600s) for production records to balance freshness and performance.
- Set high TTLs (86400s) for records that rarely change (MX, NS, TXT).
- Remember that some resolvers enforce minimum TTL floors (commonly 30-60 seconds).
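To make the TTL mechanics above concrete, here is a small resolver-style cache written for this page (an added example, not the page's own code nor that of any real resolver). It stores records with an absolute expiry derived from the authoritative TTL, clamps that TTL to a configurable floor and ceiling the way public resolvers do, and hands out the remaining TTL on cache hits so downstream caches never keep a record past its original deadline. `DnsCache`, `resolve`, the `ZONE` table standing in for an authoritative server and the `FakeClock` used to make the demo deterministic are all constructed for this illustration.

```python
import time


class DnsCache:
    """Cache keyed by (owner name, record type) with TTL-based expiry."""

    def __init__(self, min_ttl=0, max_ttl=86400, clock=time.monotonic):
        self.min_ttl = min_ttl          # floor some resolvers apply (page: 30-60 s)
        self.max_ttl = max_ttl          # ceiling; 86400 s is a common choice
        self.clock = clock              # injectable so expiry can be tested
        self._entries = {}              # (name, type) -> (rdata, expires_at)

    @staticmethod
    def key(name, rtype):
        # Owner names are case-insensitive; normalise to absolute lower-case form.
        return (name.rstrip(".").lower() + ".", rtype.upper())

    def store(self, name, rtype, rdata, ttl):
        """Cache a record; returns the TTL actually used after clamping."""
        ttl = max(self.min_ttl, min(self.max_ttl, int(ttl)))
        self._entries[self.key(name, rtype)] = (rdata, self.clock() + ttl)
        return ttl

    def lookup(self, name, rtype):
        """Return (rdata, remaining_ttl) or None if absent or expired."""
        k = self.key(name, rtype)
        entry = self._entries.get(k)
        if entry is None:
            return None
        rdata, expires_at = entry
        remaining = expires_at - self.clock()
        if remaining <= 0:
            del self._entries[k]        # expired: caller must re-query
            return None
        # Hand out the *remaining* TTL, not the original one, so OS and
        # browser caches below us expire the record no later than we do.
        return rdata, int(remaining)


# Constructed stand-in for an authoritative zone: (name, type) -> (rdata, TTL).
ZONE = {
    ("example.com.", "A"): ("93.184.216.34", 3600),
    ("www.example.com.", "A"): ("93.184.216.34", 300),
}


def resolve(cache, name, rtype, zone=ZONE):
    """Answer from cache if possible; otherwise ask the 'authoritative' zone.

    Returns (rdata, ttl, source) with source 'cache' or 'authoritative',
    or None when the name does not exist in the zone.
    """
    hit = cache.lookup(name, rtype)
    if hit is not None:
        return hit[0], hit[1], "cache"
    record = zone.get(DnsCache.key(name, rtype))
    if record is None:
        return None
    rdata, ttl = record
    return rdata, cache.store(name, rtype, rdata, ttl), "authoritative"


class FakeClock:
    """Manually advanced clock so the demo is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    cache = DnsCache(min_ttl=60, clock=clock)
    print(resolve(cache, "example.com", "A"))   # authoritative, TTL 3600
    clock.now += 1000
    print(resolve(cache, "EXAMPLE.COM", "A"))   # cache hit, 2600 s remaining
    clock.now += 2600
    print(resolve(cache, "example.com", "A"))   # expired, authoritative again
```

Running the same cache against a record with a 24-hour TTL shows why the first best practice exists: once a resolver has stored the old answer, a change at the authoritative server is invisible to that resolver's users until the cached copy expires, so the TTL has to be lowered well before the change, not at the time of it.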