Dnsium443DnDnsium
Back to blog

Understanding TTL DNS: Basics and Best Practices for Configuration

Learn the fundamentals of TTL DNS and essential configuration practices to optimize your domain performance. Read the article for effective insights!

DNS TTL Explained: How Time To Live Shapes DNS Performance and Propagation

Introduction to DNS TTL

Every time someone types a domain name into a browser, the domain name system works behind the scenes to translate that name into an ip address. DNS TTL, or time to live ttl, is the numerical value attached to every dns record that controls how long that record stays in dns cache before another dns query is made to authoritative dns servers.

Why does this matter? DNS TTL directly affects three things you care about: website availability during dns changes, dns resolution speed for end users, and the pace of dns propagation when you update records. Get it wrong, and your users may hit a dead server for hours after a migration. Get it right, and transitions become nearly invisible.

This article covers the basics of ttl dns, configuring ttl for different record types, real-world scenarios like migrations and failover, and best practices to balance performance against flexibility.

Consider two quick examples. A dns record with a ttl value of 300 seconds (5 minutes) means most resolvers worldwide will pick up a change within minutes. Set that same record to 86400 seconds (24 hours), and some users could see stale data for an entire day after you make a change. The difference between these two numbers can mean the difference between a smooth migration and a midnight incident.

DNS TTL Basics: What Time To Live Means in Practice

TTL is an integer measured in seconds, attached to every dns record-whether it is an A, AAAA, CNAME, mx record, or one of many txt records. DNS TTL determines how long records are cached by recursive resolvers, operating system caches, and other layers between your users and your authoritative server.

Here are the key concepts:

  • Authoritative nameserver sets the TTL. When you configure a dns record at your dns provider, you assign it a ttl value. This is the "original" TTL that the authoritative name server advertises.

  • Recursive resolvers honor that TTL. A dns resolver receives the answer, stores it, and serves it from cache until the ttl expires. Once it hits zero, the resolver must perform fresh dns lookups against the authoritative dns servers.

  • Multiple cache layers exist. Browsers, OS stub resolvers, your local dns resolver, ISP resolvers-each can hold a cached copy with a remaining TTL that decrements over time.

  • Typical TTL values range from 30 to 86,400 seconds. Very short (60s) suits dynamic failover. A default ttl of 3600 seconds (1 hour) is standard for most production web records. Long TTLs of 14,400–86,400 seconds work for stable records like NS or MX. Weekly TTLs of 604,800 seconds are used for infrequently changing sites.

A typical TTL value is 3600 seconds, which strikes a reasonable balance between efficient caching and timely updates.

How TTL Works During a DNS Query and DNS Resolution

When you visit a website, the dns resolution path typically follows this sequence:

  1. Your browser checks its own dns cache.

  2. If nothing is found, the OS cache is queried.

  3. If still empty, the request goes to the local dns resolver (often your router or ISP).

  4. The recursive resolver checks its own cache. If the record is missing or expired, it queries the authoritative dns servers.

  5. The authoritative server returns the record with its configured TTL.

Each cache along this path stores the answer with the remaining TTL, which decreases over time. Here is a concrete example:

At 12:00 UTC, a recursive resolver queries api.example.com and receives an A record with TTL = 3600 seconds. It caches the result. At 12:45 UTC, a client asks the same resolver for the same record. The resolver returns the cached answer with approximately 900 seconds remaining-no trip to the authoritative server needed. At 13:00 UTC, the TTL reaches zero, and the next dns query forces the resolver to contact the authoritative name server again for a fresh answer.

This ttl logic means that dns changes are never instant. The speed at which the world sees your update depends entirely on when each resolver last fetched and cached the record.

TTL vs Other DNS Timing Fields (SOA, Refresh, Retry, Expire)

The soa record at the top of every DNS zone contains its own timing fields, which are separate from per-record TTL:

  • Refresh (e.g., 3600 seconds): how often secondary dns servers poll the primary for zone updates.

  • Retry (e.g., 900 seconds): how long to wait before retrying a failed refresh.

  • Expire (e.g., 1,209,600 seconds): how long secondary servers consider zone data valid if they cannot reach the primary.

  • Minimum / Negative TTL (e.g., 300–3600 seconds): how long resolvers cache "not found" (NXDOMAIN) responses.

The critical distinction: per-record TTL governs how long positive answers (existing records) stay in resolvers cache. SOA timing fields govern zone transfers between dns servers and negative data caching. For most people adjusting ttl settings, you are working with per-record TTL, not SOA timers.

Unless you run your own primary authoritative server and manage zone transfers, leave SOA values at your dns provider defaults.

Why DNS TTL Matters: Speed, Stability, and DNS Propagation

TTL sits at the intersection of speed, stability, and operational flexibility. Here is why it matters in business terms:

  • Faster responses for end users. A long ttl means the dns resolver can answer queries from cache, eliminating network latency to the authoritative server. Long TTLs can improve performance by allowing DNS resolvers to return cached results more frequently.

  • Reduced risk during changes. A short ttl before a planned migration means most resolvers pick up new records quickly, achieving maximum uptime.

  • Server cost and load management. Higher TTL values result in reduced load on authoritative DNS servers by decreasing the frequency of queries. Conversely, a lower ttl generates more dns requests against your dns infrastructure.

  • DNS propagation speed. TTL affects how quickly DNS changes propagate globally. Lowering ttl values before a change compresses the propagation window.

Configuration of TTL should consider the balance between caching performance and update speed. There is no universal "best" number-the right ttl depends on how often a record changes and how critical rapid updates are.

DNS Propagation and the Effect of TTL

DNS propagation is the time it takes for new or updated dns records to be picked up by resolvers worldwide. It is not a push mechanism-resolvers simply wait for their cached copy to expire, then fetch the updated record.

Consider this scenario: on 2026-06-15, your domain's A record points to IP 203.0.113.10 with a TTL of 86,400 seconds (a TTL of 86400 seconds equals 24 hours). At 10:00 UTC, resolvers across Europe cache this record. You change the ip address to 198.51.100.20 at 14:00 UTC the same day. Those European resolvers will not see the new IP until their cached copy expires-potentially not until 10:00 UTC on 2026-06-16.

Rules of thumb for dns propagation:

  • Lower TTL (e.g., 300 seconds): Most resolvers see the change within 5–15 minutes. A low TTL allows changes to DNS records to propagate quickly across the internet.

  • Medium TTL (e.g., 3600 seconds): Propagation completes within 1–2 hours.

  • High TTL (e.g., 43,200–86,400 seconds): Full propagation can take 12–48 hours. High TTL values can lead to stale DNS records during this window.

Lowering TTL speeds up DNS propagation time, which is why many admins lower their TTL before a major change to increase the speed of DNS updates.

Impact of TTL on DNS Query Load and DNS Cache Usage

Long TTLs reduce the number of dns lookups hitting your authoritative dns servers, lowering CPU usage, bandwidth, and potentially your bill from managed dns services.

Very low TTLs can dramatically increase query volume. Here is a simple numeric example:

  • A site serves 10,000 users per minute. With TTL = 3600 (1 hour), each resolver queries the authoritative server roughly once per hour.

  • With TTL = 60 (1 minute), that same resolver re-queries 60 times per hour-a 60× increase in dns traffic reaching your dns infrastructure.

Short TTLs can increase traffic to authoritative DNS servers due to more frequent re-queries. For high-traffic domains, this can mean overloading servers or triggering rate limits.

Note that some large ISPs enforce minimum cache times regardless of your requested TTL, which helps reduce network congestion but means a few resolvers may hold onto old records slightly longer than expected.

Common DNS Record Types and Typical TTL Values

Each dns record type serves a different purpose and changes at a different frequency. Setting ttl values per record gives you fine-grained control over data caching and dns propagation. Typical TTL values range from 30 to 86,400 seconds depending on the record's role.

A and AAAA Records (Web and API Servers)

A and AAAA records map a domain name to an IPv4 or IPv6 ip address. They are the workhorses of dns configuration for websites and APIs.

  • Dynamic or frequently updated services: TTL of 300–3600 seconds. Lower TTL values for frequently updated records range from 30 to 300 seconds.

  • Very stable endpoints: TTL of 14,400–86,400 seconds.

  • Example: An ecommerce checkout service uses TTL 300 for rapid failover across data centers, while a static marketing site sits comfortably at TTL 21,600 (6 hours).

CDN providers often suggest specific appropriate ttl values for A or CNAME records that front their edge network. When using a CDN, align your TTL accordingly.

CNAME Records (Aliases and CDN Endpoints)

CNAME records point one hostname to another domain name, commonly used for CDN integrations and SaaS platforms.

  • Endpoints that may change: TTL of 900–3600 seconds.

  • Highly stable SaaS targets: TTL of 14,400 seconds or more.

  • Changes to a CNAME target propagate slowly if TTL is high, so plan before migrations by lowering ttl values in advance.

  • Some dns services disallow CNAME at the zone apex. Providers may offer ALIAS or ANAME records with configurable TTL as alternatives.

MX, TXT, and SPF Records (Email and Verification)

MX records direct email delivery to the correct mail servers. They rarely change after initial setup, making them good candidates for long TTLs. Typical TTL for MX and TXT records is 3,600 to 86,400 seconds.

  • Stable email configuration: TTL of 14,400–86,400 seconds for mx record and SPF-related txt records.

  • During email provider migration: Temporarily lower mx record TTL to 300–900 seconds at least 24–48 hours before the cut-over date (e.g., if migrating on 2026-07-01, lower TTL by 2026-06-29).

  • Verification txt records for services like Google Workspace or Microsoft 365 can safely use long TTLs after initial domain verification is complete.

NS and SOA Records (Zone Delegation)

NS records delegate a domain or subdomain to specific dns servers and almost never change once configured.

  • Recommended TTL for NS records: 86,400 seconds or more to maximize efficient caching at resolvers.

  • Before moving to a new dns provider, temporarily lower the NS TTL to shorten perceived dns propagation time.

  • The soa record's negative TTL field governs how long "no such record" responses remain in a resolver's cache. Keep this moderate (300–3600 seconds) to avoid prolonged outages from accidental NXDOMAIN responses.

Unless you are actively migrating dns infrastructure, leave NS and SOA TTLs at your provider's defaults.

How to Configure and Adjust TTL in Real-World Scenarios

Configuring ttl is typically done through a DNS management UI, control panel, or API at your registrar or managed dns provider. Most dashboards let you set a numerical value in seconds for each record.

  • Plan ttl management changes days before critical dns updates, especially for high-traffic or mission-critical services.

  • Some providers offer "Auto" default ttl settings. Check what value "Auto" actually maps to (often 300 seconds).

  • The shortest recommended TTL value is 30 seconds. Many providers enforce this as a floor, particularly on non-enterprise tiers.

Website Migrations and Server IP Changes

Here is a practical migration checklist using specific ttl times and timelines:

  1. 48 hours before migration: Lower the TTL of relevant A, AAAA, and CNAME records from their current value (e.g., 86,400) to 300 seconds. DNS administrators can set TTLs to manage the speed of changes in DNS records based on their needs.

  2. Wait for old TTL to expire. If the previous TTL was 86,400 seconds, wait at least 24 hours so all resolvers worldwide have cycled through and now respect the new short ttl.

  3. At the planned cut-over (e.g., 2026-07-01 01:00 UTC): Update the A record to the new ip address. Monitor dns lookups using dig or nslookup to confirm the change is visible.

  4. After confirming stability (24–48 hours): Raise TTL back to a stable value like 3600–14,400 seconds. A solid long TTL is around 1 hour (3,600 seconds) for most web services.

Load Balancing, Failover, and Dynamic DNS Use Cases

Services using DNS-based load balancing or active-passive failover need shorter ttl values so that endpoint changes propagate within seconds or minutes.

  • Failover architectures: TTL of 30–300 seconds. For example, two data centers in US-East and EU-West with DNS failover-if the US-East health check fails, DNS responds with the EU-West ip address. With TTL 60, most end users switch within a minute.

  • Dynamic DNS for branch offices or home labs: IPs change frequently, so TTL must stay low. Typical short TTL values range from 30 to 300 seconds.

  • Warning: Ultra-low TTLs increase dns traffic and query load on your authoritative servers. Network devices between clients and servers may also impose their own minimum cache durations. Factor in potential rate limits from your dns provider.

Planning TTL Around Routine DNS Changes

Routine dns changes include adding subdomains, rotating API endpoints, updating TXT verification records, or switching CDN providers.

A reliable pattern for adjusting ttl settings around any planned change:

  1. One day before the change: Lower TTL to 300–900 seconds. If the current TTL is 86,400, make this adjustment at least 24 hours in advance to respect the existing expiration date of cached records.

  2. Make the change. Update the dns record.

  3. Confirm propagation. Use lookup tools to verify resolvers see the new value.

  4. Raise TTL. Once confirmed stable, increase to your standard value.

Maintain a documented TTL policy so your team knows which records can safely use low, medium, or high ttl. This prevents ad-hoc decisions that lead to unnecessary dns updates headaches.

Checking TTL Values and Troubleshooting DNS TTL Issues

When diagnosing dns resolution or dns propagation problems, verifying the actual TTL values seen by resolvers is essential. The TTL your authoritative server advertises and the TTL a recursive resolver returns can differ based on how long the record has been cached.

Using dig, nslookup, and Other CLI Tools

The dig command is the standard tool for inspecting dns records and their TTL:

dig A example.com +noall +answer

The ANSWER SECTION shows the remaining TTL in seconds. To query a specific dns resolver:

dig @8.8.8.8 example.com A

On Windows, nslookup works similarly:

nslookup example.com 8.8.8.8

The TTL shown is the remaining cache time on that resolver, which may be less than the original TTL set on the authoritative dns server. To see the full configured TTL, query the authoritative nameserver directly.

Online DNS Lookup and Propagation Checkers

Online dns lookup tools query multiple public recursive resolvers across geographic regions, showing you the current dns record and remaining TTL from each location. These are especially useful during migrations or after major dns changes to verify global dns propagation.

  • Check A, AAAA, CNAME, and MX records to ensure all critical dns services point to expected endpoints.

  • Differences between locations typically reflect cached values with different remaining TTLs-not actual dns configuration errors.

  • Use these tools to answer queries from stakeholders asking "why can't I see the new site yet?"

Common TTL-Related Problems and How to Fix Them

Frequent issues and their fixes:

  • Users still hitting old IP after cut-over: The most common cause is a high ttl that was not lowered early enough before dns changes. Wait for the remaining TTL to expire, or set up a temporary redirect on the old server.

  • Email routed to legacy MX: Same root cause-high ttl values on the mx record. Lower TTL values speed up DNS record updates, but only if you lower them in advance.

  • CDN changes not visible in some regions: Network performance varies, and some ISPs override very low TTLs. A few hours of inconsistency can be normal even with perfect configuration. Lower ttl values before changes reduce but do not eliminate this window.

  • Negative caching holding stale NXDOMAIN: If you accidentally deleted a record and the soa record's minimum TTL is high, resolvers may cache the "not found" answer for hours. Reduce the SOA negative TTL to 300–900 seconds to mitigate this risk. Routing loops in complex multi-CDN setups can compound the confusion.

Best Practices and Recommended DNS TTL Strategies

Effective ttl management comes down to matching each record's TTL to its purpose, change frequency, and business criticality. Here are strategic guidelines to balance performance, responsiveness, and resource usage across your dns infrastructure.

Choosing Between Short, Medium, and Long TTLs

TTL CategoryRangeBest For
Short30–300 secondsMission-critical failover, dynamic DNS, active deployments
Medium900–3,600 secondsStandard web apps, APIs, monthly or quarterly dns changes
Long14,400–86,400 secondsStable MX, NS, verification txt records, rarely changing endpoints

  • Short TTLs suit records backing automated failover where every second of stale data matters.

  • Medium TTLs work for most web properties. Setting ttl values around 3,600 seconds is a reasonable default.

  • Long TTL values can be set between 3,600 and 86,400 seconds for records that rarely change. High TTL values reduce query load and improve network performance through efficient caching.

Quick reference: A and AAAA records → medium. CNAME → medium. MX and TXT → long. NS → long. Records under active migration → short.

Aligning TTL With Business and Operations Requirements

  • Encourage collaboration between network engineers, DevOps teams, and product owners when setting ttl depends on SLA targets.

  • Strict zero-downtime requirements and frequent deploys push TTL lower for certain records to help improve network performance during transitions.

  • Cost matters: high-volume sites using very low TTL across all records generate heavy dns traffic, and some dns services charge per query. A data packet of unnecessary queries adds up.

  • Review your dns ttl values every 6–12 months as infrastructure and traffic patterns evolve.

  • Document your TTL standards. Ad-hoc per-record decisions across teams lead to inconsistent behavior and surprise propagation delays. Think of this the same way you would approach network security policies-written down, reviewed, enforced.

Security Considerations: TTL and DNS Cache Poisoning

DNS cache poisoning occurs when a malicious actor injects forged records into a resolver's cache. High TTL values mean poisoned entries persist longer, extending the window for potential data breaches or traffic redirection.

  • Shorter ttl values reduce the duration a poisoned dns cache entry remains effective, though they do not prevent the attack itself.

  • TTL tuning is only one layer of network security. Combine appropriate ttl values with DNSSEC validation and secure dns server configurations.

  • Avoid multi-day TTLs on sensitive records (login subdomains, API endpoints) where rapid revocation might be needed.

  • A hop limit concept in IP networking prevents a data packet from circulating forever; similarly, TTL in DNS prevents stale records from persisting indefinitely. Understanding where a packet originated and how long its data should live is fundamental to both network traffic management and DNS hygiene.

TTL is not a silver bullet for security, but thoughtful ttl management reduces your exposure surface alongside other defensive measures.

Getting TTL right is not about picking one magic number. It is about matching each record's TTL to its role, its rate of change, and your operational requirements. Start by auditing the TTL values across your current dns configuration. Document a clear policy for short, medium, and long TTLs. And the next time you plan a migration or dns update, remember the simple rule: lower the TTL early, make the change, confirm, then raise it back.

Your future self-and your on-call team-will thank you.