
Detailed TTL Setup Guide for DNS Records
- Transfer
- Recovery mode

DNS is a fundamental technology product. Processing of almost all top-level network and Internet searches, forwarding Internet traffic and e-mail, as well as many other operations are possible due to the establishment of certain correspondences when searching for DNS (converting names such as some.domain.org to IP addresses or names of other domains).
We decided to write about the Time To Live (TTL) of the data, since most system administrators do not have to work with DNS configurations every day, and a significant part of the information about this parameter is half-forgotten tales transmitted by system administrators from generation to generation.
By asking the corresponding question on Twitter, we found out that some system administrators can’t even decrypt the TTL abbreviation (although such, fortunately, are in the minority).
Guess the riddle! What does the abbreviation TTL mean when it comes to DNS?
18:43 26 Oct 2016
4% Terminal transfer border
85% Lifetime
8% Telemetric transport line
3% List of trusted technologies
26 votes • Final result
Retweet 1 Like 1
To clarify, we will consider the following topics.
1. General information about the DNS system and the TTL parameter
2. Troubleshooting TTL in DNS records
3. Recommendations for managing changes to DNS records
4. DNS tools
5. Next steps
1. GENERAL INFORMATION ABOUT DNS
What is a DNS record?
A Domain Name Server (DNS) record contains two important parameters:
addressing (matching) of requests for a particular record;
the time it takes to record when caching - this is precisely the value that got the ominous name "lifetime" (TTL).
Why are DNS records cached?
Many organizations configure DNS records once, and after that do not change them for years. Because DNS records are often requested but rarely updated, caching them can significantly improve network performance, while increasing the complexity of evaluating and resolving DNS problems.
What is TTL?
Time to Live (TTL) is the length of record caching * by each link * of the DNS mapping chain. This value is measured in seconds (the importance of this will be explained below).
Unfortunately, the generally accepted term “lifetime” cannot be called exhaustive. Perhaps the more logical would be the name "search time" or "the duration of the storage of DNS records in the cache."
What is the default TTL for DNS records?
The TTL value is always expressed in seconds. Most DNS configuration services provide a predefined list of values for the records.
300 seconds = 5 minutes = “Very short”
3600 seconds = 1 hour = “Short”
86 400 seconds = 24 hours = “Long”
604 800 seconds = 7 days = “Absolute maximum”
How is DNS lookup performed?
When you enter any URL in the browser, a whole series of searches is created.
At each stage of this process (often there are more stages than listed) the following questions are asked.
1. Is the desired entry cached?
2. If yes, is its TTL value really?
If the answer is “No” to any of these questions, the request moves to the next link in the chain.
Why are DNS based on network connections rather than devices?
Fixing DNS issues is not an easy task, not only because of a number of difficulties associated with the use of TTL and caching systems, but also because many modern devices are connected through various networks and chains of DNS servers.
Consider the situation on the example of an ordinary laptop. I usually work on a laptop at home. Despite the fact that I have not taken it anywhere for several weeks, during this time the following connections were established on the device:
• to the main home Wi-Fi network / cable network;
• to a mobile phone when the cable network is unavailable;
• both options are above, but with connection via VPN.
Each change of network activates a new DNS chain. If this happens at the time of the change, the servers and caching nodes in the DNS chain may provide incorrect data.
This often happens on corporate networks where the Active Directory domain name matches the address of the company’s website. An external DNS server (ISP level) stores a DNS record directing the addresswww.example.com to the correct IP address / CNAME of the web server, but the records are not duplicated on the internal DNS server used by Active Directory.
The panic will immediately begin: “The web server is not working!”, “This is the end of the world!”, “Where are my pants?” But when you start fixing the problem, you will find that its cause was an open connection via VPN.
2. TROUBLESHOOTING WITH TTL IN DNS RECORDS
How long does it take to update a DNS record?
To calculate the maximum (worst case) time interval required to update the DNS record value in links for all clients, multiply the number of chain links (excluding the authoritative server) by the TTL value.
For example, if the TTL is 3600 seconds (1 hour), and the DNS chain consists of 5 links, the full propagation of the changes should take no more than 18,000 seconds (5 hours).
But if everything was so simple.
What are the costs of finding a DNS?
When it comes to “costs” for DNS lookups, they usually mean not time, but time. Depending on the number of Internet gremlins in the global network, it usually takes 100-200 milliseconds to complete a DNS query.
This is a very short time, but imagine a web page. The correspondence between the name and IP address in the DNS system must be configured for all images, CSS files, and JavaScript asset files that are accessible via the links on the page. Without caching, load times will increase markedly.
Simplified DNS Cost Calculation Scheme
I called this simplified scheme because it is unlikely that all the assets on your website are in different domains. In addition, browsers integrate many different caching tools that provide faster loading of content than shown in my diagram.
With caching
(30 image files x 50 ms for downloading each file) + (100 ms for performing one DNS lookup followed by caching) = 1600 ms
Without caching
(30 image files x 50 ms for downloading each file) + (30 x 100 ms per DNS lookup) = 3000 ms.
Why are my DNS records not updated ?
There are other factors that increase the propagation time of changes. Some of them are listed below.
• Web browsers independently cache DNS records and store them for some time without TTL, which supposedly increases their speed. For example, modern versions of Internet Explorer by default cache DNS records for 30 minutes (prior to IE 4, this time was 24 hours) and ignore lower TTL values.
• Mobile Internet providers may try to reduce the total amount of traffic transmitted by increasing the TTL time, which reduces the frequency of requests.
• Sophisticated internal networks with a larger number of DNS servers than expected will take longer to update for obvious reasons.
That is why in many services you may come across the following statement: “Full propagation of changes in DNS records can take several days, so plan your actions accordingly.”
Is there any way to force the client to remotely update the DNS record?
This question is usually asked in the following context: “After updating the DNS records, the client cannot access some sites. How to force update? "
Unfortunately, the only answer to this question is “No way.” There is no command in the DNS system to force an early update of data for lower-level clients.
You can use the commands to delete DNS records from the local cache, but usually they do not work as efficiently as we would like, due to the presence of upstream (caching DNS records on the side of the Internet provider) and downstream (caching DNS records in the browser) channels .
It is best to change the TTL values in your entries in advance.
3. CHANGE RECOMMENDATIONS IN DNS RECORDS
Which TTL values are better: small or large?
Developers have long been waging a holy war over how to indent code: using tabs or spaces. I found that network administrators have roughly the same feelings when it comes to TTL duration.
Typically, this view is reinforced by their own experience in repelling previous network attacks and resolving network configuration problems.
A DDOS attack that can shut down root DNS servers or similar ISP servers for 12 hours will have less impact on sites with a very high TTL. In such cases, clients will work even if the DNS server is shut down or overloaded.
However, if you accidentally make a mistake when switching Internet or email sites, 12 hours without any opportunity to fix it is the last thing you will need. That is why some administrators believe that the lifetime should not exceed 1 minute.
Personally, I try to specify a low TTL value for DNS records (less than 1 hour / 3600 seconds).
How do I know when a client will request an updated DNS record?
It is very difficult to determine when all clients will update the data.
Life time is * not * expiration date. You should not compare the TTL value in the DNS record with the recommended date of use indicated, for example, on stale bread: this is not a certain time, upon which the record becomes invalid and requires replacement.

A DNS record is more likely a staffing table, changes in which are slowly spreading throughout the network. When clients located in the “below” schedule expire the cache, they request a record from a higher level DNS server.
What is the best way to modify DNS records?
Creating a “plan” or “strategy” to perform relatively simple tasks, which include changing a single record in a domain, may seem like an overkill, but given the enormous impact of DNS failures on the availability of your data, it’s worth some caution. As the old proverb says: "Prevention is easier than cure."
There is an easy way to minimize errors: never update the DNS record and the TTL value for this record at the same time. Ideally, you should have the following process implemented.
1. A few days before the switch, set the TTL of the DNS record to a low value, such as 300 seconds.
2. Set the switch date for recording.
3. A few days after the switch, set a higher TTL value.
What is the best way to add new DNS records?
Adding a new entry is easier than changing an existing one.
1. Add a record with a low TTL value.
2. Check if everything is working, and increase the TTL value.
What is the most common TTL value?
Opinions regarding the * correct * TTL value are so divergent that we attempted to determine it based on statistics. The list of the 500 most important websites according to Moz seemed to us an excellent slice of the Internet. In addition, a ready-made CSV file with a list of sites included in the final list was available on this resource.
I wrote a small script to iterate through the list and find the current TTL value for the master record in each domain. As with any data analysis project, this data will vary greatly depending on the question posed. The example is not comprehensive, it presents current (cached) results, etc., etc. Despite all these reservations, the results obtained still have some value.
Analysis of TTL values for the 500 most important Internet domains according to Moz version
You can view or modify this script or download it and perform the analysis yourself: gist.github.com/mbuckbee/79b2e76bd9271bea38487defd8a9138b You can view the
list and download it in CSV format at moz.com / top500
Minimum TTL: 1
Maximum TTL: 129 540
Matching Domains: 485
Arithmetic Average TTL: 6468
Median TTL: 300
Minimum values were obtained from domains that very often modify DNS records in order to balance the load. The maximum values corresponded to domains that have not been updated for a long time (yes, python.org, that's me about you).
If you need to justify your decision to set a low (within 1 hour, 3600 seconds) TTL value, you can provide a median value of 300 seconds (5 minutes) and confidently state that you have empirical evidence of the correctness of your choice.
4. DNS PLATFORM TOOLS
How to check TTL value for DNS record in Windows?
The easiest way to check DNS records in Windows is to use the nslookup utility: technet.microsoft.com/en-us/library/bb490950.aspx .
Example: C: \> nslookup -type = cname -debug www.varonis.com

The TTL value is indicated at the bottom of the output. The phrase Non-authoritative answer indicates the TTL value received from the client (2 minutes 11 seconds before the local client checks the next level in the DNS chain).
How to check TTL value for DNS record on Unix / Linux / Mac?
On a Unix system (and its derivatives), the dig command is used to troubleshoot DNS issues.
Example: dig www.varonis.com

The TTL value is circled in red.
How to check DNS record over the Internet?
Sometimes it happens that you need to check the DNS record without a computer at hand. A convenient (and free) version of the dig command is available on Google tools at the following address: toolbox.googleapps.com/apps/dig .

The TTL value is circled in red.
How to verify the distribution of TTL for DNS records?
If you need to find out whether the DNS record settings are updated on a particular DNS server, then in any DNS tool (dig, nslookup, etc.), instead of the local default setting, you can select the DNS server on which the query will be executed.
For a complete picture of the changes, I recommend the resource whatsmydns.net, which allows you to check many top-level DNS servers (level of the Internet provider) and identify possible problems.

FURTHER ACTIONS FOR CONFIGURING TTL FOR DNS RECORDS
Configuring TTL for DNS records can be a daunting task, but if you select small values (less than one hour), you can keep your network operational and better prepare it for changes.
If you enjoyed this article, I recommend that you also familiarize yourself with our course on the basics of web security. This will help you better protect the site or application for which you just configured a DNS record. The course is free and very informative.