When anyone looks up a domain name, the answer does not come fresh every time from the original source. Instead, the result gets cached at multiple levels to reduce load and speed things up
Your computer caches DNS, your router caches it, and your ISP caches it as well. There are many layers, all holding on to DNS answers so nobody has to ask the authoritative server repeatedly
Every cached DNS answer has an expiration timer, called TTL (time to live), measured in seconds

  • TTL defines how long a cache can reuse an answer
  • Example: TTL = 3600 → cache keeps the answer for 1 hour
  • Until TTL expires, caches will not ask again, even if the record has changed

This is why DNS changes do not appear everywhere at the same time
Example:
We updated a DNS record at 2:00 PM:

  • ISP A cached the old record at 1:45 PM
    • TTL remaining: 45 minutes
  • ISP B cached it almost an hour ago
    • TTL remaining: 2 minutes
  • A user whose resolver has never looked up your domain
    • Gets the new record immediately

There is:

  • No global announcement
  • No synchronization
  • Just caches expiring at different times

This is what DNS propagation really is → cache expiration, not a delay in saving changes

When you query DNS with a tool such as dig, each answer line shows:

  • Left number → remaining TTL (seconds)
  • Right value → DNS answer (e.g., IP address)

This helps you check:

  • Whether the record is cached
  • How long until that cache expires

Authoritative DNS Servers (Source of Truth)

When you change a DNS record, it is saved at one place only: the authoritative name server (managed by your DNS provider)

  • Every other DNS server is just caching
  • If you want to verify whether your change actually saved:
    • Skip all caches
    • Query the authoritative server directly

  • Step 1: Find the authoritative name servers (NS)

    dig NS example.com

    • NS = Name Server
    • The output tells you which servers are authoritative

  • Step 2: Query the authoritative server directly

    dig @ns1.example-dns.com example.com A

    • @server → queries that server directly
    • This bypasses all caches

Note: Interpretation

  • Authoritative server shows new IP, but normal lookup shows old one
    → Change is saved, just waiting for TTLs to expire
  • Authoritative server shows old IP
    → Change didn’t save, check your DNS provider dashboard
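As an added illustration (not code from the page), this Python helper parses the answer lines dig prints (left number = TTL, right value = answer) and applies the interpretation note above to a constructed authoritative answer and a constructed cached answer; the sample lines and IPs are made up.

```python
import re

# Constructed sample dig ANSWER lines (not real lookups): name, TTL, class, type, value.
AUTHORITATIVE = "example.com.\t300\tIN\tA\t203.0.113.20"   # from dig @ns1... (authoritative)
RESOLVER      = "example.com.\t2843\tIN\tA\t203.0.113.10"  # from a normal, cached lookup

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_answer(line):
    """Return (ttl, rtype, value) from one dig ANSWER line.
    The left number is the remaining TTL when the answer came from a cache;
    an authoritative server reports the configured TTL instead."""
    m = ANSWER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a dig answer line: {line!r}")
    _name, ttl, rtype, value = m.groups()
    return int(ttl), rtype, value.strip()

def interpret(authoritative_line, resolver_line, new_value):
    """Apply the interpretation note: compare the authoritative answer with a cached one."""
    _auth_ttl, _, auth_value = parse_answer(authoritative_line)
    cache_ttl, _, cache_value = parse_answer(resolver_line)
    if auth_value != new_value:
        return "not saved"          # authoritative still old: check the provider dashboard
    if cache_value == new_value:
        return "propagated"         # this resolver already serves the new value
    return f"saved, waiting up to {cache_ttl}s"   # old value lingers until the cache entry expires
```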

Different public resolvers maintain different caches. Useful commands:

dig @8.8.8.8 example.com
dig @1.1.1.1 example.com

If answers differ:

  • Nothing is broken
  • Caches are expiring at different times

Full DNS lookup trace

dig +trace example.com

  • Shows every step in the DNS resolution chain
  • Useful for deeper debugging and understanding where things stop

Common DNS Record Types

DNS can return many record types, but these are the ones you’ll actually use

  1. A Record
    • Maps a domain to an IPv4 address
    • We can have multiple A records
    • Client picks one → basic load distribution
    • Limitation:
      • DNS has no health checks
      • If a server dies, DNS still returns it
  2. AAAA Record
    • Same as A record, but for IPv6
  3. CNAME Record
    • Points one domain to another domain
    • Example: www.example.com → example.com
    • Rules:
      • A CNAME cannot coexist with other record types on the same name
      • If a CNAME exists, nothing else can
    • That’s why:
      • We cannot CNAME the root domain
      • Root needs MX, TXT, and verification records
    • Workarounds:
      • Some providers offer ALIAS / ANAME
      • Otherwise, use an A record
  4. MX Record (Mail Exchange)
    • Controls where email is delivered
      • Numbers = priority
      • Lower number = tried first
        • If 10 fails → try 20
    • Important:
      • Wrong MX records cause silent email failure
      • Always check MX first when debugging email issues
      dig MX example.com
  5. TXT Record
    • Stores text data used for:
      • Domain ownership verification
      • Email security (SPF, DKIM, DMARC)
    • Almost every service that asks you to verify a domain uses a TXT record
  6. NS Record
    • Specifies which name servers are authoritative.
      dig NS example.com
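An added Python check (not from the page) that applies the CNAME rules and the MX priority order described above to a constructed zone; the zone records, hosts and the verification token are made up.

```python
from collections import defaultdict

# Constructed zone (name, type, value); not a real zone from the page.
ZONE = [
    ("example.com", "A", "203.0.113.10"),
    ("example.com", "MX", "20 backup.example.com"),
    ("example.com", "MX", "10 mail.example.com"),
    ("example.com", "TXT", "v=spf1 mx -all"),
    ("www.example.com", "CNAME", "example.com"),
    ("blog.example.com", "CNAME", "hosting.example.net"),
    ("blog.example.com", "TXT", "site-verification=constructed-token"),
]

def cname_conflicts(records, zone_root):
    """Return problems: a CNAME at the zone root, or a CNAME sharing a name with other types."""
    by_name = defaultdict(set)
    for name, rtype, _ in records:
        by_name[name].add(rtype)
    problems = []
    for name, types in sorted(by_name.items()):
        if "CNAME" not in types:
            continue
        if name == zone_root:
            problems.append(f"{name}: CNAME at the root (use ALIAS/ANAME or an A record)")
        others = sorted(types - {"CNAME"})
        if others:
            problems.append(f"{name}: CNAME cannot coexist with {', '.join(others)}")
    return problems

def mx_delivery_order(records, name):
    """Return mail hosts for `name` in the order a sender tries them: lowest number first."""
    hosts = []
    for rname, rtype, value in records:
        if rname == name and rtype == "MX":
            prio, host = value.split(None, 1)
            hosts.append((int(prio), host))
    return [host for _, host in sorted(hosts)]
```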

Q: How to Change DNS Without Waiting 24-48 Hours?
A:

  • Step 1: Check current TTL
    • Many records default to: 86400 seconds = 24 hours
    • This means caches may hold the old value for a full day
  • Step 2: Lower the TTL before changing the record
    • Set TTL to: 300 seconds (5 minutes)
    • Do not change the IP yet. Just lower the TTL and save
  • Step 3: Wait for the old TTL to expire
    • This step is commonly skipped
    • Why it matters:
      • Existing caches don’t know you lowered the TTL
      • They still obey the old TTL
    • If TTL was 24 hours → wait 24 hours
  • Step 4: Make the actual DNS change
    • Now:
      • Short TTL is already in effect
      • Caches expire quickly
      • World sees changes in minutes
  • Step 5: Verify
    • Query authoritative server directly:
      dig @ns1.example-dns.com example.com A
    • Then test public resolvers or online DNS checkers
  • Step 6: Raise TTL back up
    • Once stable:
      • Set TTL back to 3600 or higher
      • Reduces DNS load and improves performance
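To show why Step 3 matters, here is an added simulation (not from the page) of two resolver caches going through Steps 2-4: one resolver cached the record under the old 24-hour TTL, the other first asks after the TTL was lowered. Clock values, IPs and the one-minute client traffic are constructed assumptions.

```python
# Simulation (added here, not from the page) of two resolver caches during the
# TTL-lowering procedure above. Clock is in seconds; all values are constructed.

class Authoritative:
    """Source of truth: whatever value and TTL are currently saved at the provider."""
    def __init__(self, value, ttl):
        self.value, self.ttl = value, ttl

class ResolverCache:
    """One recursive resolver's cache for a single name; it obeys the TTL it received."""
    def __init__(self):
        self.value, self.expires = None, -1

    def lookup(self, now, auth):
        """Answer from cache until expiry, then refetch from the authoritative server."""
        if now >= self.expires:
            self.value, self.expires = auth.value, now + auth.ttl
        return self.value

def simulate(change_wait):
    """Run Steps 2-4 with `change_wait` seconds spent at Step 3 before changing the IP.
    Returns how many seconds after the change every resolver serves the new IP."""
    auth = Authoritative("203.0.113.10", 86400)       # Step 1: current TTL is 24 hours
    early, late = ResolverCache(), ResolverCache()
    flip = 120 + change_wait
    for now in range(0, flip + 90000, 60):            # clients hit both resolvers every minute
        if now == 60:
            auth.ttl = 300                            # Step 2: lower TTL, keep the IP
        if now == flip:
            auth.value = "203.0.113.20"               # Step 4: the actual change
        answers = [early.lookup(now, auth)]           # early cached at t=0 under the 24h TTL
        if now >= 120:
            answers.append(late.lookup(now, auth))    # late first asks after the TTL was lowered
        if now >= flip and all(a == auth.value for a in answers):
            return now - flip
    return None

if __name__ == "__main__":
    print(simulate(0), simulate(86400))   # skipping Step 3 vs waiting out the old TTL
```

Skipping Step 3 leaves the early resolver serving the old IP for almost the full 24 hours; after waiting out the old TTL, every cache converges within the new 300-second TTL.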