Articles

DNS TTL Explained: Tune It for Fast Propagation and Low Load (2026)

April 16, 2026 5 min read

DNS TTL is a surprisingly active participant in how the internet works, not just a passive setting.

Let’s see it in action. Imagine you have a domain, example.com, and you want to point it to an IP address 192.0.2.1. You configure a DNS record like this:

example.com. IN A 192.0.2.1

Now, you set a Time To Live (TTL) for this record. Let’s say you set it to 3600 seconds (1 hour). This 3600 is the TTL.

Here’s what happens:

  1. Your Request: When a user’s browser asks for example.com, their computer’s DNS resolver (usually provided by your ISP or a public service like Google DNS 8.8.8.8) looks up the IP.
  2. Resolver Caching: If the resolver doesn’t have example.com cached, it asks your authoritative DNS server. Your server responds with 192.0.2.1 and the TTL of 3600.
  3. Caching Period: The resolver caches this answer. It will not ask your authoritative server again for example.com for the next 3600 seconds. Anyone else using that same resolver during that hour will get the cached IP address instantly.
  4. Subsequent Requests: If another user on a different network uses a different DNS resolver that also doesn’t have the record cached, that resolver will query your authoritative server. This increases the load on your server.
  5. TTL Expiration: After 3600 seconds, the resolver’s cache entry for example.com expires. The next time someone using that resolver asks for example.com, the resolver will query your authoritative server again.

This is the core mechanic: TTL dictates how long DNS resolvers are allowed to remember (cache) a DNS record before they must ask the authoritative server for it again.

The Problem TTL Solves (and Creates): Propagation Speed vs. Server Load

The fundamental trade-off with DNS TTL is between how quickly changes to your DNS records are seen by the entire internet (propagation speed) and how much load your authoritative DNS servers experience.

  • Low TTL (e.g., 60 seconds):

    • Pros: Changes propagate very quickly. If you update an IP address, within a minute or two, most resolvers will have fetched the new record. This is crucial for high-availability setups where you might need to rapidly shift traffic away from a failing server.
    • Cons: High query volume. Every resolver that previously cached your record will re-query your authoritative server every minute. This can overwhelm your DNS infrastructure, leading to slow responses or even outages for your users.

  • High TTL (e.g., 86400 seconds / 24 hours):

    • Pros: Low query volume. Resolvers cache your record for a long time, significantly reducing the number of requests hitting your authoritative servers. This is great for stability and cost savings if you use a paid DNS service.
    • Cons: Slow propagation. If you change an IP address, it could take up to 24 hours for all resolvers across the globe to update their cache. This means users might still be directed to the old, potentially broken, IP address for a long time.

Tuning TTL for Your Needs

The "best" TTL is highly situational.

  • For critical infrastructure or frequently changing records (like load balancer IPs): Use a low TTL, perhaps 60 to 300 seconds (1 to 5 minutes). Be prepared for the increased query load and ensure your DNS infrastructure can handle it.
  • For stable records (like a web server IP that rarely changes): Use a higher TTL, like 3600 (1 hour) or 86400 (24 hours). This drastically reduces server load.
  • During a migration or change: Temporarily lower your TTL to something like 60 seconds a day or two before making the actual change. Once the change is verified and you want to return to normal load, you can slowly increase it back up (e.g., to 300, then 3600, then 86400). This phased approach ensures smooth propagation without a sudden spike in load.

Example Configuration (Bind format):

$TTL 3600 ; Default TTL for all records
@       IN SOA  ns1.example.com. admin.example.com. (
              2023102701 ; Serial
              7200       ; Refresh
              3600       ; Retry
              1209600    ; Expire
              60         ; Minimum TTL (for negative caching)
              )

; ... other records ...

www     IN A    192.0.2.10  ; This record inherits the $TTL of 3600
mail    IN A    192.0.2.20  ; This record inherits the $TTL of 3600

; You can also set TTL per record:
ftp     IN A    192.0.2.30  ; This record inherits the $TTL of 3600

In this example, www and mail will have a TTL of 3600 seconds. If you wanted ftp to have a different TTL, say 5 minutes (300 seconds), you’d write:

ftp     IN A    192.0.2.30  ; TTL is 300 seconds

This is slightly different from the 3600 default inherited from $TTL.

The "Minimum TTL" in the SOA record is a bit of a misnomer. It’s primarily used for negative caching – how long resolvers should cache the fact that a record doesn’t exist. If a resolver queries for nonexistent.example.com and your server says "it’s not here," the resolver will cache that negative response for the duration specified by this "Minimum TTL" (in the example, 60 seconds).

When you’re troubleshooting DNS propagation, the most important thing to remember is that the TTL is set on the authoritative server but honored by the recursive resolver. You can’t force a resolver to forget a record before its cached TTL expires. The only thing you can do is set a low TTL on your authoritative server, and then wait for resolvers to pick up the change.

The next thing you’ll likely grapple with is DNSSEC, which adds cryptographic signatures to DNS records to prevent spoofing, and understanding how it interacts with TTL and propagation.

Want structured learning?

Take the full Dns course →