DNS Caching: How It Works and Why It Matters

DNS caching stores resolved IP addresses to speed up repeat visits.

DNS Caching

Every DNS lookup you make gets cached somewhere. This caching is what makes browsing fast. Without it, every single request to any website would trigger a full DNS resolution chain from scratch, adding hundreds of milliseconds of delay every time you click a link or load a page.

What Is DNS Caching

DNS caching is the temporary storage of DNS query results at various points along the resolution chain. Once a domain name has been resolved to an IP address, that result is saved locally so that future requests for the same domain can be answered immediately without repeating the full lookup process.

The period of time a cached result is considered valid is controlled by a value attached to every DNS record called the TTL, or Time to Live. When the TTL expires, the cached entry is discarded and the next request for that domain triggers a fresh lookup. Until then, any query for that domain is answered from cache rather than from the authoritative DNS server. A cache does not hand out the original TTL on a hit; it hands out the time remaining on its own copy, so a layer further down the chain never holds a record longer than the layer it learned it from.

Caching happens at multiple layers between your device and the authoritative name server. Each layer has its own cache, its own duration, and its own rules for when to refresh. Understanding where caching occurs helps you diagnose why DNS changes take time to propagate and how to work around stale records when needed.

Where DNS Cache Is Stored

For each cache location: who controls it, how long entries typically live, and what to keep in mind when troubleshooting.

  • Browser cache. Controlled by the browser itself, such as Chrome or Firefox. Typical duration: seconds to a few minutes. Browsers cap how long they keep an entry (roughly a minute) regardless of the record's TTL, so they rarely cause long-lived staleness.
  • Operating system cache. Controlled by the Windows, macOS, or Linux stub resolver. Typical duration: follows the record's TTL. This is the most useful cache to flush when testing DNS changes on your own machine.
  • Router cache. Controlled by your home or office router. Typical duration: varies by device and firmware. Often overlooked during troubleshooting; restarting the router clears it.
  • ISP resolver cache. Controlled by your internet provider's recursive resolver. Typical duration: follows the TTL, sometimes overridden. Some ISPs clamp very low TTLs up to a minimum or cache longer than specified, slowing propagation.
  • Public DNS resolver cache. Controlled by Google, Cloudflare, or another public resolver operator. Typical duration: follows the TTL. Generally respects TTL values more consistently than ISP resolvers.
  • Authoritative DNS server. Controlled by your DNS provider, such as Cloudflare or Route 53. Not a cache: this is the source of truth, and changes made here propagate outward as the caches above expire.

How TTL Controls the Cache

Every DNS record includes a TTL value measured in seconds. This value tells every resolver along the chain how long it is allowed to keep the cached result before it must discard it and fetch a fresh copy. The TTL is set by the domain owner in their DNS provider's control panel, and it travels with the record whenever it is served to a resolver.

Choosing the right TTL is a trade-off between performance and flexibility. A high TTL reduces the volume of DNS queries hitting your authoritative server and speeds up lookups for end users because more resolvers have the record cached. A low TTL allows you to make changes that propagate quickly across the internet, which is valuable when migrating servers or responding to an outage.

  • TTL 60 to 300 (1 to 5 minutes): Use ahead of a planned server migration or IP address change. Lower the TTL at least one full old-TTL period before the change, because resolvers that already hold the record will not see the lower TTL until their existing copy expires. Once the change is made, the old record then expires quickly everywhere.
  • TTL 3600 (1 hour): A reasonable default for most A and CNAME records where changes are occasionally needed but not frequent.
  • TTL 86400 (24 hours): Suitable for stable records that rarely change, such as NS and MX records. The higher TTL reduces query load and speeds up resolution for users worldwide.

It is worth noting that the TTL in the record is a ceiling, not a guarantee, and that intermediaries may adjust it in both directions. Browsers cap how long they keep an entry: Chrome, for example, keeps entries in its internal host cache for roughly a minute regardless of the TTL in the record. Some recursive resolvers do the opposite and enforce a minimum TTL floor, clamping very short TTLs up to a few minutes to limit query load, which is one reason a 60-second TTL does not always translate into 60-second propagation.
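The following is an added example, not code from the original page or from any resolver implementation. It models a three-tier chain (a browser cache that caps entries at 60 seconds, a recursive resolver cache, and an authoritative zone) on a simulated clock, then walks through a planned migration: the operator lowers the TTL of a 24-hour record and later changes the address. The zone name and IP addresses are constructed for illustration. It shows two things the prose above only states: that each layer passes the remaining TTL downstream, and that lowering a TTL does not take effect until the old, long-TTL copy has expired at the resolver.

```python
"""Added example: TTL handling along a chain of DNS caches (constructed data)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    rdata: str
    stored_at: int   # seconds on the simulated clock
    ttl: int         # seconds this cache may serve the entry


class DnsCache:
    """One caching layer. max_ttl models a browser-style cap on how long an
    entry is kept; min_ttl models a resolver that clamps very low TTLs up."""

    def __init__(self, max_ttl: Optional[int] = None, min_ttl: int = 0):
        self.max_ttl = max_ttl
        self.min_ttl = min_ttl
        self.entries: dict[str, Entry] = {}

    def store(self, name: str, rdata: str, ttl: int, now: int) -> None:
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)
        ttl = max(ttl, self.min_ttl)
        self.entries[name] = Entry(rdata, now, ttl)

    def lookup(self, name: str, now: int) -> Optional[tuple[str, int]]:
        """Return (rdata, remaining_ttl), or None once the entry has expired."""
        e = self.entries.get(name)
        if e is None:
            return None
        remaining = e.ttl - (now - e.stored_at)
        if remaining <= 0:
            del self.entries[name]
            return None
        return e.rdata, remaining


class Chain:
    """Browser -> resolver -> authoritative. Each layer hands the layer below
    it the *remaining* TTL, never the original value from the zone."""

    def __init__(self, zone: dict[str, tuple[str, int]]):
        self.zone = zone                      # name -> (rdata, ttl); constructed
        self.resolver = DnsCache()
        self.browser = DnsCache(max_ttl=60)   # browser-style cap

    def resolve(self, name: str, now: int) -> tuple[str, str]:
        """Return (answer, name of the layer that answered)."""
        hit = self.browser.lookup(name, now)
        if hit:
            return hit[0], "browser"
        hit = self.resolver.lookup(name, now)
        if hit:
            self.browser.store(name, hit[0], hit[1], now)
            return hit[0], "resolver"
        rdata, ttl = self.zone[name]
        self.resolver.store(name, rdata, ttl, now)
        self.browser.store(name, rdata, ttl, now)
        return rdata, "authoritative"


def migration_timeline() -> list[tuple[int, str, str]]:
    """Operator lowers the TTL at t=0 and moves the server at t=86400.
    Returns what a client sees at each step as (time, answer, source)."""
    name = "www.example.com"                          # constructed
    chain = Chain({name: ("192.0.2.10", 86400)})       # 24 h TTL to start
    seen = []
    seen.append((0,) + chain.resolve(name, 0))         # fills every cache
    chain.zone[name] = ("192.0.2.10", 300)            # TTL lowered; caches unaware
    seen.append((30,) + chain.resolve(name, 30))       # browser hit, under the 60 s cap
    seen.append((3600,) + chain.resolve(name, 3600))   # resolver still holds the 24 h copy
    seen.append((86400,) + chain.resolve(name, 86400)) # old copy expired; 300 s TTL learned
    chain.zone[name] = ("198.51.100.7", 300)          # the actual migration
    seen.append((86600,) + chain.resolve(name, 86600)) # old IP, 100 s left on resolver copy
    seen.append((86700,) + chain.resolve(name, 86700)) # new IP finally visible
    return seen


if __name__ == "__main__":
    for t, answer, source in migration_timeline():
        print(f"t={t:>6}s  {answer:<14} from {source}")
```

The timeline is the practical lesson: because the resolver holds the original 24-hour copy, the lowered TTL is invisible to it until t=86400, and the new address does not appear until a further 300 seconds after the change. Lowering the TTL "a few hours" before a cut-over is not enough when the old TTL was a day.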

How to View and Clear Your DNS Cache

Flushing your local DNS cache forces your device to perform a fresh lookup for any domain on the next request. This is useful when you have recently changed a DNS record and want to verify the change is working, or when a website is failing to load due to a stale or corrupted cache entry.

Commands or steps to view and clear the cache, by operating system or browser:

  • Windows: open Command Prompt and run ipconfig /flushdns. To view the current cache first, run ipconfig /displaydns.
  • macOS: open Terminal and run sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
  • Linux (systemd-resolved): run sudo resolvectl flush-caches (restarting the service with sudo systemctl restart systemd-resolved also works). resolvectl statistics shows the current cache size.
  • Chrome: navigate to chrome://net-internals/#dns and click the Clear host cache button.
  • Firefox: open about:networking#dns and click Clear DNS Cache. The cache lifetime is controlled by network.dnsCacheExpiration in about:config (60 seconds by default), and restarting the browser also clears its in-memory cache.

Keep in mind that flushing your local cache only affects your own device. If you are testing a DNS change and others still see the old record, their devices or their ISP's resolver may still have the previous value cached. You cannot flush a remote resolver's cache directly, though switching to a public DNS server like 1.1.1.1 or 8.8.8.8 can give you access to a fresher cache than your ISP provides, and both Google Public DNS and Cloudflare's 1.1.1.1 offer a web form for purging a single name from their caches. To check what a specific resolver currently holds, query it directly with a tool such as dig (for example dig @1.1.1.1 www.example.com) and read the TTL column in the answer: it counts down on each query while the entry is served from cache and jumps back to the full value after a refresh.

DNS Cache Poisoning

DNS cache poisoning is a security attack in which a malicious actor injects a forged DNS response into a resolver's cache. If successful, the resolver stores the fake record and serves it to all users who query through that resolver for as long as the forged TTL lasts, silently redirecting them to a server the attacker controls. The classic off-path attack relies on the resolver accepting the first reply whose 16-bit transaction ID matches its outstanding query; modern resolvers also randomise the UDP source port, check that the question section matches byte for byte (including mixed letter case, the so-called 0x20 technique), and refuse to cache records outside the zone the queried server is responsible for (the bailiwick rule). Those checks raise the cost of a forgery but do not rule it out. For a site reached over plain HTTP the user sees no warning, because the browser receives a valid-looking IP address and connects normally, which makes the attack effective for phishing and credential theft. For an HTTPS site the attacker's server cannot present a valid certificate, so the browser does warn; HSTS removes the plain-HTTP fallback that the attacker would otherwise exploit.

DNSSEC (DNS Security Extensions) was developed specifically to counter cache poisoning. It works by digitally signing DNS records with the zone owner's key, so that a validating resolver can verify that a response carries the data the zone owner published and has not been tampered with in transit; it proves the origin and integrity of the data rather than the identity of the server that delivered it, and it does not encrypt anything. Protection only extends as far as the validating resolver: a stub on your laptop that simply trusts its upstream resolver's answers gains nothing unless it validates itself or talks to the resolver over an authenticated channel such as DNS over TLS or HTTPS. Adoption of DNSSEC has been gradual, and not all domains or resolvers support it, but it remains the primary technical defence against this class of attack.
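The following is an added example, not code from the original page or from any real resolver. It models the acceptance checks a recursive resolver applies before caching a reply, with a deliberately naive version beside a hardened one, and runs both against a constructed forged reply and a constructed genuine reply. Transaction IDs, ports, addresses and names are all invented for illustration, and the messages are plain Python objects rather than DNS wire format.

```python
"""Added example: resolver-side checks against cache poisoning (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str
    ttl: int


@dataclass(frozen=True)
class PendingQuery:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # resolver's randomised ephemeral UDP source port
    server_ip: str   # authoritative server the query was sent to
    zone: str        # zone that server is trusted for (its bailiwick)
    qname: str       # exactly as sent, with the resolver's own letter-case mix
    qtype: str


@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    qtype: str
    records: tuple   # answer, authority and additional sections, flattened


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below zone. Records outside it must not be cached
    from this server, whatever it claims about other zones."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_naive(q: PendingQuery, r: Response) -> list:
    """Vulnerable: the only check is the 16-bit ID, so an off-path attacker who
    guesses it (or floods all 65536 values) gets every record cached."""
    return list(r.records) if r.txid == q.txid else []


def accept_hardened(q: PendingQuery, r: Response) -> tuple[list, str]:
    """Returns (records to cache, reason). Port randomisation and byte-exact
    question matching (0x20) multiply the attacker's guessing space; the
    bailiwick filter stops a server planting names it is not responsible for."""
    if r.txid != q.txid:
        return [], "txid mismatch"
    if r.dst_port != q.src_port:
        return [], "port mismatch"
    if r.src_ip != q.server_ip:
        return [], "unexpected source address"
    if r.qname != q.qname or r.qtype != q.qtype:   # case-sensitive on purpose
        return [], "question mismatch"
    keep = [rec for rec in r.records if in_bailiwick(rec.name, q.zone)]
    return keep, "accepted"


def poisoning_demo() -> dict:
    query = PendingQuery(txid=0x1A2B, src_port=40123, server_ip="192.0.2.53",
                         zone="example.com", qname="wWw.eXaMpLe.CoM", qtype="A")

    # Off-path forgery: spoofed source address, ID guessed correctly, but aimed
    # at the fixed port 53 an old resolver used, with the lowercase name the
    # attacker typed rather than the case mix the resolver actually sent.
    forged = Response(txid=0x1A2B, dst_port=53, src_ip="192.0.2.53",
                      qname="www.example.com", qtype="A", records=(
        Record("www.example.com", "A", "203.0.113.66", 86400),
        Record("login.bank.example", "A", "203.0.113.66", 86400),  # other zone
    ))

    # Genuine reply from the real server, which also tries to glue a record for
    # an unrelated zone into its additional section.
    genuine = Response(txid=0x1A2B, dst_port=40123, src_ip="192.0.2.53",
                       qname="wWw.eXaMpLe.CoM", qtype="A", records=(
        Record("www.example.com", "A", "192.0.2.10", 3600),
        Record("login.bank.example", "A", "192.0.2.10", 3600),  # must be dropped
    ))

    kept_forged, why_forged = accept_hardened(query, forged)
    kept_genuine, why_genuine = accept_hardened(query, genuine)
    return {
        "naive_caches_from_forgery": [r.name for r in accept_naive(query, forged)],
        "hardened_forgery_reason": why_forged,
        "hardened_forgery_cached": [r.name for r in kept_forged],
        "hardened_genuine_reason": why_genuine,
        "hardened_genuine_cached": [r.name for r in kept_genuine],
    }


if __name__ == "__main__":
    for key, value in poisoning_demo().items():
        print(f"{key}: {value}")
```

The naive resolver caches both forged records, including one for a zone the queried server has nothing to do with; the hardened one rejects the forgery at the port check and, on the genuine reply, keeps only the in-bailiwick record. Note what the bailiwick filter does not do: a forgery that carries only names inside example.com passes it, so an attacker who can also guess the port and match the question case still wins. That residual gap is exactly what DNSSEC validation closes, since a forged record carries no valid signature.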

Negative Caching

DNS does not only cache successful lookups. It also caches negative results, meaning responses that indicate a domain does not exist. When a resolver receives an NXDOMAIN response for a query, it stores that non-existence result for a period derived from the SOA (Start of Authority) record that the authoritative server includes in the authority section of the reply: per RFC 2308, the negative cache time is the lesser of the SOA record's own TTL and its MINIMUM field (the last number in the SOA). This is called negative caching.

Negative caching prevents resolvers from repeatedly querying authoritative servers for domains they have already confirmed do not exist. This reduces unnecessary query load on DNS infrastructure, particularly for commonly mistyped domain names or spam-targeted addresses. The downside is that if you register a new domain that was previously queried and returned NXDOMAIN, resolvers with that negative cache entry will continue to report it as non-existent until the negative TTL expires.
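The following is an added example, not code from the original page. It applies the RFC 2308 rule to a constructed SOA record, then replays the scenario in the paragraph above on a simulated clock: a name is looked up before it is registered, the resolver caches the NXDOMAIN, and the name keeps answering NXDOMAIN from cache until the negative TTL expires. The zone, SOA values and domain name are invented.

```python
"""Added example: negative caching per RFC 2308 (constructed data)."""


def parse_soa(rdata: str) -> dict:
    """Parse SOA rdata in zone-file order:
    MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": int(refresh), "retry": int(retry),
            "expire": int(expire), "minimum": int(minimum)}


def negative_ttl(soa_ttl: int, soa_rdata: str) -> int:
    """RFC 2308: an NXDOMAIN may be cached for min(SOA record TTL, SOA MINIMUM)."""
    return min(soa_ttl, parse_soa(soa_rdata)["minimum"])


class NegativeCache:
    """Remembers names known not to exist, keyed case-insensitively."""

    def __init__(self):
        self.nxdomain_until: dict[str, int] = {}   # name -> expiry on simulated clock

    def remember_nxdomain(self, name: str, now: int, soa_ttl: int, soa_rdata: str) -> None:
        self.nxdomain_until[name.lower()] = now + negative_ttl(soa_ttl, soa_rdata)

    def is_cached_nxdomain(self, name: str, now: int) -> bool:
        until = self.nxdomain_until.get(name.lower())
        if until is None:
            return False
        if now >= until:
            del self.nxdomain_until[name.lower()]
            return False
        return True


def new_domain_timeline() -> list[tuple[int, str]]:
    """Look a name up before it exists, register it, and watch the cached
    NXDOMAIN persist until the negative TTL runs out."""
    # Constructed SOA for the parent zone, as carried in the NXDOMAIN reply's
    # authority section; MINIMUM is 300 s, the record TTL 3600 s.
    soa_ttl = 3600
    soa = "ns1.example. hostmaster.example. 2024010101 7200 900 1209600 300"
    cache = NegativeCache()
    registered: set[str] = set()          # names that exist at the authority
    name = "newshop.example"              # constructed
    out = []

    def lookup(now: int) -> str:
        if cache.is_cached_nxdomain(name, now):
            return "NXDOMAIN (cached)"
        if name in registered:
            return "NOERROR"
        cache.remember_nxdomain(name, now, soa_ttl, soa)
        return "NXDOMAIN (authoritative)"

    out.append((0, lookup(0)))        # not registered yet; negative entry stored
    registered.add(name)              # registration happens between t=0 and t=120
    out.append((120, lookup(120)))    # still NXDOMAIN, served from the negative cache
    out.append((300, lookup(300)))    # negative TTL (300 s) has expired
    return out


if __name__ == "__main__":
    for t, rcode in new_domain_timeline():
        print(f"t={t:>4}s  {rcode}")
```

The practical consequence for a zone operator: the SOA MINIMUM of the parent zone, not anything you set on the new record, decides how long a resolver that saw the name before registration keeps saying it does not exist.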

Frequently Asked Questions

  1. Why does my DNS change not take effect immediately?
    Because resolvers at every layer of the chain, including your browser, operating system, router, and ISP, still have the previous record cached. Each one will continue serving the old result until its cached copy expires based on the record's TTL. To see the change immediately on your own machine, flush your OS DNS cache. For everyone else on the internet, you must wait for the TTL to expire at each resolver. This is why lowering the TTL to a short value at least one full old-TTL period before making a DNS change is standard practice: a resolver only learns about the lower TTL when it refreshes the record, which happens when its existing copy expires.
  2. Does flushing the DNS cache fix website errors?
    Yes, in some cases. If your local DNS cache contains a stale or corrupted entry, your device may be trying to connect to an outdated IP address, resulting in connection failures or incorrect page loads. Flushing the cache forces a fresh lookup and resolves the issue if the problem is local. If the problem exists on your ISP's resolver or upstream, flushing your local cache alone will not help, and switching to a public DNS server like 1.1.1.1 may be the faster solution.
  3. Can I use a public DNS server to avoid ISP caching delays?
    Yes. Switching to a public resolver like Google's 8.8.8.8 or Cloudflare's 1.1.1.1 gives you DNS resolution that is independent of your ISP's caching behaviour. Public resolvers tend to respect TTL values more accurately, update more quickly after record changes, and often provide faster response times. You can change your DNS server in your operating system's network settings or on your router to apply it to all devices on your network.
  4. What is DNS propagation and how does it relate to caching?
    DNS propagation is the process by which a change made to a DNS record gradually becomes visible to resolvers around the world. It is driven entirely by TTL expiry. Each resolver that has the old record cached will continue serving it until the TTL runs out, at which point it fetches the updated record. Because different resolvers cache records for different durations and refresh at different times, the updated record does not appear everywhere simultaneously. Full propagation typically takes anywhere from a few minutes to 48 hours depending on the TTL value that was set before the change was made.
  5. Does using a VPN change which DNS cache is used?
    Yes. When you connect through a VPN, your DNS queries are typically routed through the VPN provider's DNS resolver rather than your ISP's. This means you are accessing a different cache with potentially different records and different TTL expiry times. Some VPN clients also flush your local DNS cache when the tunnel connects or disconnects to prevent cache-based leaks that could reveal your browsing activity to your ISP.

Conclusion

DNS caching is a fundamental performance mechanism that reduces lookup latency and cuts the volume of queries hitting authoritative name servers billions of times per day. TTL values control how long records are held at each layer of the chain, and understanding this relationship is essential when planning DNS changes, diagnosing propagation delays, or troubleshooting resolution failures. Flushing your local cache is a quick and reliable first step for testing changes on your own device, while switching to a public resolver gives you more consistent and up-to-date results independent of your ISP. Continue with DNS propagation, DNS records, and how DNS works to build a complete understanding of the domain name system.