Edge & DNS Ops Guide

Mastering TTL Strategies

Time-To-Live values dictate how long recursive resolvers and edge caches retain DNS records before querying authoritative servers again, and tuning them is the single highest-leverage decision in DNS operations for balancing query latency, infrastructure cost, and deployment agility. This guide provides a production-ready framework for configuring, validating, and troubleshooting TTL across modern DNS and CDN architectures. It builds on DNS Fundamentals & Advanced Record Configuration and connects DNS-layer caching to the HTTP-layer caching covered in Cache-Control & CDN TTL.

Key implementation principles:

  • TTL governs resolver cache duration, directly impacting failover speed and authoritative query load.
  • Recursive resolvers, CDNs, and OS caches each enforce independent TTL lifecycles that you cannot flush remotely.
  • Dynamic TTL adjustments require pre-deployment planning to avoid stale cache propagation and cache stampedes.
  • Platform-specific minimums and negative-caching rules often override the explicit TTL you set in the zone.
TTL caching hierarchy and expiration flow A query travels from client through OS cache, recursive resolver, and authoritative server, with each layer holding its own copy of the record until its independent TTL countdown reaches zero. TTL Caching Hierarchy Client / OS cache holds TTL=245s Recursive resolver caps at 24-48h CDN edge Cache-Control rules Authoritative source of truth query path on cache miss → each hop sets its own countdown Independent TTL countdowns Resolver cache: serves stale copy until 0 Short TTL = faster change, more queries A change at the authoritative server is invisible to clients until every cached copy along the path expires. NXDOMAIN cached for SOA minimum new records hidden until it expires Lower TTL 24-48h before a change so caches drain before the swap

TTL Architecture & Caching Hierarchy

Understanding how TTL propagates through the DNS resolution chain is critical before modifying record types. The resolution path dictates where caching bottlenecks form and how quickly infrastructure changes take effect globally. A TTL is set once at the authoritative server, but it is then re-counted independently at every layer that touches the record. When a recursive resolver answers a query from its cache, it decrements the TTL it advertises to downstream clients — so two clients asking the same resolver seconds apart see different remaining values. This is why a single global “propagation time” is a myth: each cache is on its own clock, started the moment that cache first fetched the record.

Layer Behavior Typical cap / override
Authoritative server Publishes the definitive TTL in the zone file N/A — source of truth
Recursive resolver Honors authoritative TTL but may enforce caps Often 24-48 hours max
OS / local cache Per-process or system-wide cache Flushable via systemd-resolve --flush-caches
Application / stub Language runtimes (JVM networkaddress.cache.ttl) ignore DNS TTL entirely Often caches forever by default
Negative cache (NXDOMAIN) Caches failed lookups based on SOA minimum TTL 300-3600s standard
CDN edge Decouples HTTP caching from DNS TTL Cache-Control headers govern HTTP; DNS TTL governs IP resolution

The application-layer row is the one most teams forget. The JVM, for instance, historically caches successful resolutions forever when a security manager is installed, completely ignoring the DNS TTL. A 60-second failover record means nothing if your Java service holds the dead IP until it restarts. Audit your runtime’s resolver settings before relying on TTL for failover. The interaction between DNS TTL and HTTP caching is the subject of Propagation & Caching Basics, which maps the full chain end to end.

Validation command:

dig @1.1.1.1 api.example.com A +trace +noall +answer

This shows iterative queries from root to authoritative servers. The final line displays the exact TTL returned by the authoritative server before resolvers apply local caching policies. Run the same query twice a few seconds apart against a non-tracing resolver and watch the TTL countdown — a value that decreases proves you are hitting a cached copy, while a value that resets to the full TTL on every query indicates an alias or proxy layer that synthesizes answers rather than caching them.

TTL vs the SOA Record

The zone’s SOA record carries timing fields that are frequently confused with the per-record TTL, but they govern different machinery. The refresh, retry, and expire fields control communication between primary and secondary authoritative servers (zone-transfer scheduling and how long a secondary keeps serving when it cannot reach the primary). They have nothing to do with how resolvers cache your A records. The one SOA field that does affect resolvers is the final minimum value, which since RFC 2308 defines the negative-caching TTL — how long resolvers remember an NXDOMAIN or NODATA answer. Set it too high and a freshly created record stays invisible for an hour; set it too low and you invite query floods for genuinely missing names. Managing these transfer fields correctly is central to DNS Zone Management.

$TTL 3600
@ IN SOA ns1.example.com. admin.example.com. (
    2026062001 ; serial
    7200       ; refresh  (secondary polls primary)
    3600       ; retry    (secondary retry on failure)
    1209600    ; expire   (secondary stops serving)
    300        ; minimum  (NEGATIVE cache TTL — affects resolvers)
)

Platform-Specific TTL Implementation

TTL semantics diverge sharply once you leave a vanilla zone file, because managed DNS providers and CDN proxies layer their own behavior on top. The table below summarizes the wire behavior; the snippets that follow give a working configuration for each.

Provider Minimum TTL Wire behavior Failover / notes
BIND / PowerDNS 1s (configurable) Returns the zone $TTL or per-record override verbatim Full control; you own the caps
Cloudflare 30s (DNS-only); “Auto” when proxied Proxied (orange-cloud) records return edge IPs with a fixed 300s TTL DNS TTL irrelevant to HTTP clients; failover via Load Balancing
AWS Route 53 1s Alias records return fresh target IPs every query, no resolver caching at the alias Health checks drive failover, not TTL
Azure DNS 1s Honors record TTL; no proxy layer Traffic Manager handles failover separately
GCP Cloud DNS / Fastly 1s (Fastly TTL via VCL) Cloud DNS honors TTL; Fastly’s edge TTL is HTTP-layer, not DNS Fastly failover is origin-health based

Cloudflare

Cloudflare’s proxy mode fundamentally changes TTL behavior for HTTP traffic: clients connect to Cloudflare’s edge IPs (which rarely change), and the DNS TTL on the record primarily affects non-HTTP resolution paths. When a record is proxied, the dashboard greys out the TTL field and forces “Auto” (a fixed 300s on the wire), because the orange-cloud IP is stable and Cloudflare manages origin failover itself. For complex apex routing this interacts with CNAME Flattening Explained. Set a DNS-only (grey-cloud) record’s TTL through the API:

curl -X PATCH \
  "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/dns_records/${RECORD_ID}" \
  -H "Authorization: Bearer ${CF_API_TOKEN}" \
  -H "Content-Type: application/json" \
  --data '{"type":"A","name":"db.example.com","content":"203.0.113.40","ttl":120,"proxied":false}'

A ttl of 1 is the magic value meaning “Auto.” Any explicit value below 30 on a DNS-only record is clamped to 30.

AWS Route 53

Route 53 standard records honor the TTL you set down to 1 second, but alias records (used for ELB, CloudFront, and S3 targets) deliberately ignore TTL and re-resolve the target on every query so they always track the underlying resource. Use a JSON change batch for a normal record:

cat > ttl-update.json <<'EOF'
{
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "app.example.com",
      "Type": "A",
      "TTL": 300,
      "ResourceRecords": [{ "Value": "203.0.113.50" }]
    }
  }]
}
EOF

aws route53 change-resource-record-sets \
  --hosted-zone-id Z1234567890ABC \
  --change-batch file://ttl-update.json

Expected output: a ChangeInfo object with Status: PENDING and a unique ChangeId. Poll with aws route53 get-change --id <ChangeId> until it flips to INSYNC, which means all Route 53 name servers carry the change (not that resolver caches have expired).

BIND / PowerDNS

Self-hosted servers give you per-record granularity and no hidden minimums. The zone below mixes a stable hour-long record with a short failover record:

$TTL 3600
@   IN SOA ns1.example.com. admin.example.com. (
    2026062001 7200 3600 1209600 300 )
    IN NS  ns1.example.com.
    IN NS  ns2.example.com.
api 3600 IN A 192.0.2.10  ; explicit TTL matching zone default
web  300 IN A 192.0.2.20  ; 5-minute TTL for faster failover

The web record caches for 300s regardless of the zone default, so resolvers refresh it twelve times more often than api. After editing, bump the serial and reload with rndc reload example.com, then confirm with dig @localhost web.example.com +norecurse.

Azure DNS / GCP Cloud DNS / Fastly

Azure and GCP both honor record TTL with a 1-second floor and no proxy layer, so the TTL you set is the TTL on the wire. Set it declaratively with the gcloud CLI:

gcloud dns record-sets update web.example.com. \
  --type=A --zone=example-zone --ttl=120 --rrdatas=192.0.2.20

Fastly is different in kind: its “TTL” knobs (Surrogate-Control, beresp.ttl in VCL) govern HTTP object caching at the edge, not DNS resolution. Your DNS provider still controls how long resolvers cache Fastly’s anycast IPs. Treat the two as separate budgets, exactly as described in Cache-Control & CDN TTL.

Dynamic TTL & Failover Strategies

Low-TTL architectures enable rapid traffic shifting but require strict operational sequencing. Abrupt TTL reductions trigger cache stampedes because previously cached records suddenly expire simultaneously, flooding the authoritative server with a synchronized wave of refresh queries. The defense is to lower TTL gradually and early, well before the actual record change, so caches across the world expire on a staggered schedule rather than all at once.

Safe TTL reduction workflow:

  1. T-48 hours: Lower TTL to 300s across all target records. The old (high) TTL is still in flight, so the change itself only takes effect after that old TTL drains.
  2. T-12 hours: Verify global propagation using multiple public resolvers; confirm every region now reports the 300s value.
  3. Deployment window: Execute the IP swap or routing change. Resolvers will refresh within 300s.
  4. Post-deployment: Monitor authoritative query volume and error rates; once stable, raise TTL back to the steady-state value.

For SaaS-specific TTL baselines and the numbers that pair with this workflow, see Best TTL Values for High-Traffic SaaS Platforms.

Automated TTL scaling script:

#!/usr/bin/env bash
set -euo pipefail
ZONE_ID="Z1234567890ABC"
RECORD="failover.example.com"
NEW_IP="198.51.100.20"
NEW_TTL=60

aws route53 change-resource-record-sets \
  --hosted-zone-id "$ZONE_ID" \
  --change-batch "{
    \"Changes\": [{
      \"Action\": \"UPSERT\",
      \"ResourceRecordSet\": {
        \"Name\": \"${RECORD}\",
        \"Type\": \"A\",
        \"TTL\": ${NEW_TTL},
        \"ResourceRecords\": [{ \"Value\": \"${NEW_IP}\" }]
      }
    }]
  }"

For weighted shifts, consider managing the change through infrastructure-as-code so the TTL and target move atomically and remain in version control:

resource "aws_route53_record" "failover" {
  zone_id = "Z1234567890ABC"
  name    = "failover.example.com"
  type    = "A"
  ttl     = 60
  records = ["198.51.100.20"]
}

Rollback procedure: Maintain a documented secondary A record with the previous IP mapping. If health checks fail after the swap, execute an immediate UPSERT to revert to the stable IP. Because TTL is already at 60s, the revert reaches resolvers within a minute. Do not raise TTL until traffic has been stable for at least one full TTL cycle, or you will lock the bad value into caches.

TTL, Caching & Propagation Implications

Every TTL choice is a trade between three competing costs. A high TTL (3600s+) minimizes authoritative query load and gives resolvers fast, cache-warm answers — but it makes any change slow to take effect and slows failover to the same duration. A low TTL (60-300s) buys agility and quick failover at the price of more authoritative queries, higher latency on cache-miss, and greater exposure to authoritative-server outages (resolvers re-query so often that an outage is felt almost immediately). The right answer depends on the record’s blast radius: a root apex or NS record should sit high because it rarely changes and its outage is catastrophic, while a failover or canary endpoint should sit low.

At the HTTP layer the same logic plays out one level up, where Cache-Control: max-age and surrogate TTLs decide how long the CDN and browser hold a response rather than an address. The two are independent and must be reasoned about separately — a 300s DNS TTL with a one-week Cache-Control means clients keep serving cached HTML long after they could re-resolve your IP. Cache-Control & CDN TTL covers the HTTP side in depth. Negative caching deserves its own budget too: the SOA minimum determines how long a typo’d or not-yet-created hostname returns NXDOMAIN, so keep it at 300s or below in environments where records are created on demand.

Debugging & Validation Workflows

Verifying TTL propagation requires querying multiple resolver layers to isolate stale caches. Browser refreshes and ping bypass DNS caching logic and yield false positives, so always go through dig or drill.

# Linux/macOS: query a specific resolver and watch TTL decrement
dig @8.8.8.8 example.com A +noall +answer

# Windows: force a recursive query against a chosen resolver
nslookup -type=A example.com 1.1.1.1

# Linux: authoritative-only check, bypassing all caches
drill @ns1.example.com example.com A

Expected output: example.com. 245 IN A 192.0.2.10 — the 245 means 245 seconds remain before the resolver must refresh. Repeat the query and confirm the number drops; if it snaps back to the full TTL each time, you are talking to an alias/proxy that re-synthesizes answers.

Global cache inspection strategy:

  • Query 1.1.1.1 and 8.8.8.8 to measure regional cache variance between the two largest public resolvers.
  • Use dig +trace to confirm authoritative servers return the updated TTL after a change.
  • Deploy synthetic DNS probes from multiple geographic regions to map the expiration curve and identify the slowest resolver.
  • Monitor authoritative-server query logs for spikes during TTL transitions — a sharp spike is your cache-stampede early-warning signal.

If propagation appears stuck, the deep-dive procedure in Debugging DNS Propagation Delays Across Global Resolvers walks through isolating a single misbehaving resolver from a genuinely slow change.

Troubleshooting & Rollback

Symptom Likely cause Fix
Change not visible after expected TTL Old high TTL still cached; you forgot the pre-lowering window Wait out the previous TTL; next time lower TTL 48h ahead
TTL never decrements on repeat dig Querying an alias/proxy or a record clamped to “Auto” Query the authoritative server directly with dig @ns1...
Authoritative query spike after a deploy Cache stampede from synchronized TTL expiry Stagger the change; raise TTL once traffic settles
New hostname returns NXDOMAIN for an hour SOA minimum (negative TTL) set too high Lower SOA minimum to 300s; pre-create placeholder records
Java service keeps hitting dead IP JVM caching resolution forever, ignoring DNS TTL Set networkaddress.cache.ttl=60 in java.security

Rollback rule of thumb: never raise a TTL during an incident. Keep it low until the new state is proven, then restore the steady-state value in a separate, deliberate change.

Critical Edge Cases & Mitigations

Scenario Impact Mitigation
TTL set below 60 seconds Enterprise firewalls and some public resolvers enforce a 60s floor Use 60s as the production minimum; rely on CDN health probes for sub-minute failover
Negative caching blocks new record visibility Resolvers cache NXDOMAIN for the SOA minimum duration Set SOA minimum ≤ 300s; pre-create placeholder records before re-adding them
CDN proxy overrides DNS TTL for HTTP traffic Proxied endpoints return edge IPs governed by Cache-Control, not DNS TTL Budget DNS TTL and HTTP cache headers independently
Stale cache during rapid IP rotation Previous TTL causes resolvers to hold old IPs for its full duration Reduce TTL 48-72 hours in advance; verify global propagation before swapping
Application runtime ignores TTL JVM and some libraries cache resolutions indefinitely Override networkaddress.cache.ttl; restart pods on failover if needed

Frequently Asked Questions

What is the optimal TTL for a production web application? For stable environments, 3600s (one hour) balances resolver performance and flexibility. For failover-critical services, 300s (five minutes) is the common industry standard, and 60s is the practical absolute floor before firewalls and resolvers start ignoring lower values.

Does lowering TTL speed up DNS propagation? No, not immediately. Lowering TTL only affects future queries after the current cached value expires. You must reduce TTL 24-48 hours before a planned change so the old high TTL has time to drain from caches first.

How do CDNs handle DNS TTL differently from recursive resolvers? For HTTP traffic through a CDN proxy, DNS TTL governs how long resolvers cache the CDN edge IP (which rarely changes), while HTTP response caching is governed entirely by Cache-Control headers. They are independent layers, as detailed in Cache-Control & CDN TTL.

Can I set different TTLs for A and AAAA records? Yes. Each DNS record maintains an independent TTL. You can configure IPv4 (A) at 3600s and IPv6 (AAAA) at 300s if your dual-stack infrastructure needs asymmetric failover behavior.

Why does my new subdomain stay unreachable even though the record exists? This is almost always negative caching: a resolver queried the name before you created it and cached the NXDOMAIN for the SOA minimum duration. Lower the SOA minimum to 300s or pre-create placeholder records to avoid the gap.

Back to DNS Fundamentals & Advanced Record Configuration