    DNS Cache Explained

    Learn what a DNS cache is, where DNS answers are cached, how TTL controls cache expiry, and how to troubleshoot stale DNS results.

    Answer snapshot

    A DNS cache is temporary storage for DNS answers. Browsers, operating systems, routers, forwarders, and recursive resolvers cache DNS records so repeat lookups are faster and authoritative nameservers are not queried every time. Each cached answer normally lives until its TTL expires. This is why DNS changes can appear delayed: the authoritative server may already have the new value, while one or more caches still hold the old one.

    What you'll learn

    • Understand what a DNS cache stores and why DNS relies on caching
    • Learn how TTL and negative caching control how long answers stay cached
    • Use dig to distinguish cached resolver answers from authoritative DNS answers
    • Know when to wait, flush a local cache, or investigate possible cache poisoning

    A DNS cache is temporary storage for answers returned by the Domain Name System. When your device asks for www.example.com, the answer can be saved for a short period so the next lookup is faster.

    DNS caching is one of the main reasons the internet feels fast. Without caching, every repeated visit would need to start from the root nameservers, move through the TLD nameservers, reach the authoritative nameserver, and then return the final record. With caching, most repeat lookups are answered much earlier.

    For the broader resolution path, start with What Is DNS. This guide focuses on the cache layers that sit along that path.

    What a DNS Cache Stores

    A DNS cache stores DNS response data for later reuse. That can include:

    Each cached answer is stored with timing information. In normal DNS, that timing is controlled by TTL, short for Time To Live.

    Where DNS Caching Happens

    DNS answers can be cached in several places before they reach an authoritative nameserver.

    | Cache layer | What it does | Who controls it |
    |---|---|---|
    | Browser DNS cache | Reuses host lookups inside Chrome, Edge, Firefox, Safari, or another browser | Browser |
    | Operating system cache | Stores lookups for applications on the device | Windows, macOS, Linux, mobile OS |
    | Router or local forwarder | Caches answers for devices on a home or office network | Router, dnsmasq, systemd-resolved, corporate DNS |
    | Recursive resolver cache | Stores answers for many users of an ISP, public resolver, or company resolver | Resolver operator |
    | Delegation cache | Stores NS and glue data learned from parent zones | Recursive resolver |

    The recursive resolver cache usually matters most for public DNS changes. If Google Public DNS, Cloudflare DNS, Quad9, or an ISP resolver cached the old answer, users of that resolver may keep seeing it until the TTL expires.

    How DNS Cache Lookup Works

    Here is the simple version:

    1. You visit www.example.com.
    2. The browser checks whether it already has a cached answer.
    3. If not, the operating system checks its resolver cache.
    4. If not, the query goes to a recursive resolver such as 1.1.1.1, 8.8.8.8, or an ISP resolver.
    5. If the recursive resolver has a valid cached answer, it returns it immediately.
    6. If not, the recursive resolver asks the root, TLD, and authoritative nameservers.
    7. The answer is returned and cached according to its TTL.

    The next user asking the same recursive resolver for the same record can get a response from cache instead of triggering the full lookup again.

    TTL: The Timer on Cached DNS

    TTL is the number of seconds a resolver may cache a DNS record before refreshing it.

    dig example.com A @8.8.8.8
     
    ;; ANSWER SECTION:
    example.com.    3600    IN    A    192.0.2.10

    In this example, 3600 means the answer can be cached for up to one hour. If you query the same resolver again later, the TTL often counts down:

    dig example.com A @8.8.8.8
     
    ;; ANSWER SECTION:
    example.com.    3174    IN    A    192.0.2.10

    That countdown tells you the resolver is serving a cached response. When the timer reaches zero, the resolver should ask the authoritative nameserver again.

    For record planning, see DNS TTL Best Practices.

    DNS Cache and Propagation

    DNS propagation is mostly cache expiry. When you change a record in your authoritative DNS provider, the authoritative nameserver can serve the new value quickly, but recursive resolvers may still have the old value cached.

    Example:

    1. app.example.com points to 192.0.2.10 with TTL 86400.
    2. A resolver caches that answer at 09:00.
    3. You change the record to 198.51.100.25 at 09:05.
    4. That resolver may keep returning 192.0.2.10 until the original 24-hour TTL expires.

    The important detail: the old TTL controls how long the old answer can remain cached. Lowering TTL at the same moment as the record change does not clear caches that already stored the old value.

    For the full timing model, see DNS Propagation Explained.

    Negative DNS Caching

    DNS can also cache the fact that a name does not exist. This is called negative caching.

    If a resolver asks for new.example.com before you create that record, it may receive NXDOMAIN and cache that negative answer. When you create the record a minute later, the resolver may still say the name does not exist until the negative cache expires.

    Negative cache duration is controlled by the SOA record's negative-cache TTL. See What Is an SOA Record and NXDOMAIN Explained for the deeper mechanics.
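The TTL, propagation, and negative-caching behaviour described above can be reproduced with a toy resolver cache. This is an added example, not DNScale code; the `Authoritative` and `CachingResolver` classes, the 900-second negative-cache TTL, and the `203.0.113.7` address are assumptions made for illustration.

```python
class Authoritative:
    """Toy authoritative zone: name -> (ttl, value)."""
    def __init__(self, negative_ttl):
        self.records = {}
        self.negative_ttl = negative_ttl  # stands in for the SOA negative-cache TTL

    def query(self, name):
        if name in self.records:
            ttl, value = self.records[name]
            return value, ttl
        return "NXDOMAIN", self.negative_ttl


class CachingResolver:
    """Recursive resolver that reuses an answer until its stored TTL runs out."""
    def __init__(self, upstream):
        self.upstream, self.cache = upstream, {}

    def resolve(self, name, now):
        """Return (answer, remaining_ttl, served_from_cache) at time `now` in seconds."""
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0], hit[1] - now, True
        answer, ttl = self.upstream.query(name)
        self.cache[name] = (answer, now + ttl)  # expiry is fixed at caching time
        return answer, ttl, False


def timeline():
    zone = Authoritative(negative_ttl=900)                   # assumed value
    zone.records["app.example.com"] = (86400, "192.0.2.10")
    r = CachingResolver(zone)
    t0 = 9 * 3600                                            # 09:00
    log = [r.resolve("app.example.com", t0),                 # miss, cached for 86400 s
           r.resolve("new.example.com", t0)]                 # NXDOMAIN is cached too
    zone.records["new.example.com"] = (300, "203.0.113.7")   # created at 09:01
    log.append(r.resolve("new.example.com", t0 + 120))       # still NXDOMAIN
    zone.records["app.example.com"] = (300, "198.51.100.25") # 09:05: new value, lower TTL
    log.append(r.resolve("app.example.com", t0 + 300))       # old answer, old TTL counting down
    log.append(r.resolve("new.example.com", t0 + 900))       # negative entry expired
    log.append(r.resolve("app.example.com", t0 + 86400))     # old TTL finally expired
    return log


if __name__ == "__main__":
    for entry in timeline():
        print(entry)
```

Lowering the TTL to 300 at 09:05 has no effect on the entry cached at 09:00: its expiry was fixed from the TTL in force when it was stored.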

    How to Tell Whether an Answer Is Cached

    Compare a public resolver with the authoritative nameserver.

    # Ask a public recursive resolver
    dig app.example.com A @1.1.1.1
     
    # Ask the authoritative nameserver directly
    dig app.example.com A @ns1.dnscale.eu

    If the authoritative nameserver returns the new value but the public resolver returns the old one, the public resolver is probably serving cached data. Check the TTL in the resolver's answer to estimate how long that cache can remain valid.

    You can also compare multiple public resolvers:

    dig +short app.example.com A @1.1.1.1
    dig +short app.example.com A @8.8.8.8
    dig +short app.example.com A @9.9.9.9

    Different answers usually mean the resolvers are in different cache states. Recursive resolvers do not synchronize with each other; each one refreshes when its own cached copy expires.

    When to Flush DNS Cache

    Flushing DNS cache clears local cached answers before they expire. It is useful when:

    • You changed a record and want your own machine to test fresh data
    • A browser still reaches an old IP address
    • Your OS cache has stale data after a network or VPN change
    • You are troubleshooting a local-only DNS problem

    Flushing your local cache does not clear caches at public resolvers or ISP resolvers. For step-by-step commands on Windows, macOS, Linux, and browsers, use How to Flush Your DNS Cache.

    Common DNS Cache Problems

    | Symptom | Likely cause | What to do |
    |---|---|---|
    | You changed an A record but still see the old IP | Recursive resolver cache | Wait for TTL or test against authoritative DNS |
    | One device works, another does not | Browser or OS cache | Flush local DNS cache |
    | New subdomain still returns NXDOMAIN | Negative cache | Wait for the SOA negative-cache TTL |
    | Public resolvers disagree | Caches refreshed at different times | Compare TTLs and wait |
    | Everyone sees the wrong value from authoritative DNS | Zone data is wrong | Fix the record in the authoritative provider |

    The safest troubleshooting pattern is:

    1. Query the authoritative nameserver directly.
    2. Query one or more public resolvers.
    3. Compare the answers and remaining TTLs.
    4. Flush local cache only if the problem is local to your device or browser.
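The comparison in steps 1 to 3 can be scripted over saved `dig` output. This is an added example, not part of the original guide; the sample outputs are constructed, and the verdict names and the `previous_values` parameter (the values you published before the change) are assumptions. A resolver answer that matches neither the current authoritative value nor a previously published one is reported as `unexpected`, since waiting for a TTL will not explain it.

```python
import re

# Constructed sample dig outputs (not real captures); "local" is a trimmed header line.
AUTH = ";; ANSWER SECTION:\napp.example.com.  300  IN  A  198.51.100.25\n"
RESOLVERS = {
    "1.1.1.1": ";; ANSWER SECTION:\napp.example.com.  81234  IN  A  192.0.2.10\n",
    "8.8.8.8": ";; ANSWER SECTION:\napp.example.com.  212  IN  A  198.51.100.25\n",
    "9.9.9.9": ";; ANSWER SECTION:\napp.example.com.  40  IN  A  203.0.113.66\n",
    "local": ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242\n",
}
RR = re.compile(r"^\S+\s+(\d+)\s+IN\s+\S+\s+(.+)$")

def parse_answer(dig_output):
    """Return (status, [(ttl, rdata), ...]) from full or trimmed dig output."""
    m = re.search(r"status: (\w+)", dig_output)
    status = m.group(1) if m else "NOERROR"
    records, in_answer = [], False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and (not line.strip() or line.startswith(";")):
            in_answer = False  # a blank line or the next section ends the answer
        elif in_answer:
            rr = RR.match(line.strip())
            if rr:
                records.append((int(rr.group(1)), rr.group(2).strip()))
    return status, records

def classify(auth_output, resolver_output, previous_values):
    """Return (verdict, remaining_ttl) for one resolver against the authoritative answer."""
    current = {rdata for _, rdata in parse_answer(auth_output)[1]}
    status, cached = parse_answer(resolver_output)
    seen = {rdata for _, rdata in cached}
    ttl = min((t for t, _ in cached), default=0)
    if status == "NXDOMAIN" and current:
        return "negative-cache", ttl   # wait for the SOA negative-cache TTL
    if not seen:
        return "no-answer", ttl
    if seen == current:
        return "fresh", ttl
    if seen <= set(previous_values):
        return "stale", ttl            # old value you published: wait out the TTL
    return "unexpected", ttl           # never published by you: investigate

def triage(previous_values):
    return {name: classify(AUTH, out, previous_values) for name, out in RESOLVERS.items()}

if __name__ == "__main__":
    for resolver, result in triage({"192.0.2.10"}).items():
        print(resolver, *result)
```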

    DNS Cache and Security

    Because recursive resolvers serve cached answers to many users, attackers have historically tried to inject false records into resolver caches. This is called DNS cache poisoning.

    Modern resolvers use defenses such as source-port randomization, query randomization, and DNSSEC validation. DNSSEC is especially important for signed zones because it lets validating resolvers reject forged answers instead of caching them.

    DNS Cache in DNScale Operations

    DNScale runs authoritative DNS. That means DNScale serves the source-of-truth records for zones hosted on the platform. Once you update a record, DNScale's authoritative side can answer with the new value quickly, but recursive resolvers outside DNScale still refresh based on TTL.

    For planned changes:

    1. Lower TTL 24-48 hours before the change.
    2. Wait for the old TTL window to expire.
    3. Change the record.
    4. Verify the authoritative answer directly.
    5. Restore a longer TTL after the new answer is stable.

    This pattern reduces stale-cache windows without permanently increasing DNS query volume.

    Conclusion

    DNS cache is not a separate DNS system. It is temporary storage inside the browsers, devices, routers, forwarders, and recursive resolvers that already participate in DNS resolution. Caching makes DNS fast and scalable, while TTL controls how long answers can be reused. When DNS changes appear delayed, compare authoritative and recursive answers before changing more records: most "propagation" problems are simply caches waiting for their timers to expire.

    Frequently asked questions

    What is a DNS cache?
    A DNS cache is temporary storage for DNS responses. When a browser, operating system, router, or recursive resolver learns the IP address or other DNS record for a name, it can reuse that answer until the record's TTL expires.
    Why is DNS cached?
    Caching makes DNS faster and scalable. A recursive resolver can answer repeat queries from memory instead of walking the root, TLD, and authoritative nameservers every time. That reduces latency for users and reduces query load on authoritative DNS infrastructure.
    How long does a DNS cache last?
    Usually until the record's TTL expires. If an A record has a TTL of 3600 seconds, a resolver may serve the cached answer for up to one hour. Some resolvers also apply minimum or maximum cache limits, and browsers or applications may keep their own short-lived caches.
    Can I clear every DNS cache?
    No. You can usually clear your browser and operating system DNS caches. You generally cannot clear your ISP's recursive resolver cache or other users' resolver caches. For those, you wait for TTL expiry or query a different resolver for testing.
    Is DNS cache the same as browser cache?
    No. Browser cache usually refers to website assets such as images, scripts, and HTML. A browser DNS cache stores hostname lookup results, such as example.com to an IP address. Clearing one does not always clear the other.
