DNS Propagation

Q: What is DNS Propagation?

The time it takes for DNS changes to spread across all DNS servers worldwide.

What is DNS Propagation?

DNS propagation refers to the time it takes for changes made to DNS records to be recognized across the entire internet. When you update DNS records (changing nameservers, updating A records, modifying MX records), the changes don't take effect instantly—they must propagate through the hierarchical DNS system as caches expire and refresh.

Understanding "Propagation"

The term "propagation" is somewhat misleading—DNS changes don't actively "propagate" or spread. Instead:

1. You update records at your authoritative nameserver

2. Cached copies expire based on TTL (Time To Live)

3. New queries fetch updated records from authoritative servers

4. Old cached copies continue serving until TTL expires

It's more accurate to say "DNS cache expiration" than "propagation," but the term propagation is widely used.

How DNS Changes Work

The Update Process

Step 1: Update DNS records example.com A record: 203.0.113.50 → 203.0.113.51 Step 2: Authoritative nameserver immediately serves new record Step 3: Existing cached copies remain valid until TTL expires Step 4: New queries after TTL expiration receive updated record Step 5: All caches eventually expire and refresh

→ "Propagation complete"

Timeline Example

Time: 10:00 - DNS updated (TTL: 300s / 5 minutes) Resolver A (cached at 09:58): 09:58 - Cached old IP, expires 10:03 10:03 - Cache expires, queries again, gets new IP Resolver B (cached at 10:01): 10:01 - Cached old IP, expires 10:06 10:06 - Cache expires, queries again, gets new IP Resolver C (queries at 10:05): 10:05 - No cache, queries immediately, gets new IP All resolvers have new IP by: 10:06

Propagation time: 6 minutes (worst case based on TTL)

Factors Affecting Propagation Time

TTL (Time To Live)

The single most important factor:

TTL Value	Propagation Time	Use Case
60s	1-2 minutes	Active migrations, load balancing
300s (5 min)	5-10 minutes	Production changes, reasonable default
3600s (1 hour)	1-2 hours	Stable infrastructure
86400s (24 hours)	24-48 hours	Rarely changed records

Nameserver Changes

Changing nameservers takes longer than other DNS changes:

Registry Level: 24-48 hours (TLD nameserver cache) Resolver Level: Based on NS record TTL

Total Time: Up to 48 hours worst case

ISP and Resolver Behavior

Not all DNS resolvers respect TTL values:

Well-Behaved Resolvers: Google (8.8.8.8), Cloudflare (1.1.1.1), OpenDNS

Strictly respect TTL
Fast propagation

Problematic Resolvers: Some ISPs

May ignore low TTLs
Cache longer than specified
Can delay propagation by hours

Geographic Distribution

Different regions update at different times based on local resolver cache:

North America: 10:05 - Updated Europe: 10:08 - Updated

Asia: 10:12 - Updated

Client-Side Caching

Even after DNS servers update, local caches may retain old values:

Browser cache: 60 seconds typically
OS cache: Minutes to hours
Application cache: Varies by app

Checking DNS Propagation

Online Propagation Checkers

whatsmydns.net: Shows DNS resolution from 20+ locations worldwide dnschecker.org: Checks A, AAAA, CNAME, MX, TXT records globally DomScan Health Check:

curl "https://domscan.net/v1/health?domain=example.com"

# Shows current DNS configuration

Command Line Checks

Check multiple resolvers:

# Google DNS dig @8.8.8.8 example.com # Cloudflare DNS dig @1.1.1.1 example.com # Your ISP (no @ server specified) dig example.com

# Compare results

Query authoritative nameserver directly:

# Find nameservers dig example.com NS # Query authoritative NS directly

dig @ns1.example.com example.com

This shows the "truth" immediately—no cache involved.

Check from Multiple Locations

# Using curl with DNS over HTTPS

curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=A'

Minimizing Propagation Time

Before Making Changes

Step 1: Lower TTL (24-48 hours before change)

Old: example.com. 3600 IN A 203.0.113.50 New: example.com. 300 IN A 203.0.113.50 ^^^

Reduced to 5 minutes

Step 2: Wait for old TTL to expire

Wait full duration of old TTL (3600s = 1 hour)

Step 3: Make DNS change

example.com.    300    IN    A    203.0.113.51

Step 4: Monitor propagation

Check resolvers globally

Step 5: Restore TTL (after confirming success)

example.com.    3600    IN    A    203.0.113.51

During Changes

Use anycast DNS: Providers like Cloudflare use anycast networks that update near-instantly across their global network Monitor continuously: Track propagation across key regions and resolvers Have rollback plan: Keep old infrastructure running until propagation complete

Common Propagation Scenarios

Changing A Record

Expected Time: 5-30 minutes (based on TTL)

# Before example.com → 203.0.113.50 # After example.com → 203.0.113.51

# Propagation: 1x TTL duration

Changing MX Record

Expected Time: 5-30 minutes (based on TTL) Risk: Email may be delivered to old server during propagation Mitigation: Keep old mail server active for 24-48 hours

Changing Nameservers

Expected Time: 24-48 hours

Why so long?
TLD registry caches NS records
Registry TTL often 24-48 hours
No control over registry cache

Best Practice: Configure all records at new nameservers before switching

Adding New Subdomain

Expected Time: Instant to 1 hour Gotcha: Negative caching

If subdomain was queried and didn't exist: → NXDOMAIN cached (SOA minimum TTL)

→ New subdomain won't resolve until cache expires

Mitigation: Lower SOA minimum TTL before adding new records

Troubleshooting Propagation Issues

Change Not Propagating

Check 1: Verify authoritative nameserver

dig @ns1.example.com example.com

# Should show new value

Check 2: Verify TTL

dig example.com | grep -i ttl

Check 3: Check SOA for negative cache

dig example.com SOA

# Look at minimum TTL field

Check 4: Flush local cache

Clear browser, OS, and application caches

Partial Propagation

Symptom: Some users see new records, others see old Cause: Different resolvers cached at different times Solution: Wait for maximum TTL duration, then flush client caches

Propagation Stuck

Symptom: Days later, some resolvers still serve old records Cause: ISP resolver ignoring TTL or misconfigured Solution:

1. Verify authoritative nameserver is correct

2. Contact ISP if persistent

3. Users can switch to public DNS (8.8.8.8, 1.1.1.1)

DNS Propagation vs Cache TTL

Concept	What It Is	Duration
TTL	How long a record can be cached	Set by domain owner
Propagation	Time for all caches to expire	Approximately 2x TTL
Nameserver TTL	How long NS records are cached	Often 24-48 hours (registry)
Negative Cache	How long NXDOMAIN is cached	SOA minimum TTL

Best Practices

1. Lower TTL before changes: Reduce TTL 24-48 hours before DNS updates

2. Use appropriate TTLs: Balance performance (high TTL) vs flexibility (low TTL)

3. Monitor globally: Check DNS from multiple geographic regions

4. Keep old services running: Maintain previous servers until propagation complete

5. Document changes: Track what changed and when for troubleshooting

6. Test thoroughly: Verify new DNS records work before switching

7. Communicate with users: Warn of potential brief disruptions

8. Use managed DNS: Providers with anycast networks minimize propagation time

9. Automate monitoring: Set up alerts for DNS changes and propagation status

10. Have rollback plan: Know how to revert changes if issues arise

Propagation Checklist

☐ Lower TTL 24-48 hours before change
☐ Wait for old TTL to expire
☐ Make DNS change
☐ Verify on authoritative nameservers
☐ Check multiple public resolvers
☐ Test from multiple geographic locations
☐ Monitor for 2x TTL duration
☐ Verify no errors reported
☐ Restore higher TTL if desired
☐ Document change completion

DNS propagation is a natural consequence of DNS caching—understanding TTL behavior and planning changes accordingly ensures smooth, predictable updates with minimal disruption.