Here's a preview from my zine, How DNS Works!
You might have heard that DNS updates need time to “propagate”.
What’s actually happening is that there are old cached records which need to expire.
DNS records are cached in many places
- browser caches
- DNS resolver caches
- operating system caches
google.com, represented by a box with a smiley face: my DNS records are cached on billions of devices!
let’s see what happens when you update an IP
bananas.com, record type A
TTL: 300 [changed to] 60
IP: 1.2.3.4 [changed to] 5.6.7.8
beware: even if you change the TTL to 60s, you still have to wait 300 seconds for the old record to expire
30 seconds later…
(you go to bananas.com in your browser)
Illustration of a resolver, represented by a box with a smiley face holding a magnifying glass, and a browser, represented by the Firefox logo of a fox wrapped around a globe
browser: hey what’s the IP for bananas.com?
resolver, thinking: let’s check my cache for bananas.com… found it!!
resolver: it’s 1.2.3.4!
400 seconds later…
(you refresh the page again)
browser: hey what’s the IP for bananas.com?
resolver, thinking: The TTL (300s) is up, better ask for a new IP…
resolver: it’s 5.6.7.8!
12 hours later…
(you check 1.2.3.4’s logs to make sure all the traffic has moved over)
Illustration of a stick figure with curly hair looking confused, and a rogue DNS resolver, which looks like the other resolvers except that it is wearing a burglar mask.
person: that’s weird, the old server is still getting a few requests…
rogue DNS resolver: I don’t care about your TTL! I just cache everything for 24 hours!
the culprit: a rogue DNS resolver
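The timeline above as a small simulation. This is an added example, not part of the original comic; the `Authoritative` and `Resolver` classes and the `override_ttl` parameter are hypothetical names for a toy model, and the timestamps are constructed, counted in seconds from the moment the record is updated.

```python
# Added illustration: a toy model of resolver caching, not a real DNS client.
from dataclasses import dataclass

@dataclass
class Record:
    ip: str
    ttl: int  # seconds, as published by the authoritative server

class Authoritative:
    """Holds the current record for bananas.com (constructed sample data)."""
    def __init__(self, record):
        self.record = record

class Resolver:
    """Caching resolver; override_ttl models one that ignores the published TTL."""
    def __init__(self, upstream, override_ttl=None):
        self.upstream = upstream
        self.override_ttl = override_ttl
        self.cached = None  # (ip, expires_at) or None

    def lookup(self, now):
        if self.cached and now < self.cached[1]:
            return self.cached[0]  # cache hit: the authoritative server is never asked
        rec = self.upstream.record  # cache miss: fetch whatever is current
        ttl = self.override_ttl if self.override_ttl is not None else rec.ttl
        self.cached = (rec.ip, now + ttl)
        return rec.ip

def simulate():
    auth = Authoritative(Record("1.2.3.4", 300))
    honest = Resolver(auth)                      # respects the TTL it was given
    rogue = Resolver(auth, override_ttl=24 * 3600)  # caches everything for 24 hours
    # t=0: both resolvers cache the old record just before the update.
    honest.lookup(0)
    rogue.lookup(0)
    auth.record = Record("5.6.7.8", 60)  # the update: new IP, new TTL
    # The new 60s TTL cannot shorten cache entries that were stored with 300s.
    timeline = {}
    for t in (30, 400, 12 * 3600, 24 * 3600):
        timeline[t] = (honest.lookup(t), rogue.lookup(t))
    return timeline

if __name__ == "__main__":
    for t, (h, r) in simulate().items():
        print(f"t={t:>6}s  TTL-respecting resolver: {h}  24h-caching resolver: {r}")
```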