What Is TTL?
TTL stands for Time to Live. It is a value that tells a system how long a piece of data should be considered valid before it must be refreshed or discarded. TTL appears in two distinct but related contexts: DNS records and network packets. In both cases, it serves as an expiration mechanism that prevents stale data from persisting indefinitely.
TTL in DNS
In the Domain Name System, every DNS record includes a TTL value measured in seconds. This value tells recursive resolvers and caches how long they can store the record before querying the authoritative DNS server again for a fresh copy.
For example, if your domain's A record has a TTL of 3600, any DNS resolver that looks up your domain will cache the result for 3600 seconds (one hour). During that hour, all subsequent lookups by that resolver will return the cached answer without contacting your authoritative server. Once the TTL expires, the next lookup triggers a fresh query.
TTL directly affects DNS propagation speed. When you change a DNS record — such as pointing your domain to a new server or activating a CDN — the old record remains cached by resolvers around the world until its TTL expires. A record with an 86400-second (24-hour) TTL means some visitors may still be directed to the old address for up to a full day after the change.
Choosing the Right DNS TTL
Selecting appropriate TTL values involves balancing two competing concerns:
- Higher TTLs (3600-86400 seconds) reduce the query load on your authoritative DNS servers and provide slightly faster DNS resolution for repeat visitors (since the answer is already cached). They are appropriate for records that rarely change, such as MX records or the A records of stable production servers.
- Lower TTLs (60-300 seconds) allow faster propagation when changes are made. They are essential for records that need to change quickly — such as during a failover event, a DDoS attack requiring traffic rerouting, or a migration to new infrastructure.
A common best practice is to use moderate TTLs (300-3600 seconds) for most records, then temporarily lower the TTL to 60 seconds a day or two before a planned change. After the change is complete and verified, raise the TTL back to its normal value.
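The caching behaviour and the lower-the-TTL-first procedure described above, as an added example that is not code from the original article. It simulates one recursive resolver in memory (the zone, the addresses from the RFC 5737 documentation ranges, the record name and every timestamp are constructed here; nothing is sent on a real network) and measures how long the resolver keeps handing out the old address after a change, with and without the TTL having been lowered beforehand. It also shows the caveat the procedure rests on: a lowered TTL only takes effect once the copy the resolver already holds has expired, so lowering it less than one old TTL before the change does nothing.

```python
"""Resolver caching and DNS change propagation, simulated in memory.

Added example, not code from the original article. The zone, the resolver
cache, the addresses (RFC 5737 documentation ranges) and the timestamps are
all constructed here; no real DNS traffic is sent.
"""
from dataclasses import dataclass
from typing import Optional

NAME = "www.example.com"   # constructed record name
OLD_IP = "192.0.2.1"       # constructed old address
NEW_IP = "198.51.100.7"    # constructed new address
DAY = 86400


@dataclass
class Record:
    name: str
    rtype: str
    value: str
    ttl: int  # seconds, as published by the authoritative server


class AuthoritativeZone:
    """Toy authoritative server holding one record per (name, type)."""

    def __init__(self):
        self._records = {}

    def publish(self, record: Record) -> None:
        self._records[(record.name, record.rtype)] = record

    def query(self, name: str, rtype: str) -> Record:
        return self._records[(name, rtype)]


class CachingResolver:
    """Recursive resolver that serves a cached answer until its TTL expires."""

    def __init__(self, zone: AuthoritativeZone):
        self._zone = zone
        self._cache = {}  # (name, rtype) -> (expires_at, Record)
        self.upstream_queries = 0

    def lookup(self, name: str, rtype: str, now: int) -> Record:
        key = (name, rtype)
        cached = self._cache.get(key)
        if cached is not None and now < cached[0]:
            return cached[1]  # still fresh: answered without contacting the zone
        rec = self._zone.query(name, rtype)
        self.upstream_queries += 1
        # The TTL of *this* copy decides when the resolver asks again, so a
        # newly lowered TTL only takes effect after the old copy has expired.
        self._cache[key] = (now + rec.ttl, rec)
        return rec


def stale_seconds_after_change(lower_at: Optional[int], old_ttl: int = DAY,
                               low_ttl: int = 60, change_at: int = DAY + 1830,
                               horizon: int = DAY) -> int:
    """Seconds after change_at during which one resolver (queried every
    second) still hands out OLD_IP. lower_at is when the operator republishes
    the unchanged record with low_ttl, or None to skip that step."""
    zone = AuthoritativeZone()
    zone.publish(Record(NAME, "A", OLD_IP, old_ttl))
    resolver = CachingResolver(zone)
    for now in range(0, change_at + horizon):
        if lower_at is not None and now == lower_at:
            zone.publish(Record(NAME, "A", OLD_IP, low_ttl))  # same value, short TTL
        if now == change_at:
            zone.publish(Record(NAME, "A", NEW_IP, old_ttl))  # the real change
        answer = resolver.lookup(NAME, "A", now)
        if now >= change_at and answer.value == NEW_IP:
            return now - change_at
    return horizon  # still serving the old address at the end of the window


if __name__ == "__main__":
    change = DAY + 1830
    print("no TTL lowering:     ", stale_seconds_after_change(None))
    print("lowered a day ahead: ", stale_seconds_after_change(change - DAY))
    print("lowered 30 min ahead:", stale_seconds_after_change(change - 1800))
```

With the defaults (old TTL 86400, change 30.5 minutes into day two) the resolver serves the old address for 84570 seconds when nothing is lowered, for 30 seconds when the TTL was dropped to 60 a full day ahead, and again for 84570 seconds when it was dropped only 30 minutes ahead, because the resolver had already refreshed its 24-hour copy before the lowered record was published.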
Typical TTL recommendations by record type:
- A / AAAA records: 300-3600 seconds for active services. Lower if you need fast failover.
- CNAME records: 3600 seconds is common, since CNAMEs typically point to stable hostnames.
- MX records: 3600-86400 seconds. Mail records change infrequently.
- TXT records (SPF, DKIM, DMARC): 3600-86400 seconds. These change rarely once configured correctly.
- NS records: 86400 seconds or higher. Nameserver changes are rare and critical.
TTL in Networking (IP Packets)
In the networking context, TTL serves a completely different purpose. Every IP packet contains a TTL field (8 bits in IPv4, called "Hop Limit" in IPv6) that specifies the maximum number of router hops the packet can traverse before being discarded.
Each time a router forwards the packet, it decrements the TTL by one. When the TTL reaches zero, the router drops the packet and sends an ICMP "Time Exceeded" message back to the sender. This mechanism prevents packets from looping endlessly through the network if a routing error creates a circular path.
The traceroute command exploits this behavior: it sends packets with incrementally increasing TTL values (1, 2, 3...) and collects the ICMP responses from each router along the path, mapping the route to the destination hop by hop.
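The hop-by-hop decrement, the loop protection and the traceroute probing described above, as an added example that is not code from the original article. The routers, their next-hop tables and the addresses (RFC 5737 documentation ranges) are constructed in memory; nothing is sent on a real network. The `route` function plays every forwarding router in turn, and `traceroute` builds on it exactly as the text describes: probe with TTL 1, 2, 3, ... and record who answered. A second, deliberately looped next-hop table shows the packet being discarded after exactly as many hops as its initial TTL instead of circulating forever.

```python
"""IPv4 TTL / IPv6 hop limit, simulated hop by hop in memory.

Added example, not code from the original article. The routers, their
next-hop tables and the addresses (RFC 5737 documentation ranges) are
constructed here; nothing is sent on a real network.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SRC = "192.0.2.10"  # constructed sender
DST = "192.0.2.80"  # constructed destination

# Healthy path: three routers, then the destination network.
GOOD_PATH: Dict[str, str] = {
    "10.0.0.1": "203.0.113.1",
    "203.0.113.1": "198.51.100.1",
    "198.51.100.1": DST,
}
# Misconfigured path: two routers point at each other.
LOOPED_PATH: Dict[str, str] = {
    "10.0.0.1": "203.0.113.1",
    "203.0.113.1": "10.0.0.1",
}


@dataclass
class Packet:
    src: str
    dst: str
    ttl: int  # IPv4 TTL / IPv6 hop limit (8 bits, so at most 255)


@dataclass
class Reply:
    kind: str    # "echo-reply" from the destination, or ICMP "time-exceeded"
    origin: str  # address of the host that generated the reply


def route(packet: Packet, next_hop: Dict[str, str], first_hop: str) -> Tuple[Reply, int]:
    """Forward the packet router by router until it is delivered or its TTL
    hits zero. Returns the reply the sender would see and the hop count."""
    current = first_hop
    hops = 0
    while current != packet.dst:
        hops += 1
        packet.ttl -= 1  # every forwarding router decrements the field
        if packet.ttl == 0:
            # Router discards the packet and reports back to the sender.
            return Reply("time-exceeded", current), hops
        current = next_hop[current]
    return Reply("echo-reply", packet.dst), hops


def traceroute(next_hop: Dict[str, str], first_hop: str, dst: str,
               max_hops: int = 30) -> List[Tuple[int, str]]:
    """Probe with TTL 1, 2, 3, ... and record who answered each probe."""
    trace = []
    for ttl in range(1, max_hops + 1):
        reply, _ = route(Packet(SRC, dst, ttl), next_hop, first_hop)
        trace.append((ttl, reply.origin))
        if reply.kind == "echo-reply":
            break  # the destination itself answered: path fully mapped
    return trace


if __name__ == "__main__":
    for ttl, who in traceroute(GOOD_PATH, "10.0.0.1", DST):
        print(f"{ttl:2d}  {who}")
    reply, hops = route(Packet(SRC, DST, 64), LOOPED_PATH, "10.0.0.1")
    print(f"looped path: {reply.kind} from {reply.origin} after {hops} hops")
```

On the healthy path the probes with TTL 1, 2 and 3 draw "Time Exceeded" from the three routers in order and the TTL 4 probe reaches the destination; on the looped path a packet sent with TTL 64 is dropped by the 64th router it passes, which is what keeps a routing error from consuming bandwidth indefinitely.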
TTL and CDN Caching
CDNs use TTL concepts at multiple layers. DNS TTL controls how quickly traffic can be rerouted to or away from the CDN. HTTP cache TTL (set via Cache-Control and Expires headers) controls how long the CDN's edge servers cache your content before revalidating with the origin. A well-configured zone file combined with appropriate HTTP cache headers ensures that your CDN serves fresh content efficiently while minimizing origin load.
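How an edge cache turns the `Cache-Control` and `Expires` headers mentioned above into a TTL, as an added example that is not code from the original article or from any CDN. It applies the precedence rules of RFC 9111 for a shared cache (`s-maxage` beats `max-age`, which beats `Expires`; `no-store`, `private` and `no-cache` mean the edge may not reuse the response without going back to the origin) to a handful of constructed header sets, including the common misconfiguration of a `private` directive that silently disables CDN caching.

```python
"""Freshness lifetime a shared cache (CDN edge) derives from HTTP headers.

Added example, not code from the original article or from any CDN. The
precedence rules follow RFC 9111; the sample header sets are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

# Fixed "current time" so the Expires arithmetic is reproducible (constructed).
SAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'public, max-age=300, s-maxage=86400' into a directive map."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def _http_date(value: str) -> datetime:
    """Parse an RFC 9110 date; treat a missing zone designator as UTC."""
    parsed = parsedate_to_datetime(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def shared_cache_ttl(headers: Dict[str, str], now: datetime) -> Optional[int]:
    """Seconds a CDN edge may serve the response without revalidating.
    0 means it must go back to the origin every time; None means the headers
    give no explicit lifetime (a cache would fall back to heuristics)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control", ""))
    # Any of these forbids serving from a shared cache without revalidation.
    if "no-store" in cc or "private" in cc or "no-cache" in cc:
        return 0
    for directive in ("s-maxage", "max-age"):  # s-maxage wins for shared caches
        if cc.get(directive) is not None:
            try:
                return max(0, int(cc[directive]))
            except ValueError:
                continue  # malformed value: ignore this directive
    if "expires" in h:
        try:
            expires = _http_date(h["expires"])
        except (TypeError, ValueError):
            return 0  # invalid Expires such as "0" counts as already expired
        try:
            origin_now = _http_date(h["date"]) if "date" in h else now
        except (TypeError, ValueError):
            origin_now = now
        return max(0, int((expires - origin_now).total_seconds()))
    return None


SAMPLE_RESPONSES = [  # constructed header sets
    {"Cache-Control": "public, max-age=300, s-maxage=86400"},
    {"Cache-Control": "private, max-age=600"},
    {"cache-control": "no-store"},
    {"Date": "Thu, 01 Jan 2026 00:00:00 GMT", "Expires": "Thu, 01 Jan 2026 01:00:00 GMT"},
    {"Expires": "0"},
    {"Content-Type": "text/html"},
]

if __name__ == "__main__":
    for headers in SAMPLE_RESPONSES:
        print(f"{shared_cache_ttl(headers, SAMPLE_NOW)!s:>6}  {headers}")
```

The first response is cacheable at the edge for a day even though browsers only get five minutes, the `private` response gets no edge caching at all despite its `max-age`, and the response with only a `Content-Type` leaves the lifetime to the cache's heuristics, which is the situation the text's "appropriate HTTP cache headers" advice is meant to avoid.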