If DNS resolved every query from scratch every time, the internet would feel sluggish. DNS caching is the mechanism that stores resolved DNS answers locally so they can be reused without repeating the full lookup process. Understanding where DNS is cached — and how to control it — is essential knowledge for web administrators, developers, and anyone managing a domain.
What Is a DNS Cache?
A DNS cache is a temporary storage area that holds the results of recent DNS lookups. When a resolver (whether a browser, operating system, or upstream DNS server) receives a DNS answer, it stores it along with a countdown timer derived from the record's TTL (Time to Live). For the duration of that TTL, any future query for the same record is answered from cache — no network trip required.
Caching reduces latency, reduces load on authoritative nameservers, and improves the overall resilience of the internet. Without caching, even a simple page load could trigger dozens of DNS lookups, each requiring a round-trip through the full resolution hierarchy.
Where Does DNS Caching Happen?
DNS is cached at multiple independent layers. A single DNS record may be stored in all of these simultaneously:
1. Browser DNS Cache
Modern browsers maintain their own DNS cache, separate from the operating system. This is the first place the browser checks when resolving a hostname. Chrome, Firefox, Edge, and Safari all cache DNS records, though their behaviour differs slightly.
Chrome respects the TTL up to a maximum of 1 minute for positive responses and 15 seconds for negative ones. You can inspect Chrome's DNS cache directly by navigating to chrome://net-internals/#dns.
2. Operating System DNS Cache
If the browser cache does not have a valid entry, the request goes to the OS stub resolver, which maintains a system-wide DNS cache. This cache is shared across all applications on the device — not just the browser.
- Windows — uses the DNS Client service (dnscache).
- macOS — uses mDNSResponder.
- Linux — depends on the distribution; may use systemd-resolved, nscd, or no caching at all by default.
3. Recursive Resolver Cache (ISP / Public DNS)
The recursive resolver — operated by your ISP, or a public service like Cloudflare (1.1.1.1) or Google (8.8.8.8) — maintains a large shared cache used by all its clients. Because millions of users share the same resolver, popular domains are almost always served from cache instantly.
This shared cache is the largest source of propagation delay. If a resolver cached your old DNS record an hour before you updated it, every user on that resolver will continue to see the old answer until the TTL expires — regardless of what you do locally.
4. Router / Home Gateway Cache
Some home routers and corporate gateways include a built-in DNS cache or forwarder. Queries from devices on the network pass through the router before reaching an upstream resolver. The router may cache responses for its own TTL, adding another layer between your device and the authoritative answer.
How Long Are DNS Records Cached?
The duration is set by the TTL in the DNS record itself. Once a resolver stores a record in cache, a timer counts down from the TTL value. At zero, the entry expires and the next query for that record triggers a fresh lookup.
Critically, every resolver starts the TTL countdown from the moment it receives the record — not from when the record was set by the domain owner. A resolver that fetches a record with a 3600-second TTL will cache it for up to one hour from that moment, regardless of how old the record is at the source.
# Check the current TTL of a cached record at a specific resolver
# The TTL in the answer section shows the remaining cache time at that resolver
dig @8.8.8.8 showdns.net A
;; ANSWER SECTION:
showdns.net. 2847 IN A 93.184.216.34
#            ^^^^
# Remaining TTL (seconds) at Google's resolver
DNS Cache and Propagation Delays
When you update a DNS record, the change is immediate at the authoritative nameserver. However, the old record remains valid in every cache worldwide until each cached copy's TTL expires. This is what people refer to as DNS propagation — it is not DNS spreading to new servers, but rather the process of old cached values expiring across the global network of resolvers.
Propagation time depends entirely on the TTL value that was in place before you made the change. If your record had a TTL of 86400 (24 hours) and you update it, some users may see the old record for up to 24 hours. If the TTL was 300 (5 minutes), propagation completes within minutes.
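The timeline described above, as an added example that is not part of the original page: a toy two-layer cache chain (device cache in front of a recursive resolver) with a hand-advanced clock. The class names, the name example.com and the two addresses are constructed for illustration.

```python
class Clock:
    now = 0  # seconds; advanced by hand so the timeline is deterministic


class Authoritative:
    """Source of truth: a change here is visible immediately."""

    def __init__(self, ip, ttl):
        self.ip, self.ttl = ip, ttl

    def query(self, name):
        return self.ip, self.ttl


class CachingResolver:
    """Serves answers from cache until the TTL it was handed runs out."""

    def __init__(self, upstream, clock):
        self.upstream, self.clock = upstream, clock
        self.cache = {}  # name -> (ip, expires_at)

    def query(self, name):
        entry = self.cache.get(name)
        if entry and entry[1] > self.clock.now:
            # Cache hit: report the remaining TTL, as dig does.
            return entry[0], entry[1] - self.clock.now
        ip, ttl = self.upstream.query(name)
        self.cache[name] = (ip, self.clock.now + ttl)
        return ip, ttl

    def flush(self):
        self.cache.clear()


def simulate():
    """Timeline of (ip, ttl) answers seen by one device; values are constructed."""
    clock = Clock()
    auth = Authoritative("192.0.2.10", ttl=3600)
    recursive = CachingResolver(auth, clock)      # ISP / public resolver
    os_cache = CachingResolver(recursive, clock)  # stub resolver on the device
    seen = [os_cache.query("example.com")]        # t=0: cached at both layers
    clock.now += 600
    auth.ip = "198.51.100.7"                      # t=600: owner updates the record
    clock.now += 153
    seen.append(os_cache.query("example.com"))    # t=753: old answer from cache
    os_cache.flush()                              # local flush only
    seen.append(os_cache.query("example.com"))    # refilled from the stale resolver
    clock.now += 2847
    seen.append(os_cache.query("example.com"))    # t=3600: expired everywhere
    return seen
```

The third answer is the one to notice: flushing the device cache changes nothing while the recursive resolver still holds the old record, and the new address only appears once that resolver's copy expires.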
Use the ShowDNS DNS Propagation Checker to see what different resolvers around the world are currently returning for your domain.
How to Flush Your DNS Cache
Flushing your local DNS cache forces your device to perform a fresh lookup on the next query, bypassing any locally cached (potentially stale) answers. This is useful after DNS changes you have made, or when troubleshooting DNS resolution issues.
Windows
# Open Command Prompt as Administrator
ipconfig /flushdns
macOS
# macOS Ventura / Monterey / Big Sur / Catalina
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
Linux (systemd-resolved)
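sudo systemd-resolve --flush-caches
# Verify
sudo systemd-resolve --statistics
# On newer systemd releases the same commands are: resolvectl flush-caches / resolvectl statistics
Chrome Browser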
# Paste this into the Chrome address bar:
chrome://net-internals/#dns
# Click "Clear host cache"
DNS Cache Poisoning
DNS cache poisoning (also called DNS spoofing) is a security attack where a malicious actor injects fraudulent DNS records into a resolver's cache. Victims who query that resolver receive the forged IP address and may be redirected to a malicious site. DNSSEC was designed to prevent this by cryptographically validating DNS responses.
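A defender's check for the situation above, as an added example that is not part of the original page: it parses saved `dig +dnssec` output from several resolvers, lists any answer that differs from the address you expect, and reports how long that answer will stay cached and whether the resolver set the ad (authenticated data) flag, which a validating resolver sets on DNSSEC-validated answers. The resolver labels, the name and the dig output are constructed.

```python
import re

# Constructed `dig +dnssec` output fragments (not captured from real resolvers).
SAMPLES = {
    "resolver-a": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4121
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.  2847  IN  A  192.0.2.10
example.com.  2847  IN  RRSIG  A 13 2 3600 (constructed)
""",
    "resolver-b": """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 977
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.com.  86012  IN  A  198.51.100.7
""",
}

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(text):
    """Return the validation flag and the A/AAAA records of one dig response."""
    flags, records, in_answer = set(), [], False
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = set(line.split(":", 1)[1].split(";")[0].split())
        elif line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif in_answer and (m := RR.match(line.strip())):
            name, ttl, rtype, rdata = m.groups()
            if rtype in ("A", "AAAA"):
                records.append((rdata, int(ttl)))
        elif in_answer and not line.strip():
            in_answer = False  # blank line ends the answer section
    return {"validated": "ad" in flags, "records": records}


def triage(samples, expected):
    """List (resolver, ip, remaining_ttl, validated) for answers not in `expected`."""
    report = []
    for resolver, text in sorted(samples.items()):
        parsed = parse_dig(text)
        for ip, ttl in parsed["records"]:
            if ip not in expected:
                report.append((resolver, ip, ttl, parsed["validated"]))
    return report
```

A mismatch on its own usually means a stale cache entry rather than a forged one; the remaining TTL shows how long that resolver will keep serving it, and the missing ad flag shows the answer was not DNSSEC-validated.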
Frequently Asked Questions
Why does my DNS change look different on my computer vs. another location?
Different devices use different recursive resolvers, which cache records independently. Your device may have already expired the old cached record while someone in another city (using a different ISP resolver) still has the old value cached. This is normal — propagation completes when all cached copies expire across all resolvers worldwide.
How can I check what my resolver is currently returning?
Use the ShowDNS DNS Lookup tool to query a specific record. For command-line users, nslookup or dig can query a specific resolver by specifying its address (e.g., dig @1.1.1.1 example.com A).
Does incognito mode bypass the DNS cache?
No. Incognito (private) mode does not bypass DNS caching. The browser and OS caches are shared between normal and incognito sessions. To get a fresh DNS lookup, you must flush the relevant cache.
Can I disable DNS caching entirely?
You can disable the DNS Client service on Windows or nscd on Linux to prevent OS-level caching, but this is not recommended for production environments. Without caching, every DNS lookup triggers a full recursive query, increasing latency and DNS server load significantly.
What is the difference between DNS cache and browser cache?
DNS cache stores the mapping from domain names to IP addresses. Browser cache stores downloaded web content — HTML, CSS, JavaScript, images, and other assets. These are completely separate caches that serve different purposes. Clearing browser cache does not flush DNS cache, and vice versa.