DNS Propagation

Security Glossary - DNS

Definition: DNS propagation is the process by which DNS record changes spread across the global network of DNS resolvers and caches. After you update a DNS record, it takes time for all resolvers worldwide to pick up the new value because they cache records for the duration of the TTL (Time to Live).

Why DNS Propagation Matters

DNS propagation delays mean that DNS changes are not instant. After updating an A record to point to a new server, some visitors will still reach the old server until their resolver's cache expires. This creates a window where your site behaves differently for different visitors, which complicates server migrations.

The propagation time depends primarily on the TTL of the old record. If the previous TTL was 86400 seconds (24 hours), it can take up to 24 hours for all resolvers to fetch the new value. This is why best practice for planned migrations is to lower the TTL well in advance (to 300 seconds or lower) and then make the actual record change.

Some ISPs and corporate networks run aggressive caching resolvers that may ignore TTL values and cache records longer than specified. In practice, most propagation completes within a few hours, but edge cases can take up to 48 hours. During propagation, keep both old and new servers running to avoid any visitor seeing an error.
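The following Python is an added illustration, not part of the original glossary entry: it models an authoritative zone whose A record is edited over time, and caching resolvers that honour the TTL and only refetch once their cached copy expires. The IP addresses, timestamps and the resolver model are constructed assumptions; resolvers that ignore TTLs, as described above, are outside the model, so the computed worst case is a floor for real-world propagation, not a ceiling.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

OLD_IP, NEW_IP = "192.0.2.10", "198.51.100.20"  # constructed example addresses

@dataclass
class AuthoritativeZone:
    """Constructed zone history as (effective_time, ip, ttl) entries sorted by time."""
    timeline: List[Tuple[int, str, int]]

    def answer(self, now: int) -> Tuple[str, int]:
        return [(ip, ttl) for t, ip, ttl in self.timeline if t <= now][-1]

@dataclass
class CachingResolver:
    """A TTL-honouring recursive resolver with a one-record cache (assumed model)."""
    zone: AuthoritativeZone
    cached_ip: Optional[str] = None
    expires_at: int = -1

    def lookup(self, now: int) -> str:
        if now >= self.expires_at:  # cache expired: ask the authoritative server again
            ip, ttl = self.zone.answer(now)
            self.cached_ip, self.expires_at = ip, now + ttl
        return self.cached_ip

def worst_case_lag(old_ttl: int, new_ttl: int, lead_time: int) -> int:
    """Seconds after the change before every TTL-honouring resolver returns the new IP."""
    return max(new_ttl, old_ttl - lead_time)

def first_time_new_ip(resolver: CachingResolver, start: int) -> int:
    now = start
    while resolver.lookup(now) != NEW_IP:
        now = resolver.expires_at  # the answer cannot change before the cache expires
    return now

def migration_lag(old_ttl=86400, new_ttl=300, lead_time=86400, change_time=200_000) -> dict:
    """Lag (seconds after the change) for a resolver that cached just before the TTL
    was lowered and for one that cached just before the record change."""
    lower_time = change_time - lead_time
    zone = AuthoritativeZone([(0, OLD_IP, old_ttl), (lower_time, OLD_IP, new_ttl),
                              (change_time, NEW_IP, new_ttl)])
    before_lower, before_change = CachingResolver(zone), CachingResolver(zone)
    before_lower.lookup(lower_time - 1)
    before_change.lookup(change_time - 1)
    return {name: first_time_new_ip(r, change_time) - change_time
            for name, r in (("before_lower", before_lower), ("before_change", before_change))}

if __name__ == "__main__":  # lead time 0 vs 1 hour vs a full old TTL before the change
    print({lead: (migration_lag(lead_time=lead), worst_case_lag(86400, 300, lead)) for lead in (0, 3600, 86400)})
```

With no lead time the resolver that cached a second before the change keeps the old IP for the full 86400-second TTL; lowering the TTL a full old TTL in advance cuts the lag to the new 300 seconds.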

How to Check

Use a DNS health checker or propagation checker that queries your DNS from multiple global locations. This shows which resolvers have picked up the new record and which still serve the old one. Comparing results from different regions reveals propagation progress.


Frequently Asked Questions

How can I speed up DNS propagation?

Lower the TTL on the record before making the change. Set it to 300 seconds (5 minutes) at least 24-48 hours before the planned change. After the change propagates, you can raise the TTL back to a longer value for better caching performance.

Why do some users see the old site after a DNS change?

Their DNS resolver still has the old record cached. Until the cached TTL expires, the resolver serves the old IP address without checking the authoritative nameserver. Different resolvers received the old record at different times, so their caches expire at different times.

Key Takeaway: Lower your TTL to 300 seconds at least 24 hours before making DNS changes. This ensures resolvers cache the old record for at most 5 minutes, making the effective propagation time much shorter than the commonly cited 24-48 hours.