Edge & DNS Ops Guide

Propagation & Caching Basics

A technical deep-dive into how DNS changes propagate across global resolvers and how edge networks cache those records. Covers authoritative vs. recursive resolution, TTL-driven cache lifecycles, and zero-downtime deployment strategies. For foundational architecture context, review DNS Fundamentals & Advanced Record Configuration before implementing production rollouts.

  • Map the recursive resolver chain and authoritative server handshakes to predict update latency
  • Align TTL values with actual cache expiration behavior across ISPs, enterprise networks, and CDNs
  • Implement staged rollouts and dual-stack routing to prevent split-brain traffic during migrations
  • Leverage cache-control headers and CDN purge APIs to synchronize edge routing with authoritative DNS updates

The Mechanics of DNS Propagation

Resolvers fetch records through a hierarchical delegation chain. Authoritative servers hold the source of truth. Recursive resolvers cache responses to reduce latency and upstream load. Each layer enforces TTLs independently.

Negative caching also impacts propagation. NXDOMAIN responses and SOA minimum TTLs dictate how long resolvers remember failed lookups. This delays visibility for newly created zones. Refer to Understanding DNS Record Types for record-specific propagation behaviors and chain resolution.

Platform quirks vary significantly. Cloudflare 1.1.1.1 aggressively honors TTLs. AWS Route 53 Resolver caches at the VPC level. Google Public DNS applies proprietary load-balancing logic. Always verify against your target infrastructure.

Diagnostic Commands:

# Trace the full delegation chain from root to authoritative NS
dig +trace yourdomain.com A

# Debug recursive resolution steps and cache status
nslookup -debug yourdomain.com

# Inspect local systemd-resolved cache state
systemd-resolve --status

Expected Output: dig +trace returns iterative IN NS responses ending with the authoritative IP. nslookup -debug shows Got answer: blocks with AUTHORITY SECTION and ADDITIONAL SECTION. systemd-resolve lists DNSSEC status and Current DNS Server per interface.

TTL-Driven Cache Invalidation & Edge Routing

TTL values dictate cache lifespan across all recursive layers. Lowering TTL 24–48 hours before migration forces faster cache turnover. This prevents stale routing during authoritative updates. Consult Mastering TTL Strategies for production-grade TTL tuning and SOA record optimization.

CDN edge caches often bypass DNS TTLs. They rely on origin connection pools. You must synchronize DNS changes with cache-control headers. Stale cache during regional outages requires manual intervention.

Verification Command:

# Inspect CDN cache headers and object age
curl -s -o /dev/null -D - https://cdn.yourdomain.com/asset.js | grep -iE 'cache-control|age'

Expected Output:

cache-control: public, max-age=3600, s-maxage=86400
age: 1245

Note: s-maxage controls shared CDN cache. age shows seconds since edge retrieval. If age exceeds expected TTL post-update, trigger a targeted purge.

CDN & DNS Integration Quirks

Modern CDNs cache DNS lookups at the edge. Origin pull populates caches on first request. Push models pre-warm assets. Both approaches interact differently with DNS updates. Anycast routing masks resolver proximity. Perceived propagation speed varies by geography.

Bypass CDN DNS caching using custom edge rules. Switch to IP-based origins for critical failover paths. Implement cache tags and programmatic purge APIs alongside authoritative updates. This guarantees immediate routing synchronization.

Purge Command:

# Invalidate all cached paths on an AWS CloudFront distribution
aws cloudfront create-invalidation \
 --distribution-id E1234567890 \
 --paths '/*'

Expected Output:

{
 "Invalidation": {
 "Id": "I2QJ4F8X9Z0K",
 "Status": "InProgress",
 "CreateTime": "2024-01-15T10:30:00.000Z",
 "InvalidationBatch": {
 "Paths": { "Quantity": 1, "Items": ["/*"] },
 "CallerReference": "auto-1705312200"
 }
 }
}

Rollback Step: If the new origin fails health checks, revert the DNS A record to the legacy IP and immediately purge the CDN again. Maintain dual-stack routing during the transition window.

Debugging & Verification Workflows

Global DNS checkers aggregate public resolvers. They often mask ISP-level caching. Direct recursive queries isolate true propagation state. Track TTL deltas to confirm compliance.

Identify DNS hijacking or aggressive caching by comparing dig outputs across multiple resolvers. Misconfigured SOA minimum TTLs cause prolonged negative caching. Follow Debugging DNS propagation delays across global resolvers for advanced diagnostic scripts and automation.

Live Monitoring Command:

# Poll two major resolvers every 2 seconds to track TTL convergence
watch -n 2 'dig @8.8.8.8 yourdomain.com A +short && echo "---" && dig @1.1.1.1 yourdomain.com A +short'

Expected Output: Alternating IP addresses until both resolvers return the new authoritative IP. Query times drop from ~45ms to ~2ms once cached.

Configuration Examples

Lowering TTL 48 hours before a DNS migration

# Verify current SOA TTL
dig @ns1.provider.com yourdomain.com SOA | awk '{print $7}'

# Reduce TTL to 300s (5 minutes)
provider-cli dns update --zone yourdomain.com --record @ --type A --ttl 300

Explanation: Demonstrates pre-migration TTL reduction to force faster cache expiration across resolvers before authoritative record changes.

Purging CDN cache after DNS record update

curl -X POST https://api.cloudflare.com/client/v4/zones/$ZONE_ID/purge_cache \
 -H 'Authorization: Bearer $TOKEN' \
 -H 'Content-Type: application/json' \
 -d '{"purge_everything": true}'

Explanation: Ensures edge nodes fetch the new DNS-resolved origin IP immediately after authoritative changes, bypassing stale edge caches.

Verifying resolver cache status and TTL compliance

dig @1.1.1.1 yourdomain.com +noall +comments | grep -E 'Query time|SERVER'
sleep 5
dig @1.1.1.1 yourdomain.com +noall +comments | grep -E 'Query time|SERVER'

Explanation: First query shows cache miss (higher query time). Second shows cache hit (near-zero time). Confirms TTL behavior and resolver compliance.

Edge Cases & Warnings

Scenario Impact Mitigation & Rollback
ISP ignores low TTL values Delayed propagation despite 300s TTL, causing split-brain routing and inconsistent user experiences Use DNSSEC to enforce compliance. Implement dual-stack routing during transition. Verify with multiple public resolvers before cutting over. Rollback: Revert authoritative record and flush local resolver cache.
CDN caches DNS resolution at the origin Edge nodes continue hitting old origin IP even after authoritative DNS updates, causing 502/504 errors Configure origin DNS lookup interval in CDN settings. Use static IP-based origin instead of hostname. Trigger targeted cache purge post-update. Rollback: Disable edge routing rules and route traffic directly to legacy IP.
Negative caching of NXDOMAIN records Newly created subdomains fail to resolve for hours or days due to aggressive negative caching Set SOA minimum TTL appropriately (300–600s). Pre-warm resolvers with synthetic queries. Use wildcard records if applicable to your architecture. Rollback: Temporarily point wildcard to a maintenance endpoint until propagation stabilizes.

Frequently Asked Questions

Why does DNS propagation sometimes take up to 48 hours? Legacy TTLs, ISP resolver caching policies, and negative caching can extend propagation. Modern systems respect TTLs, but some resolvers override them for performance or cost reasons.

How do I force immediate DNS updates without downtime? Lower TTL 24–48 hours in advance. Deploy dual-stack origins. Use CDN cache purging to synchronize edge routing with authoritative changes.

Does changing a CNAME affect cached A records? No. Resolvers cache the final resolved IP based on the CNAME chain’s TTL. Update the target’s TTL or purge CDN caches to reflect changes faster.