DNS TTL Limits at Public DNS Resolvers

In my post about the basics of DNS TTLs and caching I mentioned that DNS resolvers use the TTL of the record to determine how long to cache any particular record for. While this is /normally/ true, there are exceptions. Namely, certain public DNS resolvers have a upper limit of the TTL that they will cache. That is, if you set a TTL longer than their limit, the resolver will bring the TTL down to their limit and cache it using their TTL.

Google Public DNS

Google Public DNS is the most significant example of a public DNS resolver applying DNS limits.

For example:

nullrouted.space.       21600   IN      A

;; Query time: 56 msec

The TTL set for that particular A record is set at 86400 seconds or 1 day. Google Public DNS brings the TTL down to their upper limit which is 21600 seconds or 6 hours.

Here is the same record from a resolver that does not have a upper TTL limit.

nullrouted.space.       86400   IN      A

;; Query time: 76 msec


Quad9 is another example of a public DNS resolver applying a upper TTL limit.

For example:

nullrouted.space.       43200   IN      A

;; Query time: 92 msec

Quad9 brings the TTL down from 86400 seconds to 43200 seconds or 12 hours.


OpenDNS is the one I’ve found that most aggressively limits TTLs.

For example:

test.zombocloud.com.    3600    IN      A

;; Query time: 48 msec

OpenDNS brings the TTL down from 86400 seconds or 1 day to 3600 seconds or 1 hour.


I don’t have an authoritative answer from any of these public resolver vendors as to exactly why they apply these limits. The most likely theory is that they do this to keep their cache size low. DNS caching uses RAM and with public DNS resolvers and their query volumes their cache sizes will be non-trivial. Setting a upper TTL limits means that they can keep their memory usage down.

Does every public DNS resolver do this?

No, they don’t. One popular public DNS resolver that doesn’t have a upper TTL limit is Cloudflare’s

Does this matter?

Unless you are a DNS nerd who cares about the minutiae of how the DNS works at large, nope. I wrote this post down just to make a note of this behaviour.