How to Check and Interpret TTL Values in DNS Records (CNAME/A) Using dig Command


3 views

When querying DNS records using dig, the numeric value displayed right before the record type (e.g., CNAME or A) represents the Time-To-Live (TTL) in seconds. In your example:


;; ANSWER SECTION:
host.example.gov.       43200   IN  CNAME   host1.example.gov.
host1.example.gov.      43200   IN  A       192.168.16.10

Both records show a TTL of 43200 seconds (12 hours). This means resolvers should cache these records for this duration before checking for updates.

For a more detailed view of TTL behavior, try these command variations:


# Show all DNS response details including TTL
dig +nocmd +noall +answer +ttlid host.example.gov CNAME

# Monitor TTL changes over time (Mac/Linux)
watch -n 60 "dig +short +ttlid host.example.gov | grep -v ';'"

Here's a Python script to monitor TTL changes programmatically:


import subprocess
import re
import time

def get_ttl(domain, record_type="CNAME"):
    cmd = f"dig +nocmd +noall +answer +ttlid {domain} {record_type}"
    output = subprocess.check_output(cmd, shell=True).decode()
    match = re.search(r"\d+\s+IN\s+" + record_type, output)
    if match:
        return int(output.split()[1])
    return None

while True:
    ttl = get_ttl("host.example.gov")
    print(f"Current TTL: {ttl} seconds")
    time.sleep(300)  # Check every 5 minutes
  • Lower TTLs (300-900) are useful before DNS changes
  • Higher TTLs (86400+) reduce DNS lookup overhead
  • Some DNS providers enforce minimum TTL values
  • Actual cache behavior may vary by resolver implementation

Other command-line alternatives to dig:


# Using host command
host -v -t CNAME host.example.gov | grep 'TTL'

# Using nslookup (Windows/Mac/Linux)
nslookup -debug -type=CNAME host.example.gov

When working with DNS records, the Time-To-Live (TTL) value specifies how long a DNS record should be cached by resolvers before checking for updates. The TTL is expressed in seconds and appears right after the record type in dig output.

;; ANSWER SECTION:
example.com.     3600    IN  A     192.0.2.1
sub.example.com. 1800    IN  CNAME example.com.

The standard dig output shows TTL values clearly in the ANSWER SECTION. For your specific example:

% dig host.example.gov

;; ANSWER SECTION:
host.example.gov.       43200   IN  CNAME   host1.example.gov.
host1.example.gov.      43200   IN  A       192.168.16.10

Yes, the value '43200' (12 hours) is indeed the TTL for both the CNAME and A records in this response.

To get more detailed TTL information:

dig +ttlid +ttlunits host.example.gov CNAME

;; ANSWER SECTION:
host.example.gov.       12h     IN  CNAME   host1.example.gov.

This shows the TTL in human-readable format (hours/minutes). Other useful variations:

# Show only the answer section
dig +noall +answer host.example.gov

# Trace the full DNS resolution path
dig +trace host.example.gov

When examining TTL values:

  • Lower TTLs (300-3600) are good for records that change frequently
  • Higher TTLs (86400+) improve performance for stable records
  • Plan TTL reduction before DNS changes to minimize propagation delay
# Checking current TTL during migration
dig +short host.example.gov | while read line; do
    dig +short "$line" | awk '{print $1 " TTL: " $2}'
done

Here's how major services configure their TTLs:

# Google's main domain
dig google.com

;; ANSWER SECTION:
google.com.     300 IN  A   172.217.0.46

# Cloudflare's DNS
dig cloudflare.com

;; ANSWER SECTION:
cloudflare.com. 300 IN  A   104.16.132.229

Notice how both use 300-second (5 minute) TTLs for their main A records, allowing quick DNS updates.