DNS Change Propagation Delay Time

Information about the Propagation Delay Time for Domain Name Server Changes


Most of us use DNS every day when surfing the web. If you open a browser and click a link, the first thing your computer’s operating system does is a Domain Name System (DNS) lookup to convert the host name to an IP address. That IP address is what the routers between your computer and the destination server use to find a network path there and back.

If you’ve got your own domain name and are able to change its A records, you can create your own DNS records, making the systems you use easier to find without having to look up or remember a long IP address.

But what happens when you create or modify an A record and the change doesn’t seem to take effect right away? Several steps have to happen before your computer notices the new or changed DNS record.

  1. When you modify DNS for your domain you’re actually changing a zone file (think of it as a “host file”) on a master DNS server somewhere out on the Internet. These servers are used by many customers making changes all the time, so they might only reload and process new changes once an hour, every twenty minutes, or whatever interval the DNS system administrators have decided upon. You can check whether the master server has processed the change with the nslookup command as shown below.
  2. Once the master DNS server updates its records, the changes are pushed out to the secondary servers right away with a DNS NOTIFY message. Most DNS service providers have three or more secondary servers, and it is these secondaries that appear as the domain’s name servers in a whois lookup at the registrar; the master itself is not listed. This is called a “hidden master” configuration. As soon as these delegated secondary servers are updated, the Internet at large is able to start using the new DNS records you’ve made. Any lookup your computer makes for a brand-new record will be answered right away.
  3. However, if you are changing an existing DNS entry the result typically doesn’t show up right away. The reason for this is twofold:
    1. DNS records are cached on your local computer. You can clear your computer’s local resolver cache, forcing it to request the updated DNS record from its configured DNS server:
      1. Windows: 1) Open Command Prompt (Run as Administrator). 2) Enter: ipconfig /flushdns
      2. Mac OS X 10.10 Yosemite: 1) Open a terminal. 2) Enter: sudo discoveryutil mdnsflushcache;sudo discoveryutil udnsflushcaches;say flushed
      3. Mac OS X 10.6 through 10.9 Mavericks: 1) Open a terminal. 2) Enter: sudo killall -HUP mDNSResponder
    2. The computer where you run your web browser is configured by DHCP to use a specific set of DNS servers. Your network administrator configures DHCP to hand your computer a set of reliable DNS servers, which might be on your company’s intranet or run by your ISP. These DNS servers have their own cache. Hopefully they respect the TTL (Time To Live) settings of your DNS zone, but they might also override it and do their own caching. This override, and the TTL itself, is yet another reason that changes to existing records don’t take effect right away. While you probably won’t be able to convince the support team that runs these DNS servers to change their settings or flush their cache, you can certainly override the settings on your computer to make it use different, “nicer” DNS servers on the Internet such as:
      1. CensurFriDNS: 91.239.100.100, 89.233.43.71
      2. OpenDNS: 208.67.222.222, 208.67.220.220
        (WARNING: Do not change your DNS server if you need it to access local systems on your company intranet such as a wiki or print server)

Troubleshooting and Checking DNS Changes

If you’ve made a change to your DNS and it doesn’t show up, there are some steps you can follow to troubleshoot and evaluate the situation. Normally, waiting an hour or more is enough for the changes to propagate from the public Internet DNS servers down to your local computer. If you don’t want to wait, or are concerned that there might be a mistake or configuration error, follow these steps:

  1. In this example we will use my domain, ibenit.com, and check the status of the www entry we made there: www.ibenit.com
  2. There are two DNS servers we want to check:
    1. A public internet DNS server like the ones provided by google: 8.8.8.8
      Check the record under question as follows:

      1. Open a command prompt and run this command. Remember, this is just an example; for your situation you’d replace the FQDN host name below. (FQDN = Fully Qualified Domain Name = www.ibenit.com)
      2. nslookup www.ibenit.com 8.8.8.8
      3. This command returns the following result, which includes both the CNAME (also known as an alias) and the IP addresses for the CNAME target.
        www.ibenit.com canonical name = domains.tumblr.com.
        Name: domains.tumblr.com
        Address: 66.6.42.22
        Name: domains.tumblr.com
        Address: 66.6.43.22
    2. One of the designated “authoritative” DNS servers registered with your domain name registrar.
      1. Find the designated DNS Servers for your domain with the Internet whois system. Here’s one easy to use service for whois lookups:  https://who.is/whois/ibenit.com
      2. For my domain you can see there are three name servers (NS) listed. These are the “authoritative” DNS servers used when looking up records for my domain.
        1. ns1.systemdns.com 216.40.47.90
        2. ns2.systemdns.com 216.40.47.90
        3. ns3.systemdns.com 64.99.96.3
      3. Pick one of these designated name servers from the registrar and do a name service lookup to it.
        1. From the same command prompt you opened before, run this command. Remember, this is just an example; replace the FQDN host name and the IP address below with the correct details for your domain (FQDN = Fully Qualified Domain Name = www.ibenit.com):

          nslookup www.ibenit.com 216.40.47.90
        2. This command returns the following result, which is a CNAME (Canonical Name):
          $ nslookup www.ibenit.com 216.40.47.90
          Server: 216.40.47.90
          Address: 216.40.47.90#53
          Non-authoritative answer:
          www.ibenit.com canonical name = domains.tumblr.com.
  3. Once you’ve checked the designated name servers, compare the results of the two nslookup commands. Repeat these lookups multiple times, waiting a few minutes between sessions. It may take a while for the results to converge.
  4. If, after following these steps and waiting for the servers to sync up and the caches to refresh, the DNS changes are still not working, you at least have some good information to share with the support team when you need to escalate and ask for technical support.
  5. If your nslookup diagnostics don’t report any issues, there may be a firewall or other service issue blocking your application. Run an Nmap port scan against the IP address of your system to see which services are responding.
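As an added example (not part of the original post), the Python script below performs the same two lookups as the nslookup steps above, but at the DNS wire-format level, so you can see the two things nslookup’s output hides: the TTL each record carries (how long a resolver may keep serving the old answer) and the AA flag that tells you whether the answer came from an authoritative server or a cache. The reply bytes embedded in SAMPLE_RESOLVER_REPLY are constructed to mirror the post’s output, not captured from a real server, and propagation_status is this example’s own helper, not a standard tool.

```python
import socket, struct, secrets
A, CNAME = 1, 5                                          # RR types seen in the post's nslookup output

def build_query(name, qtype=A):
    """Header (random ID, RD=1, one question) + QNAME + QTYPE + QCLASS IN."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split(".")) + b"\0"
    return struct.pack(">HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", qtype, 1)

def read_name(msg, off):
    """Decode the name at off, following RFC 1035 compression pointers; return (name, next offset)."""
    labels, end = [], None
    while (n := msg[off]) != 0:
        if n & 0xC0:                                     # 11xxxxxx: pointer to a name earlier in the message
            end = end or off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n
    return ".".join(labels), (end or off + 1)

def parse_answers(msg):
    """Return (aa_bit, [(owner, type, ttl, rdata)]) from a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd): off = read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10]); off += 10
        rdata = (".".join(map(str, msg[off:off + 4])) if rtype == A else
                 read_name(msg, off)[0] if rtype == CNAME else msg[off:off + rdlen].hex())
        answers.append((owner, rtype, ttl, rdata)); off += rdlen
    return bool(flags & 0x0400), answers                 # AA set = the zone's own server answered, not a cache

def query(server, name, qtype=A, timeout=3.0):           # one UDP query to server:53; needs network access
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_answers(s.recv(4096))

def propagation_status(auth_answers, cached_answers):
    """Same record data on both sides = propagated; otherwise the stale copy lives at most min(TTL) seconds."""
    rrset = lambda rrs: {(o, t, d) for o, t, _, d in rrs}
    if rrset(auth_answers) == rrset(cached_answers):
        return {"propagated": True, "wait_seconds": 0}
    return {"propagated": False, "wait_seconds": min((ttl for _, _, ttl, _ in cached_answers), default=0)}

# Constructed (not captured) resolver reply, AA clear, mirroring the post's output: CNAME TTL 300, two A records TTL 60.
SAMPLE_RESOLVER_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x03\x00\x00\x00\x00" b"\x03www\x06ibenit\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x14" b"\x07domains\x06tumblr\x03com\x00"
    b"\xc0\x2c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x42\x06\x2a\x16"
    b"\xc0\x2c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x42\x06\x2b\x16")
```

For a live check, run propagation_status(query("216.40.47.90", "www.ibenit.com")[1], query("8.8.8.8", "www.ibenit.com")[1]) with your own domain and its registrar-listed name server substituted; the AA bit from the first call should be True and from the second False.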

Hope this helps!
