Loading learning content...
DNS caching is not implemented at a single location—it's distributed across multiple levels of the resolution path, creating a layered defense against unnecessary upstream queries. Each layer serves distinct populations, operates under different constraints, and contributes uniquely to overall caching efficiency.
Understanding these caching levels is essential for:
This page explores each caching level in depth, from the browser's internal cache to enterprise DNS infrastructure, examining their behavior, configuration options, and operational characteristics.
By the end of this page, you will understand each level of the DNS cache hierarchy: browser caches, operating system caches, local network resolvers, ISP resolvers, and enterprise DNS infrastructure. You'll learn how these layers interact, their typical configurations, and how to work with each layer during troubleshooting and operations.
When an application needs to resolve a domain name, the query traverses a series of potential caches before reaching authoritative servers. At each level, a cache hit can immediately satisfy the request; only cache misses propagate to the next level.
The Cache Hierarchy (Client to Server):
Each layer exhibits different characteristics in terms of scope, population, cache capacity, and administrative control.
| Cache Level | Scope | Typical Capacity | Cache Hit Rate | Admin Control | Response Time |
|---|---|---|---|---|---|
| Browser Cache | Single browser instance | 100-1000 entries | 20-40% | User/Developer | < 1ms |
| OS Cache | Single device | 500-5000 entries | 30-50% | System Admin | < 1ms |
| Router/Local DNS | Local network (~50 devices) | 1000-10000 entries | 40-60% | Network Admin | 1-5ms |
| ISP Resolver | Millions of subscribers | Millions of entries | 80-95% | ISP | 5-30ms |
| Enterprise DNS | Organization (~10000 devices) | 100K+ entries | 70-90% | IT Admin | 1-10ms |
Larger cache populations (more clients sharing a cache) increase cache hit rates due to request aggregation. If one ISP subscriber resolves google.com, millions of other subscribers benefit from the cached response. This aggregation is why ISP resolvers achieve 80-95% hit rates while browser caches achieve only 20-40%.
Modern web browsers maintain their own internal DNS cache, independent of the operating system's resolver cache. This application-level cache provides the fastest possible dns resolution for recently visited domains.
Why Browsers Implement DNS Caching:
Browser-Specific Caching Behavior:
| Browser | Default Cache Duration | Maximum Entries | Flush Method | Special Behavior |
|---|---|---|---|---|
| Chrome | 60 seconds (min) | ~1000 | chrome://net-internals/#dns | Async DNS, prefetching |
| Firefox | Respects TTL | Configurable | about:networking#dns | DNS-over-HTTPS option |
| Safari | Varies | System-managed | Restart or clear history | Uses OS resolver |
| Edge | 60 seconds (min) | ~1000 | edge://net-internals/#dns | Chromium-based, same as Chrome |
Viewing and Flushing Browser DNS Cache:
Chrome / Edge (Chromium-based):
chrome://net-internals/#dnsFirefox:
about:networking#dnsabout:config → network.dnsCacheExpiration to adjust behaviorBrowser DNS Prefetching:
Browsers proactively resolve domains before they're needed, hiding DNS latency during user think-time:
<!-- Explicit prefetch hints -->
<link rel="dns-prefetch" href="//cdn.example.com">
<link rel="dns-prefetch" href="//api.example.com">
<!-- Browsers also auto-prefetch hrefs in <a> tags -->
<a href="https://other-site.com">Link</a> <!-- domain pre-resolved -->
Prefetching trades bandwidth (speculative DNS queries) for latency reduction. High-traffic sites typically prefetch CDN, API, and analytics domains.
When testing DNS changes during development, flush the browser's internal DNS cache—not just the OS cache. Chrome's DevTools also has 'Disable cache' in the Network panel, but this affects HTTP caching, not DNS. For DNS, use chrome://net-internals/#dns explicitly.
The operating system's DNS resolver—often called the stub resolver—provides system-wide DNS caching for all applications. When applications call standard resolver functions (e.g., getaddrinfo(), gethostbyname()), the OS stub resolver handles the request, checking its cache before forwarding to configured nameservers.
Windows DNS Client Service:
Windows implements DNS caching through the "DNS Client" service (dnscache). This service:
ipconfig /displaydns and ipconfig /flushdns commands12345678910111213141516171819202122
# View Windows DNS Cacheipconfig /displaydns # Sample output:# www.example.com# ----------------------------------------# Record Name . . . . . : www.example.com# Record Type . . . . . : 1 (A record)# Time To Live . . . . : 2847# Data Length . . . . . : 4# Section . . . . . . . : Answer# A (Host) Record . . . : 93.184.216.34 # Flush Windows DNS Cacheipconfig /flushdns# Successfully flushed the DNS Resolver Cache. # PowerShell: View DNS cache with more detailGet-DnsClientCache # PowerShell: Clear DNS cacheClear-DnsClientCachemacOS DNS Caching:
macOS uses mDNSResponder for DNS resolution and caching. Cache management:
# View DNS cache (macOS 10.12+)
sudo dscacheutil -cachedump -entries Host
# Flush DNS cache
sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
Linux DNS Caching:
Linux DNS caching depends on the resolver configuration:
systemd-resolved (Modern distributions):
# View cache statistics
resolvectl statistics
# Flush DNS cache
resolvectl flush-caches
dnsmasq (Often used on routers/embedded):
# Flush by restarting service
sudo systemctl restart dnsmasq
nscd (Name Service Cache Daemon):
# Flush hosts cache
sudo nscd -i hosts
No local caching — Some configurations forward directly to upstream; applications query upstream on every request.
Unlike Windows and macOS, Linux desktop/server distributions have inconsistent DNS caching configurations. Ubuntu uses systemd-resolved by default; others may use dnsmasq, nscd, or no local caching. Verify your distribution's resolver stack before assuming cache behavior.
Most local networks—home networks, small offices, Wi-Fi hotspots—include a local DNS resolver that serves all devices on the network. This is typically the router itself, which provides DHCP-assigned addresses with itself as the DNS server.
How Local Resolvers Work:
Benefits of Local Network Caching:
Home Router DNS Caching:
Consumer routers typically run lightweight DNS resolvers with modest cache sizes:
| Router Type | DNS Implementation | Typical Cache Size | Cache Control |
|---|---|---|---|
| Consumer routers | dnsmasq (common) | 150-1000 entries | Via admin panel (limited) |
| ISP-provided | Varies | Varies | Often locked down |
| Mesh systems | Proprietary | Varies | App-based management |
| Advanced/DD-WRT | dnsmasq/unbound | Configurable | Full control via SSH |
dnsmasq Configuration Example:
# /etc/dnsmasq.conf on router
# Set cache size (default is usually 150)
cache-size=1000
# Don't cache negative responses
no-negcache
# Log queries (for debugging)
log-queries
# Forward to specific upstream
server=8.8.8.8
server=1.1.1.1
Pi-hole and Local DNS Solutions:
Advanced users often deploy dedicated local DNS solutions:
Some applications and devices now bypass local resolvers by hardcoding public DNS (8.8.8.8, 1.1.1.1) or using DNS-over-HTTPS. This can undermine local caching, content filtering, and enterprise DNS policies. Network administrators may need to intercept or block such traffic at the firewall level.
ISP recursive resolvers serve the largest populations—potentially millions of subscribers—making them the most impactful caching layer. A single cache hit at an ISP resolver can serve countless subsequent queries from all subscribers.
ISP Resolver Characteristics:
| Characteristic | Description |
|---|---|
| Client population | 100,000 to 10,000,000+ subscribers |
| Query volume | 1-100+ billion queries per day |
| Cache size | Millions of entries; possibly tens of GB |
| Cache hit rate | 80-95% for typical residential traffic |
| Server infrastructure | Clusters of high-performance servers |
| Network position | Regional anycast or centralized |
ISP Resolver Operations:
ISP resolvers implement sophisticated infrastructure for performance and reliability:
Public DNS Services:
Public DNS resolvers provide alternatives to ISP-provided DNS, often with privacy or performance benefits:
| Provider | Primary IP | Secondary IP | Notable Features |
|---|---|---|---|
| Google Public DNS | 8.8.8.8 | 8.8.4.4 | Global anycast, DNSSEC, DNS-over-HTTPS |
| Cloudflare | 1.1.1.1 | 1.0.0.1 | Privacy focus, WARP VPN, fastest claimed latency |
| Quad9 | 9.9.9.9 | 149.112.112.112 | Security focus, blocks malicious domains |
| OpenDNS | 208.67.222.222 | 208.67.220.220 | Content filtering options, Cisco-owned |
| AdGuard DNS | 94.140.14.14 | 94.140.15.15 | Ad blocking at DNS level |
Why Cache Hit Rates Are Highest at This Level:
The power-law distribution of DNS queries explains high cache hit rates:
With millions of subscribers, even moderately popular domains get resolved frequently enough to remain cached. The top 10,000 domains are almost always cached at major ISP resolvers.
ISP Resolver Policies:
ISPs may implement policies affecting cache behavior:
When using public DNS instead of your ISP's resolver, CDNs may select suboptimal servers because they see the resolver's location, not yours. EDNS Client Subnet (ECS) mitigates this by sending your subnet to authoritative servers, but not all resolvers support it and it has privacy implications.
Enterprise networks implement sophisticated DNS infrastructure that serves internal resources and external resolution, with caching as a critical component. Enterprise DNS differs from consumer DNS in several ways:
Enterprise DNS Functions:
server.corp.example.com to internal IPsWindows Active Directory DNS:
Microsoft environments typically use AD-integrated DNS:
# View DNS server cache statistics
Get-DnsServerStatistics -ComputerName dc01.corp.example.com
# Clear DNS server cache
Clear-DnsServerCache -ComputerName dc01.corp.example.com
# View cached records
Show-DnsServerCache -ComputerName dc01.corp.example.com
Enterprise DNS Architecture Patterns:
| Pattern | Description | Use Case |
|---|---|---|
| Single-tier | Domain controllers provide all DNS | Small organizations |
| Forwarder model | DCs forward external to dedicated resolvers | Medium enterprises |
| Hybrid | Internal DNS on-premises, external via cloud | Modern/cloud-migrating |
| Conditional forwarding | Different forwarders for different domains | Multi-domain environments |
| DNS proxy/firewall | All DNS routes through security inspection | Security-focused orgs |
Enterprise DNS Security Layers:
Enterprises often add security layers to DNS:
When implementing split-horizon DNS (different internal vs. external responses for the same domain), ensure that internal caches don't leak to external resolvers and vice versa. Misconfigured caching in split-horizon environments can cause internal IPs to propagate externally or external IPs to resolve internally—both causing connectivity failures.
Understanding how cache levels interact helps troubleshoot resolution issues and predict propagation behavior. Several edge cases and interactions warrant special attention.
Cache Consistency Issues:
Different cache layers may hold different versions of records after a DNS change:
Scenario: DNS Change Propagation
Result: User A continues reaching old IP even though ISP has new IP, because their local caches haven't expired.
Troubleshooting Cache Layer Issues:
When debugging DNS resolution problems, systematically check each cache level:
# Step 1: Check authoritative (ground truth)
dig @ns1.example.com www.example.com A
# Step 2: Check ISP/public resolver
dig @8.8.8.8 www.example.com A
dig @1.1.1.1 www.example.com A
# Step 3: Check local resolver
dig @192.168.1.1 www.example.com A
# Step 4: Check OS resolution
# Windows:
nslookup www.example.com
# Linux/macOS:
host www.example.com
getent hosts www.example.com
# Step 5: Check browser (manual - view cache page)
If results differ between levels:
DNS changes often propagate unevenly due to cache layer timing. The complaint 'it works for some users but not others' typically indicates cache state variance. Users who haven't queried recently get new records; users with fresh cache entries retain old records. Patience (waiting for max TTL) or cache flushing resolves this.
DNS caching operates across multiple layers, each serving distinct populations and providing cumulative benefits. Understanding this hierarchy is essential for DNS operations, troubleshooting, and change management.
Key takeaways from this page:
What's next:
We've explored how DNS caching works beneficially. Next, we'll examine the dark side: DNS Cache Poisoning—attacks that exploit caching to inject fraudulent records, redirecting users to malicious servers. Understanding these attacks is essential for secure DNS operations.
You now understand the complete DNS cache hierarchy, from browser to enterprise infrastructure. Each level serves distinct purposes and populations, working together to achieve the high cache hit rates that enable global DNS to function. Next, we'll explore how attackers exploit caching through cache poisoning attacks.