0

I'm querying google.com with dig and I'm having a hard time understanding why TTL values sometimes jump around instead of decrementing every second uniformly (which is my expectation). What am I missing here?

Here's what I'm doing on my Windows machine with dig installed (DiG 9.16.7, from the BIND 9 distribution).

c:\>for /l %i in (1,1,10) do @(sleep 1 & dig @1.1.1.1 +noall +answer google.com)
google.com.             163     IN      A       172.217.19.110
google.com.             168     IN      A       172.217.19.110
google.com.             166     IN      A       172.217.19.110
google.com.             166     IN      A       172.217.19.110
google.com.             157     IN      A       172.217.19.110
google.com.             160     IN      A       172.217.19.110
google.com.             163     IN      A       172.217.19.110
google.com.             160     IN      A       172.217.19.110
google.com.             163     IN      A       172.217.19.110
google.com.             156     IN      A       172.217.19.110

The first response has a TTL of 163, the second is 168, etc. ... my expectation was that TTL decrements until it reaches zero.

Then I searched around and it seems dig doesn't use the host's (OS-level or other) DNS cache (like a browser would), which explains why the number is not decrementing; however, it doesn't answer why it's all over the place.

If I don't specify 1.1.1.1 as the nameserver and instead rely on my ISP, it's even weirder.

c:\>for /l %i in (1,1,10) do @(sleep 1 & dig +noall +answer google.com)
google.com.             56      IN      A       172.217.18.78
google.com.             55      IN      A       172.217.18.78
google.com.             54      IN      A       172.217.18.78
google.com.             52      IN      A       172.217.18.78
google.com.             50      IN      A       172.217.18.78
google.com.             47      IN      A       172.217.18.78
google.com.             48      IN      A       172.217.18.78
google.com.             45      IN      A       172.217.18.78
google.com.             6       IN      A       172.217.19.110
google.com.             64      IN      A       172.217.19.110

I've also tried nslookup -debug google.com but I experience the same with regard to TTL values as with dig.

What am I missing here? Thanks for the input.

1 Answer

4

There are multiple boxes behind 1.1.1.1 or any other similar public DNS resolver. Hence, technically, all those boxes can share their DNS cache, or not.

If they don't, each one will have a different set of records cached, and different TTLs associated with them.

What you observe may seem puzzling but has 0 negative effects on the DNS service.

Patrick Mevzek
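Added example, not part of the original question or answer: a cache that counts a record down returns the remaining TTL, so query time plus TTL is constant for every reply served from the same cache entry, and grouping dig answers by that sum shows how many independent caches answered. The function names, the `tolerance` parameter and the sample timestamps are assumptions made for this illustration; the sample lines are constructed in the format shown in the question.

```python
import re

# One line of `dig +noall +answer` output: name, TTL, class IN, type, rdata.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")

def parse_answer(line):
    """Return (name, ttl, rtype, rdata) for a dig answer line, or None."""
    m = ANSWER_RE.match(line.strip())
    if not m:
        return None
    name, ttl, rtype, rdata = m.groups()
    return name, int(ttl), rtype, rdata

def group_by_cache(samples, tolerance=1):
    """Group (query_time, answer_line) samples by apparent cache entry.

    query_time + ttl is the absolute expiry of the cached record. Samples
    with the same rdata whose expiry agrees within `tolerance` seconds
    (hypothetical parameter) are treated as coming from one cache entry.
    """
    clusters = []  # each: {"expiry": int, "rdata": str, "ttls": [int, ...]}
    for query_time, line in samples:
        parsed = parse_answer(line)
        if parsed is None:
            continue  # skip blank lines, comments, malformed output
        _, ttl, _, rdata = parsed
        expiry = query_time + ttl
        for c in clusters:
            if c["rdata"] == rdata and abs(c["expiry"] - expiry) <= tolerance:
                c["ttls"].append(ttl)
                break
        else:
            clusters.append({"expiry": expiry, "rdata": rdata, "ttls": [ttl]})
    return clusters

# Constructed sample: timestamps (seconds since the first query) are invented.
SAMPLES = [
    (0, "google.com.             163     IN      A       172.217.19.110"),
    (1, "google.com.             168     IN      A       172.217.19.110"),
    (2, "google.com.             161     IN      A       172.217.19.110"),
    (3, "google.com.             166     IN      A       172.217.19.110"),
    (4, "google.com.             159     IN      A       172.217.19.110"),
    (5, "; not an answer line"),
    (6, "google.com.             163     IN      A       172.217.19.110"),
]

if __name__ == "__main__":
    for c in group_by_cache(SAMPLES):
        print(f"expires at t={c['expiry']}s  {c['rdata']}  ttls seen: {c['ttls']}")
```

On the constructed sample the TTLs look erratic (163, 168, 161, 166, ...) but fall into two groups with constant expiry, which is what two backends with separate caches would produce.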