127

I would like to see the Time-To-Live (TTL) value for a CNAME record.

I have access to dig (on Apple Mac OS X), which gives me an answer like this:

% dig host.example.gov
<*SNIP*>
;; ANSWER SECTION:
host.example.gov.       43200   IN  CNAME   host1.example.gov.
host1.example.gov.      43200   IN  A       192.168.16.10

Is the value '43200' the TTL for this DNS record?

Stefan Lasiewski
  • 22,949
  • 38
  • 129
  • 184

4 Answers

152

Yes, the number there is the number of seconds left until that record expires (providing we're not querying the authoritative nameserver). Obviously with a CNAME there's a level of redirection, so the TTL for the A record it points to in this case may be important as well.

If you wait a couple of seconds and run dig again on your local nameserver, you should see that TTL number decrease by the number of seconds you waited (approximately). When it hits 0, it'll refresh or if your nameserver refreshes the zone for some reason.

As mentioned above, there is a difference between dig being run against a nameserver with a cached entry and the nameserver that is authoritative for that entry.

(In the examples below I use the +noauthority, +noquestion and +nostats flags just to keep the output terse.)

Note the difference between the following queries:

$ dig +noauthority +noquestion +nostats stackoverflow.com @ns2.p19.dynect.net.

; <<>> DiG 9.7.0-P1 <<>> +noauthority +noquestion +nostats stackoverflow.com @ns2.p19.dynect.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50066
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; ANSWER SECTION:
stackoverflow.com.  432000  IN  A   69.59.196.211

So in the above query, we're querying a nameserver that is authoritative for stackoverflow.com. If you notice the flags section, pay special attention to the aa flag which denotes this is an authoritative answer (i.e. not cached).

$ dig +noauthority +noquestion +noadditional +nostats stackoverflow.com 

; <<>> DiG 9.7.0-P1 <<>> +noauthority +noquestion +noadditional +nostats stackoverflow.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43514
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; ANSWER SECTION:
stackoverflow.com.  246696  IN  A   69.59.196.211

In the above query, we don't have an aa flag, and the TTL will keep decreasing as we query and query. This is essentially the counter I was talking about previously.

Philip Reynolds
  • 9,751
  • 1
  • 32
  • 33
  • In the second example the TTL of 246696 means that the nameserver (which returned the address of 69.59.196.211) fetched the answer from its cache and it'll do so for another 246696 seconds, right? After which it'll reach out to the authoritative nameserver or to another non-authoritative one and cache the results got from there, right? Thanks for the clarification. Having a hard time with this one. – Kohányi Róbert Oct 16 '20 at 20:58
60

If you happen to be stuck on a windows box and only have access to nslookup:

nslookup -qa=A -debug host.example.com authoritative-dns-host-here.com
M Sleman
  • 1,091
  • 9
  • 5
17

Is the value '43200' the TTL for this DNS record?

Yes - as reported to you by the server that answered your query (if you're asking a caching server it will return the remaining time in its cache).

To see the TTL set on the actual record query the authoritative nameserver (dig @some.dns.server host.example.gov - The authoritative DNS servers will be listed in the Authority section of the dig output)

Quick check to see if you're asking the authoritative NS: If you run dig again and the TTL changes you're probably hitting a cache. If it stays the same you're probably asking the authoritative server (or one that has broken caching).

voretaq7
  • 79,345
  • 17
  • 128
  • 213
  • 1
    if ttl doesn't change it could just be one that believes itself to be authoritative: the domain owner may have changed DNS server without shutting the old one down.... had that problem last month. – Jasen Jul 12 '15 at 23:29
  • 2
    @Jasen Yes, that's definitely possible (It indicates something important as well: The DNS admin will be buying drinks at the next company outing for screwing up the migration!) – voretaq7 Jul 13 '15 at 15:26
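The two checks described in Philip Reynolds's and voretaq7's answers (look for the aa flag, and watch whether the TTL shrinks between two runs) can be scripted. The helpers below are an added example, not code from any of the answers; they read the text dig prints on stdin, and the dig outputs they are run against are constructed samples modelled on the ones quoted in the thread (the 3600-second A record and the second run ten seconds later are made up, not captures). They also extend the CNAME point from the first answer: the smallest TTL in the answer section is the time after which a resolver must refetch some link of the chain.

```bash
#!/bin/bash
# Added example, not code from the answers above: helpers that read dig output
# on stdin and answer "is this answer authoritative?" and "how long will it be
# cached?".

# Exit 0 when the flags line carries "aa" (authoritative answer), 1 otherwise.
dig_is_authoritative() {
    grep -q '^;; flags:.* aa[ ;]'
}

# Print "owner type ttl" for every record in the ANSWER SECTION.
dig_answer_ttls() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && NF >= 5  { print $1, $4, $2 }
    '
}

# Smallest TTL in the answer. With a CNAME chain this is the time until a
# resolver has to refetch some link of the chain, which is why the TTL of
# the target A record matters as well as the CNAME's.
dig_effective_ttl() {
    dig_answer_ttls | awk 'NR == 1 || $3 + 0 < min { min = $3 + 0 } END { if (NR) print min }'
}

# voretaq7's quick check, given the output of two successive runs of the same
# query: a shrinking TTL means a cache; an unchanged TTL, or the aa flag,
# points at an authoritative server (or one with broken caching).
dig_ttl_source() {
    local first="$1" second="$2" t1 t2
    t1=$(printf '%s\n' "$first" | dig_effective_ttl)
    t2=$(printf '%s\n' "$second" | dig_effective_ttl)
    if [ -z "$t1" ] || [ -z "$t2" ]; then
        echo "no-answer"
        return 1
    fi
    if printf '%s\n' "$second" | dig_is_authoritative; then
        echo authoritative
    elif [ "$t2" -lt "$t1" ]; then
        echo cache
    else
        echo "authoritative-or-broken-cache"
    fi
}

# Constructed sample outputs modelled on the thread, not real captures.
# Two runs, ten seconds apart, against a caching resolver: no aa flag, and
# every TTL has ticked down by ten.
CACHE_RUN_1=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43514
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
host.example.gov.       43200   IN  CNAME   host1.example.gov.
host1.example.gov.      3600    IN  A       192.168.16.10
EOF
)
CACHE_RUN_2=$(printf '%s\n' "$CACHE_RUN_1" | sed 's/43200/43190/; s/3600/3590/')

# One run against the authoritative server: aa flag set, TTL as configured.
AUTH_RUN=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50066
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; ANSWER SECTION:
stackoverflow.com.  432000  IN  A   69.59.196.211
EOF
)

printf '%s\n' "$CACHE_RUN_1" | dig_answer_ttls      # host.example.gov. CNAME 43200, then host1.example.gov. A 3600
printf '%s\n' "$CACHE_RUN_1" | dig_effective_ttl    # 3600
dig_ttl_source "$CACHE_RUN_1" "$CACHE_RUN_2"        # cache
dig_ttl_source "$AUTH_RUN" "$AUTH_RUN"              # authoritative
```

To use it on live output, capture two runs a few seconds apart (dig stackoverflow.com > run1; sleep 5; dig stackoverflow.com > run2) and pass the contents to dig_ttl_source; the aa test short-circuits the comparison because an authoritative server never counts its TTL down.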
9

I couldn't see the authoritative servers in the default dig output, but the following

dig +nssearch host.example.com

returned them, which could then be used as described by voretaq7 to get the actual TTL value for the record.

Update: kept forgetting how to do this and having to come back, so wrote a little script to first fetch the authoritative nameserver then dig using it.

#!/bin/bash

show_help(){
        echo "Usage: $0 domain [extra dig arguments]"
}

if [ -z "$1" ]; then
        show_help
        exit 1
fi

DOMAIN=$1
# Keep only the last two labels (host.example.gov -> example.gov); a name
# under a two-label suffix such as co.uk would need a different rule.
APEX_DOMAIN=$(echo "$DOMAIN" | sed 's/\(.*\.\)\([^.]*\.[^.]*\)/\2/')
# Primary nameserver (SOA MNAME) reported by +nssearch, with the trailing dot removed.
FIRST_AUTHORITATIVE_NS=$(dig +nssearch "$APEX_DOMAIN" | awk '$1=="SOA"{sub(/\.$/,"",$2);print $2;exit;}')

if [ -z "$FIRST_AUTHORITATIVE_NS" ]; then
        echo "No SOA found for $APEX_DOMAIN" >&2
        exit 1
fi

echo
echo "Using authoritative nameserver $FIRST_AUTHORITATIVE_NS"

dig "@$FIRST_AUTHORITATIVE_NS" "$@"
Bruno Bronosky
  • 4,429
  • 3
  • 24
  • 32
Adam
  • 266
  • 2
  • 4
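The script in the answer above fixes the zone apex at the last two labels, which is wrong for names under suffixes like co.uk. The following is an added example, not Adam's script or any project's code, that instead walks up the labels with dig +nssearch until a zone with an SOA answers, then queries that zone's primary server for the record's configured TTL. The dig command is taken from the DIG variable so the example can run without network against fake_dig, a stub whose output is constructed for this example (ns1.example.gov and the 43200 TTL are assumed values, not real data); set DIG=dig to use the real tool.

```bash
#!/bin/bash
# Added example, not from the thread: find the zone apex of a hostname by
# walking up its labels with "dig +nssearch", take the SOA primary server,
# then query it directly so the TTL shown is the configured one rather than
# a cache countdown. DIG may point at a stub so the example runs offline.

DIG=${DIG:-dig}

# Primary nameserver (SOA MNAME) for a zone; prints nothing if +nssearch
# finds no SOA for that exact name.
zone_primary_ns() {
    "$DIG" +nssearch "$1" | awk '$1 == "SOA" { sub(/\.$/, "", $2); print $2; exit }'
}

# host.sub.example.co.uk -> sub.example.co.uk -> example.co.uk -> ... until a
# zone with an SOA is found. Prints "zone primary_ns", or returns 1 if none.
find_zone_and_ns() {
    local name="$1" ns
    while [ -n "$name" ]; do
        ns=$(zone_primary_ns "$name")
        if [ -n "$ns" ]; then
            echo "$name $ns"
            return 0
        fi
        case "$name" in
            *.*) name=${name#*.} ;;   # drop the leftmost label
            *)   name= ;;             # nothing left to strip
        esac
    done
    return 1
}

# TTL of the first answer record for NAME as configured at the zone's primary.
authoritative_ttl() {
    local name="$1" zone_ns ns
    zone_ns=$(find_zone_and_ns "$name") || return 1
    ns=${zone_ns#* }
    "$DIG" +noall +answer "@$ns" "$name" | awk 'NR == 1 { print $2; exit }'
}

# Constructed stand-in for dig (assumed data, not a real capture): only
# example.gov has an SOA, and its primary answers host.example.gov with the
# 43200-second CNAME from the question.
fake_dig() {
    case "$*" in
        "+nssearch example.gov")
            echo "SOA ns1.example.gov. hostmaster.example.gov. 2024010101 7200 900 1209600 3600 from server 192.0.2.53 in 12 ms." ;;
        "+noall +answer @ns1.example.gov host.example.gov")
            echo "host.example.gov.  43200  IN  CNAME  host1.example.gov." ;;
        *)
            return 0 ;;   # any other name: no SOA, no answer
    esac
}

DIG=fake_dig
find_zone_and_ns host.example.gov    # example.gov ns1.example.gov
authoritative_ttl host.example.gov   # 43200
```

Against real servers the loop stops at the first ancestor that owns an SOA, so host.example.co.uk resolves to the example.co.uk zone rather than to co.uk; as voretaq7 notes, the value printed is then the TTL the zone owner configured, not a remaining-seconds counter.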