Frank DENIS random thoughts.

On the distribution of DNS TTLs

I recently sampled 348,876,495 valid (actual records exist) A queries processed by OpenDNS servers. This represents 6,263,672 unique names.

And I then made a simple app that dumps the initial TTL (as reported by authoritative servers) for each of these unique names, in order to check what the TTL distribution looks like. This data was then processed with R.

General overview

Well, the TTL distribution looks very unbalanced, to say the least.

Do a lot of people publish records with a TTL that is longer than 30 days?

More than 30 days

No, apparently, only a ridiculously small number of records happen to have a TTL larger than 30 days.

It’s fun to see insane TTLs like 68 years, although these are probably configuration errors.

Let’s zoom into more reasonable TTLs, that are 1 week or less.

7 days or less

Wow. Apparently, even TTLs longer than 1 day are very rare. So let’s shrink the window to TTLs that are no longer than 1 day.

1 day or less

A fair amount of records have been configured with a TTL that is exactly 1 day, but the vast majority seems to be below 4 hours.

Let’s zoom in.

8 hours or less

Ok, at this point, it’s probably reasonable to keep zooming in:

4 hours or less

or with 10 segments: 4 hours or less - 10 segments

This is still a very unbalanced distribution. 4-hour TTLs are common, 1-hour TTLs are more common, but the vast majority seems to be below 15 minutes.

TTLs below 1 hour represent the hot spot, so let’s zoom in:

1 hour or less

There’s a fair number of records with a 1-hour TTL, a large number of records with a TTL below or equal to 10 minutes, and pretty much nothing in-between.

Let’s see what TTLs below 10 minutes look like:

10 minutes or below

So, records within this interval are either below 5 minutes (with peaks at 1 minute and 2 minutes), or 10 minutes.

In summary:

TTL = 0: 0.16 %
TTL <= 1 minute: 9.84 %
TTL <= 2 minutes: 16.32 %
TTL <= 5 minutes: 39.88 %
TTL <= 1 hour: 70.07 %
TTL <= 1 day: 98.89 %

Looks like there are still ways to make the internet faster.
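
The cumulative summary above can be reproduced on any sample of answers. The following is an added example, not the app or the R code used for this post: it assumes the answers are available as presentation-format lines (as printed by tools like dig) collected from authoritative servers, and the names, addresses and TTLs in the sample are constructed.

```python
import re
from bisect import bisect_right

# Thresholds in seconds, matching the rows of the summary on this page.
THRESHOLDS = [("TTL = 0", 0), ("TTL <= 1 minute", 60), ("TTL <= 2 minutes", 120),
              ("TTL <= 5 minutes", 300), ("TTL <= 1 hour", 3600), ("TTL <= 1 day", 86400)]
THIRTY_DAYS = 30 * 86400
# One answer line in presentation format: name, TTL, class, type, IPv4 address.
A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.I)

def initial_ttls(lines):
    """Map each unique name to the first TTL seen for it (one vote per name)."""
    ttls = {}
    for line in lines:
        m = A_RECORD.match(line.strip())
        if m:  # comments, other record types and malformed lines are skipped
            name = m.group(1).rstrip(".").lower()  # names are case-insensitive
            ttls.setdefault(name, int(m.group(2)))
    return ttls

def cumulative_shares(ttls):
    """Percentage of unique names whose TTL is at or below each threshold."""
    values = sorted(ttls.values())
    if not values:
        return {}
    return {label: round(100.0 * bisect_right(values, limit) / len(values), 2)
            for label, limit in THRESHOLDS}

def outliers(ttls, limit=THIRTY_DAYS):
    """Names whose TTL exceeds the limit: the probable configuration errors."""
    return sorted(name for name, ttl in ttls.items() if ttl > limit)

# Constructed sample; 2147483647 seconds is roughly 68 years.
SAMPLE = """\
a.example. 0 IN A 192.0.2.1
b.example. 60 IN A 192.0.2.2
B.EXAMPLE. 300 IN A 192.0.2.2
c.example. 120 IN A 192.0.2.3
d.example. 300 IN A 192.0.2.4
e.example. 300 IN A 192.0.2.5
f.example. 600 IN A 192.0.2.6
g.example. 3600 IN A 192.0.2.7
h.example. 14400 IN A 192.0.2.8
i.example. 86400 IN A 192.0.2.9
j.example. 2147483647 IN A 192.0.2.10
k.example. 300 IN AAAA 2001:db8::1
"""

if __name__ == "__main__":
    sample_ttls = initial_ttls(SAMPLE.splitlines())
    print(cumulative_shares(sample_ttls), outliers(sample_ttls))
```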