Back to Blog
Networking

TTL (Time to Live) in Networking: A Real Explanation

By Kunal KhatriMar 10, 2026
TTL (Time to Live) in Networking: A Real Explanation

Time to Live is one of those terms that means something slightly different depending on the context. In IP networking it's a hop counter that prevents packets from circulating forever. In DNS it's a cache duration that tells resolvers how long to keep a record. Both uses solve the same underlying problem: stale data causing problems in a distributed system.

IP Packet TTL

Every IP packet has a TTL field in its header — a number set by the sender, typically 64 or 128. Each router that forwards the packet decrements the TTL by one. When TTL reaches zero, the router discards the packet and sends an ICMP Time Exceeded message back to the source. This prevents routing loops from causing packets to circulate indefinitely.

Traceroute exploits this mechanism deliberately. It sends packets with TTL values of 1, 2, 3, 4... and so on. The packet with TTL 1 expires at the first router, which reports back. TTL 2 expires at the second router. By collecting all the Time Exceeded responses, traceroute maps the entire path.

DNS Record TTL

In DNS, TTL is different. It's a time value in seconds that tells resolvers how long to cache a DNS record before querying authoritative servers again. An A record with TTL 3600 can be cached for one hour. A record with TTL 300 expires after five minutes and is re-fetched more frequently.

TTL is a ceiling, not a guarantee. Resolvers must respect TTLs and not cache longer than specified. But negative caching (caching of NXDOMAIN responses) has its own TTL, and some resolvers have minimum TTL floors — they won't honour anything shorter than 30 seconds even if you request it.

Choosing DNS TTL Values

High TTLs (3600-86400) reduce DNS query load and improve performance — responses come from resolver caches rather than authoritative servers. Low TTLs (60-300) allow faster propagation of changes — useful when you're about to change server IPs or need to fail over quickly. The downside of low TTLs is increased query volume to your authoritative nameservers.

The practical advice: run high TTLs normally. Before a planned IP change — migrating servers, changing hosting providers — lower the TTL to 300 seconds at least 48 hours before the change. This ensures all cached records expire quickly once you make the switch. After the change is confirmed stable, raise TTLs again.

TTL Outside DNS: Cache Headers and Beyond

The TTL concept appears beyond DNS. HTTP cache headers use similar logic. The Cache-Control: max-age=3600 header tells browsers and intermediate caches to hold the response for 3,600 seconds before re-fetching. The Expires header does the same thing with an absolute timestamp. CDN and proxy caches respect these headers when deciding whether to serve a cached response or check with the origin server.

In network security, TTL values in IP packets are sometimes used for OS fingerprinting. Windows defaults to a starting TTL of 128. Linux and macOS default to 64. Cisco routers default to 255. When you receive a packet with a TTL of 117, the remote host probably started with 128 and passed through 11 hops. When you receive one with TTL 54, it probably started with 64. This inference is imperfect — admins can change default TTLs — but it's a useful signal in network reconnaissance and is part of how tools like p0f do passive OS fingerprinting.

Look Up DNS and IP Information

Check TTL values and full DNS records for any domain or IP address.

WHOIS Lookup
KK

About Kunal Khatri

Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.

Share this article: