The myth of DNS “propagation” needs to die. Changed DNS entries do not “propagate”. The old cached DNS entries in DNS resolvers simply expire, in an arbitrary order. DNS resolvers are not linked geographically; there is no “propagation”.
If this tool was querying a list of widely-used public (and/or private) DNS resolvers, it might be useful. But pretending that DNS entries propagate geographically does not do anyone any favors.
> The old cached DNS entries in DNS resolvers simply expire, in an arbitrary order.
I really wish that was so. There's lots of weird resolvers out there used by weird ISPs that don't properly respect the TTL value. Setting TTL to some really low number a full day before making a major change is no guarantee that your zone will expire in a bunch of places. All kinds of weird ISPs try to do things with the dns results they present to their customers.
a) different DNS systems get the change out to all the authoritatives different ways. Some of them with much delay. Delays are hopefully minimal on modern systems, but I've worked with bad systems where you change dns in the api and it takes minutes and sometimes hours for the authoritatives to start returning new results; traditional notify/axfr based systems often have a queue of several seconds at least.
b) as resolver caches expire, new queries will hopefully get new answers (as long as the authoritatives get updated per a), and eventually you get the new results everywhere except for resolvers that do terrible things...
When the change is made and it takes time for the results to show up everywhere, I think propagate is a reasonable verb. You could use disperse or diffuse or something else, but you need a verb to let people know it's going to take time for your changes to be visible everywhere.
I don't know that propagate necessary implies the change becomes visible in an orderly way. 'Around the globe' doesn't really either, it's just observing from around the globe as resolvers get new data.
What verb do you prefer to use to describe how unsychronized caches obtain new values?
The delays are almost always self inflicted by people who've blindly put 36400 in the TTL field like some sort of magic charm rather than considering how long they want the cache expiry to be. Long ago I was one of them and then I had the company greybeard point out that DNS record updates are a thing we had control over - just drop the TTL to 30 seconds or whatever a day before a planned change of servers and (barring the odd stubborn resolver which thinks it knows better than you do) the time it takes for those caches to refresh goes from 24 hours to 30 seconds.
djbdns/tinydns can schedule a change and give out a lower and lower TTL the nearer the changeover time gets - a quick search doesn't show any newer implementations but this is surely a good way to do it.
My interpretation of the concern is that propagate implies that the new value is being pushed out to other resolvers, when in fact those other resolvers pull the new value (once their cached value expires).
What's the actual issue? Are you being frustrated by people laboring under the assumption that DNS records are being sent by carrier pidgeon or something?
> There is no geographical connection whatsoever.
DNS censorship will presumably be based on geopolitical boundaries, which in turn are bound by geography. And I wouldn't be entirely suprised if poor network connections - including those potentially geographically bound (poor weather / flooding / tornados severing or degrading links or power) had some (minor, infrequent) impact on the rate stale cache entries are evicted in favor of fresh ones.
Granted, none of that means a DNS resolver halfway across the globe from the authoritative servers can't typically get updated results <200ms (≈light speed), which is safely ignorable / won't be visible as records propagating from geographic neighbor to geographic neighbor. And granted further, I'm both too boring to censor, and too smart to be on call for anything that would make me aware of global outage reports - so the map is admittedly useless to me beyond farming that hacker vibe aura.
But I imagine there's at least one or two dudes out there that'll see a red dot in, say, Australia - and that'll save them a few minutes, by giving them a shortcut to determining the root cause of some issue reported in Australia by letting them correctly guess/blame stale DNS records.
Yes, I am constantly needing to disabuse people of their misconception that DNS changes start to apply gradually by geographic distance, instead of applying arbitrarily by pure chance of when each resolver happened to query the record previously.
> What's the actual issue? Are you being frustrated by people laboring under the assumption that DNS records are being sent by carrier pidgeon or something?
The actual issue is that some people misunderstand how DNS works, and the notion that records propagate doesn't help people understand it better. It propagates a misunderstanding of DNS.
That's what the tool is doing - querying a bunch of public resolvers around the world to see the state of what they resolve to. Since end users usually use DNS servers close to their location, this gives an idea, around the world, of who sees what.
Agreed, this is a cache that expires and refreshes from the source DNS server. It just looks like a virus that propagates when the cache expires.
> It just looks like a virus that propagates when the cache expires.
No it does not. The changes do not happen geographically. There is no geographical connection whatsoever. Calling the tool “DNSGlobe”, and displaying a map, only further reinforces the myth.
Thank you. I have this discussion all the time. The argument I get back "Right, but it seems like the change takes awhile because of the DNS cache expiring, so it's the same as propagating". My counter to that is to say "If I punch you in the mouth, would you just tell people I'd asked you be to be quiet, or would you use the right explanation as to what'd happened?"
(It's a stupid counterargument, btw, but it ends the discussion)
Just FYI, those discussions might be ending because your analogy comes across as a threat to punch them in the mouth, rather than because it convinces them.
But is there a functional difference between push and pull in this case? Is there something that cannot be explained in terms of propagation? Perhaps timing: there's no reason for propagation to wait an hour or a day.
BTW, only last week I explained a potential problem of a DNS change with caching, and it was understood. There doesn't seem to be a need to simplify it.
There is absolutely a reason for propagation to wait an hour or a day, and you've set that value in the TTL field for the record in question. It stands for Time To Live and specifies how long downstream resolvers should cache the last value they saw before querying the authoritative server again, if you set that value to a few seconds then almost every DNS resolver in the world will get updated values within a few seconds as they expire the cached value.
Ehh do you remember the defaults back in the day? And how long local vs intermediary vs backbone TTLs could be cached for, even above and beyond the set TTL?
The propagation part refers to how long it would take for all those cached requests to expire and when you could tell some random client they should be able to see the new value. Especially when you forgot to lower the TTL ahead of time.
It’s a term of art and it’s fine.
Oh that reminds me. I made a bunch of DNS changes a while ago and left all the TTLs set to 5 minutes. I should up them.
This is an example of the myth in action. There are no such things. There is a single resolver, which you use, and a set of authoritative server, which that resolver will query when the TTL in the resolver’s cache times out. There is no chain of resolvers.
What do you call it when an application queries systemd-resolved and systemd-resolved queries PiHole and PiHole queries your home router and your home router queries your ISP? What is that if not a chain?
There is no such myth that I'd be aware of, and I seriously doubt the author behind this would be operating under such a misunderstanding either. Maybe you used to at some point, but then that's a separate issue.
Propagation is just an incremental spread across a topology. Doesn't need to be a physical topology whatsoever.
It may seem like this program suggests a physical propagation as far as its elevator pitch goes, but one glance at the readme clears it up pretty quickly that that's not actually the case.
Changes do propagate, and seeing funny blinking lights on a world map is cool. Doesn't mean there'd be an intent to convey the process as a geographical spread.
What's with the rust community and terminals? I get that gui's are tedious in those languages, but surely you don't have to write everything in rust? Or has rust become the be-all-and-end-all for them?
You take the `other`, do a `to_string()` on it, which creates a String representation. Then you pass a reference to that String, and, in the case it doesn't contain `time out` or `timeout` or `refused`, the reference gets turned AGAIN into a String (i.e. new allocation), truncated to 48, and then returned.
There is no check whether that the character at the 48th byte is a character boundary.
Add to that the fact that this is a Rust project with the oldest commit created yesterday and it is using the 2021 edition.
The very first thing written about this tool is the programming language it's written in.
Like, when I'm querying a bunch of DNS servers, it is crucial for me to know which compilable language it was written in. Like, the most important thing.
It's gotten to the point that the moment I see "Rust" and "TUI" together, I immediately assume it's vibe coded. The combination just seems to be vibe coders' favorite, for some reason.
Quite mixed on this one given that the author has experience with Rust before coding agents and this is just his toy project.
There is going to be a time where these vibe coded projects have silent bugs, vulnerabilities or unnecessary performance issues and the AI coding agent just lies to the user that it has none.
The AI agent will be the one to introduce new issues in the codebase regardless of "tests". The new issue is now the non-technical human vibe-coding is none the wiser.
We have already seen this in Codex itself. Imagine this propagated in many other code-bases.
Having created and debugged human-written code with silent bugs, vulnerabilities, or unnecessary performance issues since my first day on the job, and pointing you to myriad companies with bugs and vulnerabilities that existed pre-AI, all I can say is "plus ça change, plus c'est la même chose."
The myth of DNS “propagation” needs to die. Changed DNS entries do not “propagate”. The old cached DNS entries in DNS resolvers simply expire, in an arbitrary order. DNS resolvers are not linked geographically; there is no “propagation”.
If this tool was querying a list of widely-used public (and/or private) DNS resolvers, it might be useful. But pretending that DNS entries propagate geographically does not do anyone any favors.
> The old cached DNS entries in DNS resolvers simply expire, in an arbitrary order.
I really wish that was so. There's lots of weird resolvers out there used by weird ISPs that don't properly respect the TTL value. Setting TTL to some really low number a full day before making a major change is no guarantee that your zone will expire in a bunch of places. All kinds of weird ISPs try to do things with the dns results they present to their customers.
a) different DNS systems get the change out to all the authoritatives different ways. Some of them with much delay. Delays are hopefully minimal on modern systems, but I've worked with bad systems where you change dns in the api and it takes minutes and sometimes hours for the authoritatives to start returning new results; traditional notify/axfr based systems often have a queue of several seconds at least.
b) as resolver caches expire, new queries will hopefully get new answers (as long as the authoritatives get updated per a), and eventually you get the new results everywhere except for resolvers that do terrible things...
When the change is made and it takes time for the results to show up everywhere, I think propagate is a reasonable verb. You could use disperse or diffuse or something else, but you need a verb to let people know it's going to take time for your changes to be visible everywhere.
I don't know that propagate necessary implies the change becomes visible in an orderly way. 'Around the globe' doesn't really either, it's just observing from around the globe as resolvers get new data.
What verb do you prefer to use to describe how unsychronized caches obtain new values?
> Delays are hopefully minimal on modern systems
The delays are almost always self inflicted by people who've blindly put 36400 in the TTL field like some sort of magic charm rather than considering how long they want the cache expiry to be. Long ago I was one of them and then I had the company greybeard point out that DNS record updates are a thing we had control over - just drop the TTL to 30 seconds or whatever a day before a planned change of servers and (barring the odd stubborn resolver which thinks it knows better than you do) the time it takes for those caches to refresh goes from 24 hours to 30 seconds.
djbdns/tinydns can schedule a change and give out a lower and lower TTL the nearer the changeover time gets - a quick search doesn't show any newer implementations but this is surely a good way to do it.
My interpretation of the concern is that propagate implies that the new value is being pushed out to other resolvers, when in fact those other resolvers pull the new value (once their cached value expires).
Percolate?
> The myth of DNS “propagation” needs to die.
What's the actual issue? Are you being frustrated by people laboring under the assumption that DNS records are being sent by carrier pidgeon or something?
> There is no geographical connection whatsoever.
DNS censorship will presumably be based on geopolitical boundaries, which in turn are bound by geography. And I wouldn't be entirely suprised if poor network connections - including those potentially geographically bound (poor weather / flooding / tornados severing or degrading links or power) had some (minor, infrequent) impact on the rate stale cache entries are evicted in favor of fresh ones.
Granted, none of that means a DNS resolver halfway across the globe from the authoritative servers can't typically get updated results <200ms (≈light speed), which is safely ignorable / won't be visible as records propagating from geographic neighbor to geographic neighbor. And granted further, I'm both too boring to censor, and too smart to be on call for anything that would make me aware of global outage reports - so the map is admittedly useless to me beyond farming that hacker vibe aura.
But I imagine there's at least one or two dudes out there that'll see a red dot in, say, Australia - and that'll save them a few minutes, by giving them a shortcut to determining the root cause of some issue reported in Australia by letting them correctly guess/blame stale DNS records.
Yes, I am constantly needing to disabuse people of their misconception that DNS changes start to apply gradually by geographic distance, instead of applying arbitrarily by pure chance of when each resolver happened to query the record previously.
>> The myth of DNS “propagation” needs to die.
> What's the actual issue? Are you being frustrated by people laboring under the assumption that DNS records are being sent by carrier pidgeon or something?
The actual issue is that some people misunderstand how DNS works, and the notion that records propagate doesn't help people understand it better. It propagates a misunderstanding of DNS.
DNSGlobe – Rust TUI to watch misunderstandings about DNS propagate around the world (github.com/514-labs)
There I fixed it for you.
That's what the tool is doing - querying a bunch of public resolvers around the world to see the state of what they resolve to. Since end users usually use DNS servers close to their location, this gives an idea, around the world, of who sees what.
Agreed, this is a cache that expires and refreshes from the source DNS server. It just looks like a virus that propagates when the cache expires.
> It just looks like a virus that propagates when the cache expires.
No it does not. The changes do not happen geographically. There is no geographical connection whatsoever. Calling the tool “DNSGlobe”, and displaying a map, only further reinforces the myth.
Thank you. I have this discussion all the time. The argument I get back "Right, but it seems like the change takes awhile because of the DNS cache expiring, so it's the same as propagating". My counter to that is to say "If I punch you in the mouth, would you just tell people I'd asked you be to be quiet, or would you use the right explanation as to what'd happened?"
(It's a stupid counterargument, btw, but it ends the discussion)
Just FYI, those discussions might be ending because your analogy comes across as a threat to punch them in the mouth, rather than because it convinces them.
But is there a functional difference between push and pull in this case? Is there something that cannot be explained in terms of propagation? Perhaps timing: there's no reason for propagation to wait an hour or a day.
BTW, only last week I explained a potential problem of a DNS change with caching, and it was understood. There doesn't seem to be a need to simplify it.
There is absolutely a reason for propagation to wait an hour or a day, and you've set that value in the TTL field for the record in question. It stands for Time To Live and specifies how long downstream resolvers should cache the last value they saw before querying the authoritative server again, if you set that value to a few seconds then almost every DNS resolver in the world will get updated values within a few seconds as they expire the cached value.
Ehh do you remember the defaults back in the day? And how long local vs intermediary vs backbone TTLs could be cached for, even above and beyond the set TTL?
The propagation part refers to how long it would take for all those cached requests to expire and when you could tell some random client they should be able to see the new value. Especially when you forgot to lower the TTL ahead of time.
It’s a term of art and it’s fine.
Oh that reminds me. I made a bunch of DNS changes a while ago and left all the TTLs set to 5 minutes. I should up them.
> local vs intermediary vs backbone TTLs
This is an example of the myth in action. There are no such things. There is a single resolver, which you use, and a set of authoritative server, which that resolver will query when the TTL in the resolver’s cache times out. There is no chain of resolvers.
What do you call it when an application queries systemd-resolved and systemd-resolved queries PiHole and PiHole queries your home router and your home router queries your ISP? What is that if not a chain?
There is no such myth that I'd be aware of, and I seriously doubt the author behind this would be operating under such a misunderstanding either. Maybe you used to at some point, but then that's a separate issue.
Propagation is just an incremental spread across a topology. Doesn't need to be a physical topology whatsoever.
It may seem like this program suggests a physical propagation as far as its elevator pitch goes, but one glance at the readme clears it up pretty quickly that that's not actually the case.
Changes do propagate, and seeing funny blinking lights on a world map is cool. Doesn't mean there'd be an intent to convey the process as a geographical spread.
What's with the rust community and terminals? I get that gui's are tedious in those languages, but surely you don't have to write everything in rust? Or has rust become the be-all-and-end-all for them?
You can do GUI/web easily enough in Rust, but as this is DNS and so most users will be network/sysadmin types, their natural habitat is the terminal.
Rust is taking over from C/C++ (as per US Government guidance on using more secure languages) and so is attracting the most hardcore programmers.
Libraries for everything: https://crates.io
p.s. stop being so grumpy!
Vibe-coded. Sorry.
https://github.com/514-labs/dnsglobe/blob/c29802162636832e88...
You take the `other`, do a `to_string()` on it, which creates a String representation. Then you pass a reference to that String, and, in the case it doesn't contain `time out` or `timeout` or `refused`, the reference gets turned AGAIN into a String (i.e. new allocation), truncated to 48, and then returned.
There is no check whether that the character at the 48th byte is a character boundary.
Add to that the fact that this is a Rust project with the oldest commit created yesterday and it is using the 2021 edition.
Be better.
The very first thing written about this tool is the programming language it's written in.
Like, when I'm querying a bunch of DNS servers, it is crucial for me to know which compilable language it was written in. Like, the most important thing.
It's gotten to the point that the moment I see "Rust" and "TUI" together, I immediately assume it's vibe coded. The combination just seems to be vibe coders' favorite, for some reason.
It must be because if you program in Rust, you don't have bugs ;)
That's not whose favorite it is; it's the favorite of who's doing the work. :)
> The combination just seems to be vibe coders' favorite, for some reason.
It's the secret key to HN front page!
This was 100% vibe-coded with Claude Code and Fable.
https://x.com/thatsFrScience/status/2073741209592295866
Thanks for the feedback, though, and for taking the time to look at the code. I can ship a round of cleanup.
Nothing wrong with vibecoding a toy project.
There is if you present it to others without telling anyone it’s slop.
For some vague reason you can't really articulate, that's a bad thing?
Quite mixed on this one given that the author has experience with Rust before coding agents and this is just his toy project.
There is going to be a time where these vibe coded projects have silent bugs, vulnerabilities or unnecessary performance issues and the AI coding agent just lies to the user that it has none.
The AI agent will be the one to introduce new issues in the codebase regardless of "tests". The new issue is now the non-technical human vibe-coding is none the wiser.
We have already seen this in Codex itself. Imagine this propagated in many other code-bases.
Having created and debugged human-written code with silent bugs, vulnerabilities, or unnecessary performance issues since my first day on the job, and pointing you to myriad companies with bugs and vulnerabilities that existed pre-AI, all I can say is "plus ça change, plus c'est la même chose."
Addressed the feedback
Aren’t there websites already that check global DNS servers to check TTL expiry of DNS records?
There are many; I often use <https://dnschecker.org/>
Yeah, I used to use https://www.whatsmydns.net/. I wanted it in the terminal without ads.
It's called DNSGlobe but it does not feature a globe, only a map :(
Rust terminal apps are the bees knees right now
Not sure of why everyone is negative against this tool?
I quite like it. Thanks for sharing!
I like it too. I'll almost certainly get a lot of use out of this and not once will I ever get upset that it uses the word propagation.
I like it. Tell the vibe-coder haters to take a hike. Suggestion: It would be helpful if you could sort by COLUMN or group by LOCATION.
Keep on vibin'.
Released a new version with the suggestion ;)
Thanks for the feedback!