Understanding "cached" vs "forwarded"

Please follow the below template, it will help us to help you!

Expected Behaviour:

A whitelisted server IP address is cached and the cache entry is used

Actual Behaviour:

Same host is used as forwarded and direclty afterwards as cached

2019-09-09 14:51:02 |A    | cdws.us-east-1.amazonaws.com   |hades   | OK (forwarded)     | IP (39.6ms)
2019-09-09 14:51:02 |AAAA | cdws.us-east-1.amazonaws.com   |hades   | OK (cached)        | NODATA (0.4ms)
2019-09-09 15:36:04	|A	  | cdws.us-east-1.amazonaws.com   |hades	| OK (forwarded)	 | IP (42.3ms)
2019-09-09 15:43:36	|AAAA |	cdws.us-east-1.amazonaws.com   |hades	| OK (forwarded)	 | NODATA (44.4ms)


|2019-09-09 15:47:12  |A    |ping.ubnt.com |hades |OK (forwarded)      |CNAME (18.2ms)
|2019-09-09 15:46:59  |A    |ping.ubnt.com |hades |OK (cached)         |CNAME (0.2ms)
|2019-09-09 15:46:12  |A    |ping.ubnt.com |hades |OK (forwarded)      |CNAME (19.9ms)
|2019-09-09 15:46:02  |A    |ping.ubnt.com |hades |OK (cached)         |CNAME (0.2ms)


Debug Token:


To be able to cache a result you first have to ask (forward) a resolve (IP address) of a domain.

A non IP address resolve is also cached for the duration of the stated TTL. After that it should be rechecked if what is the current resolve is of that domain.

TTL = Time To Live

Hi, yes, I understand that.
But why is it forwarded even after it has been cached?
In less than 60min it is being forwarded again.

That is determined by the TTL of the domain itself.


1 Like

If you look at the output of a dig for each of those domains, you will see the TTL in the answer section. The TTLs for these domains are very short. Your TTL may vary, depending on which upstream server you are using with Cloudflared.

dig ping.ubnt.com @

ping.ubnt.com.		  143	IN	CNAME	dl.ubnt.com.
dl.ubnt.com.		  143	IN	CNAME	d2cnv2pop2xy4v.cloudfront.net.
d2cnv2pop2xy4v.cloudfront.net. 9 IN	A
 dig cdws.us-east-1.amazonaws.com @

cdws.us-east-1.amazonaws.com. 12 IN	A
1 Like

On those shown TTL of 143 and 12 seconds, the clock was already running for removal from cache.

For both show domains the TTL is 300, so 5 minutes and a change of IP address for that domain is changed then the old IP address will stay in your cache for maximal 300 seconds.

Every client like Pi-hole, Windows has their own cache and because all clients in the steam will have the same TTL counted down and stay so in sync. The TTL (full) is originating from the authoritative server or the first server in chain.

1 Like

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.