by rdancer 3920 days ago
That depends on the expiry time ("Time To Live / TTL") set for the particular record. Minimum TTL is 1s, and maximum is 2^32 - 1 seconds, or slightly over 136 years[1].

Resolver libraries and daemons keep cached results in volatile memory, so in practical terms, if a high TTL is set, the spoofed result will continue to be used until the given machine is rebooted. For some middle boxes, this can be years.

[1] RFC 1035 section 2.3.4 https://www.ietf.org/rfc/rfc1035.txt


I think the point is -- if the TTL is set low, most ISPs simply ignore it to a minimum setting of at least a few hours. So changing/pointing a Google hostname to a victim might not have that big an impact if done only for a few minutes.

I have seen ever-lower TTLs in the wild, sub-minute even, in the past few years. Even historically, TTLs have in my experience always been respected.

I think what really tends to happen, and this gets the folks confused, is that the initial TTL is high (say, 3 days), then the sysadmin wants to do some changes, and because they want to be able to keep changing the IP quickly, while they're working on it, they set the TTL low (say, 1 minute). Only you cannot retroactively lower the TTL of the records that have been sent previously, they'll expire whenever during the following 3 days.

Your point still stands, mostly. The probability of the old record with a high TTL being evicted from a resolver's cache during any given short period of time is low.
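The two caching behaviours discussed in this thread, as an added example that is not part of either commenter's post: a toy authoritative server plus a toy caching resolver that honours an optional minimum TTL. The first scenario shows that lowering the TTL at the authoritative side does nothing for copies already cached under the old 3-day TTL; the second shows a resolver that clamps a 60-second TTL up to an hour, so the old answer survives the change anyway. Hostnames and 192.0.2.x addresses are constructed sample data; the classes and function names are this example's own, not from any real resolver.

```python
"""Toy DNS cache model illustrating TTL expiry and resolver minimum-TTL clamping."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DAY = 86400  # seconds


@dataclass
class Record:
    name: str
    value: str
    ttl: int  # seconds the authoritative server allows this answer to be cached


class Authoritative:
    """Stand-in for the zone's authoritative server (constructed for this example)."""

    def __init__(self) -> None:
        self.zone: Dict[str, Record] = {}

    def set(self, name: str, value: str, ttl: int) -> None:
        self.zone[name] = Record(name, value, ttl)

    def answer(self, name: str) -> Record:
        return self.zone[name]


class ResolverCache:
    """Stand-in for a caching resolver. min_ttl models ISPs that refuse very short TTLs."""

    def __init__(self, upstream: Authoritative, min_ttl: int = 0,
                 max_ttl: Optional[int] = None) -> None:
        self.upstream = upstream
        self.min_ttl = min_ttl
        self.max_ttl = max_ttl
        self.cache: Dict[str, Tuple[str, int]] = {}  # name -> (value, absolute expiry time)

    def resolve(self, name: str, now: int) -> Tuple[str, str]:
        """Return (value, "cache" | "upstream") for a lookup at simulated time `now`."""
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            return entry[0], "cache"  # still valid: the authoritative side is not consulted
        rec = self.upstream.answer(name)
        ttl = max(rec.ttl, self.min_ttl)  # clamp upwards if the resolver enforces a floor
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)
        self.cache[name] = (rec.value, now + ttl)
        return rec.value, "upstream"


def scenario_lower_ttl_after_the_fact() -> List[Tuple[int, str, str]]:
    """Old answer cached for 3 days; TTL later lowered to 60s. Returns (time, value, source)."""
    auth = Authoritative()
    resolver = ResolverCache(auth)  # honours TTLs exactly
    auth.set("www.example.com", "192.0.2.1", ttl=3 * DAY)
    timeline = [(0,) + resolver.resolve("www.example.com", now=0)]
    # One hour in, the admin lowers the TTL and moves the host to a new address.
    auth.set("www.example.com", "192.0.2.2", ttl=60)
    for t in (3600, 2 * DAY, 3 * DAY):
        timeline.append((t,) + resolver.resolve("www.example.com", now=t))
    return timeline


def scenario_resolver_min_ttl() -> Dict[str, Tuple[str, str]]:
    """A 60s TTL change as seen by a strict resolver and by one clamping TTLs to >= 1 hour."""
    auth = Authoritative()
    strict = ResolverCache(auth)
    clamping = ResolverCache(auth, min_ttl=3600)
    auth.set("www.example.com", "192.0.2.1", ttl=60)
    strict.resolve("www.example.com", now=0)
    clamping.resolve("www.example.com", now=0)
    auth.set("www.example.com", "192.0.2.2", ttl=60)  # change made right after first lookup
    return {
        "strict@120": strict.resolve("www.example.com", now=120),
        "clamping@120": clamping.resolve("www.example.com", now=120),
        "clamping@3600": clamping.resolve("www.example.com", now=3600),
    }


if __name__ == "__main__":
    for t, value, source in scenario_lower_ttl_after_the_fact():
        print(f"t={t:>7}s  {value}  ({source})")
    for label, result in scenario_resolver_min_ttl().items():
        print(label, result)
```

The practical consequence for anyone planning a change is visible in the first scenario: the resolver keeps returning 192.0.2.1 until the original 3-day expiry, however small the TTL becomes afterwards, so the TTL has to be lowered at least one old TTL before the change rather than at the moment of it.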