How To Flush DNS Cache On Linux (For systemd-resolved, BIND, Dnsmasq Or nscd)

This article explains how to flush the DNS cache (clear it) on Linux, not only for systems that use systemd-resolved (e.g. Ubuntu 18.04 and newer), but also for those using nscd, BIND or Dnsmasq to cache DNS queries.

DNS, or Domain Name System, is like the Internet's phonebook, translating human-friendly computer hostnames into IP addresses. For example, google.com is translated to the IPv4 address 216.58.214.238 and the IPv6 address 2a00:1450:400d:808::200e. This way a domain can change its IP address without affecting its users and without changing its name.

The DNS cache (or DNS resolver cache) is a temporary database that stores these records so that a website can be looked up quickly when you visit it.

If a DNS record is cached, you might not be able to access hostnames whose addresses changed recently until your DNS cache is updated or cleared. That's why it's useful in some situations to flush (clear) the DNS cache. After the DNS cache is cleared, the new addresses are taken from the DNS server set for your network.

How to flush the DNS cache when using systemd-resolved


systemd-resolved is a network name resolution manager. It implements a caching and validating DNS/DNSSEC stub resolver, as well as an LLMNR and MulticastDNS resolver and responder.

systemd-resolved is used by default on recent versions of many Linux distributions, including Ubuntu, Linux Mint and Fedora.

Don't know if your system uses systemd-resolved? Use:

systemctl is-active systemd-resolved

If this command returns active, your system has systemd-resolved enabled and active. If anything else (e.g. inactive) is shown, systemd-resolved is not used on your system.

Flush the DNS cache when using systemd-resolved:

sudo systemd-resolve --flush-caches

Check the DNS cache using:

systemd-resolve --statistics

The Current Cache Size is the value you're looking for. If it's 0, you just flushed the DNS cache.

Example with output (run immediately after flushing the DNS cache, so the cache size is 0):

$ systemd-resolve --statistics
DNSSEC supported by current servers: no

Transactions
Current Transactions: 0
  Total Transactions: 5538

Cache
  Current Cache Size: 0
          Cache Hits: 3482
        Cache Misses: 2096

DNSSEC Verdicts
              Secure: 0
            Insecure: 0
               Bogus: 0
       Indeterminate: 0

How to flush the DNS cache when using BIND


BIND, or "named", acts as an authoritative name server for one or more specific domains, as well as a recursive resolver for the DNS system generally, and it can act as a caching DNS server. BIND has had three major revisions, with BIND4 and BIND8 being technically obsolete, and BIND9 being the supported version, which features DNSSEC in addition to other features and enhancements.

To check if BIND (the service name is "named") is active on your system (though note that in most cases it's active only if you install and enable it explicitly), you could run:

systemctl is-active named

When active is returned by this command, it means the service is active on your system.

On older systems, or systems without systemd, you could check the service status instead, using:

service named status

To flush the DNS cache for BIND (named), use:

sudo rndc flush

Checking if the DNS cache has been cleared is a bit more complicated for BIND. After flushing the DNS cache, run the command that follows below to dump the cache:

sudo rndc dumpdb -cache

The cache file is now saved in /var/named/data/cache_dump.db. You can look at this file as root to check if there are any cached DNS entries:

sudo cat /var/named/data/cache_dump.db

If the cache was flushed (so there are no cached DNS entries), this file should look like this:

$ sudo cat /var/named/data/cache_dump.db 

;
; Start view _default
;
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20190711141232
;
; Address database dump
;
; [edns success/4096 timeout/1432 timeout/1232 timeout/512 timeout]
; [plain success/timeout]
;
;
; Unassociated entries
;
;
; Bad cache
;

If it contains entries like the ones that follow below, the DNS cache was not flushed:

102397 IN DNSKEY 256 3 8 (
  AwEAAeVDC34GZILwsQJy97K6Fst4P3XYZrXL
  yrkausYzStEjSUulgh+iLgHg0y7FIF890+sI
  jXsk7KLJUmCOWfYWPorNKEOKLk5Zx/4M6D3I
  HZE3O3m/Eahrc28qQzmTLxiMZAW65MvR2UO3
  LxVtYOPBEBiDgAQA47x2JLsJYtavCzNL5WiU
  k59OgvHmDqmcC7VXYBhK8V8Tic089XJgExGe
  plKWUt9yyc31ra1swJX51XsOaQz17+vyLVH8
  AZP26KvKFiZeoRbaq6vl+hc8HQnI2ug5rA2z
  oz3MsSQBvP1f/HvqsWxLqwXXKyDD1QM639U+
  XzVB8CYigyscRP22QFnwKIU=
  ) ; ZSK; alg = RSASHA256 ; key id = 25266

How to flush the DNS cache when using Dnsmasq


Dnsmasq is a DNS forwarder and DHCP server that can be used as a caching DNS server.

To check if dnsmasq is active on your system, you could run:

systemctl is-active dnsmasq

When active is returned by this command, it means the service is active on your system.

On older systems, or systems without systemd, you could check the service status instead, using:

service dnsmasq status

To flush the DNS cache when using Dnsmasq, restart its service:

sudo systemctl restart dnsmasq

On older systems, or systems without systemd, use this command to flush the DNS cache for Dnsmasq:

sudo service dnsmasq restart

I couldn't find a way of checking if the dnsmasq has been flushed.

How to flush the DNS cache when using nscd


nscd is a name service cache daemon.

To check if nscd is active on your system (though note that in most cases it's active only if you install and enable it explicitly), you could run:

systemctl is-active nscd

When "active" is returned by this command, it means the service is active on your system.

On older systems, or systems without systemd, you could check the service status instead, using:

service nscd status

While most guides you'll find online say to restart the nscd service, that doesn't actually flush the DNS cache, since the files are still stored in /var/db/nscd and are used again after the nscd service starts. What you actually want to do to flush the DNS cache for nscd is to invalidate the cache.

To invalidate the hosts cache (to flush the DNS hosts cache) when using nscd, use:

sudo nscd --invalidate=hosts

To check if the DNS cache was flushed, run:

sudo nscd -g

Look under the hosts cache section (the output has one section per enabled cache). If the DNS cache was just flushed, you should see 0 as the value for used data pool size. It will slowly increase as DNS lookups are made for various hosts / domain names.

Example with output (after the DNS cache was flushed):

$ sudo nscd -g
nscd configuration:

              0  server debug level
         1m  5s  server runtime
              5  current number of threads
             32  maximum number of threads
              0  number of times clients had to wait
             no  paranoia mode enabled
           3600  restart internal
              5  reload count
.......................................
hosts cache:

            yes  cache is enabled
            yes  cache is persistent
            yes  cache is shared
            211  suggested size
         216064  total data pool size
              0  used data pool size
           3600  seconds time to live for positive entries
             20  seconds time to live for negative entries
              0  cache hits on positive entries
              0  cache hits on negative entries
              5  cache misses on positive entries
......................................
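
The verification steps from the systemd-resolved, BIND and nscd sections above, combined into one script. This is an added example, not part of the original article; the function names and the KIND argument are made up here, and the nscd sample is constructed.

```shell
#!/bin/sh
# Added example: verify a DNS cache flush from the tool output shown above.
# Function names and the KIND argument are made up for this example.

# "Current Cache Size" from `systemd-resolve --statistics` output on stdin.
resolved_cache_size() {
    awk -F': *' '/Current Cache Size/ { print $2 + 0; found = 1; exit }
                 END { if (!found) exit 1 }'
}

# Count lines of an `rndc dumpdb -cache` dump that are not blank, not ";"
# comments and not "$" directives such as $DATE. 0 means no cached records.
bind_cache_lines() {
    awk '/^[ \t]*;/ || /^[ \t]*$/ || /^\$/ { next }
         { n++ }
         END { print n + 0 }'
}

# "used data pool size" of the hosts section in `nscd -g` output on stdin.
nscd_hosts_used() {
    awk '/^[a-z]+ cache:/ { in_hosts = ($1 == "hosts") }
         in_hosts && /used data pool size/ { print $1; found = 1; exit }
         END { if (!found) exit 1 }'
}

# verify_flush KIND < output      (KIND: resolved | bind | nscd)
# Returns 0 = cache empty, 1 = entries remain, 2 = output not recognised.
verify_flush() {
    case "$1" in
        resolved) n=$(resolved_cache_size) || return 2 ;;
        bind)     n=$(bind_cache_lines)    || return 2 ;;
        nscd)     n=$(nscd_hosts_used)     || return 2 ;;
        *)        return 2 ;;
    esac
    [ "$n" -eq 0 ]
}

# Constructed sample: passwd cache in use, hosts cache just invalidated.
sample_nscd() {
    printf '%s\n' 'passwd cache:' '            512  used data pool size' \
                  'hosts cache:'  '            yes  cache is enabled' \
                  '              0  used data pool size'
}

sample_nscd | verify_flush nscd && echo "nscd hosts cache is empty"
# Real use, with the commands from this article:
#   systemd-resolve --statistics | verify_flush resolved
#   sudo cat /var/named/data/cache_dump.db | verify_flush bind
#   sudo nscd -g | verify_flush nscd
```

For BIND, the count includes continuation lines of multi-line records, so treat it as an empty / not-empty check rather than an exact record count.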