Fast flux DNS is a technique used by attackers to hide malicious servers behind a constantly rotating set of IP addresses. By configuring extremely short TTL values (often 60-300 seconds) and rapidly cycling the A records for a domain through hundreds or thousands of IP addresses — typically compromised machines in a botnet — the attacker makes it nearly impossible to identify and block the actual infrastructure hosting their operation.
I think of fast flux as the DNS equivalent of a shell game. The domain name stays the same, but the IP address behind it changes every few minutes. By the time a security team identifies and blocks one IP, the domain has already moved on to another.
How Fast Flux Works
Single Flux
In single-flux networks, only the A records (the IP addresses) rotate:
# At time T+0
malicious.com → 203.0.113.45 (compromised machine #1)
# At time T+60 seconds
malicious.com → 198.51.100.77 (compromised machine #2)
# At time T+120 seconds
malicious.com → 192.0.2.88 (compromised machine #3)
The TTL is set to 60-300 seconds. Each time a resolver's cache expires and it re-queries, it gets a different IP from a round-robin pool of compromised machines. These machines act as proxies, forwarding traffic to the actual backend server (called the "mothership") that hosts the malicious content.
The compromised machines are just relay points. Even if one is taken down or blocked, the domain immediately rotates to another.
Double Flux
Double-flux networks take it further by also rotating the NS records — the nameservers themselves:
# At time T+0
malicious.com NS → ns1.proxy-botnet.com (compromised nameserver #1)
ns1.proxy-botnet.com → 203.0.113.10
# At time T+300
malicious.com NS → ns2.proxy-botnet.com (compromised nameserver #2)
ns2.proxy-botnet.com → 198.51.100.20
With double flux, not only are the content servers hidden behind rotating proxies, but the DNS infrastructure itself is distributed across the botnet. This makes it extremely difficult to disrupt the domain's resolution.
Architecture
User → DNS Query → Rotating NS (if double flux)
↓
Rotating A records
↓
Compromised Proxy Machine #N
↓
Mothership (actual malicious server)
The mothership never appears in any DNS record. It communicates with the proxy layer through a separate channel (often its own command-and-control mechanism).
What Fast Flux Is Used For
Fast flux networks support various malicious operations:
- Phishing sites — hosting credential harvesting pages that are difficult to take down because the IP keeps changing
- Malware distribution — serving malware downloads from a domain that cannot be blocked by IP
- Botnet command and control — providing resilient C2 infrastructure that survives individual node takedowns
- Spam infrastructure — hosting URLs in spam emails that remain accessible despite IP-based blocking
- Illegal marketplaces — running persistent web services that resist law enforcement takedowns
The Storm Worm (2007) was one of the first major botnets to use fast flux extensively. The Avalanche network (disrupted in 2016 after a multi-year international operation) used double-flux techniques to support phishing, malware, and money mule recruitment across hundreds of domains.
How to Detect Fast Flux
Fast flux domains have distinctive DNS characteristics that set them apart from legitimate CDN or load-balanced domains:
Low TTL Values
Most ordinary domains use TTL values of 300-3600 seconds (5 minutes to 1 hour), while fast flux domains use TTLs of 60-300 seconds or even 0. The caveat: large CDNs and DNS-based load balancers also publish short TTLs (20-60 seconds is common), so a low TTL on its own is a weak signal. Treat it as the trigger for the IP diversity checks below, not as a verdict.
# Check TTL (the second column of the answer section)
dig +noall +answer malicious-domain.com A
# A TTL consistently under 300 seconds is a reason to run the checks below, not a verdict by itself
High IP Diversity
A fast flux domain resolves to many different IP addresses over a short period, often spanning different ASNs, countries, and network types:
# Query every 60 seconds for ten minutes, then count how often each IP appeared
for i in $(seq 1 10); do dig +short suspicious.com A; sleep 60; done | sort | uniq -c
# Fast flux: a different IP nearly every query, spread across many networks
# Legitimate CDN: the same small set of IPs from a known provider
Geographic and ASN Scatter
Legitimate services using multiple IPs typically have them in the same ASN (their CDN provider) or a small number of related networks. Fast flux IPs are scattered across residential ISPs, hosting providers, and geographic regions because they are compromised machines.
Residential IP Addresses
Fast flux networks often use compromised home computers and routers. The IP addresses resolve to residential ISP ranges rather than datacenter or CDN networks.
You can use the IP Location tool to check whether IPs associated with a domain are in residential or datacenter ranges.
DNS Record Type Patterns
Fast flux domains typically have only A records (and NS records for double flux). They rarely carry the MX, SPF/DKIM TXT, or other records that a domain used for a legitimate service accumulates. By itself this proves nothing, since many legitimate domains are just as sparse, but combined with the other indicators it strengthens the case.
Detection Metrics
For automated detection, calculate these metrics for suspect domains:
| Metric | Legitimate CDN | Fast Flux |
|---|---|---|
| TTL | 20-3600s (short TTLs are common) | 0-300s |
| Unique IPs per hour | 2-10 (stable set) | 50-500+ (rotating) |
| ASN diversity | 1-3 ASNs | 10-100+ ASNs |
| Geographic spread | 2-5 countries | 20+ countries |
| IP type | Datacenter | Mostly residential |
| NS record stability | Stable | Rotating (double flux) |
How to Defend Against It
DNS-Based Blocking
Block known fast flux domains at the resolver level using threat intelligence feeds:
- Response Policy Zones (RPZ) — configure your resolver to return NXDOMAIN or redirect for known fast flux domains
- Commercial threat intelligence and passive DNS — services like Farsight DNSDB and DomainTools expose the resolution history needed to spot the pattern, and commercial feeds publish known fast flux domains in blockable form
- Community blocklists — open-source threat intelligence platforms track known fast flux infrastructure
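As an added example (not from the original page), here is a minimal BIND Response Policy Zone that implements the blocking described above. The zone name, the blocked domains, and the sinkhole and internal hostnames are all hypothetical placeholders:

```dns-zone
; rpz.local - hypothetical local policy zone (added example; all names are placeholders)
$TTL 300
@                        IN SOA  localhost. hostmaster.localhost. (
                                 2024010101 ; serial
                                 3600       ; refresh
                                 600        ; retry
                                 86400      ; expire
                                 300 )      ; minimum
                         IN NS   localhost.

; CNAME to "." means NXDOMAIN: the client is told the name does not exist.
; The wildcard covers the rotating hostnames under the flux domain.
flux-example.net         IN CNAME .
*.flux-example.net       IN CNAME .

; Redirect a phishing domain to an internal walled-garden host instead.
phish-example.org        IN CNAME sinkhole.corp.example.
*.phish-example.org      IN CNAME sinkhole.corp.example.

; Never rewrite answers for an internal zone, whatever a feed says.
corp.example             IN CNAME rpz-passthru.
*.corp.example           IN CNAME rpz-passthru.
```

Load it by declaring `zone "rpz.local" { type master; file "rpz.local.db"; };` and adding `response-policy { zone "rpz.local"; };` to the `options` block of named.conf, and run `named-checkzone rpz.local rpz.local.db` before reloading. Feeds are normally delivered as their own RPZ zones via zone transfer; a file like this holds the locally curated additions and passthru exceptions, and because policy zones are consulted in the order they are listed, it should be listed first so the exceptions take precedence.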
Behavioral Detection
Deploy DNS analytics that detect fast flux characteristics automatically:
- Treat a TTL consistently under 300 seconds as a trigger for the checks below, not as an alert on its own (CDNs use short TTLs too)
- Alert on domains that resolve to more than 10 unique IPs per hour
- Correlate IP diversity with ASN and geographic spread
- Cross-reference resolved IPs against known botnet and residential IP databases
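The metrics table above and the behavioral rules in this list can be turned into a small scorer. The following is an added example, not code from the original page: it takes resolver observations (domain, IP, TTL, timestamp), enriches each IP from a hypothetical ASN/country/residential table, aggregates the table's metrics per domain over a one-hour window, and classifies the result. The two sample domains and their RFC 5737 addresses are constructed for the example; in production the enrichment would come from an IP-to-ASN/geolocation database and the observations from your resolver logs or passive DNS.

```python
"""Score domains for fast flux behaviour from resolver/passive-DNS observations."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Observation:
    """One resolver answer: domain -> ip with the TTL seen, at time ts (epoch seconds)."""
    domain: str
    ip: str
    ttl: int
    ts: int


@dataclass
class Metrics:
    unique_ips: int
    unique_asns: int
    unique_countries: int
    residential_fraction: float
    min_ttl: int


# Hypothetical enrichment data: (ip, asn, country, is_residential). Constructed for
# this example from RFC 5737 documentation ranges; a real pipeline would query an
# IP-to-ASN/geolocation database for each resolved address instead.
CDN_HOSTS: List[Tuple[str, str, str, bool]] = [
    (f"198.51.100.{i}", "AS64500", "US", False) for i in range(10, 14)
]
FLUX_HOSTS: List[Tuple[str, str, str, bool]] = [
    ("203.0.113.1", "AS64501", "DE", True), ("203.0.113.2", "AS64502", "BR", True),
    ("203.0.113.3", "AS64503", "IN", True), ("203.0.113.4", "AS64504", "US", True),
    ("203.0.113.5", "AS64505", "TR", True), ("203.0.113.6", "AS64506", "VN", True),
    ("203.0.113.7", "AS64507", "PL", True), ("203.0.113.8", "AS64508", "MX", True),
    ("203.0.113.9", "AS64501", "DE", True), ("203.0.113.10", "AS64509", "BR", False),
    ("203.0.113.11", "AS64510", "IN", True), ("203.0.113.12", "AS64511", "US", False),
    ("203.0.113.13", "AS64512", "TR", True), ("203.0.113.14", "AS64502", "BR", True),
]
IP_META: Dict[str, Tuple[str, str, bool]] = {
    ip: (asn, cc, res) for ip, asn, cc, res in CDN_HOSTS + FLUX_HOSTS
}
UNKNOWN = ("AS0", "??", False)  # used when enrichment has no entry for an IP


def compute_metrics(observations: Iterable[Observation], window: int = 3600) -> Dict[str, Metrics]:
    """Aggregate the table's metrics per domain over the last `window` seconds observed."""
    by_domain: Dict[str, List[Observation]] = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)
    result: Dict[str, Metrics] = {}
    for domain, seen in by_domain.items():
        latest = max(o.ts for o in seen)
        recent = [o for o in seen if o.ts >= latest - window]
        ips = {o.ip for o in recent}
        meta = [IP_META.get(ip, UNKNOWN) for ip in ips]
        result[domain] = Metrics(
            unique_ips=len(ips),
            unique_asns=len({asn for asn, _, _ in meta}),
            unique_countries=len({cc for _, cc, _ in meta}),
            residential_fraction=sum(1 for _, _, res in meta if res) / len(ips),
            min_ttl=min(o.ttl for o in recent),
        )
    return result


def classify(m: Metrics) -> str:
    """Apply this page's thresholds. The short TTL counts as one weak signal only:
    large CDNs also publish 20-60 second TTLs, so it can never flag a domain alone."""
    checks = [
        m.unique_ips > 10,              # more than 10 unique IPs per hour
        m.unique_asns >= 10,            # scattered across many ASNs
        m.unique_countries >= 5,        # wide geographic spread
        m.residential_fraction >= 0.5,  # mostly residential address space
        m.min_ttl <= 300,               # weak signal: short TTL
    ]
    signals = sum(checks)
    if signals >= 4:
        return "fast-flux"
    return "suspicious" if signals >= 2 else "benign"


def simulate_poll(domain: str, hosts, ttl: int, polls: int,
                  start: int = 1_700_000_000, interval: int = 60) -> List[Observation]:
    """Constructed observations: one query per `interval` seconds, with answers
    cycling round-robin through `hosts` (what a repeated dig loop would collect)."""
    return [Observation(domain, hosts[i % len(hosts)][0], ttl, start + i * interval)
            for i in range(polls)]


# Both constructed domains answer with a 60 s TTL; only one of them is fast flux.
SAMPLE = (simulate_poll("cdn-example.net", CDN_HOSTS, 60, 20)
          + simulate_poll("flux-example.net", FLUX_HOSTS, 60, 20))


def score_sample() -> Dict[str, str]:
    return {domain: classify(m) for domain, m in compute_metrics(SAMPLE).items()}


if __name__ == "__main__":
    for domain, m in compute_metrics(SAMPLE).items():
        print(f"{domain}: {m} -> {classify(m)}")
```

The CDN-like domain shares the 60-second TTL but stays "benign" because its four addresses sit in one ASN and one country, which is exactly the distinction the misconfiguration section below warns about; the flux domain trips every check. Tune the thresholds to your own baseline before alerting on them.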
Network-Level Defenses
- Block resolution of known fast flux domains at your DNS resolver
- Monitor for connections to rapidly changing IPs — a single domain resolving to residential IPs across many countries is suspicious
- Use DNS firewalls that incorporate real-time threat intelligence
- Report fast flux domains to their registrars and to organizations like the Anti-Phishing Working Group (APWG)
Mitigation Checklist
- DNS threat intelligence feeds are integrated with your resolver
- RPZ or equivalent domain blocking is configured
- Monitoring detects domains with abnormally low TTL values
- IP diversity analysis flags domains resolving to many scattered IPs
- Resolved IPs are cross-referenced against botnet and residential databases
- DNS query logs are retained for retrospective analysis
- Incident response procedures include fast flux domain investigation steps
Common Misconfigurations
- No DNS threat intelligence integration — your resolver happily resolves known fast flux domains
- Blocking by IP only — useless against fast flux because the IPs change constantly; you must block by domain name
- Ignoring low-TTL domains — treating them as normal when they are a key indicator of fast flux
- Confusing fast flux with legitimate CDNs — CDNs also use multiple IPs, but from known datacenter ranges with consistent ASNs; fast flux uses residential IPs across diverse networks
Ethical Note
Studying fast flux networks is an important part of threat intelligence research. You can analyze fast flux behavior passively using historical DNS data from services like Farsight DNSDB or VirusTotal without interacting with the malicious infrastructure directly. Never set up your own fast flux network or use compromised machines for research.
This article is part of the Complete Guide to DNS Attacks and DNS Security. See also: DNS Hijacking, DNS Tunneling Attack.
