Fast Flux
A DNS evasion technique used by botnets and phishing kits that rapidly rotates the A records for a hostname through hundreds of compromised IPs, often every few minutes.
Fast flux is the practice of binding a hostname to a constantly-rotating set of IP addresses, usually compromised residential or small-business hosts acting as reverse proxies in front of the real C2 server. Single-flux changes only the A records (TTLs of 60-300 seconds, dozens of IPs per response). Double-flux also rotates the authoritative nameservers themselves, making takedown harder. The pattern is a strong indicator of malicious infrastructure: legitimate services almost never need to rotate IPs that aggressively. Passive DNS feeds surface fast-flux clusters by tracking IPs per name and names per IP over time.
Related terms
See also
Referenced on
- Complete Guide to DNS Attacks and DNS Security (Prevention, Testing & Mitigation)
- DNS Over HTTPS Abuse: How Encrypted DNS Creates Security Blind Spots
- Fast Flux DNS: How Botnets Hide Behind Rapidly Rotating IP Addresses
- How Expired Name Servers Become Domain Hijacking Vectors
- What Is DNS TTL? How Time to Live Controls Caching, Propagation, and Performance