Fast-Flux Detection
Detects fast-flux DNS behavior — a technique used by botnets, phishing infrastructure, and malware command-and-control servers to evade takedowns by rotating through many IPs with very short TTLs. Performs multiple rounds of A and AAAA queries across multiple DoH resolvers with delays between rounds, comparing IP sets and TTLs to flag rotation patterns.
What It Does
Executes 3–5 rounds of A and AAAA queries with configurable delays. For each round, records the unique IP set and the minimum TTL. Flags fast-flux when the minimum TTL is below 300 seconds AND at least one round observes a different IP set than the preceding round; a low TTL alone (as a CDN would return) or a single IP change with long TTLs does not trigger the flag. Rotates across multiple public DoH resolvers (Cloudflare, Google, Quad9) so that resolver-side caching is less likely to mask rotation. Returns per-round metrics, the aggregated IP set, and a verdict with supporting evidence.
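The verdict rule above, carried out over constructed per-round observations, as an added example that is not the endpoint's own implementation. The round data (resolver names, RFC 5737 documentation addresses, TTLs, timings) is constructed, the 300-second threshold is the one stated on this page, and the resulting dict mirrors the response fields documented below; it also shows the two cases the rule deliberately does not flag, a low-TTL but stable IP set and a changed IP set with long TTLs.

```python
"""Fast-flux verdict logic over per-round DNS observations (added illustration)."""
from dataclasses import dataclass

FAST_FLUX_TTL_THRESHOLD = 300  # seconds, per the endpoint description


@dataclass(frozen=True)
class RoundObservation:
    """One query round: resolver used, IPs returned, lowest TTL seen, elapsed ms."""
    resolver: str
    ips: frozenset
    min_ttl: int
    elapsed_ms: int


def evaluate_rounds(rounds):
    """Apply the page's rule and return a dict shaped like the response fields."""
    if len(rounds) < 2:
        raise ValueError("at least two rounds are needed to compare IP sets")

    min_ttl = min(r.min_ttl for r in rounds)
    all_ips = frozenset().union(*(r.ips for r in rounds))
    # Count rounds whose IP set differs from the round immediately before it.
    ip_set_changes = sum(
        1 for prev, cur in zip(rounds, rounds[1:]) if cur.ips != prev.ips
    )
    is_fast_flux = min_ttl < FAST_FLUX_TTL_THRESHOLD and ip_set_changes >= 1

    findings = []
    if min_ttl < FAST_FLUX_TTL_THRESHOLD:
        findings.append(f"minimum TTL {min_ttl}s is below {FAST_FLUX_TTL_THRESHOLD}s")
    if ip_set_changes:
        findings.append(
            f"IP set changed in {ip_set_changes} of {len(rounds) - 1} round transitions"
        )
    if min_ttl < FAST_FLUX_TTL_THRESHOLD and not ip_set_changes:
        findings.append("low TTL but stable IP set: consistent with a CDN, not fast-flux")

    return {
        "is_fast_flux": is_fast_flux,
        "rounds": len(rounds),
        "total_unique_ips": len(all_ips),
        "min_ttl": min_ttl,
        "ip_set_changes": ip_set_changes,
        "rounds_detail": [
            {"resolver": r.resolver, "ips": sorted(r.ips), "ttl": r.min_ttl,
             "elapsed_ms": r.elapsed_ms}
            for r in rounds
        ],
        "findings": findings,
        "limitations": ["DoH resolver caching may mask rotation between rounds"],
    }


# Constructed sample: three rounds across three resolvers, IPs rotating with low TTLs.
ROTATING = [
    RoundObservation("cloudflare", frozenset({"198.51.100.10", "198.51.100.11"}), 60, 41),
    RoundObservation("google", frozenset({"198.51.100.12", "198.51.100.13"}), 45, 38),
    RoundObservation("quad9", frozenset({"198.51.100.10", "198.51.100.14"}), 60, 52),
]

# Constructed sample: low TTL but the same two IPs every round (typical CDN behaviour).
STABLE_LOW_TTL = [
    RoundObservation("cloudflare", frozenset({"203.0.113.5", "203.0.113.6"}), 60, 40),
    RoundObservation("google", frozenset({"203.0.113.5", "203.0.113.6"}), 60, 37),
    RoundObservation("quad9", frozenset({"203.0.113.5", "203.0.113.6"}), 60, 45),
]

# Constructed sample: the IP set changes once but TTLs are long (a migration, not flux).
CHANGED_LONG_TTL = [
    RoundObservation("cloudflare", frozenset({"203.0.113.20"}), 3600, 40),
    RoundObservation("google", frozenset({"203.0.113.21"}), 3600, 39),
]


if __name__ == "__main__":
    for label, rounds in [("rotating", ROTATING), ("stable_low_ttl", STABLE_LOW_TTL),
                          ("changed_long_ttl", CHANGED_LONG_TTL)]:
        print(label, evaluate_rounds(rounds))
```

Only the first sample is flagged: it has five distinct IPs, a minimum TTL of 45 seconds and two IP-set changes across three rounds. The other two each satisfy one half of the rule and are reported as not fast-flux, which is the behaviour a SOC analyst should expect when a CDN-fronted site or a freshly migrated host shows up in the alert queue.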
Why It's Useful
Fast-flux detection is a key input for blocking phishing and malware C2 traffic. Unlike static threat feeds that list known-bad domains, fast-flux detection catches active infrastructure before it lands in a feed. Complements the domain-threat check by adding behavioral analysis to reputation-based lookup.
Use Cases
Phishing Infrastructure Detection
Confirm a newly reported suspicious domain is using fast-flux hosting, strengthening the case for blocking and takedown.
Corroborate threat-feed hits with behavioral evidence of rotating infrastructure.
SOC Triage
Investigate a domain observed in SIEM alerts — confirm whether it uses fast-flux before escalating the alert.
Higher-confidence triage decisions with automated behavioral signals.
Protective DNS Tuning
Identify fast-flux domains passing through your protective DNS resolver to tune detection rules.
Reduce dwell time for fast-flux-hosted malware in your environment.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to probe for fast-flux behavior. Example: example.com |
| samples | number | Optional | Number of query rounds (2–5, default 3). More rounds give a stronger signal at the cost of a longer response time. Example: 3 |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| is_fast_flux | boolean | Whether fast-flux behavior is detected |
| confidence | string | Confidence: low, medium, high |
| rounds | number | Number of query rounds executed |
| total_unique_ips | number | Total distinct IPs observed across all rounds |
| min_ttl | number | Minimum TTL observed |
| ip_set_changes | number | Number of rounds where the IP set differed from the prior round |
| rounds_detail | array | Per-round breakdown: IPs, TTL, resolver, elapsed ms |
| findings | array | Human-readable findings |
| limitations | array | Caveats — e.g., DoH resolver caching may mask rotation |
Code Examples
```bash
# -G sends "domain" as a query parameter (GET), matching the JavaScript and Python examples;
# without it curl would issue a POST with a form body.
curl -G "https://api.edgedns.dev/v1/dns/fast-flux" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=example.com"
```

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/dns/fast-flux?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
// Surface auth or rate-limit errors instead of parsing an error body as a verdict.
if (!response.ok) {
  throw new Error(`fast-flux request failed: ${response.status}`);
}
const data = await response.json();
console.log(data);
```

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/dns/fast-flux',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    }
)
# Raise on auth or rate-limit errors rather than treating an error body as a verdict.
response.raise_for_status()
data = response.json()
print(data)
```