Fast-Flux Detection
Endpoint: `https://api.edgedns.dev/v1/dns/fast-flux`

Detects fast-flux DNS behavior: a technique used by botnets, phishing infrastructure, and malware command-and-control servers to evade takedowns by rotating through many IPs with very short TTLs. Performs multiple rounds of A and AAAA queries across multiple DoH resolvers, with delays between rounds, and compares the IP sets and TTLs between rounds to flag rotation patterns.
What It Does
Executes 2–5 rounds (default 3) of A and AAAA queries with configurable delays between rounds. For each round, records the unique IP set and the minimum TTL. Enriches every observed IP with ASN, network owner, and country via Team Cymru, then computes the AS-fraction diversity metric (Holz et al.). Flags fast-flux only when all of the following hold: the minimum TTL is below 300 seconds, the IP set changes between rounds, at least three distinct IPs are seen, and the IPs do not predominantly belong to a known CDN edge ASN (Cloudflare, Fastly, Akamai, CloudFront, etc.). Rotates queries across multiple public DoH resolvers (Cloudflare, Google, Quad9) so that a single resolver's cached answer cannot mask rotation. Returns per-round metrics, per-IP ASN/country detail, an explicit CDN-rotation classification, and a verdict with supporting evidence.
Why It's Useful
Fast-flux detection is a key input for blocking phishing and malware C2 traffic. Unlike static threat feeds that list known-bad domains, fast-flux detection catches active infrastructure before it lands in a feed. ASN diversity is the primary signal that distinguishes a botnet (many ASNs, many countries) from a CDN (few ASNs, anycast edge) — combining it with TTL and rotation analysis dramatically reduces the false positives that plague naive fast-flux detection. Complements the domain-threat check by adding behavioral analysis to reputation-based lookup.
Use Cases
SOC triage with CDN false-positive elimination
A domain has surfaced in SIEM alerts. Run the endpoint to distinguish botnet rotation from CDN rotation: ASN diversity (Holz AS-fraction), the known-CDN allowlist, the residential-ISP PTR signature, and double-flux NS rotation are aggregated into a single verdict. A domain whose IPs sit on Cloudflare (AS 13335) is classified as `is_cdn_rotation: true`, not fast-flux, which removes the CDN noise that makes naive TTL-only fast-flux tooling hard to act on.
High-confidence escalation decisions without the alert fatigue that comes from naive TTL-only checks.
Detect double-flux command-and-control
Investigate a suspected C2 domain. The endpoint runs both A-record rotation detection AND NS-rotation tracking across multiple rounds. A domain whose authoritative nameservers also rotate (`is_double_flux: true`) is exhibiting the advanced fast-flux signature catalogued as MITRE ATT&CK T1568.001 — a strong indicator of sophisticated criminal infrastructure rather than commodity phishing.
Distinguishes "likely phishing operator" from "sophisticated criminal infrastructure" for incident-response prioritization.
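The verdict logic that the What It Does section and this double-flux use case describe, written out as an added example; it is not the edgedns.dev implementation. It assumes constructed per-round results built from RFC 5737 documentation addresses and RFC 5398 documentation ASNs in place of live DoH and Team Cymru lookups, a CDN allowlist in which only AS13335 comes from the page, a strict-majority reading of "predominantly CDN", an undefined medium/low split resolved as "medium = flagged but not high", and that double flux requires the single-flux gates plus at least one NS-set change between rounds:

```python
"""Fast-flux verdict over constructed query rounds (added example, not
edgedns.dev code). Gates follow the page: min TTL < 300 s, IP-set rotation,
>= 3 distinct IPs, Holz AS-fraction for confidence, known-CDN ASN allowlist,
and NS-set rotation for the double-flux flag."""
from dataclasses import dataclass

# AS13335 (Cloudflare) is named on the page; the other ASNs are this
# example's assumption, not the service's actual allowlist.
CDN_ASNS = {13335: "Cloudflare", 54113: "Fastly", 20940: "Akamai", 16509: "Amazon"}

TTL_THRESHOLD = 300       # page: minimum TTL below 300 seconds
MIN_FLUX_IPS = 3          # page: is_fast_flux requires >= 3 IPs
HIGH_MIN_ASNS = 3         # page: high confidence needs >= 3 ASNs ...
HIGH_MIN_DIVERSITY = 0.5  # ... and AS-fraction diversity >= 0.5


@dataclass(frozen=True)
class Round:
    ips: frozenset          # unique A/AAAA answers seen in this round
    min_ttl: int            # smallest TTL among those answers
    nameservers: frozenset  # NS answers in this round, for double-flux


def as_fraction(unique_asns: int, unique_ips: int) -> float:
    """Holz AS-fraction as the page defines it: (ASNs - 1) / (IPs - 1).
    Returning 0.0 for a single IP avoids dividing by zero (example's choice)."""
    if unique_ips <= 1:
        return 0.0
    return (unique_asns - 1) / (unique_ips - 1)


def set_changes(sets) -> int:
    """Rounds whose set differs from the previous round's set."""
    return sum(1 for prev, cur in zip(sets, sets[1:]) if prev != cur)


def verdict(rounds, asn_of):
    """asn_of maps each observed IP to (asn, country); it stands in for the
    Team Cymru enrichment the page describes."""
    ips = frozenset().union(*(r.ips for r in rounds))
    asns = {asn_of[ip][0] for ip in ips}
    countries = {asn_of[ip][1] for ip in ips}
    min_ttl = min(r.min_ttl for r in rounds)
    ip_changes = set_changes([r.ips for r in rounds])
    ns_changes = set_changes([r.nameservers for r in rounds])
    diversity = as_fraction(len(asns), len(ips))
    cdn_ips = sum(1 for ip in ips if asn_of[ip][0] in CDN_ASNS)
    rotating = ip_changes >= 1
    # "Predominantly CDN" read as a strict majority of observed IPs in
    # allowlisted ASNs (this example's reading of the page).
    is_cdn = rotating and 2 * cdn_ips > len(ips)
    is_flux = (min_ttl < TTL_THRESHOLD and rotating
               and len(ips) >= MIN_FLUX_IPS and not is_cdn)
    if is_flux and len(asns) >= HIGH_MIN_ASNS and diversity >= HIGH_MIN_DIVERSITY:
        confidence = "high"
    elif is_flux:
        confidence = "medium"  # medium/low split is not on the page; assumed
    else:
        confidence = "low"
    return {
        "is_fast_flux": is_flux,
        "is_cdn_rotation": is_cdn,
        "is_double_flux": is_flux and ns_changes >= 1,  # assumption: needs single-flux gates
        "confidence": confidence,
        "rounds": len(rounds),
        "total_unique_ips": len(ips),
        "unique_asns": len(asns),
        "unique_countries": len(countries),
        "asn_diversity_ratio": round(diversity, 3),
        "min_ttl": min_ttl,
        "ip_set_changes": ip_changes,
        "ns_set_changes": ns_changes,
    }


# Constructed samples: RFC 5737 addresses and RFC 5398 documentation ASNs.
BOTNET_ASN = {
    "192.0.2.10": (64496, "US"), "192.0.2.77": (64497, "BR"),
    "198.51.100.7": (64498, "DE"), "198.51.100.44": (64498, "DE"),
    "203.0.113.21": (64499, "VN"), "203.0.113.9": (64500, "VN"),
}
BOTNET_ROUNDS = [
    Round(frozenset({"192.0.2.10", "198.51.100.7", "203.0.113.21"}), 60,
          frozenset({"ns1.example", "ns2.example"})),
    Round(frozenset({"192.0.2.10", "198.51.100.44", "203.0.113.9"}), 45,
          frozenset({"ns3.example", "ns2.example"})),
    Round(frozenset({"192.0.2.77", "198.51.100.44", "203.0.113.9"}), 60,
          frozenset({"ns3.example", "ns4.example"})),
]
# Same rotation and low TTL, but every IP sits in Cloudflare's ASN.
CDN_ASN = {f"192.0.2.{n}": (13335, "US") for n in (100, 101, 102, 103)}
CDN_ROUNDS = [
    Round(frozenset({"192.0.2.100", "192.0.2.101"}), 60, frozenset({"ns1.cdn.example"})),
    Round(frozenset({"192.0.2.102", "192.0.2.103"}), 60, frozenset({"ns1.cdn.example"})),
    Round(frozenset({"192.0.2.100", "192.0.2.103"}), 60, frozenset({"ns1.cdn.example"})),
]

if __name__ == "__main__":
    print("botnet", verdict(BOTNET_ROUNDS, BOTNET_ASN))
    print("cdn   ", verdict(CDN_ROUNDS, CDN_ASN))
```

The two constructed domains share the TTL and rotation pattern that a TTL-only check would flag; only the ASN spread and the allowlist separate the botnet verdict (five ASNs, four countries, high confidence, double flux) from the CDN verdict (one ASN, `is_cdn_rotation` true, low confidence).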
Protective DNS rule tuning
Use the confidence levels (`high` / `medium` / `low`) to drive protective-DNS policy: auto-block on `is_fast_flux: true` + `confidence: "high"` + `is_double_flux: true`; rate-limit or quarantine on medium; pass through on low. The structural gating (3+ ASNs, AS-fraction diversity ≥ 0.5, residential-PTR count) keeps legitimate CDNs out of the auto-block tier. Because the CDN allowlist is deliberately conservative (see `limitations`), a CDN-fronted service that is not on it can still land in the medium tier, so review quarantined names rather than treating them as confirmed-bad.
Operationally usable blocking thresholds that don't require a security analyst to manually exception every CDN-fronted SaaS your users visit.
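The tiering above, as an added example of a consumer-side policy (not edgedns.dev code): it maps endpoint responses onto block / quarantine / allow and renders the result as RPZ records. The re-check of `unique_asns` and `asn_diversity_ratio` before auto-blocking, the demotion of high confidence without double flux to quarantine, the sinkhole name, and the sample responses are all this example's assumptions:

```python
"""Protective-DNS policy derived from fast-flux responses (added example).
Tiers follow the page: block on is_fast_flux + high + double flux,
quarantine on medium, pass through on low."""
from typing import Optional

# Quarantine target; any sinkhole you operate would go here (assumption).
SINKHOLE = "sinkhole.example.net."


def policy_action(resp: dict) -> str:
    """Return 'block', 'quarantine' or 'allow' for one endpoint response."""
    if resp.get("is_cdn_rotation"):
        return "allow"  # CDN edge rotation is explicitly not flux
    if not resp.get("is_fast_flux"):
        return "allow"  # low tier: pass through
    confidence = resp.get("confidence", "low")
    # Re-check what the page says "high" requires, so a response that
    # claims high without the ASN spread cannot reach auto-block alone.
    structurally_high = (resp.get("unique_asns", 0) >= 3
                         and resp.get("asn_diversity_ratio", 0.0) >= 0.5)
    if confidence == "high" and structurally_high and resp.get("is_double_flux"):
        return "block"
    if confidence in ("high", "medium"):
        return "quarantine"  # high without double flux is demoted (assumption)
    return "allow"


def rpz_record(domain: str, action: str) -> Optional[str]:
    """RPZ zone line for an action; None means no rule. 'CNAME .' is the
    standard RPZ NXDOMAIN action; the sinkhole CNAME is a walled garden."""
    if action == "block":
        return f"{domain} CNAME ."
    if action == "quarantine":
        return f"{domain} CNAME {SINKHOLE}"
    return None


def build_rpz(responses) -> list:
    """RPZ lines for every response that yields a rule."""
    return [rec for r in responses
            if (rec := rpz_record(r["domain"], policy_action(r))) is not None]


# Constructed responses shaped like the page's response fields.
SAMPLE_RESPONSES = [
    {"domain": "c2-a.example", "is_fast_flux": True, "is_cdn_rotation": False,
     "is_double_flux": True, "confidence": "high", "unique_asns": 5,
     "asn_diversity_ratio": 0.8},
    {"domain": "phish-b.example", "is_fast_flux": True, "is_cdn_rotation": False,
     "is_double_flux": False, "confidence": "medium", "unique_asns": 2,
     "asn_diversity_ratio": 0.25},
    {"domain": "saas-c.example", "is_fast_flux": False, "is_cdn_rotation": True,
     "is_double_flux": False, "confidence": "low", "unique_asns": 1,
     "asn_diversity_ratio": 0.0},
    # Claims high and double flux but lacks the ASN spread high requires.
    {"domain": "odd-d.example", "is_fast_flux": True, "is_cdn_rotation": False,
     "is_double_flux": True, "confidence": "high", "unique_asns": 2,
     "asn_diversity_ratio": 0.3},
]

if __name__ == "__main__":
    print("\n".join(build_rpz(SAMPLE_RESPONSES)))
```

Only `c2-a.example` reaches the NXDOMAIN rule; the CDN-fronted name produces no record at all, and the inconsistent fourth response is held at quarantine instead of being auto-blocked.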
Parameters
| Name | Type | Required | Description | Example |
|---|---|---|---|---|
| domain | string | Required | The domain to probe for fast-flux behavior | example.com |
| samples | number | Optional | Number of query rounds (2–5, default 3). More rounds give a stronger signal at the cost of a longer response time. | 3 |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| is_fast_flux | boolean | Whether fast-flux behavior is detected (rotation + low TTL + ≥3 IPs + not CDN) |
| is_cdn_rotation | boolean | True when IP rotation is explained by known CDN edge ASNs; distinguishes legitimate CDN rotation from malicious flux |
| confidence | string | Confidence: low, medium, high. High requires ≥3 ASNs and AS-fraction diversity ≥ 0.5 |
| rounds | number | Number of query rounds executed |
| total_unique_ips | number | Total distinct IPs observed across all rounds |
| unique_asns | number | Distinct ASNs across the observed IPs |
| unique_countries | number | Distinct ISO country codes across the observed IPs |
| asn_diversity_ratio | number | Holz AS-fraction `(unique_asns - 1) / (total_unique_ips - 1)`. 0 = every IP in one AS, 1 = every IP in a different AS |
| min_ttl | number | Minimum TTL observed, in seconds |
| ip_set_changes | number | Number of rounds whose IP set differed from the prior round's |
| rounds_detail | array | Per-round breakdown: IPs, TTL, resolver, elapsed ms |
| ip_asn_detail | array | Per-IP ASN, network owner (when a known CDN), country, and is_cdn flag |
| findings | array | Human-readable findings, including the ASN-spread interpretation |
| limitations | array | Caveats: DoH caching, conservative CDN allowlist, best-effort ASN enrichment |
Code Examples
```bash
# -G sends the parameters as a GET query string, matching the JavaScript
# and Python examples below (a bare -d would turn the request into a POST).
curl -G "https://api.edgedns.dev/v1/dns/fast-flux" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  --data-urlencode "domain=example.com"
```

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/dns/fast-flux?domain=example.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
if (!response.ok) {
  throw new Error(`fast-flux request failed: ${response.status}`);
}
const data = await response.json();
console.log(data);
```

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/dns/fast-flux',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'example.com'
    },
    # Several query rounds with delays between them take longer than a
    # single lookup; the 60 s figure is a suggestion, not a documented limit.
    timeout=60,
)
response.raise_for_status()
data = response.json()
print(data)
```