Fast-Flux Detection: a beginner's guide
Detect fast-flux DNS rotation used by botnets and malware
Fast-flux DNS: the botnet technique that dodges takedowns
Fast-flux DNS is a technique criminals use to keep malicious infrastructure online by rotating the IP addresses their domains resolve to — often every few seconds, across a huge botnet of compromised home PCs or cloud VMs. A normal website might change IPs a few times a year when it switches hosts. A fast-flux domain changes IPs hundreds or thousands of times per day, never staying at any one address long enough for a threat feed or law-enforcement takedown to catch up. The technique has been used by spam operators since the early 2000s (ICANN SAC 025) and remains the backbone of modern phishing, malware command-and-control, and fast-rotating credential-theft pages.
You should care because **fast-flux detection catches active attack infrastructure before it lands in a static threat feed**. Reputation-based blocklists like Spamhaus DBL or Google Safe Browsing work well — but they're always a few hours to a few days behind real rotation. Behavioral detection that watches TTL and IP-set changes over time catches phishing and malware C2 while the campaign is still live, which is when blocking it actually prevents the damage.
The five things every fast-flux check looks at:
TTL under 300 seconds. Legitimate CDNs sometimes use short TTLs (Cloudflare, Akamai), but a domain with a 60-second TTL and no CDN fingerprint is suspicious.
IP-set rotation across query rounds. Running the same DNS query three times in thirty seconds and getting three different IP sets is strong fast-flux evidence.
Geographic and ASN dispersion. Legitimate infrastructure concentrates in a handful of ASNs (the hosting provider's). Fast-flux rotates across hundreds of unrelated ASNs — usually residential ISPs hosting infected endpoints.
Nameserver rotation. Advanced fast-flux ("double flux") rotates the authoritative nameservers too, not just the A records.
Consistency across public resolvers. Running the same query through Cloudflare (`1.1.1.1`), Google (`8.8.8.8`), and Quad9 (`9.9.9.9`) and getting different rotating answers is harder to attribute to normal load-balancing.
Three questions a fast-flux check answers:
Is this domain actively rotating IPs in a way consistent with botnet-style fast-flux?
Or is the short TTL just a CDN doing normal geo-routing?
Should this domain be blocked before it shows up on Spamhaus's list next Tuesday?
The cost of missing fast-flux activity is letting phishing and malware campaigns run unobstructed during the hours or days before static threat feeds catch up. The fix is to add behavioral detection to your blocking logic — every query that looks like it came from a rotating campaign gets scrutinized more aggressively. The classic reference is the Honeynet Project's Know Your Enemy: Fast-Flux Service Networks paper, and modern telemetry comes from the SIE framework and similar passive-DNS observatories.
The Fast-Flux Detection endpoint, in plain language
In one sentence: Detect fast-flux [DNS (Domain Name System)](/guides/dns-lookup) rotation used by botnets and malware
Detects fast-flux DNS (Domain Name System) behavior — a technique used by botnets, phishing infrastructure, and malware command-and-control servers to evade takedowns by rotating through many IPs with very short TTLs. Performs multiple rounds of A and AAAA queries across multiple DoH (DNS over HTTPS) resolvers with delays between rounds, comparing IP (Internet Protocol address) sets and TTLs to flag rotation patterns.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Executes 3–5 rounds of A and AAAA queries with configurable delays. For each round, records the unique IP (Internet Protocol address) set and minimum TTL (time to live). Flags fast-flux when minimum TTL is below 300 seconds AND at least one round observes a different IP set than the preceding round. Rotates across multiple public DoH (DNS over HTTPS) resolvers (Cloudflare, Google, Quad9) to reduce resolver-side caching from masking rotation. Returns per-round metrics, aggregated IP set, and a verdict with supporting evidence.
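To make that decision rule concrete, here is an added Python implementation of the round-comparison logic described above. It is example code written for this guide, not EdgeDNS's own implementation: the `Round` and `Verdict` structures, the confidence mapping (more than one observed IP-set change earns "high") and the sample observations are constructed assumptions, while the 300-second threshold and the "short TTL AND at least one IP-set change" rule come from the text.

```python
"""Fast-flux verdict over multi-round DNS observations.

Added example, not EdgeDNS's own code. It applies the rule the page
describes: flag when the minimum TTL is below 300 s AND at least one
round's IP set differs from the preceding round's. The Round/Verdict
structures, the confidence mapping and the sample data are assumptions.
"""
from dataclasses import dataclass, field

FAST_FLUX_TTL_THRESHOLD = 300  # seconds, the threshold stated on the page


@dataclass
class Round:
    resolver: str        # DoH resolver that answered this round, e.g. "1.1.1.1"
    ips: set             # unique A/AAAA answers observed in this round
    min_ttl: int         # smallest TTL among those answers, in seconds
    elapsed_ms: int = 0  # query latency, kept for the per-round detail


@dataclass
class Verdict:
    is_fast_flux: bool
    confidence: str
    rounds: int
    total_unique_ips: int
    min_ttl: int
    ip_set_changes: int
    findings: list = field(default_factory=list)


def analyse_rounds(rounds):
    """Compare consecutive rounds and return the aggregated verdict."""
    if len(rounds) < 2:
        raise ValueError("need at least two query rounds to compare IP sets")
    min_ttl = min(r.min_ttl for r in rounds)
    all_ips = set().union(*(r.ips for r in rounds))
    # A change is counted only against the immediately preceding round.
    changes = sum(1 for prev, cur in zip(rounds, rounds[1:]) if cur.ips != prev.ips)
    short_ttl = min_ttl < FAST_FLUX_TTL_THRESHOLD
    is_fast_flux = short_ttl and changes >= 1

    findings = [
        f"minimum TTL {min_ttl}s is {'below' if short_ttl else 'at or above'} "
        f"{FAST_FLUX_TTL_THRESHOLD}s",
        f"IP set changed in {changes} of {len(rounds) - 1} round transitions",
        f"{len(all_ips)} distinct IPs across {len(rounds)} rounds via "
        f"{', '.join(sorted({r.resolver for r in rounds}))}",
    ]
    # Confidence mapping is this example's assumption, not the API's rule.
    if not is_fast_flux:
        confidence = "low"
        if short_ttl:
            findings.append("short TTL without rotation: consistent with a CDN, not flagged")
        elif changes:
            findings.append("IP set changes with long TTLs: ordinary round-robin, not flagged")
    else:
        confidence = "high" if changes >= 2 else "medium"
    return Verdict(is_fast_flux, confidence, len(rounds), len(all_ips),
                   min_ttl, changes, findings)


# Constructed sample observations (documentation-range addresses, not real captures).
SAMPLE_FLUX = [  # rotating residential-looking set, 45-60 s TTLs
    Round("1.1.1.1", {"203.0.113.10", "203.0.113.22"}, 60, 41),
    Round("8.8.8.8", {"198.51.100.7", "203.0.113.22"}, 60, 39),
    Round("9.9.9.9", {"192.0.2.44", "198.51.100.7"}, 45, 52),
]
SAMPLE_CDN = [  # short TTL but the same single address every round
    Round("1.1.1.1", {"203.0.113.5"}, 60, 20),
    Round("8.8.8.8", {"203.0.113.5"}, 60, 18),
    Round("9.9.9.9", {"203.0.113.5"}, 60, 22),
]
SAMPLE_ROUND_ROBIN = [  # answers alternate, but one-hour TTLs rule out flux
    Round("1.1.1.1", {"203.0.113.1"}, 3600, 25),
    Round("8.8.8.8", {"203.0.113.2"}, 3600, 27),
    Round("9.9.9.9", {"203.0.113.1"}, 3600, 24),
]

if __name__ == "__main__":
    for name, sample in (("flux", SAMPLE_FLUX), ("cdn", SAMPLE_CDN),
                         ("round-robin", SAMPLE_ROUND_ROBIN)):
        v = analyse_rounds(sample)
        print(f"{name}: fast_flux={v.is_fast_flux} confidence={v.confidence}")
        for line in v.findings:
            print("  -", line)
```

The three samples illustrate why both halves of the rule are needed: the CDN sample has a 60-second TTL but never rotates, and the round-robin sample rotates but with one-hour TTLs, so only the first sample is flagged.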
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Fast-Flux Detection tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Fast-flux detection is a key input for blocking phishing and malware C2 traffic. Unlike static threat feeds that list known-bad domains, fast-flux detection catches active infrastructure before it lands in a feed. Complements the domain-threat check by adding behavioral analysis to reputation-based lookup.
Picture this in real life. Imagine a threat intelligence analyst. Here's the situation they're walking into: Confirm a newly reported suspicious domain is using fast-flux hosting, strengthening the case for blocking and takedown. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Fast-Flux Detection tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Fast-Flux Detection tool is built for you:
Is my domain pointing to the right place right now?
Did the DNS change I just made actually take effect everywhere in the world?
Is anything in my DNS misconfigured in a way that could break email or break the website?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Founders running their own infrastructure, marketers coordinating launches, IT admins inheriting domains from a former employee, and ops engineers troubleshooting live outages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you're flying blind on the one piece of config that decides whether your website and email work at all. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the developer plan. The technical details: `GET /v1/dns/fast-flux`.
When would I actually use this?
If you're still on the fence about whether the Fast-Flux Detection tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a threat intelligence analyst, a SOC analyst, and a network security engineer — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Phishing Infrastructure Detection
Imagine you're a threat intelligence analyst. Confirm a newly reported suspicious domain is using fast-flux hosting, strengthening the case for blocking and takedown.
Why it matters: Corroborate threat-feed hits with behavioral evidence of rotating infrastructure.
Story 2: SOC Triage
Imagine you're a SOC analyst. Investigate a domain observed in SIEM alerts — confirm whether it uses fast-flux before escalating the alert.
Why it matters: Higher-confidence triage decisions with automated behavioral signals.
Story 3: Protective DNS Tuning
Imagine you're a network security engineer. Identify fast-flux domains passing through your protective DNS (Domain Name System) resolver to tune detection rules.
Why it matters: Reduce dwell time for fast-flux-hosted malware in your environment.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Fast-Flux Detection tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Right before launching a new website or migrating to a new host.
After making any DNS change, to confirm the new settings are live everywhere.
When customers report that your site or email "just stopped working" out of nowhere.
As a recurring monthly health check to catch silent misconfigurations early.
If you can see yourself in even one of those bullets, the Fast-Flux Detection tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Fast-Flux Detection tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Fast-Flux Detection tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/dns/fast-flux?domain=example.com"
```
What you need to provide
You need to provide 2 pieces of information when you call this tool. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to probe for fast-flux behavior | example.com |
| samples | number | Optional | Number of query rounds (2–5, default 3). More rounds give a stronger signal at the cost of a longer response time. | 3 |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The queried domain |
| is_fast_flux | boolean | Whether fast-flux behavior is detected |
| confidence | string | Confidence: low, medium, high |
| rounds | number | Number of query rounds executed |
| total_unique_ips | number | Total distinct IPs observed across all rounds |
| min_ttl | number | Minimum TTL (time to live) observed |
| ip_set_changes | number | Number of rounds where the IP (Internet Protocol address) set differed from the prior round |
| rounds_detail | array | Per-round breakdown: IPs, TTL (time to live), resolver, elapsed ms |
| findings | array | Human-readable findings |
| limitations | array | Caveats — e.g., DoH (DNS over HTTPS) resolver caching may mask rotation |
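For the SOC-triage story above, here is an added Python client that calls the endpoint with the two documented parameters and turns the response fields from this table into an analyst action. It is example code for this guide, not an EdgeDNS SDK: the request shape (`GET /v1/dns/fast-flux`, `domain`, `samples` 2–5, Bearer key) and the response field names come from the page, while the triage thresholds, the `offline_opener` stand-in and the sample response are constructed assumptions.

```python
"""Call the Fast-Flux Detection endpoint and map its JSON to a triage action.

Added example, not EdgeDNS's own client. Only the page-documented request
parameters and response fields are used; the triage rules, the offline
stand-in for urlopen and SAMPLE_RESPONSE are assumptions of this example.
"""
import io
import json
import urllib.request
from urllib.parse import urlencode

API_BASE = "https://api.edgedns.dev"


def build_request(domain, api_key, samples=3):
    """Build the authenticated GET request; samples is limited to 2-5 per the docs."""
    if not 2 <= samples <= 5:
        raise ValueError("samples must be between 2 and 5")
    query = urlencode({"domain": domain, "samples": samples})
    return urllib.request.Request(
        f"{API_BASE}/v1/dns/fast-flux?{query}",
        headers={"Authorization": f"Bearer {api_key}"},
    )


def check_fast_flux(domain, api_key, samples=3, opener=urllib.request.urlopen):
    """Run the check and return the parsed JSON; `opener` is injectable for offline use."""
    with opener(build_request(domain, api_key, samples)) as resp:
        return json.load(resp)


def triage(result):
    """Map the verdict to an action (thresholds are this example's assumption).

    A positive at high confidence is blocked, any other positive is escalated,
    and a negative that carries limitations (e.g. resolver caching may have
    masked rotation) is re-queued rather than cleared outright.
    """
    limitations = list(result.get("limitations", []))
    if result.get("is_fast_flux"):
        action = "block" if result.get("confidence") == "high" else "escalate"
    else:
        action = "recheck" if limitations else "allow"
    return {
        "domain": result["domain"],
        "action": action,
        "summary": (f"{result['total_unique_ips']} IPs over {result['rounds']} rounds, "
                    f"min TTL {result['min_ttl']}s, {result['ip_set_changes']} IP-set changes"),
        "caveats": limitations,
    }


# Constructed sample response (not captured from the live API) so the example runs offline.
SAMPLE_RESPONSE = {
    "domain": "example.com",
    "is_fast_flux": True,
    "confidence": "high",
    "rounds": 4,
    "total_unique_ips": 9,
    "min_ttl": 60,
    "ip_set_changes": 3,
    "rounds_detail": [],
    "findings": ["IP set changed in 3 of 3 round transitions"],
    "limitations": ["DoH resolver caching may mask rotation"],
}


def offline_opener(req):
    """Stand-in for urllib.request.urlopen that serves SAMPLE_RESPONSE."""
    return io.BytesIO(json.dumps(SAMPLE_RESPONSE).encode())


if __name__ == "__main__":
    # Swap offline_opener for the default urlopen to query the real endpoint.
    result = check_fast_flux("example.com", "edns_live_YOUR_KEY", 4, opener=offline_opener)
    print(json.dumps(triage(result), indent=2))
```

Passing `samples=4` or `5` when the first result comes back negative with a caching caveat is the natural follow-up: more rounds across the three resolvers give cached answers more chances to expire.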
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.
IP (Internet Protocol address) — A unique number that identifies a computer on the internet, like a phone number for a server.
TTL (time to live) — How long, in seconds, a piece of information should be remembered before being looked up again.
DoH (DNS over HTTPS) — A modern way of sending DNS queries that hides them inside encrypted HTTPS traffic, so people on the same network can't see which websites you're looking up.
Need Programmatic Access?
Automate domain intelligence with 100+ API endpoints and a free MCP server for AI integration.