
Fast-Flux Detection: a beginner's guide

Detect fast-flux DNS rotation used by botnets and malware

EdgeDNS Team · 12 min read

Fast-flux DNS: distinguishing botnet rotation from CDN rotation

Fast-flux DNS is a technique criminals use to keep malicious infrastructure online by rotating the IP addresses a domain resolves to — often every few seconds, across a botnet of compromised home PCs or cloud VMs. A normal website changes IPs a few times a year when it switches hosts. A fast-flux domain changes IPs hundreds of times per day, never staying at any one address long enough for a threat feed or takedown to catch up. The technique was first documented by ICANN's SSAC in SAC 025 (2008), is catalogued as MITRE ATT&CK T1568.001, and remains the backbone of modern phishing, malware command-and-control, and credential-theft infrastructure.

You should care because **fast-flux detection catches active attack infrastructure before it lands in a static threat feed**. Reputation-based blocklists work well, but they're hours to days behind real rotation. Behavioral detection — watching TTL, IP-set changes, and network spread over time — catches campaigns while they're still live.

The hard problem: fast-flux looks like a CDN. Both rotate IPs. Both use short TTLs. Both serve different IPs to different users. The signal that distinguishes them is ASN diversity. Legitimate CDNs (Cloudflare, Fastly, Akamai, CloudFront) concentrate in a small number of ASNs — the CDN's own anycast networks. Fast-flux rotates across many ASNs because the hosts are compromised consumer endpoints scattered across hundreds of residential ISPs. The classical metric, from Holz et al.'s NDSS paper, is the AS-fraction: `(unique_ASNs - 1) / (unique_IPs - 1)`. A value near 0 means all IPs share one AS (CDN). Near 1 means every IP is in a different AS (botnet). Without this metric, naive fast-flux detectors flag every CDN as malicious, and operators learn to ignore the alerts.

Single-flux and double-flux. Single-flux rotates only the A records; the authoritative nameservers stay stable. Double-flux rotates the NS records too, so the entire delegation moves under the attacker's control with each query. Double-flux is harder to take down and a stronger indicator that something is deliberately evasive (Palo Alto Unit 42 — Fast-Flux 101).

The five things a real fast-flux check looks at:

  • TTL. Under 300 seconds is suspicious; under 60 seconds is highly suspicious — but only when combined with the other signals below.

  • IP-set rotation across rounds. Run the same query three times spaced a few seconds apart. Different IP sets each round = rotation is real.

  • ASN diversity (the AS-fraction). Three or more distinct ASNs across the rotated IPs, with high AS-fraction, is the signature that distinguishes botnet from CDN.

  • Reverse-DNS residential signature. Fast-flux IPs usually PTR back to dynamic residential ISP patterns: `.dyn.`, `.cable.`, `.broadband.`, `.dsl.`. CDN IPs PTR to static infrastructure names.

  • NS rotation (double-flux). If the NS RRset itself rotates across rounds, this is advanced fast-flux and a much stronger indicator of intentional evasion than rotating A records alone.

Three questions a fast-flux check answers:

  • Is this domain actively rotating across many unrelated networks, or is it just a CDN doing normal geo-load-balancing?

  • If the rotation is real, is it single-flux (A only) or double-flux (NS too)?

  • Are the rotated IPs sitting in residential ISP space — the giveaway for botnet hosting on consumer endpoints?

The cost of missing fast-flux activity is letting phishing and malware campaigns run unobstructed for the hours or days before static threat feeds catch up. The cost of naive fast-flux detection is alert fatigue from flagging every CDN. ASN diversity, residential PTR, and NS-rotation analysis together resolve both.

The Fast-Flux Detection endpoint, in plain language

In one sentence: Detect fast-flux [DNS (Domain Name System)](/guides/dns-lookup) rotation used by botnets and malware.

Detects fast-flux DNS (Domain Name System) behavior — a technique used by botnets, phishing infrastructure, and malware command-and-control servers to evade takedowns by rotating through many IPs with very short TTLs. Performs multiple rounds of A and AAAA queries across multiple DoH (DNS over HTTPS) resolvers with delays between rounds, comparing IP (Internet Protocol address) sets and TTLs to flag rotation patterns.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

  • Executes 3–5 rounds of A and AAAA queries with configurable delays. For each round, records the unique IP (Internet Protocol address) set and the minimum TTL (time to live).

  • Enriches every observed IP with ASN (Autonomous System Number), network owner, and country via Team Cymru, then computes the AS-fraction (Autonomous System fraction) diversity metric (Holz et al.).

  • Flags fast-flux DNS (Domain Name System) when the minimum TTL is below 300 seconds AND IP-set rotation is observed AND multiple IPs are seen AND the IPs do not predominantly belong to a known CDN (Content Delivery Network) edge ASN (Cloudflare, Fastly, Akamai, CloudFront, etc.).

  • Rotates across multiple public DoH (DNS over HTTPS) resolvers (Cloudflare, Google, Quad9) so that resolver-side caching is less likely to mask rotation.

  • Returns per-round metrics, per-IP ASN/country detail, an explicit CDN-rotation classification, and a verdict with supporting evidence.
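To make the five signals and the verdict gate described above concrete, here is an added example (not EdgeDNS code) that runs the same classification offline over constructed per-round observations: it computes the Holz AS-fraction, counts IP-set changes, applies the known-CDN and residential-PTR checks, detects NS rotation, and applies the page's "TTL < 300 AND rotation AND ≥3 IPs AND not CDN" gate. The IP addresses, ASNs, PTR names and the "more than half the IPs" reading of "predominantly CDN" are assumptions; the medium/low split below "high" confidence is assumed too, since the page only specifies what "high" requires.

```python
# Constructed sample data standing in for the endpoint's per-round A-record
# observations, ASN enrichment and reverse-DNS lookups (none of it is real).
CDN_ASNS = {13335, 54113, 20940, 16509}  # Cloudflare, Fastly, Akamai, Amazon/CloudFront
RESIDENTIAL_PTR_HINTS = (".dyn.", ".cable.", ".broadband.", ".dsl.")

def as_fraction(ips, asn_of):
    """Holz AS-fraction (unique_ASNs - 1) / (unique_IPs - 1); 0.0 with fewer than 2 IPs."""
    uniq_ips = set(ips)
    if len(uniq_ips) < 2:
        return 0.0
    uniq_asns = {asn_of[ip] for ip in uniq_ips}
    return (len(uniq_asns) - 1) / (len(uniq_ips) - 1)

def classify(rounds, asn_of, ptr_of, ns_rounds=None):
    """rounds: [{"ips": [...], "ttl": int}, ...]; ns_rounds: per-round sets of NS names."""
    ip_sets = [set(r["ips"]) for r in rounds]
    all_ips = set().union(*ip_sets)
    ip_set_changes = sum(1 for a, b in zip(ip_sets, ip_sets[1:]) if a != b)
    min_ttl = min(r["ttl"] for r in rounds)
    unique_asns = len({asn_of[ip] for ip in all_ips})
    ratio = as_fraction(all_ips, asn_of)
    cdn_ips = sum(1 for ip in all_ips if asn_of[ip] in CDN_ASNS)
    # "Predominantly" in a known CDN ASN is assumed here to mean more than half of the IPs.
    is_cdn_rotation = ip_set_changes > 0 and 2 * cdn_ips > len(all_ips)
    residential = sum(1 for ip in all_ips
                      if any(h in ptr_of.get(ip, "") for h in RESIDENTIAL_PTR_HINTS))
    is_double_flux = bool(ns_rounds) and any(a != b for a, b in zip(ns_rounds, ns_rounds[1:]))
    # The page's gate: TTL < 300 AND rotation AND >= 3 IPs AND not explained by a CDN.
    is_fast_flux = (min_ttl < 300 and ip_set_changes > 0
                    and len(all_ips) >= 3 and not is_cdn_rotation)
    if is_fast_flux and unique_asns >= 3 and ratio >= 0.5:
        confidence = "high"    # the page's stated requirement for "high"
    elif is_fast_flux:
        confidence = "medium"  # medium/low split below "high" is an assumption
    else:
        confidence = "low"
    return {"is_fast_flux": is_fast_flux, "is_cdn_rotation": is_cdn_rotation,
            "is_double_flux": is_double_flux, "confidence": confidence,
            "min_ttl": min_ttl, "ip_set_changes": ip_set_changes,
            "total_unique_ips": len(all_ips), "unique_asns": unique_asns,
            "asn_diversity_ratio": ratio, "residential_ptr_count": residential}

# Constructed enrichment tables: documentation address ranges and private ASNs.
ASN_OF = {"198.51.100.10": 64500, "198.51.100.20": 64501, "203.0.113.5": 64502,
          "203.0.113.9": 64503, "192.0.2.1": 13335, "192.0.2.2": 13335, "192.0.2.3": 13335}
PTR_OF = {"198.51.100.10": "cpe-10.dyn.isp-a.example", "198.51.100.20": "h20.cable.isp-b.example",
          "203.0.113.5": "pool-5.dsl.isp-c.example", "192.0.2.1": "edge1.cdn.example"}
FLUX_ROUNDS = [{"ips": ["198.51.100.10", "198.51.100.20", "203.0.113.5"], "ttl": 60},
               {"ips": ["198.51.100.20", "203.0.113.5", "203.0.113.9"], "ttl": 60},
               {"ips": ["203.0.113.9", "198.51.100.10", "203.0.113.5"], "ttl": 30}]
FLUX_NS = [{"ns1.flux.example"}, {"ns7.flux.example"}, {"ns1.flux.example"}]
CDN_ROUNDS = [{"ips": ["192.0.2.1", "192.0.2.2"], "ttl": 120},
              {"ips": ["192.0.2.2", "192.0.2.3"], "ttl": 120},
              {"ips": ["192.0.2.1", "192.0.2.3"], "ttl": 120}]
```

`classify(FLUX_ROUNDS, ASN_OF, PTR_OF, FLUX_NS)` yields a high-confidence double-flux verdict (four IPs in four ASNs, AS-fraction 1.0, three residential PTRs), while `classify(CDN_ROUNDS, ASN_OF, PTR_OF)` rotates just as often but lands on `is_cdn_rotation: True` with AS-fraction 0.0.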

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Fast-Flux Detection tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

Fast-flux detection is a key input for blocking phishing and malware C2 traffic. Unlike static threat feeds that list known-bad domains, fast-flux DNS (Domain Name System) detection catches active infrastructure before it lands in a feed. ASN (Autonomous System Number) diversity is the primary signal that distinguishes a botnet (many ASNs, many countries) from a CDN (Content Delivery Network) (few ASNs, anycast edge) — combining it with TTL (time to live) and rotation analysis dramatically reduces the false positives that plague naive fast-flux detection. It complements the domain-threat check by adding behavioral analysis to reputation-based lookup.

Picture this in real life. Imagine a SOC analyst. Here's the situation they're walking into: a domain has surfaced in SIEM alerts. Run the endpoint to distinguish botnet rotation from CDN (Content Delivery Network) rotation: ASN (Autonomous System Number) diversity (Holz AS-fraction (Autonomous System fraction)), known-CDN allowlist, residential-ISP PTR (pointer (reverse DNS) record) signature, and double-flux DNS (Domain Name System) NS rotation are aggregated into a single verdict. A domain whose IPs sit on Cloudflare (AS 13335) is correctly classified as `is_cdn_rotation: true`, not fast-flux — eliminating the noise that makes most fast-flux tooling unusable. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Fast-Flux Detection tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Fast-Flux Detection tool is built for you:

  • Is my domain pointing to the right place right now?

  • Did the DNS change I just made actually take effect everywhere in the world?

  • Is anything in my DNS misconfigured in a way that could break email or break the website?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Founders running their own infrastructure, marketers coordinating launches, IT admins inheriting domains from a former employee, and ops engineers troubleshooting live outages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and you're flying blind on the one piece of config that decides whether your website and email work at all. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the developer plan. The technical details: `GET /v1/dns/fast-flux`.

When would I actually use this?

If you're still on the fence about whether the Fast-Flux Detection tool belongs in your toolbox, this section is for you. Below you'll meet three real people — an SOC analyst, a threat intelligence analyst, and a network security engineer — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: SOC triage with CDN false-positive elimination

Imagine you're a SOC analyst. A domain has surfaced in SIEM alerts. Run the endpoint to distinguish botnet rotation from CDN (Content Delivery Network) rotation: ASN (Autonomous System Number) diversity (Holz AS-fraction (Autonomous System fraction)), known-CDN allowlist, residential-ISP PTR (pointer (reverse DNS) record) signature, and double-flux DNS (Domain Name System) NS rotation are aggregated into a single verdict. A domain whose IPs sit on Cloudflare (AS 13335) is correctly classified as `is_cdn_rotation: true`, not fast-flux — eliminating the noise that makes most fast-flux tooling unusable.

Why it matters: High-confidence escalation decisions without the alert fatigue that comes from naive TTL-only checks.

Story 2: Detect double-flux command-and-control

Imagine you're a threat intelligence analyst. Investigate a suspected C2 domain. The endpoint runs both A-record rotation detection AND NS-rotation tracking across multiple rounds. A domain whose authoritative nameservers also rotate (`is_double_flux: true`) is exhibiting the advanced fast-flux DNS (Domain Name System) signature catalogued as MITRE ATT&CK T1568.001 — a strong indicator of sophisticated criminal infrastructure rather than commodity phishing.

Why it matters: Distinguishes "likely phishing operator" from "sophisticated criminal infrastructure" for incident-response prioritization.

Story 3: Protective DNS rule tuning

Imagine you're a network security engineer. Use the confidence levels (`high` / `medium` / `low`) to drive protective-DNS policy: auto-block on `is_fast_flux: true` + `confidence: "high"` + `is_double_flux: true`; rate-limit / quarantine on medium; pass through on low. The structural gating (3+ ASNs, ASN-diversity ≥ 0.5, residential-PTR count) ensures legitimate CDNs are never blocked.

Why it matters: Operationally usable blocking thresholds that don't require a security analyst to manually exception every CDN-fronted SaaS your users visit.

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Fast-Flux Detection tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • Right before launching a new website or migrating to a new host.

  • After making any DNS change, to confirm the new settings are live everywhere.

  • When customers report that your site or email "just stopped working" out of nowhere.

  • As a recurring monthly health check to catch silent misconfigurations early.

If you can see yourself in even one of those bullets, the Fast-Flux Detection tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Fast-Flux Detection tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the Fast-Flux Detection tool to check example.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/dns/fast-flux?domain=example.com"
```

What you need to provide

You need to provide 2 pieces of information when you call this tool. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.

| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| `domain` | string | Yes | The domain to probe for fast-flux DNS (Domain Name System) behavior | `example.com` |
| `samples` | number | Optional | Number of query rounds (2–5, default 3). More rounds give a stronger signal at the cost of a longer response time. | `3` |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
|---|---|---|
| `domain` | string | The queried domain |
| `is_fast_flux` | boolean | Whether fast-flux DNS (Domain Name System) behavior is detected (rotation + low TTL (time to live) + ≥3 IPs + not CDN (Content Delivery Network)) |
| `is_cdn_rotation` | boolean | True when IP (Internet Protocol address) rotation is explained by known CDN (Content Delivery Network) edge ASNs — distinguishes legitimate CDN from malicious flux |
| `confidence` | string | Confidence: low, medium, high. High requires ≥3 ASNs and AS-fraction (Autonomous System fraction) diversity ≥ 0.5 |
| `rounds` | number | Number of query rounds executed |
| `total_unique_ips` | number | Total distinct IPs observed across all rounds |
| `unique_asns` | number | Distinct ASNs across the observed IPs |
| `unique_countries` | number | Distinct ISO country codes across the observed IPs |
| `asn_diversity_ratio` | number | Holz AS-fraction (Autonomous System fraction): (unique_ASNs - 1) / (unique_IPs - 1). 0 = single AS, 1 = every IP (Internet Protocol address) in a different AS |
| `min_ttl` | number | Minimum TTL (time to live) observed |
| `ip_set_changes` | number | Number of rounds where the IP (Internet Protocol address) set differed from the prior round |
| `rounds_detail` | array | Per-round breakdown: IPs, TTL (time to live), resolver, elapsed ms |
| `ip_asn_detail` | array | Per-IP ASN (Autonomous System Number), network owner (when a known CDN (Content Delivery Network)), country, and `is_cdn` flag |
| `findings` | array | Human-readable findings, including the ASN-spread interpretation |
| `limitations` | array | Caveats — DoH (DNS over HTTPS) caching, a conservative CDN (Content Delivery Network) allowlist, best-effort ASN (Autonomous System Number) enrichment |

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.

IP (Internet Protocol address) — A unique number that identifies a computer on the internet, like a phone number for a server.

TTL (time to live) — How long, in seconds, a piece of information should be remembered before being looked up again.

CDN (Content Delivery Network) — A worldwide network of servers that store copies of your website close to your visitors so pages load fast.

DoH (DNS over HTTPS) — A modern way of sending DNS queries that hides them inside encrypted HTTPS traffic, so people on the same network can't see which websites you're looking up.

ASN (Autonomous System Number) — A unique number assigned to a big network operator (like an ISP or cloud provider). Tells you who owns a chunk of the internet.

AS-fraction (Autonomous System fraction) — The Holz et al. metric for fast-flux detection: (unique ASNs - 1) / (unique IPs - 1). Near 0 means all IPs share one network (typical of a CDN). Near 1 means every IP is in a different network (typical of a botnet).

fast-flux (fast-flux DNS) — An attacker technique that rotates a domain's IP addresses across a botnet — sometimes every few seconds — to stay ahead of takedowns and threat-feed blocklists. Distinguished from CDN rotation by ASN diversity and residential-PTR signatures.

double-flux (double-flux DNS) — An advanced fast-flux variant that rotates the authoritative nameservers (NS records) in addition to the A records. Catalogued as MITRE ATT&CK T1568.001 and a strong indicator of sophisticated criminal infrastructure.

PTR (pointer (reverse DNS) record) — The reverse-DNS record that maps an IP back to a hostname. Residential-ISP PTRs (`.dyn.`, `.cable.`, `.broadband.`) on rotating IPs are a strong fast-flux signal — they indicate compromised consumer endpoints.
