1. Home
  2. Techniques
  3. Enterprise
  4. Dynamic Resolution
  5. Fast Flux DNS

Dynamic Resolution: Fast Flux DNS

ID Name
T1568.001 Fast Flux DNS
T1568.002 Domain Generation Algorithms
T1568.003 DNS Calculation

Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.[1][2][3]

The simplest, "single-flux" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.[3]

In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.

ID: T1568.001
Sub-technique of:  T1568
Tactic: Command and Control
Platforms: ESXi, Linux, Windows, macOS
Version: 1.1
Created: 11 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S1025 Amadey

Amadey has used fast flux DNS for its C2.[4]
G0047 Gamaredon Group

Gamaredon Group has used fast flux DNS to mask their command and control channel behind rotating IP addresses.[5][6][7] Additionally, Gamaredon Group has used a low-frequency variant of the single-flux method.[8]

S0032 gh0st RAT

gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.[9]
G0045 menuPass

menuPass has used dynamic DNS service providers to host malicious domains.[10]
S0385 njRAT

njRAT has used a fast flux DNS for C2 IP resolution.[11]
G0092 TA505

TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.[12]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0485 Detection Strategy for Dynamic Resolution using Fast Flux DNS AN1331

Identify repeated DNS resolutions where the same domain name returns multiple IPs in short succession, combined with low TTL values and high query volume from unusual processes. Correlate with process lineage (e.g., Office apps spawning abnormal DNS lookups).
AN1332

Monitor resolver logs and auditd events for domains resolving to a rotating set of IPs within very short TTL intervals. Correlate high query rates from non-browser applications (e.g., python, curl).
AN1333

Use unified logs to identify processes issuing repeated DNS queries where the resolved IP addresses change frequently within very short TTL values. Correlate with outbound network traffic to validate C2-like patterns.
AN1334

Monitor ESXi syslog and esxcli outputs for abnormal DNS resolver behavior, such as frequent domain-to-IP changes or unauthorized modifications of DNS settings used by management agents. Correlate domain lookups with short TTL values.

References

  1. Mehta, L. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017.
  2. Mehta, L. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. Retrieved March 6, 2017.
  3. Albors, Josep. (2017, January 12). Fast Flux networks: What are they and how do they work?. Retrieved March 11, 2020.
  4. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  5. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
  6. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024.
  1. Silent Push. (2023, September 7). From Russia with a 71: Uncovering Gamaredon's fast flux infrastructure. New Apex domains and ASN/IP diversity patterns discovered. Retrieved July 28, 2025.
  2. Hunt.io. (2025, April 8). State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure. Retrieved July 23, 2025.
  3. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  4. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  5. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  6. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.