Detecting Fast Flux DNS with UltraDNS
When it comes to DNS-based attack techniques, Fast Flux is one of the trickiest to pin down. It’s not new—but it’s still highly effective, and it remains a favorite among threat actors looking to keep malicious infrastructure online and out of reach.
What Is Fast Flux?
It’s a tactic where a single domain name resolves to many different IPs, usually spread across a botnet. Those IPs switch rapidly, sometimes dozens of times per hour, to stay ahead of blacklists and defenders.
There are two main versions:
- Single-Flux: A records change often.
- Double-Flux: Both A records and NS records rotate, adding more complexity.
Why It’s Hard to Catch
Fast Flux can look like a CDN or a modern load balancer. You’ll see lots of IPs, low TTLs, and frequent changes. None of that is inherently malicious, which is why it slips past basic detection.
Where UltraDNS Comes In
This is where the UltraDNS Private Data Lake comes in. By capturing detailed resolution patterns across billions of queries, it gives security teams the historical visibility they need to spot Fast Flux activity over time. With it, you can:
- Track how often and how quickly IPs rotate for a given domain
- Identify domains with unusually high response set churn
- Flag TTL patterns that deviate from normal traffic
- Surface associations with known bad infrastructure
This kind of historical insight makes a big difference. It’s not just about what’s happening now—it’s about seeing the patterns over time.
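The rotation, churn and TTL checks listed above can be sketched over historical resolution records as follows. This is an added example, not UltraDNS code: the record layout, the domain names, the thresholds and the "fresh_ratio" feature (how often an answer contains only never-before-seen IPs) are assumptions chosen for illustration, not the Private Data Lake schema.

```python
from collections import defaultdict
from statistics import median

# Constructed sample records: (epoch_seconds, qname, ttl, answer_ips).
# The field layout is an assumption, not the UltraDNS Private Data Lake schema.
def sample_records():
    rows = []
    for i in range(12):                      # one observation every 5 minutes
        t = 1_700_000_000 + i * 300
        # flux-like: every response is a fresh set of 3 addresses, shifting TTL
        rows.append((t, "flux.example", 60 + 30 * (i % 4),
                     frozenset(f"198.51.100.{3 * i + k}" for k in range(3))))
        # CDN-like: low TTL, but answers rotate inside a fixed pool of 4 addresses
        rows.append((t, "cdn.example", 30,
                     frozenset(f"203.0.113.{(i + k) % 4 + 1}" for k in range(2))))
        # static: same address, long TTL
        rows.append((t, "static.example", 3600, frozenset({"192.0.2.10"})))
    return rows

def churn_metrics(records):
    """Per-domain rotation features from time-ordered resolution records."""
    by_domain = defaultdict(list)
    for ts, qname, ttl, ips in sorted(records, key=lambda r: r[0]):
        by_domain[qname].append((ttl, ips))
    out = {}
    for qname, obs in by_domain.items():
        seen, changes, fresh = set(), 0, 0
        for idx, (_, ips) in enumerate(obs):
            if idx and ips != obs[idx - 1][1]:
                changes += 1                 # response set differs from previous
            if idx and not ips & seen:
                fresh += 1                   # nothing in this answer seen before
            seen |= ips
        n = max(len(obs) - 1, 1)
        out[qname] = {
            "distinct_ips": len(seen),
            "set_churn": changes / n,        # share of transitions that changed
            "fresh_ratio": fresh / n,        # share of answers with only new IPs
            "median_ttl": median(t for t, _ in obs),
            "ttl_values": len({t for t, _ in obs}),
        }
    return out

def flag_fast_flux(metrics, max_ttl=300, min_ips=10, min_fresh=0.5):
    """Illustrative thresholds (assumptions); tune against your own baseline."""
    return sorted(q for q, m in metrics.items()
                  if m["median_ttl"] <= max_ttl and m["distinct_ips"] >= min_ips
                  and m["fresh_ratio"] >= min_fresh)
```

On the constructed data, the CDN-like domain shows the same low TTL and 100% response set churn as the flux-like one; only the growth of the distinct IP pool over the observation window separates them, which is why the historical view matters.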
Here’s a quick look at TTL changes over a 24-hour period for a domain flagged for Fast Flux behavior. Low and shifting TTLs are a red flag:

Learn more and stay ahead
We recently published a deep dive on the fundamentals of Fast Flux DNS, how it works, and what you can do to stop it. Check it out here:
Fast Flux DNS: What It Is & How to Stop It
If you're exploring how to better protect your organization from DNS-layer threats—or how to use UltraDNS data to detect these behaviors—drop us a comment or join the conversation here in the Community. We’d love to hear how you’re tackling it.
—
Want help building Fast Flux detection workflows with Private Data Lake? Reach out to your account team—we’re happy to collaborate.