
Finding Fast Flux Fully Qualified Domain Names Using the SIE DNS Changes Channel

Fast Flux Labeled a National Security Threat

In April 2025, leading international cybersecurity authorities, including:

released a “TLP:CLEAR” joint cybersecurity advisory entitled “Fast Flux: A National Security Threat.” The advisory describes fast flux as a technique used by threat actors such as Gamaredon, the Hive and Nefilim ransomware operators, and bulletproof hosting (BPH) providers to hide the locations of malicious servers by rapidly changing Domain Name System (DNS) records. The resilience this gives a fast flux network lets these actors evade blocking and takedowns while maintaining anonymity.

In the face of this activity, the advisory notes: 

This advisory is meant to encourage service providers, especially Protective DNS (PDNS) providers, to help mitigate this threat by taking proactive steps to develop accurate, reliable, and timely fast flux detection analytics and blocking capabilities for their customers.

It also suggests, among other things (on PDF page 6 of 10):

1. Leverage threat intelligence feeds and reputation services to identify known fast flux domains and associated IP addresses, such as in boundary firewalls, DNS resolvers, and/or SIEM solutions.

2. Implement anomaly detection systems for DNS query logs to identify domains exhibiting high entropy or IP diversity in DNS responses and frequent IP address rotations. Fast flux domains will frequently cycle through tens or hundreds of IP addresses per day. […]

4. Review DNS resolution for inconsistent geolocation. Malicious domains associated with fast flux typically generate high volumes of traffic with inconsistent IP-geolocation information. […]

6. Develop fast flux detection algorithms to identify anomalous traffic patterns that deviate from usual network DNS behavior.

In 2008, this article’s author worked on the ICANN Fast Flux Working Group, so we were already familiar with the fast flux problem, but we’d been under the impression that it had largely faded from popularity because attackers had switched to free reverse proxy services instead. We decided to check whether “what was old” in 2008 had become a “new thing” once again in 2025.

For the record, the authors of the joint advisory caution that:

Note: Some legitimate activity, such as common content delivery network (CDN) behaviors, may look like malicious fast flux activity. Protective DNS services, service providers, and network defenders should make reasonable efforts, such as allowlisting expected CDN services, to avoid blocking or impeding legitimate content.

We’re not suggesting that you block (or don’t block) anything, we’re simply sharing what we see in order to inform your decisions on security posturing.

Checking Data Using DomainTools SIE DNS Changes Channel

We decided to look at data from the DomainTools Security Information Exchange (SIE) DNS Changes channel. This channel has previously been described in “The Only Thing That’s Constant Is Change: The DNS Changes Channel (SIE Channel 214),” but the back-of-the-matchbook version is that DNS Changes shows, well, all DNS Changes.

We could pull a steady stream of select bits and bobs from that channel using nmsgtool and jq:

$ nmsgtool -C ch214 -J - | jq -r '"\(.message.rrname) \(.message.rrtype) \(.message.rdata)"'

A couple of random “A” records from that command pipeline (manually “defanged” for display here, with inter-record spaces added for improved readability) look like:

abfwdhoaaaaaaaamaf7orkhrfh7es.pop-de-cf.dash.pv-cdn[.]net. A ["18[.]155.153.15","18[.]155.153.45","18[.]155.153.64","18[.]155.153.122"]


fx-ws.gateio[.]ws. A ["35[.]74.11.211","35[.]79.26.8","43[.]206.206.2","52[.]194.27.153","52[.]199.207.174",
"54[.]178.108.173","54[.]249.172.29","57[.]182.0.16"]

Now, we just need a tool to spot fast fluxing domains from that stream of records. But how?

Identifying Fast Flux Domains Using the Mannheim Formula

Research previously done at the University of Mannheim (Holz et al., NDSS 2008, as described on page 115 of the ICANN Fast Flux Working Group Final Report mentioned above) made it easy to identify domains that are likely fast fluxing. Compute:

mannheim = (1.32 * number of unique IPs seen) + (18.54 * number of unique ASNs seen)
if mannheim > 142.38: the domain is likely fast fluxing

To compute that score, we need to map IPs to ASNs. We’ll use the free IP-to-ASN DNS zone (asn.routeviews.org) available from the University of Oregon Route Views project: reverse the octets of the IP, append the zone name, and query for a TXT record whose first field is the origin ASN.

If you’re making a substantial number of queries over a protracted period of time, you should probably download a copy of that zone and run it on a local DNS server to avoid dumping too much traffic onto the main public Routeviews server.

Note that a domain can cross the Mannheim threshold in two ways:

  • cumulatively, once enough distinct IPs and ASNs have accumulated across multiple observed resolutions, OR
  • from a single resolution, when an FQDN is so “noisy” that one answer alone is enough to “qualify.” With the weights above, a single answer needs at least seven distinct ASNs (seven ASNs require ten or more IPs, eight ASNs only eight); with fewer ASNs the IP count has to make up the difference (five ASNs, for example, need 38 IPs).
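As an added, offline worked example (not the post’s mannheim.py, which is in Appendix I), the following Python parses the ‘rrname rrtype rdata’ lines that the nmsgtool and jq pipeline above emits, builds the reverse-octet query name for the Routeviews zone and parses its TXT answer, and scores each FQDN with the Mannheim formula both per single resolution and cumulatively across resolutions (the first of the two cases above, which the proof of concept in this post leaves out). The FQDNs, the addresses (RFC 5737 documentation ranges), the ASNs (RFC 5398 documentation range) and the IP-to-ASN table are constructed for the sample; the three-field Routeviews TXT layout is the one mannheim.py relies on and is assumed here too.

```python
import ipaddress
import json
from collections import defaultdict

# Mannheim weights and threshold as quoted in the post.
W_IP, W_ASN, THRESHOLD = 1.32, 18.54, 142.38

# Address space the Routeviews IP-to-ASN zone has no origin ASN for.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pipeline_line(line):
    """Split one 'rrname rrtype rdata' line; rdata is the JSON array jq printed.

    jq prints the array without spaces, so a three-way split is safe for A
    records; callers ignore other types (TXT/SOA rdata may contain spaces).
    """
    rrname, rrtype, rdata = line.strip().split(" ", 2)
    return rrname, rrtype, json.loads(rdata)


def routeviews_qname(ip):
    """Reverse the octets and append the asn.routeviews.org zone name."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".asn.routeviews.org"


def parse_routeviews_txt(txt):
    """The zone answers '"<asn>" "<prefix>" "<prefix length>"'; return the ASN.

    Assumes the three-field layout mannheim.py relies on (a multi-origin
    answer would need extra handling that is not attempted here).
    """
    asn, _prefix, _plen = (field.strip('"') for field in txt.split())
    return asn


def mannheim_score(n_ips, n_asns):
    return W_IP * n_ips + W_ASN * n_asns


class FluxTracker:
    """Score every FQDN per resolution and cumulatively across resolutions."""

    def __init__(self, ip_to_asn):
        self.ip_to_asn = ip_to_asn          # callable: ip -> ASN string, or None
        self.ips = defaultdict(set)         # FQDN -> every IP seen so far
        self.asns = defaultdict(set)        # FQDN -> every ASN seen so far

    def observe(self, line):
        rrname, rrtype, rdata = parse_pipeline_line(line)
        if rrtype != "A":
            return None
        ips, asns = set(), set()
        for ip in rdata:
            addr = ipaddress.IPv4Address(ip)
            if any(addr in net for net in RFC1918):
                continue                    # not routable, not in Routeviews
            ips.add(ip)
            asn = self.ip_to_asn(ip)
            if asn is not None:
                asns.add(asn)
        self.ips[rrname] |= ips
        self.asns[rrname] |= asns
        single = mannheim_score(len(ips), len(asns))
        cumulative = mannheim_score(len(self.ips[rrname]), len(self.asns[rrname]))
        return {"rrname": rrname, "single": single, "cumulative": cumulative,
                "flux_single": single > THRESHOLD,
                "flux_cumulative": cumulative > THRESHOLD}


# Constructed sample: RFC 5737 addresses, RFC 5398 ASNs, made-up names.
FLUX_ONCE = [f"192.0.2.{i}" for i in range(1, 9)]          # 8 IPs in 8 ASNs
FLUX_SLOW_1 = [f"198.51.100.{i}" for i in range(1, 6)]     # 5 IPs in 5 ASNs ...
FLUX_SLOW_2 = [f"198.51.100.{i}" for i in range(11, 16)]   # ... then 5 more, new ASNs
CDN = [f"203.0.113.{i}" for i in range(1, 13)]             # 12 IPs, one ASN
SAMPLE_ASN_MAP = {ip: f"AS{64496 + i}" for i, ip in enumerate(FLUX_ONCE)}
SAMPLE_ASN_MAP.update({ip: f"AS{64496 + i}" for i, ip in enumerate(FLUX_SLOW_1 + FLUX_SLOW_2)})
SAMPLE_ASN_MAP.update({ip: "AS64511" for ip in CDN})


def _rec(name, ips):
    """Build a line in the exact shape the jq command above prints."""
    return f"{name} A {json.dumps(ips, separators=(',', ':'))}"


SAMPLE_LINES = [
    _rec("flux-once.example.", FLUX_ONCE + ["10.0.0.1"]),   # RFC 1918 entry is skipped
    _rec("flux-slow.example.", FLUX_SLOW_1),
    'cdn.example. AAAA ["2001:db8::1"]',                    # ignored: not an A record
    _rec("cdn.example.", CDN),
    _rec("flux-slow.example.", FLUX_SLOW_2),
]


def run_sample():
    tracker = FluxTracker(SAMPLE_ASN_MAP.get)
    return [r for r in (tracker.observe(l) for l in SAMPLE_LINES) if r is not None]


if __name__ == "__main__":
    for r in run_sample():
        verdict = "single" if r["flux_single"] else "cumulative" if r["flux_cumulative"] else "no"
        print(f"{r['rrname']:<22} single={r['single']:7.2f} cumulative={r['cumulative']:7.2f} flagged={verdict}")
```

In the sample, flux-once.example. is flagged from its first answer (8 IPs in 8 ASNs scores 158.88), flux-slow.example. scores only 99.3 per answer but 198.6 once both answers are pooled, and the CDN-like name with a dozen addresses in one ASN never gets past 34.38. Swap SAMPLE_ASN_MAP.get for a function that resolves routeviews_qname(ip) and feeds the answer through parse_routeviews_txt to run this against the live channel.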

We decided to focus just on the latter case for this simple proof of concept. We wrote a couple of pages of Python3 to see what we could find (see Appendix I for the actual code). We’ll just tack that routine onto the end of our command pipeline:

$ nmsgtool -C ch214 -J - | jq -r '"\(.message.rrname) \(.message.rrtype) \(.message.rdata)"' | \
./mannheim.py

Sample Hits Seen in DNS Changes Data

Running that code, we quickly encountered domains that satisfied the Mannheim criteria (defanged for display here):

x9.seed.bitcoin.wiz[.]biz. A 41[.]103.255.161 36947
x9.seed.bitcoin.wiz[.]biz. A 46[.]59.68.99 8473
x9.seed.bitcoin.wiz[.]biz. A 50[.]71.242.2 6327
x9.seed.bitcoin.wiz[.]biz. A 51[.]159.21.128 12876
x9.seed.bitcoin.wiz[.]biz. A 67[.]0.255.2 209
x9.seed.bitcoin.wiz[.]biz. A 68[.]113.241.44 20115
x9.seed.bitcoin.wiz[.]biz. A 79[.]157.120.160 3352
x9.seed.bitcoin.wiz[.]biz. A 80[.]228.205.35 9145
x9.seed.bitcoin.wiz[.]biz. A 86[.]59.164.133 5483
x9.seed.bitcoin.wiz[.]biz. A 96[.]235.162.248 701
x9.seed.bitcoin.wiz[.]biz. A 112[.]199.254.46 4773
x9.seed.bitcoin.wiz[.]biz. A 152[.]53.48.151 42473
x9.seed.bitcoin.wiz[.]biz. A 167[.]57.11.174 6057
x9.seed.bitcoin.wiz[.]biz. A 173[.]180.175.40 852
x9.seed.bitcoin.wiz[.]biz. A 185[.]228.112.234 198539
x9.seed.bitcoin.wiz[.]biz. A 194[.]156.188.249 35384
x9.seed.bitcoin.wiz[.]biz. A 195[.]26.86.119 43641
x9.seed.bitcoin.wiz[.]biz. A 205[.]172.59.6 395839
x9.seed.bitcoin.wiz[.]biz. A 212[.]100.51.145 198967
x9.seed.bitcoin.wiz[.]biz. A 213[.]227.147.244 60781
x9.seed.bitcoin.wiz[.]biz. A 216[.]174.68.160 7057

Each “detail line” shows the FQDN, the record type, one IP from the answer, and the ASN originating that IP; the set of lines represents all the IPs returned in a single resolution of the name.

If you’d like, you can use Iris to look up the base domain name, IP, or ASN for more details. Given the name, this domain is likely a cryptocurrency “seeder” domain.

Note that while all of these (and the other domains shown as examples) meet the Mannheim criteria, the score alone does not prove fast flux; we can still look more closely at each domain to confirm it. Here are some questions to consider in that examination:

  • What is the time to live (TTL)? Fast flux domains normally have shorter time-to-live values.
  • If you try re-resolving the domain several times at multiple public resolvers (such as 8.8.8.8 and 1.1.1.1) over the course of some minutes, how many unique IPs do you see over time? Where are those located? All in one place, or all over the place? Fast flux domains often span countries and continents, not just ISPs. Are they in consumer dynamic space?
  • Can you determine the intent behind the domain? If you check Google or popular blocklists, is the domain mentioned in conjunction with spam, phishing, or malware?
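To make those checks repeatable, here is an added example (not code from the post) that turns the first two questions into a triage step: re-resolve a candidate FQDN several times at several public resolvers, record the TTL and the answer set each time, then summarize how many unique IPs and distinct answer sets showed up, how short the TTLs were, and how many countries the addresses fall in. The live collector uses dnspython against 8.8.8.8 and 1.1.1.1; the observations and the IP-to-country table in the sample are constructed (RFC 5737 addresses), and the “short TTL” and “geo spread” cut-offs are assumptions to tune, not values from the post.

```python
import time
from collections import Counter
from dataclasses import dataclass

SHORT_TTL = 300        # assumption: cached for five minutes or less counts as "short"
MIN_COUNTRIES = 3      # assumption: three or more countries counts as "all over the place"


@dataclass(frozen=True)
class Observation:
    resolver: str      # which public resolver answered
    ttl: int           # TTL of the A rrset in that answer
    ips: tuple         # A records in that answer


def collect_live(name, resolvers=("8.8.8.8", "1.1.1.1"), rounds=5, pause=60):
    """Re-resolve name at each resolver, rounds times, pause seconds apart.

    Uses dnspython (pip install dnspython); imported here so the offline
    sample below does not need it.
    """
    import dns.resolver
    observations = []
    for i in range(rounds):
        for ns in resolvers:
            res = dns.resolver.Resolver(configure=False)
            res.nameservers = [ns]
            answer = res.resolve(name, "A")
            ips = tuple(sorted(rr.address for rr in answer))
            observations.append(Observation(ns, answer.rrset.ttl, ips))
        if i < rounds - 1:
            time.sleep(pause)
    return observations


def triage(observations, ip_country):
    """Summarize what the checklist asks: TTL, churn over time, geography."""
    all_ips = {ip for o in observations for ip in o.ips}
    ttls = [o.ttl for o in observations]
    countries = Counter(ip_country.get(ip, "??") for ip in all_ips)
    return {
        "unique_ips": len(all_ips),
        "distinct_answer_sets": len({tuple(sorted(o.ips)) for o in observations}),
        "min_ttl": min(ttls),
        "max_ttl": max(ttls),
        "short_ttl": max(ttls) <= SHORT_TTL,
        "countries": dict(countries),
        "geo_spread": len(countries) >= MIN_COUNTRIES,
    }


# Constructed observations: a churning name spread across nine countries, and a
# CDN-like name with an equally short TTL but a stable, single-country answer.
IP_COUNTRY = {f"192.0.2.{i}": c for i, c in enumerate(
    ["DZ", "SE", "CA", "FR", "US", "DE", "HU", "SG", "UY"], start=1)}
IP_COUNTRY.update({"203.0.113.10": "US", "203.0.113.11": "US"})

FLUX_OBS = [
    Observation("8.8.8.8", 60, ("192.0.2.1", "192.0.2.2", "192.0.2.3")),
    Observation("1.1.1.1", 120, ("192.0.2.2", "192.0.2.4", "192.0.2.5")),
    Observation("8.8.8.8", 45, ("192.0.2.1", "192.0.2.6", "192.0.2.7")),
    Observation("1.1.1.1", 90, ("192.0.2.3", "192.0.2.8", "192.0.2.9")),
]
CDN_OBS = [Observation(ns, 20, ("203.0.113.10", "203.0.113.11"))
           for ns in ("8.8.8.8", "1.1.1.1") * 2]


def run_sample():
    return triage(FLUX_OBS, IP_COUNTRY), triage(CDN_OBS, IP_COUNTRY)


if __name__ == "__main__":
    for label, summary in zip(("churning", "cdn-like"), run_sample()):
        print(label, summary)
```

The point of the second sample is the caveat the advisory itself raises: a CDN name can have a TTL just as short as a fast flux name, so TTL on its own is a weak signal. Churn in the answer sets over time and geographic spread across the returned addresses are what separate the two in this data; whether the addresses sit in consumer dynamic space still needs a WHOIS or reverse-DNS look that this example does not attempt.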

Let’s do part of that analysis by checking the IPs from that first example – who controls them?

41[.]103.255.161 (AS36947) --> Algerie Telecom, DZ

46[.]59.68.99 (AS8473) --> Bahnhof AB, SE

50[.]71.242.2 (AS6327) --> Shaw Communications, Calgary Alberta CA

51[.]159.21.128 (AS12876) --> Scaleway, Paris FR

67[.]0.255.2 (AS209) --> Qwest/CenturyLink/Lumen, Monroe LA US

68[.]113.241.44 (AS20115) --> Charter Communications, Greenwood Village CO US

79[.]157.120.160 (AS3352) --> RIMA (Telefonica de Espana), Madrid ES

80[.]228.205.35 (AS9145) --> EWE-TEL, Oldenburg DE

86[.]59.164.133 (AS5483) --> Hungarian Telecom, Budapest HU

96[.]235.162.248 (AS701) --> Verizon, Ashburn VA US

112[.]199.254.46 (AS4773) --> M1 Ltd Mobile Broadband, SG

152[.]53.48.151 (AS42473) --> netcup GMBH, Karlsruhe DE

167[.]57.11.174 (AS6057) --> Antel Uruguay, Montevideo UY

173[.]180.175.40 (AS852) --> TELUS, New Westminster BC CA

185[.]228.112.234 (AS198539) --> yonet net, RU

194[.]156.188.249 (AS35384) --> Lambda Creative MB, Vilnius LT

195[.]26.86.119 (AS43641) --> Virtual Systems LLC, Kyiv UA

205[.]172.59.6 (AS395839) --> Hostkey USA, Albany NY US

212[.]100.51.145 (AS198967) --> BITel Broadband, Guetersloh DE

213[.]227.147.244 (AS60781) --> Leaseweb NL, Amsterdam NL

216[.]174.68.160 (AS7057) --> Managed Network Systems Inc., Windsor ON CA

That’s a diverse set of IP addresses! Other entries we saw appear to at least superficially satisfy the Mannheim criteria:

seed.bitnodes[.]io. A 2[.]86.48.36 6799
seed.bitnodes[.]io. A 37[.]25.47.141 48101
seed.bitnodes[.]io. A 37[.]143.118.174 48926
seed.bitnodes[.]io. A 38[.]22.137.15 11550
seed.bitnodes[.]io. A 41[.]203.13.218 37153
seed.bitnodes[.]io. A 50[.]21.167.161 29909
seed.bitnodes[.]io. A 65[.]25.115.92 10796
seed.bitnodes[.]io. A 66[.]118.249.213 393626
seed.bitnodes[.]io. A 66[.]219.196.170 29933
seed.bitnodes[.]io. A 69[.]36.54.173 19310
seed.bitnodes[.]io. A 87[.]207.45.218 9141
seed.bitnodes[.]io. A 93[.]139.133.70 5391
seed.bitnodes[.]io. A 94[.]74.105.231 136907
seed.bitnodes[.]io. A 95[.]110.234.93 31034
seed.bitnodes[.]io. A 103[.]241.82.214 132770
seed.bitnodes[.]io. A 109[.]168.144.98 12683
seed.bitnodes[.]io. A 176[.]212.73.94 50543
seed.bitnodes[.]io. A 180[.]159.63.155 4812
seed.bitnodes[.]io. A 183[.]88.244.125 45758
seed.bitnodes[.]io. A 185[.]87.45.95 6752
seed.bitnodes[.]io. A 189[.]124.200.21 28220
seed.bitnodes[.]io. A 193[.]22.128.21 56469
seed.bitnodes[.]io. A 207[.]5.28.136 22646
seed.bitnodes[.]io. A 213[.]142.182.169 42155
seed.bitnodes[.]io. A 217[.]155.35.149 13037

cdn.s5dw94f8s[.]com. A 24[.]144.81.17 14061
cdn.s5dw94f8s[.]com. A 24[.]144.89.52 14061
cdn.s5dw94f8s[.]com. A 43[.]229.154.15 40065
cdn.s5dw94f8s[.]com. A 43[.]229.154.149 40065
cdn.s5dw94f8s[.]com. A 43[.]229.154.151 40065
cdn.s5dw94f8s[.]com. A 45[.]12.89.47 3258
cdn.s5dw94f8s[.]com. A 45[.]12.89.49 3258
cdn.s5dw94f8s[.]com. A 64[.]23.140.63 14061
cdn.s5dw94f8s[.]com. A 64[.]23.226.155 14061
cdn.s5dw94f8s[.]com. A 67[.]198.228.73 35908
cdn.s5dw94f8s[.]com. A 67[.]198.228.84 35908
cdn.s5dw94f8s[.]com. A 67[.]198.228.126 35908
cdn.s5dw94f8s[.]com. A 67[.]229.49.107 35908
cdn.s5dw94f8s[.]com. A 67[.]230.179.82 25820
cdn.s5dw94f8s[.]com. A 74[.]211.106.25 25820
cdn.s5dw94f8s[.]com. A 80[.]251.212.153 25820
cdn.s5dw94f8s[.]com. A 89[.]208.251.238 25820
cdn.s5dw94f8s[.]com. A 98[.]126.18.115 35908
cdn.s5dw94f8s[.]com. A 103[.]94.185.216 40065
cdn.s5dw94f8s[.]com. A 103[.]99.178.58 40065
cdn.s5dw94f8s[.]com. A 103[.]99.178.95 40065
cdn.s5dw94f8s[.]com. A 103[.]99.178.251 40065
cdn.s5dw94f8s[.]com. A 103[.]99.179.16 40065
cdn.s5dw94f8s[.]com. A 103[.]99.179.101 40065
cdn.s5dw94f8s[.]com. A 103[.]99.179.160 40065
cdn.s5dw94f8s[.]com. A 103[.]99.179.189 40065
cdn.s5dw94f8s[.]com. A 103[.]225.199.115 40065
cdn.s5dw94f8s[.]com. A 104[.]194.83.97 25820
cdn.s5dw94f8s[.]com. A 104[.]194.85.111 25820
cdn.s5dw94f8s[.]com. A 104[.]194.88.48 25820
cdn.s5dw94f8s[.]com. A 128[.]199.4.73 14061
cdn.s5dw94f8s[.]com. A 134[.]122.30.12 14061
cdn.s5dw94f8s[.]com. A 143[.]198.56.172 14061
cdn.s5dw94f8s[.]com. A 147[.]182.240.82 14061
cdn.s5dw94f8s[.]com. A 173[.]242.113.97 25820
cdn.s5dw94f8s[.]com. A 185[.]186.146.139 40065
cdn.s5dw94f8s[.]com. A 185[.]186.146.197 40065
cdn.s5dw94f8s[.]com. A 185[.]186.147.48 40065
cdn.s5dw94f8s[.]com. A 185[.]186.147.216 40065
cdn.s5dw94f8s[.]com. A 185[.]194.148.10 40065
cdn.s5dw94f8s[.]com. A 199[.]180.117.54 25820
cdn.s5dw94f8s[.]com. A 199[.]180.119.105 25820
cdn.s5dw94f8s[.]com. A 202[.]91.34.178 40065
cdn.s5dw94f8s[.]com. A 202[.]91.34.183 40065
cdn.s5dw94f8s[.]com. A 202[.]91.34.186 40065
cdn.s5dw94f8s[.]com. A 202[.]91.34.188 40065
cdn.s5dw94f8s[.]com. A 202[.]91.34.190 40065
cdn.s5dw94f8s[.]com. A 202[.]91.34.193 40065
cdn.s5dw94f8s[.]com. A 202[.]91.34.197 40065
cdn.s5dw94f8s[.]com. A 202[.]91.34.203 40065
cdn.s5dw94f8s[.]com. A 202[.]91.34.205 40065
cdn.s5dw94f8s[.]com. A 202[.]91.34.206 40065

chia.ctrlaltdel[.]ch. A 2[.]51.119.242 5384
chia.ctrlaltdel[.]ch. A 27[.]89.54.86 2516
chia.ctrlaltdel[.]ch. A 31[.]28.59.98 8439
chia.ctrlaltdel[.]ch. A 39[.]74.93.214 4837
chia.ctrlaltdel[.]ch. A 46[.]125.101.166 8412
chia.ctrlaltdel[.]ch. A 46[.]147.54.139 12768
chia.ctrlaltdel[.]ch. A 70[.]27.254.127 577
chia.ctrlaltdel[.]ch. A 77[.]245.112.250 39001
chia.ctrlaltdel[.]ch. A 79[.]22.73.60 3269
chia.ctrlaltdel[.]ch. A 79[.]116.75.255 57269
chia.ctrlaltdel[.]ch. A 79[.]117.55.52 57269
chia.ctrlaltdel[.]ch. A 79[.]151.227.161 3352
chia.ctrlaltdel[.]ch. A 83[.]35.248.131 3352
chia.ctrlaltdel[.]ch. A 83[.]192.253.107 3215
chia.ctrlaltdel[.]ch. A 86[.]127.1.116 8708
chia.ctrlaltdel[.]ch. A 90[.]76.128.30 3215
chia.ctrlaltdel[.]ch. A 92[.]101.11.35 12389
chia.ctrlaltdel[.]ch. A 93[.]244.119.59 3320
chia.ctrlaltdel[.]ch. A 109[.]245.64.125 15958
chia.ctrlaltdel[.]ch. A 111[.]90.85.108 4721
chia.ctrlaltdel[.]ch. A 115[.]133.203.156 4788
chia.ctrlaltdel[.]ch. A 116[.]115.69.43 139007
chia.ctrlaltdel[.]ch. A 124[.]121.187.228 17552
chia.ctrlaltdel[.]ch. A 136[.]33.151.63 16591
chia.ctrlaltdel[.]ch. A 147[.]53.206.118 35612
chia.ctrlaltdel[.]ch. A 152[.]173.171.198 7418
chia.ctrlaltdel[.]ch. A 173[.]17.220.55 30036
chia.ctrlaltdel[.]ch. A 174[.]92.204.120 577
chia.ctrlaltdel[.]ch. A 174[.]102.138.64 10796
chia.ctrlaltdel[.]ch. A 176[.]226.128.171 8369
chia.ctrlaltdel[.]ch. A 188[.]73.185.237 12668
chia.ctrlaltdel[.]ch. A 205[.]206.79.193 852

opencdnmsdl3.jomodns[.]com. A 60[.]188.66.43 136190
opencdnmsdl3.jomodns[.]com. A 61[.]170.99.43 4812
opencdnmsdl3.jomodns[.]com. A 106[.]225.194.43 134238
opencdnmsdl3.jomodns[.]com. A 111[.]170.25.43 151185
opencdnmsdl3.jomodns[.]com. A 111[.]170.165.43 151185
opencdnmsdl3.jomodns[.]com. A 175[.]12.90.43 151823
opencdnmsdl3.jomodns[.]com. A 183[.]61.177.43 4134
opencdnmsdl3.jomodns[.]com. A 218[.]94.231.43 134770
opencdnmsdl3.jomodns[.]com. A 218[.]94.232.43 134770
opencdnmsdl3.jomodns[.]com. A 220[.]169.152.43 4134

rotate.aprs2[.]net. A 84[.]232.6.113 29119
rotate.aprs2[.]net. A 85[.]90.180.26 24822
rotate.aprs2[.]net. A 86[.]123.190.5 8708
rotate.aprs2[.]net. A 109[.]72.122.50 60860
rotate.aprs2[.]net. A 138[.]122.96.101 28458
rotate.aprs2[.]net. A 146[.]83.63.90 23140
rotate.aprs2[.]net. A 148[.]135.19.38 35916
rotate.aprs2[.]net. A 192[.]146.137.137 5767

Some of these FQDNs look cryptocurrency-related (seed and node lists), but for the purpose of this note we won’t definitively categorize any domain; we simply note that we’ve successfully identified names that at least superficially satisfy the Mannheim criteria from a single resolution.

Integrate Fast Flux Detection Into Security Protocols

The renewed attention to fast flux in 2025 is a reminder that old techniques come back. Using the SIE DNS Changes channel with nmsgtool and jq, the Mannheim formula gives a simple first-pass filter for candidate fast flux FQDNs. Treat the hits as candidates, not verdicts: CDNs and peer-to-peer seed names produce similar scores, so confirm each one with the TTL, re-resolution, geolocation, and intent checks described above before acting on it.

Want to check out the curiosities you can see in the DNS Changes Channel at SIE? Schedule a demo for more information.

Appendix I. mannheim.py proof-of-concept Python3 source code

$ cat mannheim.py
#!/usr/local/bin/python3

""" Watch ch214 for potential fast flux domains: """

# Sample run:
# $ nmsgtool -C ch214 -J - | \
# jq -r '"\(.message.rrname) \(.message.rrtype) \(.message.rdata)"' | \
# ./mannheim.py
#
# Ctrl-C stops a running job: the catch-all handler at the bottom of the
# loop only catches Exception, so KeyboardInterrupt is no longer swallowed.

import sys
import re
import dns.exception
import dns.resolver

my_resolver = dns.resolver.Resolver()
# set to your preferred resolver IPs
my_resolver.nameservers = ['8.8.8.8', '8.8.4.4']

# skip FQDNs returning four or fewer IPs
min_lines = 4

# IP -> origin ASN, so each address is looked up in Routeviews only once
cached_asns = {}

just_a_records = r"\bA\b"

# set the exclusions to ignore whatever you're fairly confident will NOT fastflux
# you can expand this to taste

exclusions = r"(amazon|akamai|akadns\.net|netflix|hbo|hulu|epicgames|"+\
    r"nintendo\.com|tiktok|apple\-dns\.net|twitch\.tv|"+\
    r"adobedc\.net|opendns\.com|barracuda\.com|duolingo\.com|"+\
    r"grammarly|intuit\.com|myfritz\.net|google\.com|"+\
    r"azure\.(com|net)|incapsula\.com|cloudflare\.com|"+\
    r"parkingcrew\.net|dns-parking\.com|googledomains\.com|"+\
    r"sedoparking\.com|ksx\.la|office\.com|login\.gov|github\.io|"+\
    r"outlook\.com|googleapis\.com|kaspersky\.com)"

while True:
    line = sys.stdin.readline()
    if not line:
        # EOF (e.g. nmsgtool exited): stop instead of spinning forever
        break
    line = line.rstrip()

    # we may have some records that don't have exactly three entries when split
    # (TXT, SOA and friends have spaces in their rdata); catch/ignore those

    try:
        (domain, rrtype, rdata) = line.split(" ")
        if re.search(just_a_records, rrtype):
            if not re.search(exclusions, domain):
                rdata = rdata.replace("[", "").replace("]", "")
                rdata_array = [entry.replace('"', "") for entry in rdata.split(",")]
                length_of_rdata = len(rdata_array)

                if length_of_rdata > min_lines:

                    ips_seen = set()
                    asns_seen = set()

                    for entries in rdata_array:
                        ips_seen.add(entries)

                        (o1, o2, o3, o4) = entries.split(".")

                        if entries in cached_asns:
                            asns_seen.add(cached_asns[entries])

                        # RFC 1918 address space (won't be in Routeviews)
                        elif (o1 == "10") or \
                             ((o1 == "172") and 16 <= int(o2) <= 31) or \
                             ((o1 == "192") and (o2 == "168")):
                            continue

                        # specific prefixes not in Routeviews IP to ASN
                        elif (o1 == "66") and (o2 == "196") and o3 in ('121', '120'):
                            continue
                        elif (o1 == "198") and (o2 == "18") and (o3 == "88"):
                            continue

                        else:
                            # asn.routeviews.org is queried by reversed octets
                            reversed_ip = o4 + "." + o3 + "." + o2 + "." + o1
                            check_asn_name = reversed_ip + ".asn.routeviews.org"
                            try:
                                answers = my_resolver.resolve(check_asn_name, 'TXT')
                                for ipval in answers:
                                    # TXT rdata is '"<asn>" "<prefix>" "<prefix length>"'
                                    (p5, p6, p7) = str(ipval).split(" ")
                                    p5 = p5.replace('"', "")
                                    cached_asns[entries] = p5
                                    asns_seen.add(p5)
                            except dns.exception.DNSException:
                                print("ip to asn error:", entries, file=sys.stderr)
                                continue

                    # see page 115 of
                    # https://gnso.icann.org/sites/default/files/
                    # filefield_5973/fast-flux-final-report-06aug09-en.pdf

                    mannheim = (1.32 * len(ips_seen)) + (18.54 * len(asns_seen))

                    if mannheim > 142.38:
                        for entries_2 in rdata_array:
                            # IPs skipped above (RFC 1918, failed lookups) have no
                            # cached ASN; print "-" rather than dropping the domain
                            print(domain, rrtype, entries_2, cached_asns.get(entries_2, "-"))
                        print()

    except Exception:  # pylint: disable=broad-except
        continue