Double flux is an advanced fast-flux DNS technique where attackers rapidly rotate both the IP addresses for a malicious domain and the authoritative name servers that resolve it. This makes phishing sites, malware delivery pages, and command-and-control infrastructure harder to trace, block, or take down.
In single flux, only the domain’s A or AAAA records change frequently. In double flux, attackers also rotate NS records, adding another layer of resilience and anonymity. ICANN describes this as pairing a service network that hosts malicious services with a second service network that hosts DNS servers.
Attackers usually rely on compromised machines in a botnet. These machines act as temporary proxies or DNS nodes. When defenders block one IP address or name server, the domain quickly resolves through another node.
| Technique | What changes | Main impact |
|---|---|---|
| Single flux | Domain IP addresses | Hides malicious hosting |
| Double flux | Domain IPs and name servers | Hides hosting and DNS infrastructure |
CISA, NSA, and partners warn that fast flux techniques help cybercriminals and nation-state actors create resilient, highly available C2 infrastructure.
Double flux turns malicious infrastructure into a moving target. Security teams may block one domain resolution path, but another path can appear within minutes.
MITRE maps fast-flux DNS to ATT&CK sub-technique T1568.001 under Dynamic Resolution, where adversaries hide command-and-control channels behind rapidly changing IP addresses.
Security teams can often identify suspicious DNS behavior by watching for warning signs such as:

- unusually low DNS TTL values
- frequent A/AAAA record changes
- rapidly changing NS records
- domains resolving to many unrelated geographies
- repeated traffic to newly observed or suspicious domains
Monitoring these indicators alongside endpoint activity and network traffic helps organizations detect malicious infrastructure before attackers establish persistence.
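The indicators above can be turned into a simple triage rule over passive-DNS style observations. The following is an added example written for this article, not code from any of the organizations cited: it counts distinct A/AAAA answers, distinct NS hosts and the lowest TTL seen per domain, and labels a domain `single-flux` when addresses churn under a low TTL and `double-flux` when the name-server set churns as well, mirroring the table earlier on the page. The thresholds, the `DnsObservation` record layout and the sample data (documentation address ranges and `.invalid` host names) are all constructed assumptions.

```python
"""Label a domain's DNS history as stable, single flux or double flux.

Added example for illustration; the observation format, thresholds and
sample data are assumptions, not taken from any vendor or agency.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    ts: int              # epoch seconds when the answer was observed
    domain: str
    rtype: str           # "A", "AAAA" or "NS"
    rdata: str           # address or name-server host name
    ttl: int             # TTL carried in the answer
    country: str = ""    # geolocation of an address, if known (constructed)


# Illustrative thresholds: assumptions for this example, tune to your baseline.
LOW_TTL_SECONDS = 300
MIN_DISTINCT_ADDRESSES = 5
MIN_DISTINCT_NAMESERVERS = 3


def classify(observations):
    """Return {domain: summary}; summary['label'] is 'stable',
    'single-flux' or 'double-flux'."""
    per_domain = defaultdict(lambda: {"addresses": set(), "nameservers": set(),
                                      "countries": set(), "min_ttl": None})
    for obs in observations:
        d = per_domain[obs.domain]
        if obs.rtype in ("A", "AAAA"):
            d["addresses"].add(obs.rdata)
            if obs.country:
                d["countries"].add(obs.country)
        elif obs.rtype == "NS":
            d["nameservers"].add(obs.rdata.lower().rstrip("."))
        else:
            continue  # other record types are not part of this heuristic
        d["min_ttl"] = obs.ttl if d["min_ttl"] is None else min(d["min_ttl"], obs.ttl)

    result = {}
    for domain, d in per_domain.items():
        low_ttl = d["min_ttl"] is not None and d["min_ttl"] <= LOW_TTL_SECONDS
        many_addresses = len(d["addresses"]) >= MIN_DISTINCT_ADDRESSES
        many_ns = len(d["nameservers"]) >= MIN_DISTINCT_NAMESERVERS
        if low_ttl and many_addresses and many_ns:
            label = "double-flux"      # hosting and DNS infrastructure both rotate
        elif low_ttl and many_addresses:
            label = "single-flux"      # only the hosting addresses rotate
        else:
            label = "stable"
        result[domain] = {
            "label": label,
            "distinct_addresses": len(d["addresses"]),
            "distinct_nameservers": len(d["nameservers"]),
            "distinct_countries": len(d["countries"]),
            "min_ttl": d["min_ttl"],
        }
    return result


def sample_observations():
    """Constructed records for three hypothetical domains (documentation
    address ranges and .invalid host names; not real infrastructure)."""
    obs = []
    # Ordinary hosting: one address, long TTL, two fixed name servers.
    for i in range(6):
        obs.append(DnsObservation(1000 + i * 600, "stable.example", "A",
                                  "203.0.113.10", 86400, "DE"))
    for ns in ("ns1.hosting.invalid", "ns2.hosting.invalid"):
        obs.append(DnsObservation(1000, "stable.example", "NS", ns, 86400))
    countries = ["BR", "US", "UA", "VN", "TR", "IN"]
    # Single flux: addresses rotate under a 60 s TTL, name servers stay fixed.
    for i, (n, cc) in enumerate(zip((11, 23, 37, 58, 79, 91), countries)):
        obs.append(DnsObservation(1000 + i * 60, "single.example", "A",
                                  f"198.51.100.{n}", 60, cc))
    for ns in ("ns1.hosting.invalid", "ns2.hosting.invalid"):
        obs.append(DnsObservation(1000, "single.example", "NS", ns, 86400))
    # Double flux: both the address set and the NS set rotate with low TTLs.
    for i, (n, cc) in enumerate(zip((14, 29, 41, 66, 88, 97), countries)):
        obs.append(DnsObservation(1000 + i * 60, "double.example", "A",
                                  f"192.0.2.{n}", 60, cc))
    for i in range(1, 5):
        obs.append(DnsObservation(1000 + i * 60, "double.example", "NS",
                                  f"ns{i}.relay.invalid", 120))
    return obs


if __name__ == "__main__":
    for domain, summary in classify(sample_observations()).items():
        print(domain, summary)
```

Treat the label as a triage signal rather than a verdict: large CDNs also answer with short TTLs and many addresses, so a `single-flux` hit should be corroborated with the other indicators on the page (domain age, unrelated geographies, endpoint and network context) before blocking.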
Double flux is not malware by itself. It is an infrastructure evasion technique commonly used to support malware, phishing, botnets, and C2 operations.
Double flux is not the same as domain fluxing. Domain fluxing changes domain names frequently, whereas double flux changes both the IP address records and the name server records of a single domain.
To defend against it, use protective DNS, DNS filtering, threat intelligence, endpoint hardening, and network monitoring together. FIRST defines double fast flux as updating both A/AAAA and NS records to hide malicious activity.