T1568.001: Fast Flux DNS
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.[1][2][3]
The simplest, "single-flux" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.[3]
In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.
Analyst context for executives and security teams
Fast Flux DNS matters because it can keep command-and-control reachable while making blocking by a single IP address unreliable. For leaders, the practical issue is whether DNS, egress, and incident response processes can recognize and respond to rapidly changing infrastructure tied to one domain across Linux, macOS, Windows, and ESXi environments.
Executive priority
Prioritize this as a resilience and response-readiness issue, not just a malware indicator issue. Teams should be able to show whether they collect DNS evidence, can correlate short-lived domain-to-IP mappings, and have a process for containment when IP-based blocking is insufficient. The ATT&CK relationships to multiple groups and RAT/Trojan software make this a useful control-validation scenario for managed detection, IR preparation, and audit evidence around command-and-control monitoring.
Technical view
This is a command-and-control sub-technique of Dynamic Resolution. Validate coverage for domains that resolve to many changing A records with short TTLs, and for possible double-flux patterns where name server records also change. Because ATT&CK provides no official detection text for this object, use the related DET0485 detection strategy as the ATT&CK-supported detection context and test whether local telemetry can support fast-flux analytics without depending only on static IP indicators.
Likely telemetry
- DNS query and response logs from recursive resolvers or DNS security controls
- Passive DNS or historical domain-to-IP resolution records
- DNS TTL values, A record churn, and name server record changes
- Network egress logs such as firewall, proxy, or flow records showing repeated connections to changing IPs for the same domain
- Endpoint network connection telemetry from Linux, macOS, Windows, and ESXi where available
Detection direction
- Validate analytics for high-frequency IP rotation behind a single fully qualified domain name, especially with short TTL values.
- Look for single-flux behavior in A record churn and double-flux behavior involving changing name server records.
- Correlate DNS observations with outbound connections so detections are not limited to one IP address that may disappear quickly.
- Tune for legitimate high-availability or content-delivery patterns to reduce false positives; the key distinction requires local baselines and domain context.
- Use relationship context carefully: ATT&CK records use by menuPass, Gamaredon Group, TA505, gh0st RAT, njRAT, and Amadey, but local attribution should not be inferred from fast-flux behavior alone.
Mitigation priorities
- Confirm DNS logging retention and accessibility before an incident; without historical resolution data, response teams may lose the infrastructure trail.
- Strengthen egress control and investigation workflows around domains, not only IP addresses.
- Ensure SOC playbooks include rapid domain containment, resolver-level blocking where appropriate, and review of affected hosts that contacted rotating infrastructure.
- Review whether managed detection or internal detection engineering explicitly covers Dynamic Resolution and the related DET0485 fast-flux detection strategy.
- Use incident response exercises to test whether teams can preserve DNS, network, and endpoint evidence across supported platforms.
Analyst notes and limits
ATT&CK identifies this as T1568.001, Fast Flux DNS, a command-and-control sub-technique under Dynamic Resolution. The core defensive value is validating whether the organization can detect and respond to C2 infrastructure designed to outlast simple IP blocking. Relationship context shows ATT&CK-recorded use by several groups and software families, which supports prioritizing detection validation but does not prove current exposure or attribution.
The official ATT&CK detection field is not provided for this object. Recommendations therefore rely on the supplied behavior description, platforms, tactics, external references, and the relationship stating that DET0485 detects this object. Local DNS architecture, logging retention, encrypted DNS use, resolver visibility, and egress-control design will determine actual coverage.
Fast Flux DNS
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.[1][2][3]
The simplest, "single-flux" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.[3]
In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1568 | Dynamic Resolution | This object subtechnique of Dynamic Resolution. |
Groups, software, and campaigns
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
G0092: TA505
G0047: Gamaredon Group
Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]
In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers. [6][5]
S1025: Amadey
S0032: gh0st RAT
S0385: njRAT
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 2759e9319b70… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
MehtaFastFluxPt1
Mehta, L. (2014, December 17). Fast Flux Networks Working and Detection, Part 1. Retrieved March 6, 2017.
Open source URL -
[2]
MehtaFastFluxPt2
Mehta, L. (2014, December 23). Fast Flux Networks Working and Detection, Part 2. Retrieved March 6, 2017.
Open source URL -
[3]
Fast Flux - Welivesecurity
Albors, Josep. (2017, January 12). Fast Flux networks: What are they and how do they work?. Retrieved March 11, 2020.
Open source URL -
[4]
mitre-attack T1568.001Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.