check_fast_flux
Detect fast-flux DNS behavior by performing multiple query rounds to identify rapidly rotating IP addresses and TTLs, a common sign of botnet or malicious infrastructure.
Instructions
Detects fast-flux DNS behavior: performs multiple rounds of A/AAAA queries and checks whether the returned IP addresses rotate rapidly from one query to the next (a sign of botnet or other malicious infrastructure). IP answer sets and TTLs are compared across rounds to identify rapidly rotating infrastructure used to hide malicious activity.
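The comparison described above, as an added illustration rather than the tool's own code: a heuristic that takes the answer sets and TTLs captured in each query round and produces a result shaped like the output schema below. The thresholds (LOW_TTL, MIN_OVERLAP, CHURN), the weights and the sample rounds are constructed assumptions, not values from the tool.

```python
# Added example, not the tool's own code: a fast-flux heuristic over captured
# query rounds. Thresholds (LOW_TTL, MIN_OVERLAP, CHURN) are assumptions.
from dataclasses import dataclass

LOW_TTL = 300      # seconds; TTLs at or below this are treated as suspicious
MIN_OVERLAP = 0.5  # Jaccard overlap of consecutive answer sets below this flags rotation
CHURN = 1.5        # distinct IPs seen / average answer-set size above this flags a large pool

@dataclass(frozen=True)
class Round:
    ips: frozenset  # A/AAAA answers returned in one query round
    ttl: int        # lowest TTL among those answers

def analyze_rounds(rounds):
    """Compare IP answer sets and TTLs across rounds; return a result shaped
    like the tool's output schema (score, passed, category, findings)."""
    if len(rounds) < 2:
        raise ValueError("need at least two query rounds to compare")
    findings, score = [], 0
    # Rotation: how little consecutive answer sets have in common.
    overlaps = []
    for prev, cur in zip(rounds, rounds[1:]):
        union = prev.ips | cur.ips
        overlaps.append(len(prev.ips & cur.ips) / len(union) if union else 1.0)
    if min(overlaps) < MIN_OVERLAP:
        score += 50
        findings.append(f"answer set overlap dropped to {min(overlaps):.2f} between rounds")
    # Pool size: many distinct IPs relative to what a single answer returns.
    distinct = set().union(*(r.ips for r in rounds))
    avg_size = sum(len(r.ips) for r in rounds) / len(rounds)
    churn = len(distinct) / avg_size if avg_size else 0.0
    if churn > CHURN:
        score += 20
        findings.append(f"{len(distinct)} distinct IPs across {len(rounds)} rounds")
    # TTL: fast-flux relies on very short TTLs so resolvers re-query often.
    min_ttl = min(r.ttl for r in rounds)
    if min_ttl <= LOW_TTL:
        score += 30
        findings.append(f"minimum TTL {min_ttl}s is at or below {LOW_TTL}s")
    return {"score": score, "passed": score < 50,
            "category": "fast_flux", "findings": findings}

# Constructed sample rounds using RFC 5737 documentation addresses.
STABLE = [Round(frozenset({"192.0.2.10"}), 3600)] * 3
ROTATING = [
    Round(frozenset({"192.0.2.1", "192.0.2.2", "192.0.2.3"}), 60),
    Round(frozenset({"198.51.100.1", "198.51.100.2", "198.51.100.3"}), 60),
    Round(frozenset({"203.0.113.1", "203.0.113.2", "192.0.2.1"}), 30),
]
```

Running `analyze_rounds(STABLE)` yields score 0 with no findings, while `analyze_rounds(ROTATING)` scores 100 and fails on all three checks.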
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| domain | Yes | Domain to check (e.g., example.com) | |
| format | No | Output verbosity. Auto-detected if omitted. | |
| rounds | No | Number of query rounds (3-5, default 3). | |
| force_refresh | No | Bypass cache and run a fresh check. Useful after DNS changes. | |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| score | Yes | | |
| passed | Yes | | |
| category | Yes | | |
| findings | Yes | | |