Double-flux networks are a more complex technique providing an additional layer of redundancy. Specifically, both the DNS A record sets and the authoritative NS records for a malicious domain are continually changed in a round-robin manner and advertised into the fast-flux service network. From our observations of double-flux networks active in the wild, DNS and HTTP services are both served from the same upstream mothership node. Figure 2 below demonstrates the difference between a single-flux service network and a double-flux service network. Please note that the figure does not take request caching into account, and that the outbound request would usually emanate from the client's preferred nameserver instead of the client itself.

Fast flux DNS diagram

On the left-hand side, we depict a single-flux lookup: the client wants to resolve the address First, it asks the DNS root nameserver which name server is responsible for the top-level domain .com and receives an answer (omitted in the picture). In a second step, the client queries the .com nameserver for the domain and receives as an answer a referral to the nameserver Now the client can query the authoritative DNS server for the actual IP address of the address The authoritative nameserver answers with an IP address that the client can then attempt to initiate direct communication with. For a normal DNS lookup, the answer IP address usually remains constant over a certain period of time, whereas for single-flux nodes, the answer changes frequently.

On the right-hand side, we depict a DNS lookup for an address within a double-flux domain. Again, the client wants to look up the address Once again, the first step (lookup at root nameserver) is omitted for the sake of brevity. Next, the client queries the nameserver responsible for the top-level domain .com for the authoritative nameserver for the domain In a third step, the client then queries the authoritative DNS server for the address However, this authoritative nameserver is actually part of the double-flux scheme itself and its own IP address changes frequently. When a DNS request for is received from the client, the current authoritative nameserver forwards the queries to the mothership node for the required information. The client can then attempt to initiate direct communication with the target system (although this target system will itself be a dynamically changing front-end flux-agent node).
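
As an added illustration (not code from the original paper), the sketch below measures how much a domain's A record set and its authoritative nameserver addresses change between successive polls, and labels the domain stable, single-flux or double-flux accordingly. The `Snapshot` type, the 0.5 threshold and the sample addresses (documentation ranges) are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """One poll of a domain (hypothetical record type for this example)."""
    a_ips: frozenset   # addresses returned in the A record set
    ns_ips: frozenset  # addresses of the authoritative nameservers

def churn(sets):
    """Mean Jaccard distance between consecutive sets.

    0.0 means the set never changes, 1.0 means it is fully replaced each poll.
    """
    dists = [1 - len(a & b) / len(a | b)
             for a, b in zip(sets, sets[1:]) if a | b]
    return sum(dists) / len(dists) if dists else 0.0

CHURN_THRESHOLD = 0.5  # assumed cut-off; tune against your own resolver data

def classify(snapshots, threshold=CHURN_THRESHOLD):
    """Label a domain from the churn of its A set and of its NS addresses."""
    a_churn = churn([s.a_ips for s in snapshots])
    ns_churn = churn([s.ns_ips for s in snapshots])
    if a_churn >= threshold and ns_churn >= threshold:
        return "double-flux"   # A records and nameservers both rotate
    if a_churn >= threshold:
        return "single-flux"   # only the A record set rotates
    if ns_churn >= threshold:
        return "unclassified"  # NS-only churn is not a case the text describes
    return "stable"

def ips(prefix, start, count):
    """Build a constructed set of addresses, e.g. 198.51.100.5 to 198.51.100.9."""
    return frozenset(f"{prefix}.{start + i}" for i in range(count))

# Constructed observations: four polls per domain.
STABLE = [Snapshot(ips("192.0.2", 10, 2), ips("192.0.2", 53, 2))
          for _ in range(4)]
SINGLE = [Snapshot(ips("198.51.100", 5 * i, 5), ips("192.0.2", 53, 2))
          for i in range(4)]
DOUBLE = [Snapshot(ips("198.51.100", 5 * i, 5), ips("203.0.113", 3 * i, 3))
          for i in range(4)]

if __name__ == "__main__":
    for name, obs in (("stable", STABLE), ("single", SINGLE), ("double", DOUBLE)):
        print(name, "->", classify(obs))
```

Legitimate round-robin DNS and content delivery networks also rotate A records, so a churn score on its own is a lead for further analysis rather than a verdict.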