
Passive Detection of Misbehaving Name Servers

White Paper

In this paper, the authors demonstrate that there are name servers that exhibit IP address flux, a behavior that falls outside the prescribed parameters.
Publisher

Software Engineering Institute

Abstract

In this paper we demonstrate that there are name servers that exhibit IP address flux, a behavior that falls outside the prescribed parameters. We demonstrate this flux in two types of data: passively collected DNS messages and the contents of several large, top-level domains' official zone files. The community of name server operators has previously indicated that there is no benign use case for such behavior and has attempted to quash it. The continued existence of such behavior is an indicator of malicious name server activity and the inadequacy of attempts to control it.
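The abstract describes two data sources for spotting name-server IP flux: passively collected DNS messages and successive snapshots of top-level-domain zone files (glue records). The following is an added illustration, not code or data from the paper: it scores each name server by how many distinct addresses it has been seen at and how often the address changes, and separately diffs the glue records between two zone snapshots. All hostnames, addresses, timestamps and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed passive-DNS observations: (timestamp, name server hostname, A record seen).
# Hypothetical names and RFC 5737 documentation addresses; not data from the paper.
OBSERVATIONS = [
    # A stable name server: one address over a month.
    ("2024-01-01T00:00:00", "ns1.stable.example", "192.0.2.10"),
    ("2024-01-10T00:00:00", "ns1.stable.example", "192.0.2.10"),
    ("2024-01-20T00:00:00", "ns1.stable.example", "192.0.2.10"),
    ("2024-01-31T00:00:00", "ns1.stable.example", "192.0.2.10"),
    # A fluxing name server: a new address every day.
    ("2024-01-01T00:00:00", "ns1.flux.example", "198.51.100.1"),
    ("2024-01-02T00:00:00", "ns1.flux.example", "198.51.100.2"),
    ("2024-01-03T00:00:00", "ns1.flux.example", "198.51.100.3"),
    ("2024-01-04T00:00:00", "ns1.flux.example", "198.51.100.4"),
    ("2024-01-05T00:00:00", "ns1.flux.example", "198.51.100.5"),
    ("2024-01-06T00:00:00", "ns1.flux.example", "198.51.100.6"),
    # A legitimate one-time renumbering: two addresses, 60 days apart.
    ("2024-01-01T00:00:00", "ns1.moved.example", "203.0.113.5"),
    ("2024-03-01T00:00:00", "ns1.moved.example", "203.0.113.77"),
]

# Constructed zone-file glue snapshots: name server -> set of glue addresses.
ZONE_SNAPSHOTS = {
    "2024-01-01": {"ns1.stable.example": {"192.0.2.10"}, "ns1.flux.example": {"198.51.100.1"}},
    "2024-01-02": {"ns1.stable.example": {"192.0.2.10"}, "ns1.flux.example": {"198.51.100.2"}},
}


def flux_metrics(observations):
    """Per name server: distinct addresses, number of address changes, and changes per day.

    The observation span is floored at one day so a single sighting does not divide by zero.
    """
    by_ns = defaultdict(list)
    for ts, ns, ip in observations:
        by_ns[ns].append((datetime.fromisoformat(ts), ip))
    metrics = {}
    for ns, events in by_ns.items():
        events.sort()
        distinct = {ip for _, ip in events}
        # Count transitions between consecutive sightings where the address differs.
        changes = sum(1 for (_, a), (_, b) in zip(events, events[1:]) if a != b)
        span = max(timedelta(days=1), events[-1][0] - events[0][0])
        metrics[ns] = {
            "distinct_ips": len(distinct),
            "changes": changes,
            "changes_per_day": changes / (span / timedelta(days=1)),
        }
    return metrics


def flag_flux(metrics, max_distinct=3, max_changes_per_day=0.5):
    """Name servers exceeding either threshold; the thresholds are illustrative, not the paper's."""
    return sorted(
        ns for ns, m in metrics.items()
        if m["distinct_ips"] > max_distinct or m["changes_per_day"] > max_changes_per_day
    )


def changed_glue(old_zone, new_zone):
    """Name servers whose glue address set differs between two zone snapshots."""
    names = set(old_zone) | set(new_zone)
    return {ns for ns in names if old_zone.get(ns, set()) != new_zone.get(ns, set())}


if __name__ == "__main__":
    m = flux_metrics(OBSERVATIONS)
    for ns, vals in sorted(m.items()):
        print(ns, vals)
    print("flagged:", flag_flux(m))
    print("glue changed:", changed_glue(ZONE_SNAPSHOTS["2024-01-01"], ZONE_SNAPSHOTS["2024-01-02"]))
```

The renumbered server shows why a plain "more than one address" rule is too crude: it has two addresses but a change rate near zero, while the fluxing server is flagged on both distinct-address count and change rate. In practice the thresholds would be tuned against the observed distribution, and the two views (passive DNS and zone glue) corroborate each other when both show the same server moving.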