Obfuscation via Dynamic DNS
Dynamic DNS (DDNS) works by keeping the DNS updated with the correct IP address for a domain.
Many online resources, such as file servers, APIs, or web servers, run on internet connections whose IP addresses change frequently. This creates a problem if the operators of those endpoints want to give a hosted resource a specific domain name.
For example, if a web administrator is operating a website with a domain name of www.example.com and an IP address of 192.0.2.0, any time a user enters www.example.com into their browser, the DNS will direct them to the server at 192.0.2.0. If the server changes its IP address (e.g. if it was updated by the ISP), a dynamic DNS service can automatically update the DNS record to reflect this change.
Dynamic DNS (DDNS) is a legitimate online service for many end users. However, because the IP addresses are dynamic and the DDNS services are free or relatively cheap, DDNS services are commonly used to enable other attacks such as phishing, fast-flux, or malware command and control.
DDNS can be used as an obfuscation technique that allows malicious actors to avoid detection by regularly changing their IP addresses. It differs from fast-flux in speed and aggressiveness: where fast-flux changes addresses constantly and rapidly, Dynamic DNS updates less frequently.
(Adapted from: https://www.cloudflare.com/en-gb/learning/dns/glossary/dynamic-dns/)
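A defender's view of the distinction drawn above, as an added example that is not part of the original page: it measures how often each name's A record changes in passive-DNS observations and separates fast-flux-like churn from the slower rotation seen with DDNS. The observations, the `.dyn.example` provider suffix, the labels and the thresholds are all constructed assumptions.

```python
import statistics
from datetime import datetime

# Assumptions (not from the page): tune against your own passive-DNS baseline.
DDNS_SUFFIXES = (".dyn.example",)  # placeholder for a maintained DDNS provider list
FAST_FLUX_MAX_GAP = 600            # median seconds between A-record changes
MIN_CHANGES = 2                    # changes needed before judging rotation speed
# Constructed passive-DNS observations: (ISO timestamp, query name, answer IP).
SAMPLE = [
    ("2024-05-01T00:00:00", "www.example.com", "192.0.2.0"),
    ("2024-05-03T00:00:00", "www.example.com", "192.0.2.0"),
    ("2024-05-01T08:00:00", "host1.dyn.example", "198.51.100.10"),
    ("2024-05-02T09:00:00", "host1.dyn.example", "198.51.100.77"),
    ("2024-05-03T07:30:00", "host1.dyn.example", "203.0.113.5"),
    ("2024-05-01T10:00:00", "flux.example.net", "203.0.113.21"),
    ("2024-05-01T10:03:00", "flux.example.net", "198.51.100.40"),
    ("2024-05-01T10:06:00", "flux.example.net", "203.0.113.88"),
    ("2024-05-02T12:00:00", "cam.dyn.example", "198.51.100.200"),
]

def change_gaps(records):
    """Per name, seconds each address stayed in place before being replaced."""
    current, gaps = {}, {}
    for ts, name, ip in sorted(records):
        seen = datetime.fromisoformat(ts)
        name = name.lower().rstrip(".")
        gaps.setdefault(name, [])
        if name not in current:
            current[name] = (seen, ip)
        elif current[name][1] != ip:  # address changed since it was first seen
            gaps[name].append((seen - current[name][0]).total_seconds())
            current[name] = (seen, ip)
    return gaps

def classify(records):
    """Label each name by DDNS hosting and by how fast its address rotates."""
    labels = {}
    for name, gaps in change_gaps(records).items():
        on_ddns = name.endswith(DDNS_SUFFIXES)
        if len(gaps) < MIN_CHANGES:
            labels[name] = "ddns-hosted" if on_ddns else "stable"
        elif statistics.median(gaps) <= FAST_FLUX_MAX_GAP:
            labels[name] = "fast-flux-like"
        else:
            labels[name] = "ddns-rotating" if on_ddns else "slow-rotating"
    return labels

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A `ddns-hosted` or `ddns-rotating` label is a triage signal rather than a verdict, since DDNS is a legitimate service for many end users.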