This is a very clear example of what Fast-Flux domains are.
In the ANSWER SECTION we see:
1) a low TTL value (10 seconds)
2) IP addresses in different /16 networks
3) a different ASN for every IP address
4) a CNAME that resolves to several IP addresses
dig 1476529054.xiazaidown.com

; <<>> DiG 9.9.5-9+deb8u7-Debian <<>> 1476529054.xiazaidown.com
...
;; ANSWER SECTION:
1476529054.xiazaidown.com. 600 IN CNAME xzz.dns-vip.net.
xzz.dns-vip.net. 10 IN A 220.127.116.11
xzz.dns-vip.net. 10 IN A 18.104.22.168
xzz.dns-vip.net. 10 IN A 22.214.171.124
xzz.dns-vip.net. 10 IN A 126.96.36.199
xzz.dns-vip.net. 10 IN A 188.8.131.52
Looking for more NS-type information:
An NS lookup that is answered with a CNAME (RFC 1034 says, “Domain names in RRs which point at another name should always point at the primary name and not the alias”).
dig -t ns 1476529054.xiazaidown.com

; <<>> DiG 9.9.5-9+deb8u7-Debian <<>> -t ns 1476529054.xiazaidown.com
...
;; ANSWER SECTION:
1476529054.xiazaidown.com. 572 IN CNAME xzz.dns-vip.net.

;; AUTHORITY SECTION:
dns-vip.net. 600 IN SOA ns1.dnsv5.com. enterprise3dnsadmin.dnspod.com. 1476625792 3600 180 1209600 180
So, by looking again at xzz.dns-vip.net we can see that it was pointing to the same IP addresses found the first time.
; <<>> DiG 9.9.5-9+deb8u7-Debian <<>> xzz.dns-vip.net
.....
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52226
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
xzz.dns-vip.net. 9 IN A 184.108.40.206
xzz.dns-vip.net. 9 IN A 220.127.116.11
xzz.dns-vip.net. 9 IN A 18.104.22.168
xzz.dns-vip.net. 9 IN A 22.214.171.124
xzz.dns-vip.net. 9 IN A 126.96.36.199
When a domain changes only the A records in its ANSWER SECTION we call it a Single-Flux domain; when the IP addresses change in both the ANSWER SECTION and the AUTHORITY SECTION (that is, the name servers themselves also flux) we call it a Double-Flux domain.
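To make the four ANSWER SECTION indicators listed above and the single-/double-flux distinction concrete, here is an added Python example (not code from the original post). It parses dig-style resource records, computes the indicators for one snapshot, and compares successive snapshots to decide whether only the A records change (single-flux) or the NS records change as well (double-flux). The two sample snapshots are constructed from the dig output quoted above; the IP-to-ASN table is a hypothetical stand-in for a real BGP/whois lookup, and its ASN values are invented.

```python
import re
from ipaddress import ip_network

# Constructed samples taken from the dig output quoted above (whitespace normalised).
# SNAPSHOT_1 is the ANSWER SECTION of the first query, SNAPSHOT_2 the re-query of xzz.dns-vip.net.
SNAPSHOT_1 = """\
1476529054.xiazaidown.com. 600 IN CNAME xzz.dns-vip.net.
xzz.dns-vip.net. 10 IN A 220.127.116.11
xzz.dns-vip.net. 10 IN A 18.104.22.168
xzz.dns-vip.net. 10 IN A 22.214.171.124
xzz.dns-vip.net. 10 IN A 126.96.36.199
xzz.dns-vip.net. 10 IN A 188.8.131.52
"""
SNAPSHOT_2 = """\
xzz.dns-vip.net. 9 IN A 184.108.40.206
xzz.dns-vip.net. 9 IN A 220.127.116.11
xzz.dns-vip.net. 9 IN A 18.104.22.168
xzz.dns-vip.net. 9 IN A 22.214.171.124
xzz.dns-vip.net. 9 IN A 126.96.36.199
"""

# Hypothetical IP -> ASN table standing in for a real BGP/whois lookup; the ASN values are constructed.
ASN_TABLE = {
    "220.127.116.11": 64500, "18.104.22.168": 64501, "22.214.171.124": 64502,
    "126.96.36.199": 64503, "188.8.131.52": 64504, "184.108.40.206": 64505,
}

# One dig-style resource record: owner name, TTL, class IN, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME|NS)\s+(\S+)$")


def parse_records(text):
    """Parse dig output lines into (name, ttl, type, rdata) tuples; ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    return records


def single_flux_indicators(records, asn_table, ttl_threshold=300):
    """Return which of the four ANSWER SECTION indicators a single snapshot exhibits."""
    a_recs = [r for r in records if r[2] == "A"]
    cname_targets = {r[3] for r in records if r[2] == "CNAME"}
    ips = [r[3] for r in a_recs]
    found = []
    # 1) low TTL on the A records
    if a_recs and min(r[1] for r in a_recs) <= ttl_threshold:
        found.append("low_ttl")
    # 2) addresses spread over more than one /16 network
    prefixes = {str(ip_network(ip + "/16", strict=False)) for ip in ips}
    if len(prefixes) > 1:
        found.append("multiple_/16")
    # 3) a different ASN for every address (unknown IPs map to None and collapse together)
    asns = {asn_table.get(ip) for ip in ips}
    if len(ips) > 1 and len(asns) == len(ips):
        found.append("distinct_asn_per_ip")
    # 4) a CNAME whose target carries several A records
    if any(sum(1 for r in a_recs if r[0] == t) > 1 for t in cname_targets):
        found.append("cname_to_many_a")
    return found


def classify_flux(snapshots):
    """Compare successive snapshots: only A records changing is single-flux, NS changing too is double-flux."""
    a_sets = {frozenset(r[3] for r in s if r[2] == "A") for s in snapshots}
    ns_sets = {frozenset(r[3] for r in s if r[2] == "NS") for s in snapshots}
    a_changed = len(a_sets) > 1
    ns_changed = len(ns_sets) > 1
    if a_changed and ns_changed:
        return "double-flux"
    if a_changed:
        return "single-flux"
    return "stable"


if __name__ == "__main__":
    s1, s2 = parse_records(SNAPSHOT_1), parse_records(SNAPSHOT_2)
    print("snapshot 1 indicators:", single_flux_indicators(s1, ASN_TABLE))
    print("snapshot 2 indicators:", single_flux_indicators(s2, ASN_TABLE))
    print("classification:", classify_flux([s1, s2]))
```

Run against the two quoted snapshots, the first shows all four indicators and the second three (it has no CNAME), and since only the A record set changed between them while no NS records moved, the pair is classified as single-flux. Feeding it snapshots whose NS rdata differ as well would yield double-flux; in practice the NS set has to be taken from the AUTHORITY SECTION of repeated queries over time, which the page's single SOA answer does not show.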
I have been reading a lot of papers since Holz et al. (Measuring and Detecting Fast-Flux Service Networks), and there are more than 20 distinct features just for single- and double-flux domains using active probing (when we send queries to a domain); however, for passive monitoring (using network sensors) the sky is the limit!