FluxBuster is based on large-scale passive analysis of DNS traffic generated by hundreds of local recursive DNS
(RDNS) servers located in different networks and scattered across several different geographical locations.
Except for a few public recursive DNS
services, recursive resolvers are largely operated by organizations to serve their local clients.
Following testing by the criminal operators in April 2010, it reached a production peak of activity with 25,000 unique Recursive DNS
(RDNS) lookups per hour attempting to resolve to the botnet's command-and-control (CnC) servers.
The third variant of DNS cache poisoning involves beating the real answer to a recursive DNS
query back to the DNS server.