Using “magic” DNS-resolutions to track suspicious domains
https://updatesinfosec.blogspot.com/2018/09/using-magic-dns-resolutions-to-track.html
In summary:
“Sleeping cycles” are a set of oscillating domain name resolutions. They can be spotted in passive DNS data by looking for changing DNS resolutions: a domain name resolves to a C&C IP and, after some time, switches to a parking IP. Time passes, and the resolution switches back to the C&C IP. Parking IPs can be reserved IP addresses like 127.0.0.2, IPs of public services like 216.58.213.206 (google.com), or “magic” IPs like 40.40.40.40, which will be discussed in this article.
Publicly available passive DNS databases are mostly not fine-grained enough to record those cycles. They are fed by public DNS resolvers, which usually do not see C&C IP resolutions that often. A better approach is to query the DNS resolutions of potential C&C domain names regularly, or to use the internally recorded passive DNS data of organizations that are infected by malware. [...]
Kindly refer to the following link as a follow-up:
https://ift.tt/2Q8yEpS
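
The sleeping-cycle pattern described above can be searched for in internally recorded passive DNS data. The following is an added example, not code from the original article: the record layout `(timestamp, domain, ip)`, the function names and the sample observations are assumptions, and the documentation-range addresses stand in for C&C IPs.

```python
import ipaddress
from collections import defaultdict

# Parking IPs named in the article; the set itself is an assumption to extend locally.
KNOWN_PARKING = {"40.40.40.40", "216.58.213.206"}

def is_parking(ip):
    """Listed parking IP, or a loopback/unspecified address such as 127.0.0.2."""
    addr = ipaddress.ip_address(ip)
    return ip in KNOWN_PARKING or addr.is_loopback or addr.is_unspecified

def find_sleeping_cycles(observations):
    """Return {domain: [(cc_ip, parked_from, woke_at), ...]} from (ts, domain, ip) rows."""
    by_domain = defaultdict(list)
    for ts, domain, ip in sorted(observations):
        by_domain[domain].append((ts, ip))
    cycles = {}
    for domain, rows in by_domain.items():
        # Collapse repeated answers into phases, keeping the first time each was seen.
        phases = [rows[0]]
        for ts, ip in rows[1:]:
            if ip != phases[-1][1]:
                phases.append((ts, ip))
        last_active, parked_from, found = None, None, []
        for ts, ip in phases:
            if is_parking(ip):
                if last_active is not None and parked_from is None:
                    parked_from = ts  # sleep phase starts after an active IP
            else:
                if parked_from is not None and ip == last_active:
                    found.append((ip, parked_from, ts))  # woke up on the same IP
                last_active, parked_from = ip, None
        if found:
            cycles[domain] = found
    return cycles

SAMPLE = [  # constructed observations: (ISO timestamp, domain, A record)
    ("2018-09-01T00:00", "update.example.test", "203.0.113.10"),
    ("2018-09-01T06:00", "update.example.test", "203.0.113.10"),
    ("2018-09-02T00:00", "update.example.test", "40.40.40.40"),
    ("2018-09-05T00:00", "update.example.test", "203.0.113.10"),
    ("2018-09-06T00:00", "update.example.test", "127.0.0.2"),
    ("2018-09-09T00:00", "update.example.test", "203.0.113.10"),
    ("2018-09-01T00:00", "moved.example.test", "198.51.100.8"),
    ("2018-09-03T00:00", "moved.example.test", "40.40.40.40"),
]

if __name__ == "__main__":
    print(find_sleeping_cycles(SAMPLE))
```

A domain that parks and never returns to its earlier IP (the second sample domain) is not reported, since only a switch back completes a cycle.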