Even blogsp... er example.com has an option where you can use your own domain.
I even bought the domain in case I need to use it so feel free to block *.example.com and I'll use the domain already sitting on a server on standby.
I'm currently using that domain for other things, but it can be deployed in minutes.
However, there's a big difference as that service is just full of spam, it's not the same as the botnet actually doing the spamming.
I know those uses, didn't say they weren't legit, but you can use a subdomain off your own domain with those same dynamic services. There's no reason why you must use a subdomain off the dynamic DNS service's domain itself, unless you're just cheap, that's all we're talking about.
Except it's not as easily scalable and exposes them to an actual registrar.
Besides, did I say this was the end-all-be-all solution?
No, this solution just stops the current rash of hundreds of thousands of problem children machines from communicating with each other.
Besides, just because someone can get around certain types of security is no reason not to employ that security method. Security is done in layers and you keep piling layers on top of layers because removing a single layer opens an old vulnerability which will be quickly exploited.
For instance, the dumb botnets probing my site to infect it still use the default Perl user agent "libwww-perl" which is easy to block to stop those attacks. However, a smarter version of the botnet bothers to set the user agent so his Perl script claims it's MSIE "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" which makes it harder to stop as it appears to be a real browser.
Does that mean I stop blocking "libwww-perl" just because it's easily changed?
Nope, it's just another security layer.
Fast Flux is exactly what we're discussing here and the list of DNS servers built into the current code infecting machines is less than 10.
I did research this topic before posting ;)
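
The two layers discussed in this post (the `*.example.com` DNS block and the `libwww-perl` user-agent block), sketched as an added example that is not part of the original post. The function names and log lines are constructed for illustration; the spoofed MSIE entry passes the user-agent layer, which is why that layer is kept alongside others rather than relied on alone.

```python
import re

# Layer 1: DNS suffix block, i.e. "block *.example.com" (placeholder domain from the post).
BLOCKED_SUFFIXES = ("example.com",)
# Layer 2: user-agent tokens to refuse; "libwww-perl" is the default named in the post.
BLOCKED_UA_TOKENS = ("libwww-perl",)

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$'
)

def dns_blocked(qname):
    """True if qname is a blocked domain or a subdomain of one.

    Matching is aligned to label boundaries, so "notexample.com" and
    "example.com.other.test" are not caught by a block on "example.com".
    """
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES)

def ua_blocked(user_agent):
    """True if the user agent contains a blocked token (case-insensitive)."""
    ua = user_agent.lower()
    return any(tok in ua for tok in BLOCKED_UA_TOKENS)

def triage(log_lines):
    """Split client hosts into (blocked, passed) by the user-agent layer."""
    blocked, passed = [], []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: leave it for manual review
        host, ua = m.groups()
        (blocked if ua_blocked(ua) else passed).append(host)
    return blocked, passed

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET / HTTP/1.0" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [01/Jan/2008:10:00:05 +0000] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.5 - - [01/Jan/2008:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    blocked, passed = triage(SAMPLE_LOG)
    print("blocked by UA layer:", blocked)
    print("passed UA layer:", passed)
    for q in ("bot1.example.com", "notexample.com"):
        print(q, "->", "blocked" if dns_blocked(q) else "allowed")
```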