Utilizing service tagging for encrypted flow classification

US11711336B2 · US · B2

Patent metadata

Publication number: US-11711336-B2
Application number: US-202117466370-A
Country: US
Kind code: B2
Filing date: Sep 3, 2021
Priority date: Jun 23, 2016
Publication date: Jul 25, 2023
Grant date: Jul 25, 2023

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tags. The device prioritizes the encrypted traffic flow based on the identified service associated with the encrypted traffic flow.

Claims

Full claim text for this publication.

What is claimed is:

1. A method, comprising: receiving, at a device in a network, domain name system (DNS) information for a domain, wherein the DNS information includes one or more service tags indicative of one or more services offered by the domain; populating, by the device, a local database of DNS information from the received DNS information; detecting, by the device, an encrypted traffic flow associated with the domain; identifying, by the device, a service of the one or more services offered by the domain as associated with the encrypted traffic flow based on information in the local database; and deprioritizing, by the device, the encrypted traffic flow based on the identified service of the one or more services.

2. The method as in claim 1, further comprising: sending, by the device, a DNS request for the DNS information, wherein the DNS request includes a request for the one or more service tags indicative of the one or more services offered by the domain.

3. The method as in claim 2, wherein the request for the one or more service tags is included in an extension mechanism for DNS (EDNS) field of the DNS request.

4. The method as in claim 1, wherein the DNS information is received via a DNS response that includes the one or more service tags in an extension mechanism for DNS (EDNS) field.

5. The method as in claim 1, wherein the received DNS information further comprises a reputation score associated with the domain, and wherein the encrypted traffic flow is deprioritized based on the reputation score associated with the domain.

6. The method as in claim 1, wherein the device is located in an access network.

7. The method of claim 1, wherein the service associated with the encrypted traffic flow is identified while the encrypted traffic flow is still encrypted.

8. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: receive domain name system (DNS) information for a domain, wherein the DNS information includes one or more service tags indicative of one or more services offered by the domain; populate a local database of DNS information from the received DNS information; detect an encrypted traffic flow associated with the domain; identify a service of the one or more services offered by the domain as associated with the encrypted traffic flow based on information in the local database; and deprioritize the encrypted traffic flow based on the identified service of the one or more services.

9. The apparatus as in claim 8, wherein the process when executed is further operable to: send a DNS request for the DNS information, wherein the DNS request includes a request for the one or more service tags indicative of the one or more services offered by the domain.

10. The apparatus as in claim 9, wherein the request for the one or more service tags is included in an extension mechanism for DNS (EDNS) field of the DNS request.

11. The apparatus as in claim 10, wherein the DNS information is received via a DNS response that includes the one or more service tags in an extension mechanism for DNS (EDNS) field.

12. The apparatus as in claim 8, wherein the received DNS information further comprises a reputation score associated with the domain, and wherein the encrypted traffic flow is deprioritized based on the reputation score associated with the domain.

13. The apparatus as in claim 8, wherein the apparatus is located in an access network.

14. The apparatus of claim 8, wherein the service associated with the encrypted traffic flow is identified while the encrypted traffic flow is still encrypted.

15. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising: receiving, at a device in a network, domain name system (DNS) information for a domain, wherein the DNS information includes one or more service tags indicative of one or more services offered by the domain; populating, by the device, a local database of DNS information from the received DNS information; detecting, by the device, an encrypted traffic flow associated with the domain; identifying, by the device, a service of the one or more services offered by the domain as associated with the encrypted traffic flow based on information in the local database; and deprioritizing, by the device, the encrypted traffic flow based on the identified service of the one or more services.

16. The tangible, non-transitory, computer-readable medium as in claim 15, wherein the process further comprises: altering, by the device, the received DNS information by stripping the one or more service tags; and forwarding, by the device, the altered DNS information to a client device, in response to a DNS request from the client device.

17. The tangible, non-transitory, computer-readable medium as in claim 16, wherein the request for the one or more service tags is included in an extension mechanism for DNS (EDNS) field of the DNS request.

18. The tangible, non-transitory, computer-readable medium as in claim 15, wherein the DNS information is received via a DNS response that includes the one or more service tags in an extension mechanism for DNS (EDNS) field.

19. The tangible, non-transitory, computer-readable medium as in claim 15, wherein the received DNS information further comprises a reputation score associated with the domain, and wherein the encrypted traffic flow is deprioritized based on the reputation score associated with the domain.

20. The tangible, non-transitory, computer-readable medium as in claim 15, wherein the service associated with the encrypted traffic flow is identified while the encrypted traffic flow is still encrypted.
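The mechanism the claims describe, end to end, as an added Python example that is not code from the patent, from Cisco, or from any resolver product: a DNS answer whose OPT record carries service tags in an EDNS option, a local database keyed by the resolved addresses (claim 1), classification of a later encrypted flow by its destination address without looking at the ciphertext (claim 7), a deprioritization decision driven by the advertised service, and claim 16's stripping of the tags before the answer is forwarded to the client. The option code 65001, the comma-separated tag encoding, the priority policy and the sample answers are all assumptions made for this example; RFC 6891 registers no service-tag option, and 65001 merely falls in the range it reserves for local or experimental use.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Hypothetical EDNS option code for the service-tag payload. No such code is
# registered; 65001 is in the RFC 6891 local/experimental range (placeholder).
SERVICE_TAGS_OPT = 65001

# Constructed policy: tags an access-network device would treat as low priority.
LOW_PRIORITY_TAGS = {"backup", "software-update"}


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire-format labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(domain: str, addrs: List[str], tags: List[str]) -> bytes:
    """Constructed sample answer: A records plus an OPT RR carrying the
    hypothetical service-tag option. Sample input, not real resolver output."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 1)
    question = encode_name(domain) + struct.pack("!HH", 1, 1)       # A, IN
    answers = b""
    for a in addrs:                       # name is a pointer to the question
        rdata = bytes(int(o) for o in a.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    opt_data = ",".join(tags).encode("ascii")
    option = struct.pack("!HH", SERVICE_TAGS_OPT, len(opt_data)) + opt_data
    # OPT RR: root name, TYPE 41, UDP payload size 4096, ext-rcode/flags 0
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(option)) + option
    return header + question + answers + opt_rr


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                               # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end


def parse_response(msg: bytes) -> Dict:
    """Return the queried name, A addresses, service tags from the OPT RR, and
    the byte span of the tag option (start, end, offset of OPT RDLENGTH)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                            # QTYPE, QCLASS
    addrs, tags, tag_span = [], [], None
    for i in range(an + ns + ar):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_end = off + rdlen
        if rtype == 1 and i < an:                           # A record in answer
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        elif rtype == 41:                                   # OPT: walk options
            p = off
            while p < rdata_end:
                code, olen = struct.unpack("!HH", msg[p:p + 4])
                if code == SERVICE_TAGS_OPT:
                    tags = msg[p + 4:p + 4 + olen].decode("ascii").split(",")
                    tag_span = (p, p + 4 + olen, off - 2)
                p += 4 + olen
        off = rdata_end
    return {"qname": qname, "addrs": addrs, "tags": tags, "tag_span": tag_span}


class FlowClassifier:
    """Local DNS database (claim 1) and classification of encrypted flows by
    destination address only, so the payload is never inspected (claim 7)."""

    def __init__(self) -> None:
        self.db: Dict[str, Tuple[str, List[str]]] = {}

    def learn(self, msg: bytes) -> None:
        info = parse_response(msg)
        for ip in info["addrs"]:
            self.db[ip] = (info["qname"], info["tags"])

    def classify(self, dst_ip: str) -> Dict:
        domain, tags = self.db.get(dst_ip, (None, []))
        # Deprioritize only when every advertised service is low priority, so a
        # domain that also serves voice is not starved (example policy).
        low = bool(tags) and set(tags) <= LOW_PRIORITY_TAGS
        return {"domain": domain, "services": tags, "priority": "low" if low else "normal"}


def strip_service_tags(msg: bytes) -> bytes:
    """Claim 16: remove the tag option before forwarding the answer to the
    client, shrinking the OPT RDLENGTH to match."""
    span = parse_response(msg)["tag_span"]
    if span is None:
        return msg
    start, end, rdlen_off = span
    old_len = struct.unpack("!H", msg[rdlen_off:rdlen_off + 2])[0]
    new_len = struct.pack("!H", old_len - (end - start))
    return msg[:rdlen_off] + new_len + msg[rdlen_off + 2:start] + msg[end:]


# Constructed sample answers using documentation address ranges.
SAMPLE_BACKUP = build_response("backup.example.com", ["192.0.2.10", "192.0.2.11"], ["backup"])
SAMPLE_VOICE = build_response("voice.example.com", ["198.51.100.5"], ["voice", "video"])

if __name__ == "__main__":
    fc = FlowClassifier()
    fc.learn(SAMPLE_BACKUP)
    fc.learn(SAMPLE_VOICE)
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.9"):
        print(ip, fc.classify(ip))
    print("tags after strip:", parse_response(strip_service_tags(SAMPLE_BACKUP))["tags"])
```

The classifier never touches the encrypted payload: the only flow attribute it consumes is the destination address, which is why the lookup works while the flow is still encrypted. Stripping the option rather than the whole OPT record keeps the answer EDNS-valid for the client, which matters because the client may itself depend on other EDNS options in the same record.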

Assignees

Cisco Tech Inc

Inventors

Classifications

  • using domain name system [DNS] · CPC title

  • Directories for service discovery · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • taking into account QoS or priority requirements · CPC title

  • Allocation of priorities to traffic types · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11711336B2 cover?
In one embodiment, a device in a network receives domain name system (DNS) information for a domain. The DNS information includes one or more service tags indicative of one or more services offered by the domain. The device detects an encrypted traffic flow associated with the domain. The device identifies a service associated with the encrypted traffic flow based on the one or more service tag…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L61/4511. Mapped technology areas include Electricity.
When was this patent published?
Publication date: Jul 25, 2023 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).