Cyber security adaptive analytics threat monitoring system and method
US-2015195299-A1 · Jul 9, 2015 · US
US2016308833A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016308833-A1 |
| Application number | US-201615143210-A |
| Country | US |
| Kind code | A1 |
| Filing date | Apr 29, 2016 |
| Priority date | Jan 28, 2014 |
| Publication date | Oct 20, 2016 |
| Grant date | — |
Official abstract text for this publication.
Flux domain is generally an active threat vector, and flux domain behaviors are continually changing in an attempt to evade existing detection measures. Accordingly, new and improved techniques are disclosed for flux domain detection. In some embodiments, an online platform implementing an analytics framework for DNS security is provided for facilitating flux domain detection. For example, the online platform can implement an analytics framework for DNS security based on passive DNS traffic analysis, disclosed herein with respect to various embodiments.
Opening claim text (preview).
What is claimed is:

1. (canceled)

2. A system for an online platform implementing an analytics framework for domain detection on passive DNS traffic, comprising: a processor configured to: receive a DNS data stream; process the DNS data stream to identify a bad network domain based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, wherein the behavioral analysis model is determined based at least in part on a loyalty value of a plurality of DNS messages and an entropy of resolved IP addresses related to the plurality of DNS messages; and perform a mitigation action based on the identified bad network domain; and a memory coupled to the processor and configured to provide the processor with instructions.

3. The system recited in claim 2, wherein the DNS data stream includes DNS query and DNS response data.

4. The system recited in claim 2, wherein the bad network domain is associated with a Fully Qualified Domain Name (FQDN).

5. The system recited in claim 2, wherein the processor is further configured to: determine a host is infected based on detecting a DNS query request to the bad network domain from the host.

6. The system recited in claim 2, wherein the processor is further configured to: determine a host is infected based on detecting a DNS query request to the bad network domain from the host; and perform another mitigation action based on the determined infected host.

7. The system recited in claim 2, wherein the mitigation action includes one or more of the following: generate a firewall rule based on the bad network domain; configure a network device to block network communications with the bad network domain; and quarantine an infected host, wherein the infected host is determined to be infected based on an association with the bad network domain.

8. The system recited in claim 2, wherein the processor is further configured to: identify a source IP address, a source host, or an attempt to query the bad network domain.

9. The system recited in claim 2, wherein the processor is further configured to: store the time series collection of passive DNS traffic data in an observation cache.

10. The system recited in claim 2, wherein the processor is further configured to: receive DNS data that is collected from an agent executed on a DNS appliance.

11. The system recited in claim 2, wherein the processor is further configured to: extract a plurality of features from the DNS data stream to determine whether a network domain is associated with a fast flux based on the extracted plurality of features.

12. A method of an online platform implementing an analytics framework for domain detection on passive DNS traffic, comprising: receiving a DNS data stream; processing the DNS data stream to identify a bad network domain based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, wherein the behavioral analysis model is determined based at least in part on a loyalty value of a plurality of DNS messages and an entropy of resolved IP addresses related to the plurality of DNS messages; and performing a mitigation action based on the identified bad network domain.

13. The method of claim 12, wherein the DNS data stream includes DNS query and DNS response data.

14. The method of claim 12, wherein the bad network domain is associated with a Fully Qualified Domain Name (FQDN).

15. The method of claim 12, further comprising: determining a host is infected based on detecting a DNS query request to the bad network domain from the host.

16. The method of claim 12, further comprising: determining a host is infected based on detecting a DNS query request to the bad network domain from the host; and performing another mitigation action based on the determined infected host.

17. A computer program product for an online platform implementing an analytics framework for domain detection on passive DNS traffic, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for: receiving a DNS data stream; processing the DNS data stream to identify a bad network domain based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, wherein the behavioral analysis model is determined based at least in part on a loyalty value of a plurality of DNS messages and an entropy of resolved IP addresses related to the plurality of DNS messages; and performing a mitigation action based on the identified bad network domain.

18. The computer program product recited in claim 17, wherein the DNS data stream includes DNS query and DNS response data.

19. The computer program product recited in claim 17, wherein the bad network domain is associated with a Fully Qualified Domain Name (FQDN).

20. The computer program product recited in claim 17, further comprising computer instructions for: determining a host is infected based on detecting a DNS query request to the bad network domain from the host.

21. The computer program product recited in claim 17, further comprising computer instructions for: determining a host is infected based on detecting a DNS query request to the bad network domain from the host; and performing another mitigation action based on the determined infected host.
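The claims name two signals for the behavioral model (a loyalty value and the entropy of resolved IP addresses), an observation cache over a time series of passive DNS data, infected-host identification from queries to a flagged domain, and mitigation actions (firewall rule, quarantine). The following Python is an added example written for this page, not the patent's own code or any product's implementation. It assumes a definition of "loyalty" that the claims do not give (the fraction of answers carried by a domain's single most frequent IP), assumes detection thresholds (entropy of at least 2.0 bits and loyalty of at most 0.5), and emits mitigation rules in a made-up placeholder syntax. The DNS stream is constructed inline: a stable site, a legitimate two-address round robin, and a domain that answers with a fresh address on every lookup.

```python
# Added example (not the patent's own code): scoring candidate flux domains
# from a passive DNS response stream using the two signals named in claim 2.
# ASSUMPTION: "loyalty" is defined here as the share of answers carried by
# the domain's most frequent IP (1.0 = always the same address). The patent
# does not define it, nor the thresholds used below.
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class DnsRecord(NamedTuple):
    ts: int        # epoch seconds of the DNS response
    client: str    # host that issued the query (source of the DNS message)
    qname: str     # queried FQDN
    answer: str    # resolved IPv4 address carried in the response
    ttl: int


# Constructed sample stream (not real traffic): documentation-range addresses.
SAMPLE_STREAM: List[DnsRecord] = (
    [DnsRecord(1000 + i * 60, "10.0.0.7", "www.example.com", "198.51.100.10", 3600) for i in range(8)]
    + [DnsRecord(1000 + i * 60, "10.0.0.5", "www.example.com", "198.51.100.10", 3600) for i in range(4)]
    + [DnsRecord(1000 + i * 60, "10.0.0.7", "static.example.net", f"203.0.113.{1 + i % 2}", 300) for i in range(8)]
    + [DnsRecord(1000 + i * 60, "10.0.0.5", "cdn-update.example", f"192.0.2.{20 + i}", 60) for i in range(8)]
)


def ip_entropy(counts: Dict[str, int]) -> float:
    """Shannon entropy in bits of the resolved-IP distribution for one domain."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(-(c / total) * math.log2(c / total) for c in counts.values())


def loyalty(counts: Dict[str, int]) -> float:
    """ASSUMED definition: fraction of answers returned by the most frequent IP."""
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0


def observation_cache(stream: List[DnsRecord], now: int, window: int) -> Tuple[dict, dict]:
    """Time-series cache: per-domain answer counts and querying clients in [now-window, now]."""
    ip_counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    clients: Dict[str, Set[str]] = defaultdict(set)
    for rec in stream:
        if now - window <= rec.ts <= now:
            ip_counts[rec.qname][rec.answer] += 1
            clients[rec.qname].add(rec.client)
    return ip_counts, clients


def score_domains(stream: List[DnsRecord], now: int, window: int = 3600,
                  min_entropy: float = 2.0, max_loyalty: float = 0.5) -> dict:
    """Apply the (assumed) behavioral model to every domain seen in the window."""
    ip_counts, clients = observation_cache(stream, now, window)
    report = {}
    for qname, counts in ip_counts.items():
        h, l = ip_entropy(counts), loyalty(counts)
        report[qname] = {
            "entropy": round(h, 3),
            "loyalty": round(l, 3),
            "distinct_ips": len(counts),
            # Both signals must agree: many addresses AND no dominant one.
            "flux": h >= min_entropy and l <= max_loyalty,
            "clients": sorted(clients[qname]),
        }
    return report


def flux_domains(report: dict) -> Set[str]:
    return {d for d, s in report.items() if s["flux"]}


def infected_hosts(report: dict) -> Set[str]:
    """Hosts that queried a flagged domain (claims 5, 6, 15, 16)."""
    return {c for d in flux_domains(report) for c in report[d]["clients"]}


def mitigation_rules(report: dict) -> List[str]:
    """Placeholder rule syntax (assumed, not any vendor's): block domain, quarantine host."""
    rules = [f"deny dns qname={d}" for d in sorted(flux_domains(report))]
    rules += [f"quarantine host={h}" for h in sorted(infected_hosts(report))]
    return rules


if __name__ == "__main__":
    rep = score_domains(SAMPLE_STREAM, now=2000)
    for qname, stats in rep.items():
        print(qname, stats)
    print(mitigation_rules(rep))
```

With the sample stream the stable site scores entropy 0 and loyalty 1.0, the two-address round robin scores entropy 1.0 and loyalty 0.5 (below the entropy threshold, so a legitimate load-balanced name is not flagged), and the per-lookup-changing domain scores entropy 3.0 and loyalty 0.125, so it is flagged, the one client that queried it is listed as infected, and two rules are emitted. Shrinking the window to a single observation makes every domain look loyal, which is why the claims tie the model to a time series rather than to individual responses.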
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Distributed architectures, e.g. distributed firewalls · CPC title
Rule management · CPC title
Detection or countermeasures against botnets · CPC title