Systems and methods for detecting malware using machine learning
US-10250617-B1 · Apr 2, 2019 · US
US2018097835A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2018097835-A1 |
| Application number | US-201615285805-A |
| Country | US |
| Kind code | A1 |
| Filing date | Oct 5, 2016 |
| Priority date | Oct 5, 2016 |
| Publication date | Apr 5, 2018 |
| Grant date | — |
Abstract
In one embodiment, a device in a network captures domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network. The device captures session data for an encrypted session of the client. The device makes a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier. The device performs a mediation action in response to the determination that the encrypted session is malicious.
Claims
What is claimed is:

1. A method comprising: capturing, by a device in a network, domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network; capturing, by the device, session data for an encrypted session of the client; making, by the device, a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier; and performing, by the device, a mediation action in response to the determination that the encrypted session is malicious.
2. The method as in claim 1, wherein the determination that the encrypted session is malicious comprises a determination that the encrypted session is associated with malware or a determination that the encrypted session includes exfiltrated data.
3. The method as in claim 1, wherein the mediation action comprises at least one of: blocking traffic associated with the encrypted session or generating an alert.
4. The method as in claim 1, wherein the session data comprises at least one of: a subject alternative name of a Transport Layer Security (TLS) certificate for the encrypted session or a server name indicator of a TLS extension used in the encrypted session.
5. The method as in claim 1, wherein the captured DNS response data comprises one or more of: a number of characters in a domain name specified in the DNS response, a number of records in the DNS response, or time to live (TTL) information included in the DNS response.
6. The method as in claim 1, wherein the DNS response and traffic of the encrypted session flow through the device, and wherein the device captures the DNS response data and the session data by intercepting the DNS response and the traffic of the encrypted session.
7. The method as in claim 1, further comprising: applying, by the device, a weighting to the DNS response data based on the DNS service that sent the DNS response to the client.
8. The method as in claim 1, further comprising: applying, by the device, a weighting to the DNS response data based on whether the DNS response is encrypted or signed.
9. The method as in claim 1, wherein the determination that the encrypted session is malicious is based in part on a history of DNS services used by the client.
10. An apparatus, comprising: one or more network interfaces to communicate with a network; a processor coupled to the network interfaces and configured to execute one or more processes; and a memory configured to store a process executable by the processor, the process when executed operable to: capture domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network; capture session data for an encrypted session of the client; make a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier; and perform a mediation action in response to the determination that the encrypted session is malicious.
11. The apparatus as in claim 10, wherein the determination that the encrypted session is malicious comprises a determination that the encrypted session is associated with malware or includes exfiltrated data.
12. The apparatus as in claim 10, wherein the mediation action comprises at least one of: blocking traffic associated with the encrypted session or generating an alert.
13. The apparatus as in claim 10, wherein the session data comprises at least one of: a subject alternative name of a Transport Layer Security (TLS) certificate for the encrypted session or a server name indicator of a TLS extension used in the encrypted session.
14. The apparatus as in claim 10, wherein the captured DNS response data comprises one or more of: a number of characters in a domain name specified in the DNS response, a number of records in the DNS response, or time to live (TTL) information included in the DNS response.
15. The apparatus as in claim 10, wherein the DNS response and traffic of the encrypted session flow through the device, and wherein the device captures the DNS response data and the session data by intercepting the DNS response and the traffic of the encrypted session.
16. The apparatus as in claim 10, wherein the process when executed is further operable to: applying, by the device, a weighting to the DNS response data based on one or more of: the DNS service that sent the DNS response to the client, whether the DNS response is encrypted, or whether the DNS response is signed.
17. The apparatus as in claim 10, wherein the determination that the encrypted session is malicious is based in part on a history of DNS services used by the client.
18. The apparatus as in claim 10, wherein the process when executed is further operable to: receive the DNS response data from the DNS service.
19. A tangible, non-transitory, computer-readable medium storing program instructions that cause a device in a network to execute a process comprising: capturing, by the device, domain name system (DNS) response data from a DNS response sent by a DNS service to a client in the network; capturing, by the device, session data for an encrypted session of the client; making, by the device, a determination that the encrypted session is malicious by using the captured DNS response data and the captured session data as input to a machine learning-based or rule-based classifier; and performing, by the device, a mediation action in response to the determination that the encrypted session is malicious.
20. The computer-readable medium as in claim 19, wherein the determination that the encrypted session is malicious comprises a determination that the encrypted session is associated with malware or a determination that the encrypted session includes exfiltrated data.
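As an added example (not the patent's own code; the page carries no implementation), the Python below sketches the rule-based variant of the classifier that the abstract and claims 1 and 10 describe. It consumes the DNS response features of claim 5 (name length, record count, TTL), the SNI and certificate subject-alternative-name data of claim 4, the resolver-based and signed/encrypted weighting of claims 7, 8 and 16, and the per-client history of DNS services of claim 9, and it returns the malware-or-exfiltration determination of claim 2 together with the block-or-alert mediation action of claim 3. Every threshold, weight and rule, the direction of the weighting, the pairing of a DNS response to a TLS session by the answer address matching the session's server IP, and the sample records (RFC 5737 documentation addresses) are assumptions made for this illustration; the patent text fixes none of them.

```python
# Added example: a rule-based classifier shaped like the one the abstract and
# claims describe. Written for this page; not the patent's implementation.
# Thresholds, weights, rules and sample data are all assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class DnsResponse:
    resolver: str            # DNS service that sent the answer (claims 7, 9)
    qname: str               # domain name in the response (claim 5)
    rdata: List[str]         # answer records, here A-record addresses (claim 5)
    ttl: int                 # time to live of the answer (claim 5)
    encrypted: bool = False  # e.g. received over DoT/DoH (claim 8)
    signed: bool = False     # DNSSEC-validated (claim 8)

@dataclass
class TlsSession:
    client: str
    server_ip: str
    sni: Optional[str]       # server_name extension of the ClientHello (claim 4)
    cert_sans: List[str]     # subjectAltName entries of the server cert (claim 4)
    bytes_out: int
    bytes_in: int

@dataclass
class Verdict:
    score: float
    malicious: bool
    kind: str                # "benign", "malware" or "exfiltration" (claim 2)
    action: str              # "allow", "alert" or "block" (claim 3)
    reasons: List[str]

ALERT_THRESHOLD, BLOCK_THRESHOLD = 2.0, 4.0  # assumed cut-offs

def dns_weight(r: DnsResponse, trusted: Set[str]) -> float:
    """Confidence in DNS-derived features (claims 7, 8). Assumption: answers from
    an unknown resolver are discounted; signed or encrypted answers count for more."""
    w = 1.0 if r.resolver in trusted else 0.5
    if r.signed:
        w *= 1.5
    if r.encrypted:
        w *= 1.25
    return w

def san_matches(san: str, name: str) -> bool:
    """RFC 6125-style comparison: a wildcard covers exactly one left-most label."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if san.startswith("*."):
        return name.endswith(san[1:]) and name.count(".") == san.count(".")
    return san == name

def covered(name: str, sans: List[str]) -> bool:
    return any(san_matches(s, name) for s in sans)

def classify(dns: DnsResponse, sess: TlsSession,
             history: Dict[str, Set[str]], trusted: Set[str]) -> Verdict:
    """Assumes the caller paired `dns` with the session whose server_ip appears
    in dns.rdata. Each rule is (fired, points, reason); points are summed."""
    w = dns_weight(dns, trusted)
    exfil = sess.bytes_out > 1_000_000 and sess.bytes_out > 5 * sess.bytes_in
    rules = [
        # DNS response features (claim 5), scaled by the weighting
        (len(dns.qname) >= 30, 1.0 * w, "long domain name"),
        (dns.ttl < 60, 1.0 * w, "very short TTL"),
        (len(dns.rdata) > 4, 0.5 * w, "many answer records"),
        # TLS session metadata cross-checked against the resolved name (claim 4)
        (sess.sni is None, 1.0, "no SNI"),
        (sess.sni is not None and not covered(sess.sni, sess.cert_sans),
         1.5, "SNI not in certificate SANs"),
        (not covered(dns.qname, sess.cert_sans), 1.0, "resolved name not in certificate SANs"),
        # Volume asymmetry as an exfiltration indicator (claim 2)
        (exfil, 2.0, "outbound volume dwarfs inbound"),
        # History of DNS services used by this client (claim 9)
        (dns.resolver not in history.get(sess.client, set()), 1.0, "resolver new for this client"),
    ]
    reasons = [why for fired, _, why in rules if fired]
    score = sum(pts for fired, pts, _ in rules if fired)
    malicious = score >= ALERT_THRESHOLD
    kind = "benign" if not malicious else ("exfiltration" if exfil else "malware")
    action = "block" if score >= BLOCK_THRESHOLD else ("alert" if malicious else "allow")
    return Verdict(score, malicious, kind, action, reasons)

# Constructed sample data: one enterprise resolver and one client's resolver history
TRUSTED = {"10.0.0.53"}
HISTORY = {"10.0.0.17": {"10.0.0.53"}}

def benign_example() -> Verdict:
    dns = DnsResponse("10.0.0.53", "www.example.com", ["192.0.2.10"], 3600, signed=True)
    sess = TlsSession("10.0.0.17", "192.0.2.10", "www.example.com",
                      ["www.example.com", "example.com"], 4_000, 120_000)
    return classify(dns, sess, HISTORY, TRUSTED)

def malicious_example() -> Verdict:
    # Unknown resolver, 32-character name, 30 s TTL, five answers, no SNI,
    # certificate for an unrelated name, 6 MB pushed out against 40 KB in.
    dns = DnsResponse("203.0.113.53", "k3v9x2q7m4z8p1w6n0b5.example.net",
                      [f"198.51.100.{i}" for i in range(21, 26)], 30)
    sess = TlsSession("10.0.0.17", "198.51.100.23", None,
                      ["*.cdn-example.org"], 6_000_000, 40_000)
    return classify(dns, sess, HISTORY, TRUSTED)

if __name__ == "__main__":
    for v in (benign_example(), malicious_example()):
        print(v.kind, v.action, v.score, v.reasons)
```

Running the module prints the benign session as `benign allow 0.0 []` and the constructed malicious one as `exfiltration block 6.25` with seven reasons. In the machine-learning variant the claims also cover, the hand-set points in `rules` would be replaced by learned coefficients over the same feature vector; the weighting of claims 7 and 8 is modelled here as confidence in the DNS features, which is one reading of the claim language, not the only one.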
CPC classification titles:

- wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- at the transport layer
- by monitoring network traffic (monitoring network traffic per se H04L43/00)
- the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)