Zero day threat detection based on fast flux detection and aggregation

What is claimed is: 1. A method in a cloud-based security system, comprising: operating a Domain Name System (DNS) resolution service, proxy, or monitor in the cloud-based security system; receiving DNS records with time-to-live (TTL) parameters; checking the TTL parameters for indication of a fast flux technique; detecting domains performing the fast flux technique based on the DNS records; and performing DNS queries for one or more users of the cloud-based security system and operating in a tap mode for DNS requests not being performed for the one or more users. 2. The method in a cloud-based security system of claim 1 , wherein the detecting is based on the cloud-based security system having a large, distributed view of ongoing network activity and monitoring and analyzing short TTLs up to 30 seconds and behavior over time based on the DNS records. 3. The method in a cloud-based security system of claim 1 , further comprising: sending notifications for any clients who visited the detected domains for maintenance thereon. 4. The method in a cloud-based security system of claim 1 , further comprising: performing DNS queries for one or more users of the cloud-based security system; receiving the DNS records responsive to the DNS queries; and caching the DNS records locally until expiration per the TTL parameters responsive to not detecting the fast flux technique. 5. The method in a cloud-based security system of claim 1 , wherein the receiving the DNS records is responsive to operating a tap mode in the cloud-based security system. 6. The method in a cloud-based security system of claim 1 , further comprising: propagating the detected domains to various nodes in the cloud-based security system for blacklisting. 7. The method in a cloud-based security system of claim 1 , further comprising: receiving data requests from a plurality of users of the cloud-based security system; and processing the data requests to detect security threats comprising checking associated domains for the data requests for the detected domains. 8. The method in a cloud-based security system of claim 7 , wherein the security threats are any of malware, spyware, viruses, email spam, and data leakage. 9. The method in a cloud-based security system of claim 7 , further comprising: blocking the data requests if an associated domain is on a blacklist including the detected domains. 10. The method in a cloud-based security system of claim 1 , further comprising: receiving an initial blacklist from a node in a cloud-based security system or initializing the initial blacklist; receiving updates related to domains performing fast flux techniques from other nodes in the cloud-based security system; and adding new entries to the blacklist based on the updates with each entry including an aging factor. 11. The method in a cloud-based security system of claim 10 , further comprising: checking and updating existing entries in the blacklist based on associated aging factors. 12. A cloud-based security system, comprising: a plurality of nodes communicatively coupled to one or more users; and a Domain Name System (DNS) service providing a resolution service, proxy, or monitor in the cloud-based security system; wherein the DNS service is configured to receive DNS records with time-to-live (TTL) parameters; check the TTL parameters for indication of a fast flux technique; detect domains performing the fast flux technique based on the DNS records; and perform DNS queries for one or more users of the cloud-based security system and operate in a tap mode for DNS requests not being performed for the one or more users. 13. The cloud-based security system of claim 12 , wherein the detected domains are determined based on the cloud-based security system having a large, distributed view of ongoing network activity and monitoring and analyzing short TTLs up to 30 seconds and behavior over time based on the DNS records. 14. The cloud-based security system of claim 12 , wherein the DNS service is further configured to: perform DNS queries for one or more users of the cloud-based security system; receive the DNS records responsive to the DNS queries; and cache the DNS records locally until expiration per the TTL parameters responsive to not detecting the fast flux technique. 15. The cloud-based security system of claim 13 , wherein the DNS service is further configured to: receive the DNS records responsive to operating a tap mode in the cloud-based security system. 16. The cloud-based security system of claim 12 , wherein the DNS service is further configured to propagate a blacklist to the plurality of nodes based on the detected domains. 17. The cloud-based security system of claim 12 , wherein each of the plurality of nodes is configured to: receive data requests from a plurality of users of the cloud-based security system; process the data requests to detect security threats comprising checking associated domains for the data requests for the blacklisted domains; and block the data requests if an associated domain is on a blacklist. 18. A node in a cloud-based security system, comprising: a network interface, a data store, and a processor communicatively coupled to one another; and memory storing computer executable instructions, and in response to execution by the processor, the computer executable instructions cause the processor to perform steps of operate a Domain Name System (DNS) resolution service, proxy, or monitor in the cloud-based security system; receive DNS records with time-to-live (TTL) parameters; check the TTL parameters for indication of a fast flux technique; detect domains performing the fast flux technique based on the DNS records; and perform DNS queries for one or more users of the cloud-based security system and operate in a tap mode for DNS requests not being performed for the one or more users.