Platforms for implementing an analytics framework for DNS security

US9787642B2 · US · B2

Patent metadata
Publication number: US-9787642-B2
Application number: US-201615143210-A
Country: US
Kind code: B2
Filing date: Apr 29, 2016
Priority date: Jan 28, 2014
Publication date: Oct 10, 2017
Grant date: Oct 10, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title: what the patent document calls the invention.
  2. Abstract: a short plain-language summary of the technical disclosure.
  3. Assignees and inventors: who owns or filed the patent and who is credited as inventor.
  4. Key dates: filing, priority, publication, and grant dates set the timeline.
  5. First independent claim: the legal scope of protection; read this for what is actually claimed.
  6. CPC / IPC classifications: technology tags used to group this patent with similar filings.
  7. Citations and related patents: prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Flux domain is generally an active threat vector, and flux domain behaviors are continually changing in an attempt to evade existing detection measures. Accordingly, new and improved techniques are disclosed for flux domain detection. In some embodiments, an online platform implementing an analytics framework for DNS security is provided for facilitating flux domain detection. For example, the online platform can implement an analytics framework for DNS security based on passive DNS traffic analysis, disclosed herein with respect to various embodiments.

Claims

Full claim text for this publication (independent claims 1, 10 and 14 with their dependent claims).

What is claimed is:

1. A system for an online platform implementing an analytics framework for domain detection on passive DNS traffic, comprising: a processor configured to: receive a DNS data stream; process the DNS data stream to identify a bad network domain based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, wherein the behavioral analysis model is determined based at least in part on a loyalty value of a plurality of DNS messages and an entropy of resolved IP addresses related to the plurality of DNS messages, wherein the loyalty value is determined based at least in part on: an average time to live (TTL) of the plurality of DNS messages; a number of messages of a set of consecutive DNS messages collected against a fully qualified domain name (FQDN); a number of unique resolved IP addresses from the set of consecutive DNS messages over a period of time; a number of resolved IP addresses relating to DNS responses associated with the set of consecutive DNS messages; and a frequency of reuse of a target IP address, the loyalty value being higher in the event that the frequency of reuse of the target IP address is higher; perform a mitigation action based on the identified bad network domain; determine a host is infected based on detecting a DNS query request to the bad network domain from the host; and perform another mitigation action based on the determined infected host; and a memory coupled to the processor and configured to provide the processor with instructions.

2. The system recited in claim 1, wherein the DNS data stream includes DNS query and DNS response data.

3. The system recited in claim 1, wherein the bad network domain is associated with the Fully Qualified Domain Name (FQDN).

4. The system recited in claim 1, wherein the processor is further configured to: determine a host is infected based on detecting a DNS query request to the bad network domain from the host.

5. The system recited in claim 1, wherein the mitigation action includes one or more of the following: generate a firewall rule based on the bad network domain; configure a network device to block network communications with the bad network domain; and quarantine an infected host, wherein the infected host is determined to be infected based on an association with the bad network domain.

6. The system recited in claim 1, wherein the processor is further configured to: identify a source IP address, a source host, or an attempt to query the bad network domain.

7. The system recited in claim 1, wherein the processor is further configured to: store the time series collection of passive DNS traffic data in an observation cache.

8. The system recited in claim 1, wherein the processor is further configured to: receive DNS data that is collected from an agent executed on a DNS appliance.

9. The system recited in claim 1, wherein the processor is further configured to: extract a plurality of features from the DNS data stream to determine whether a network domain is associated with a fast flux based on the extracted plurality of features.

10. A method of an online platform implementing an analytics framework for domain detection on passive DNS traffic, comprising: receiving a DNS data stream; processing the DNS data stream to identify a bad network domain based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, wherein the behavioral analysis model is determined based at least in part on a loyalty value of a plurality of DNS messages and an entropy of resolved IP addresses related to the plurality of DNS messages, wherein the loyalty value is determined based at least in part on: an average time to live (TTL) of the plurality of DNS messages; a number of messages of a set of consecutive DNS messages collected against a fully qualified domain name (FQDN); a number of unique resolved IP addresses from the set of consecutive DNS messages over a period of time; a number of resolved IP addresses relating to DNS responses associated with the set of consecutive DNS messages; and a frequency of reuse of a target IP address, the loyalty value being higher in the event that the frequency of reuse of the target IP address is higher; performing a mitigation action based on the identified bad network domain; determining a host is infected based on detecting a DNS query request to the bad network domain from the host; and performing another mitigation action based on the determined infected host.

11. The method of claim 10, wherein the DNS data stream includes DNS query and DNS response data.

12. The method of claim 10, wherein the bad network domain is associated with the Fully Qualified Domain Name (FQDN).

13. The method of claim 10, further comprising: determining a host is infected based on detecting a DNS query request to the bad network domain from the host.

14. A computer program product for an online platform implementing an analytics framework for domain detection on passive DNS traffic, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for: receiving a DNS data stream; processing the DNS data stream to identify a bad network domain based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, wherein the behavioral analysis model is determined based at least in part on a loyalty value of a plurality of DNS messages and an entropy of resolved IP addresses related to the plurality of DNS messages, wherein the loyalty value is determined based at least in part on: an average time to live (TTL) of the plurality of DNS messages; a number of messages of a set of consecutive DNS messages collected against a fully qualified domain name (FQDN); a number of unique resolved IP addresses from the set of consecutive DNS messages over a period of time; a number of resolved IP addresses relating to DNS responses associated with the set of consecutive DNS messages; and a frequency of reuse of a target IP address, the loyalty value being higher in the event that the frequency of reuse of the target IP address is higher; performing a mitigation action based on the identified bad network domain; determining a host is infected based on detecting a DNS query request to the bad network domain from the host; and performing another mitigation action based on the determined infected host.

15. The computer program product recited in claim 14, wherein the DNS data stream includes DNS query and DNS response data.

16. The computer program product recited in claim 14, wherein the bad network domain is associated with the Fully Qualified Domain Name (FQDN).

17. The computer program product recited in claim 14, further comprising computer instructions for: determining a host is infected based on detecting a DNS query request to the bad network domain from the host.
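As an added illustration (not code from the patent or from Infoblox), the following Python sketches the feature extraction the independent claims describe: per-FQDN average TTL, message count, unique and total resolved IPs, IP reuse frequency, a loyalty value that rises with reuse, and the entropy of the resolved IPs, followed by the infected-host step of claim 1. The loyalty formula, the decision thresholds, the FQDNs and the sample observations are all assumptions constructed for this example.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed passive-DNS observations: (timestamp_s, fqdn, ttl_s, resolved_ips).
# Both FQDNs and all addresses (documentation ranges) are invented for this example.
OBSERVATIONS = [
    (0,   "cdn.legit.example", 300, ["192.0.2.10", "192.0.2.11"]),
    (300, "cdn.legit.example", 300, ["192.0.2.10", "192.0.2.11"]),
    (600, "cdn.legit.example", 300, ["192.0.2.11", "192.0.2.10"]),
    (0,   "flux.bad.example",   30, ["198.51.100.5", "198.51.100.77", "203.0.113.9"]),
    (30,  "flux.bad.example",   30, ["198.51.100.12", "203.0.113.44", "198.51.100.90"]),
    (60,  "flux.bad.example",   30, ["203.0.113.2", "198.51.100.33", "203.0.113.61"]),
]
# Constructed client query log: (timestamp_s, client_host, fqdn).
QUERIES = [(5, "ws-01", "cdn.legit.example"), (35, "ws-07", "flux.bad.example")]

def ip_entropy(ip_counts):
    """Shannon entropy (bits) of the resolved-IP distribution for one FQDN."""
    total = sum(ip_counts.values())
    return -sum(c / total * log2(c / total) for c in ip_counts.values())

def domain_features(observations, ttl_scale=300.0):
    """Per-FQDN features over its consecutive DNS messages (the claim 1 inputs)."""
    by_fqdn = defaultdict(list)
    for _, fqdn, ttl, ips in sorted(observations):
        by_fqdn[fqdn].append((ttl, ips))
    features = {}
    for fqdn, msgs in by_fqdn.items():
        ip_counts = Counter(ip for _, ips in msgs for ip in ips)
        n_msgs = len(msgs)                              # consecutive messages
        n_answers = sum(len(ips) for _, ips in msgs)    # resolved IPs in responses
        n_unique = len(ip_counts)                       # unique resolved IPs
        avg_ttl = sum(ttl for ttl, _ in msgs) / n_msgs
        reuse_freq = (n_answers - n_unique) / n_answers  # answers repeating a known IP
        # Assumed loyalty formula: rises with IP reuse and with longer TTLs.
        loyalty = reuse_freq * min(1.0, avg_ttl / ttl_scale)
        features[fqdn] = {"msgs": n_msgs, "avg_ttl": avg_ttl, "unique_ips": n_unique,
                          "reuse_freq": reuse_freq, "loyalty": loyalty,
                          "entropy": ip_entropy(ip_counts)}
    return features

def bad_domains(features, max_loyalty=0.25, min_entropy=2.0):
    """Assumed thresholds: low loyalty plus high resolved-IP entropy flags a flux candidate."""
    return {d for d, f in features.items()
            if f["loyalty"] < max_loyalty and f["entropy"] > min_entropy}

def infected_hosts(queries, bad):
    """Hosts seen querying a flagged domain (claim 1's infected-host step)."""
    return {host for _, host, fqdn in queries if fqdn in bad}
```

On the constructed data the CDN-like name keeps a two-address pool with long TTLs (high loyalty, 1 bit of entropy), while the flux-like name never repeats an address (zero loyalty, about 3.17 bits), so only the latter is flagged and only the host that queried it is marked infected.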

Assignees

Infoblox Inc

Inventors

Classifications

  • Traffic logging, e.g. anomaly detection · CPC title

  • Rule management · CPC title

  • Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title

  • Detection or countermeasures against botnets · CPC title

  • Distributed architectures, e.g. distributed firewalls · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9787642B2 cover?
Flux domain is generally an active threat vector, and flux domain behaviors are continually changing in an attempt to evade existing detection measures. Accordingly, new and improved techniques are disclosed for flux domain detection. In some embodiments, an online platform implementing an analytics framework for DNS security is provided for facilitating flux domain detection. For example, the …
Who is the assignee on this patent?
Infoblox Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0263. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 10, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).