Zero day threat detection based on fast flux detection and aggregation

What is claimed is: 1. A system configured to detect fast flux in a network, the system comprising: a network interface communicatively coupled to the network; a processor communicatively coupled to the network interface and memory storing instructions that, when executed, cause the processor to receive, from a Domain Name System (DNS) resolution service, proxy, or monitor, one or more DNS records with associated time-to-live (TTL) parameters; analyze the TTL parameters of the one or more DNS records for an indication of a fast flux technique comprising utilization of numerous Internet Protocol (IP) addresses for a qualified domain name whereby the IP addresses are swapped out due to the TTL parameters in the one or more DNS records; and provide a notification instantly to a plurality of nodes responsive to the indication of the fast flux technique to blacklist associated domains by the plurality of nodes for zero day protection from the associated domains. 2. The system of claim 1 , wherein the one or more DNS records are analyzed through maintenance of a list of short TTLs and the one or more DNS records in the list are checked over time. 3. The system of claim 1 , wherein the indication is based on continual use of extremely short TTLs of less than 30 seconds over time. 4. The system of claim 1 , wherein the indication is based on scoring over time based on the TTLs and use of disparate hostnames in successive DNS queries. 5. The system of claim 1 , wherein the memory storing instructions that, when executed, further cause the processor to maintain a list of domains associated with the one or more DNS records; and analyze the TTL parameters of the list of domains for behavior over time to detect the indication. 6. The system of claim 1 , wherein the memory storing instructions that, when executed, further cause the processor to add a domain associated with the indication to a blacklist and propagate the addition to a plurality of nodes in a distributed security system. 7. The system of claim 1 , wherein the memory storing instructions that, when executed, further cause the processor to perform data analytics over time on the TTLs and hostnames in the one or more DNS records to detect suspicious behavior for the indication. 8. The system of claim 1 , wherein the notification is provided to a cloud-based security system which blacklists a domain associated with the indication. 9. A method for detecting fast flux a network, the method comprising: receiving, from a Domain Name System (DNS) resolution service, proxy, or monitor, one or more DNS records with associated time-to-live (TTL) parameters; analyzing the TTL parameters of the one or more DNS records for an indication of a fast flux technique comprising utilization of numerous Internet Protocol (IP) addresses for a qualified domain name whereby the IP addresses are swapped out due to the TTL parameters in the one or more DNS records; and providing a notification instantly to a plurality of nodes responsive to the indication of the fast flux technique to blacklist associated domains by the plurality of nodes for zero day protection from the associated domains. 10. The method of claim 9 , wherein the one or more DNS records are analyzed through maintenance of a list of short TTLs and the one or more DNS records in the list are checked over time. 11. The method of claim 9 , wherein the indication is based on continual use of extremely short TTLs of less than seconds over time. 12. The method of claim 9 , wherein the indication is based on scoring over time based on the TTLs and use of disparate hostnames in successive DNS queries. 13. The method of claim 9 , further comprising: maintaining a list of domains associated with the one or more DNS records; and analyzing the TTL parameters of the list of domains for behavior over time to detect the indication. 14. The method of claim 9 , further comprising: adding a domain associated with the indication to a blacklist and propagate the addition to a plurality of nodes in a distributed security system. 15. The method of claim 9 , further comprising: performing data analytics over time on the TTLs and hostnames in the one or more DNS records to detect suspicious behavior for the indication. 16. The method of claim 9 , wherein the notification is provided to a cloud-based security system which blacklists a domain associated with the indication. 17. A non-transitory computer readable medium comprising instructions executable by a processor, which in response to such execution causes the processor to perform operations comprising: receiving, from a Domain Name System (DNS) resolution service, proxy, or monitor, one or more DNS records with associated time-to-live (TTL) parameters; analyzing the TTL parameters of the one or more DNS records for an indication of a fast flux technique comprising utilization of numerous Internet Protocol (IP) addresses for a qualified domain name whereby the IP addresses are swapped out due to the TTL parameters in the one or more DNS records; and providing a notification instantly to a plurality of nodes responsive to the indication of the fast flux technique to blacklist associated domains by the plurality of nodes for zero day protection from the associated domains. 18. The non-transitory computer readable medium of claim 17 , wherein the one or more DNS records are analyzed through maintenance of a list of short TTLs and the one or more DNS records in the list are checked over time. 19. The non-transitory computer readable medium of claim 17 , wherein the indication is based on continual use of extremely short TTLs of less than sec seconds over time. 20. The non-transitory computer readable medium of claim 17 , wherein the indication is based on scoring over time based on the TTLs and use of disparate hostnames in successive DNS queries.