Hi @colinsurprenant,
Thanks for the updates, and confirmation there's a problem to fix.
I've applied your logic to our test cluster, and am waiting for some log entries. We have multiple entries in resolv.conf, so I've switched the LS conf files to use only one nameserver.
I have had some, but nowhere near as many so far as before. Probably needs a couple of hours though.
One oddity is this, however -
[2019-04-25T20:19:43,370][WARN ][logstash.filters.dns ] DNS: timeout on resolving address. {:field=>"[destination-address]", :value=>"209.112.114.33"}
root@elk00:~# nslookup
> 209.112.114.33
;; Truncated, retrying in TCP mode.
33.114.112.209.in-addr.arpa name = k4.nstld.com.
33.114.112.209.in-addr.arpa name = l4.nstld.com.
33.114.112.209.in-addr.arpa name = a22.verisigndns.com.
33.114.112.209.in-addr.arpa name = f4.nstld.com.
33.114.112.209.in-addr.arpa name = ns2.euro909.com.
33.114.112.209.in-addr.arpa name = a23.verisigndns.com.
33.114.112.209.in-addr.arpa name = ns0.netnames.net.
33.114.112.209.in-addr.arpa name = ns1.netnames.net.
33.114.112.209.in-addr.arpa name = ns1.ascio.net.
33.114.112.209.in-addr.arpa name = ns2.domainnetwork.se.
33.114.112.209.in-addr.arpa name = ns3.ascio.net.
33.114.112.209.in-addr.arpa name = ns2.dnsvisa.com.
33.114.112.209.in-addr.arpa name = g4.nstld.com.
33.114.112.209.in-addr.arpa name = a21.verisigndns.com.
33.114.112.209.in-addr.arpa name = ns2.webipdns.com.au.
33.114.112.209.in-addr.arpa name = ns3.netnames.net.
33.114.112.209.in-addr.arpa name = ns5.netnames.net.
33.114.112.209.in-addr.arpa name = a2.verisigndns.com.
33.114.112.209.in-addr.arpa name = pdns1.cscdns.net.
33.114.112.209.in-addr.arpa name = indom30.indomco.fr.
33.114.112.209.in-addr.arpa name = ns7.netnames.net.
33.114.112.209.in-addr.arpa name = indom10.indomco.com.
33.114.112.209.in-addr.arpa name = dns1.cscdns.net.
33.114.112.209.in-addr.arpa name = indom130.indomco.org.
Not sure if the switch to TCP might have caused the filter a problem?
Andy