Hello,
Noticed in the packetbeat_dns_tunneling ml job that some etld+1's seem incorrect:
The third column is dns.question.etld_plus_one
Afaik an etld+1 should consist of 2 parts and 1 dot?
For example dns.question.name 13.125.16.12.in-addr.arpa's dns.question.etld_plus_one is 12.in-addr.arpa in our data.
Is this a bug or expected for in-addr.arpa reverse DNS lookups?
Grtz
Willem
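
Added example, not part of the original post and not Packetbeat's own code: a simplified eTLD+1 lookup against a constructed subset of the Public Suffix List, which lists in-addr.arpa and ip6.arpa as suffixes, so the name from the post resolves to 12.in-addr.arpa. Wildcard and exception rules are omitted, and the helper names (including `is_reverse_lookup`, a possible pre-filter for reverse lookups) are assumptions.

```python
# Constructed subset of the Public Suffix List (publicsuffix.org); the real list
# is far longer. These entries do appear in it, including in-addr.arpa and ip6.arpa.
PSL_SUBSET = {"com", "uk", "co.uk", "arpa", "in-addr.arpa", "ip6.arpa"}


def public_suffix(name, rules=PSL_SUBSET):
    """Return the longest suffix of name that matches a rule (the eTLD)."""
    labels = name.lower().rstrip(".").split(".")
    # Candidates run from the full name down to the last label, so the first
    # match is the longest one.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in rules:
            return candidate
    return labels[-1]  # PSL default rule "*": the last label is the suffix


def etld_plus_one(name, rules=PSL_SUBSET):
    """Return the eTLD plus one more label, or None if name is itself a suffix."""
    labels = name.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(name, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


def is_reverse_lookup(name):
    """True for PTR-style names under in-addr.arpa or ip6.arpa (hypothetical helper)."""
    return public_suffix(name) in {"in-addr.arpa", "ip6.arpa"}


if __name__ == "__main__":
    # Constructed sample names; the first is the one quoted in the post.
    for qname in ["13.125.16.12.in-addr.arpa", "www.example.co.uk", "a.b.example.com"]:
        print(qname, "->", etld_plus_one(qname), "reverse:", is_reverse_lookup(qname))
```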