eTLD+1 seems to be eTLD+2 in some cases

Hello,

Noticed in the packetbeat_dns_tunneling ML job that some eTLD+1s seem incorrect:

image

The third column is dns.question.etld_plus_one

Afaik an etld+1 should consist of 2 parts and 1 dot?

For example, dns.question.name 13.125.16.12.in-addr.arpa's dns.question.etld_plus_one is 12.in-addr.arpa in our data.

Is this a bug or expected for in-addr.arpa reverse DNS lookups?

Grtz

Willem
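As an added illustration (not part of Willem's post, and not Packetbeat's own code), here is a minimal Public Suffix List matcher over a constructed handful of rules. It shows why a name under in-addr.arpa yields an eTLD+1 with two dots: in-addr.arpa is itself a public suffix in the real list, just as co.uk is, so "eTLD+1" is the suffix plus one label, not "two labels and one dot".

```python
# Constructed subset of Public Suffix List rules for illustration only.
# The real list lives at https://publicsuffix.org/list/ and is far longer.
PSL_RULES = [
    "com",
    "uk",
    "co.uk",          # multi-label suffix: eTLD+1 becomes example.co.uk
    "arpa",
    "in-addr.arpa",   # reverse-DNS zone is a public suffix
    "ip6.arpa",
    "*.ck",           # wildcard: any label directly under .ck is a suffix
    "!www.ck",        # exception: www.ck itself is registrable
]


def _rule_matches(rule_labels, domain_labels):
    """Match right-to-left; '*' in a rule matches exactly one label."""
    if len(rule_labels) > len(domain_labels):
        return False
    return all(r == "*" or r == d
               for r, d in zip(reversed(rule_labels), reversed(domain_labels)))


def public_suffix(domain, rules=PSL_RULES):
    """Return the public suffix of `domain` per the PSL algorithm."""
    labels = domain.lower().rstrip(".").split(".")
    matches = [(rule.startswith("!"), rule.lstrip("!").split("."))
               for rule in rules
               if _rule_matches(rule.lstrip("!").split("."), labels)]
    if not matches:
        suffix_len = 1                      # implicit "*" rule: bare TLD
    else:
        exceptions = [r for is_exc, r in matches if is_exc]
        if exceptions:                      # exception wins: drop its first label
            suffix_len = len(exceptions[0]) - 1
        else:                               # otherwise the longest matching rule
            suffix_len = max(len(r) for _, r in matches)
    return ".".join(labels[-suffix_len:])


def etld_plus_one(domain, rules=PSL_RULES):
    """Public suffix plus one more label; None if the name is only a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    suffix_len = len(public_suffix(domain, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])


if __name__ == "__main__":
    for name in ("13.125.16.12.in-addr.arpa", "www.example.co.uk", "www.ck"):
        print(name, "->", etld_plus_one(name))
```

The reverse-DNS case from the post resolves to `12.in-addr.arpa` under this algorithm, so the field is consistent with the PSL definition rather than with a fixed label count; a detection job that keys on eTLD+1 will therefore group all PTR lookups for a given /8 together.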

Anyone?