eTLD+1 seems to be eTLD+2 in some cases

Hello,

Noticed in the packetbeat_dns_tunneling ML job that some eTLD+1s seem incorrect:

[image]

The third column is dns.question.etld_plus_one

AFAIK an eTLD+1 should consist of 2 parts and 1 dot?

For example, the dns.question.name 13.125.16.12.in-addr.arpa's dns.question.etld_plus_one is 12.in-addr.arpa in our data.

Is this a bug or expected for in-addr.arpa reverse DNS lookups?

Grtz

Willem
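The value asked about can be checked against the Public Suffix List (PSL) algorithm, which is what "eTLD+1" (registrable domain) normally means. The PSL lists in-addr.arpa and ip6.arpa as public suffixes, so for a reverse-lookup name the eTLD is two labels long and the eTLD+1 is the suffix plus one more label, i.e. the first octet. The script below is an added example, not code from Packetbeat or the ML job, and it embeds a small constructed subset of PSL rules rather than the real list; the function names (public_suffix, etld_plus_one) are mine.

```python
"""
Worked example of PSL-style eTLD / eTLD+1 derivation.

Implements the published PSL matching algorithm:
  1. collect all rules that match the name (right-to-left, label by label;
     '*' matches exactly one label);
  2. if any exception rule ('!...') matches, it prevails, minus its
     leftmost label; otherwise the matching rule with the most labels prevails;
  3. if nothing matches, the implicit '*' rule applies (one-label suffix);
  4. the public suffix is the labels covered by the prevailing rule and the
     eTLD+1 is that suffix plus one more label.
"""

# Constructed subset of PSL rules for this example (the real list has
# thousands of entries). 'in-addr.arpa' and 'ip6.arpa' really are in the PSL.
PSL_RULES = [
    "com",
    "uk", "co.uk",
    "arpa", "in-addr.arpa", "ip6.arpa",
    "ck", "*.ck", "!www.ck",
]


def _rule_matches(rule: str, labels: list[str]) -> bool:
    """True if `rule` matches the trailing labels of `labels`."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    for r, l in zip(reversed(rule_labels), reversed(labels)):
        if r != "*" and r != l:
            return False
    return True


def _suffix_len(name: str, rules: list[str]) -> tuple[list[str], int]:
    labels = name.lower().rstrip(".").split(".")
    matching = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matching if r.startswith("!")]
    if exceptions:
        # Exception rule prevails; drop its leftmost label.
        n = len(exceptions[0].lstrip("!").split(".")) - 1
    elif matching:
        n = max(len(r.split(".")) for r in matching)
    else:
        n = 1  # implicit '*' rule
    return labels, n


def public_suffix(name: str, rules: list[str] = PSL_RULES) -> str:
    """Return the public suffix (eTLD) of `name`."""
    labels, n = _suffix_len(name, rules)
    return ".".join(labels[-n:])


def etld_plus_one(name: str, rules: list[str] = PSL_RULES):
    """Return the registrable domain (eTLD+1), or None if `name` is itself
    a public suffix (e.g. 'in-addr.arpa') and has no registrable part."""
    labels, n = _suffix_len(name, rules)
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


if __name__ == "__main__":
    for q in ["www.example.co.uk",
              "13.125.16.12.in-addr.arpa",
              "in-addr.arpa",
              "a.b.ck",
              "www.ck"]:
        print(f"{q:30} eTLD={public_suffix(q):15} eTLD+1={etld_plus_one(q)}")
```

Running it shows that 13.125.16.12.in-addr.arpa gives eTLD "in-addr.arpa" and eTLD+1 "12.in-addr.arpa", the same value seen in the post: a PSL-based eTLD+1 is "suffix plus one label", and the suffix itself can be more than one label (co.uk, in-addr.arpa), so "2 parts and 1 dot" is not a general rule. For detection purposes this also means reverse-lookup traffic is grouped per /8 rather than per resolver or per domain, which is worth remembering when reading the tunnelling job's per-eTLD+1 results.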

Anyone?

No one?

Trying to prevent autoclose nr. 3...

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.