eTLD+1 seems to be eTLD+2 in some cases

Elastic Stack Beats
1

Hello,

Noticed in the packetbeat_dns_tunneling ml job that some etld+1's seem incorrect:

image

The third column is dns.question.etld_plus_one

Afaik an etld+1 should consist of 2 parts and 1 dot?

For example dns.question.name 13.125.16.12.in-addr.arpa 's dns.question.etld_plus_one is 12.in-addr.arpa in our data.

Is this a bug or expected for in-addr.arpa reverse DNS lookups?

Grtz

Willem

2

Anyone?

3

Noone?

4

Trying to prevent autoclose nr 3..

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.