eTLD+1 seems to be eTLD+2 in some cases

willemdh · September 30, 2020, 3:15pm

Hello,

Noticed in the packetbeat_dns_tunneling ml job that some etld+1's seem incorrect:

The third column is dns.question.etld_plus_one

Afaik an etld+1 should consist of 2 parts and 1 dot?

For example dns.question.name 13.125.16.12.in-addr.arpa 's dns.question.etld_plus_one is 12.in-addr.arpa in our data.

Is this a bug or expected for in-addr.arpa reverse DNS lookups?

Grtz

Willem

willemdh · October 15, 2020, 6:49pm

Anyone?

willemdh · November 2, 2020, 1:50pm

Noone?

willemdh · November 16, 2020, 10:45am

Trying to prevent autoclose nr 3..

system · December 14, 2020, 12:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Weird etdl+1 Beats packetbeat	3	440	October 21, 2019
[ES5.1.2] Help with Detecting DNS Tunnels with PacketBeat+Watcher Beats packetbeat	9	1820	April 8, 2017
Detect DNS tunneling Beats packetbeat	15	3053	July 5, 2017
ODD DNS issue with packages.elastic.co Beats	4	546	May 23, 2017
Packetbeat-DNS index and template correction Beats packetbeat	7	2621	June 22, 2016