We are maintaining some authoritative DNS resolvers and are considering using Packetbeat / Elasticsearch for statistics generation, alerting and so on. It's very nice that Packetbeat is capable of matching queries with responses and writes the result into the field "dns.type".
But we wonder how Packetbeat does that. The reason for this question is that we have a few events with dns.type = query (in our setup we should only have answer) which are logged with the following error message:
Another query with the same DNS ID from this client was received so this query was closed without receiving a response
So could it be that Packetbeat is not capable of matching a query with a response if the client has to retransmit? In our opinion Packetbeat should match query and response by using qname+ports+ip+id, but we guess it uses only id+ip. Is that correct?
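To illustrate the difference the question hinges on, here is an added example (not Packetbeat's code, and the post does not establish how Packetbeat actually keys its transactions): a minimal query/response correlator run over constructed traffic that contains a retransmit on a new source port, once keyed on client IP + ID and once on IP + port + ID + qname. The message layout and the "second query on a pending key closes the first one" rule are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class DnsMsg:
    """One DNS message as seen on the wire (assumed minimal layout)."""
    is_response: bool
    client_ip: str
    client_port: int
    dns_id: int
    qname: str


# Constructed traffic, not a real capture: the client sends a query, gives up
# and retransmits from a new source port with the same ID, and then both
# queries are answered (the first answer simply arrived late).
TRAFFIC: List[DnsMsg] = [
    DnsMsg(False, "192.0.2.10", 40001, 0x1234, "example.com."),  # query
    DnsMsg(False, "192.0.2.10", 40002, 0x1234, "example.com."),  # retransmit
    DnsMsg(True, "192.0.2.10", 40001, 0x1234, "example.com."),   # late answer
    DnsMsg(True, "192.0.2.10", 40002, 0x1234, "example.com."),   # answer
]


def key_ip_id(m: DnsMsg) -> tuple:
    return (m.client_ip, m.dns_id)


def key_full(m: DnsMsg) -> tuple:
    return (m.client_ip, m.client_port, m.dns_id, m.qname)


def correlate(traffic: List[DnsMsg], key_fn: Callable[[DnsMsg], tuple]) -> Dict[str, int]:
    """Pair queries with responses under key_fn. A new query landing on a key
    that is still pending closes the earlier query as unanswered, which is the
    behaviour the forum error message describes."""
    pending: Dict[tuple, DnsMsg] = {}
    answered = closed = unmatched = 0
    for m in traffic:
        k = key_fn(m)
        if not m.is_response:
            if k in pending:
                closed += 1  # earlier query closed without a response
            pending[k] = m
        elif k in pending:
            del pending[k]
            answered += 1
        else:
            unmatched += 1  # response with no pending query under this key
    return {"answered": answered, "closed_without_response": closed,
            "unmatched_response": unmatched, "still_pending": len(pending)}
```

With the coarse key the retransmit overwrites the first query and its late answer is then orphaned, producing exactly one "closed without response" event; with the full key both exchanges pair up cleanly.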