DNS labeling
Introduction
As already described in the tutorial chapter alarm-register-and-control, the dnsDecode plugin can tag flows whose DNS request matches a malware blacklist. If alarm mode is not enabled, all flows are still written out (not only the matching ones); a flow whose DNS request record matches a blacklist entry carries the match in the dnsMalType column, and that column stays empty for every other flow.
Moreover, if DNS_WHO=1, the plugin labels the IP addresses of the answer records with the corresponding country and organization; see the dns ip-whois-labeling tutorial.
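Since every flow is written out when alarm mode is off, the blacklist hits have to be pulled out of the flow file afterwards. The following script is an added example and is not part of the Tranalyzer tutorial or of dnsDecode itself. It assumes the flow file is tab-separated with a header line prefixed by `%` and that an untagged flow has an empty dnsMalType field; the sample rows and all column names other than dnsMalType are constructed for the example.

```python
"""Extract flows that dnsDecode tagged via the dnsMalType column.

Assumptions (not taken from the tutorial page): the flow file is tab-separated,
its header line starts with '%', and an untagged flow has an empty dnsMalType
field. Every column name except dnsMalType is made up for this example.
"""
import csv
import io
from collections import Counter

# Constructed sample of a *_flows.txt file. Names and addresses are illustrative;
# flow 2 appears twice because Tranalyzer emits one row per direction (A/B).
SAMPLE_FLOWS = """\
% dir\tflowInd\tsrcIP\tdstIP\tdnsQname\tdnsMalType
A\t1\t10.0.0.5\t10.0.0.1\texample.com\t
A\t2\t10.0.0.7\t10.0.0.1\tbad.example\tmalware
B\t2\t10.0.0.1\t10.0.0.7\tbad.example\tmalware
A\t3\t10.0.0.9\t10.0.0.1\tphish.example\tphishing
"""


def parse_flows(text):
    """Parse a flow file into a list of dicts keyed by header column name."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("%"):
        raise ValueError("expected a '%'-prefixed header line")
    header = lines[0].lstrip("% ").split("\t")
    reader = csv.reader(io.StringIO("\n".join(lines[1:])), delimiter="\t")
    return [dict(zip(header, row)) for row in reader if row]


def tagged_flows(flows, column="dnsMalType"):
    """Return only the rows whose blacklist column is non-empty."""
    return [f for f in flows if f.get(column, "").strip()]


def tagged_flow_indices(flows):
    """Unique flowInd values with a blacklist hit (collapses the A/B directions)."""
    return sorted({f["flowInd"] for f in tagged_flows(flows)}, key=int)


def summarize(flows):
    """Count tagged rows per dnsMalType value and list the offending query names."""
    hits = tagged_flows(flows)
    per_type = dict(Counter(f["dnsMalType"] for f in hits))
    names = sorted({f["dnsQname"] for f in hits})
    return per_type, names


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("tagged flows:", tagged_flow_indices(flows))
    print("per type / names:", summarize(flows))
```

Run it against a real `*_flows.txt` by reading the file into `parse_flows`; the column names in the header will then come from whichever plugins were built, and only dnsMalType has to be present for `tagged_flows` to work.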