Describe the bug
I want to re-open the issue described at #11663. I came across the same issue and can confirm that the original reporter was accurate. This rule should be written to use the DstIpAddr as the pivot, not the SrcIpAddr. As the NXDOMAIN responses are "responses" logs, they all come from the DNS servers. In this case, the IPs of interest are the destination IPs, which are the IPs that originally sent in the request.
To Reproduce
n/a
Expected behavior
see above
Screenshots
see above
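The pivot mismatch the issue describes, shown over a handful of constructed DNS response events. This is an added example, not the rule in question or any project code: only the SrcIpAddr/DstIpAddr field names come from the issue; the EventType, DnsResponseCodeName and DnsQuery fields, the IP addresses and the threshold are assumptions made for illustration.

```python
"""Added example: counting NXDOMAIN responses per client.

For a DNS *response* event the resolver is the source and the client that
issued the query is the destination, so a rule that groups NXDOMAIN
responses by SrcIpAddr only ever sees the resolver(s). Grouping by
DstIpAddr attributes the NXDOMAINs to the client that generated them.
"""
from collections import Counter


def _resp(src, dst, rcode, query):
    """Build one constructed DNS response event (field names are assumptions)."""
    return {
        "EventType": "Response",
        "SrcIpAddr": src,          # resolver answering
        "DstIpAddr": dst,          # client that sent the original query
        "DnsResponseCodeName": rcode,
        "DnsQuery": query,
    }


# Constructed sample log: two resolvers, two clients. 10.1.1.20 is the noisy
# client (four NXDOMAINs); 10.1.1.21 gets one NXDOMAIN and one NOERROR.
SAMPLE_EVENTS = [
    _resp("10.0.0.53", "10.1.1.20", "NXDOMAIN", "k3j9x.example.net"),
    _resp("10.0.0.53", "10.1.1.20", "NXDOMAIN", "q7f2m.example.net"),
    _resp("10.0.0.53", "10.1.1.20", "NXDOMAIN", "z1p8c.example.net"),
    _resp("10.0.0.54", "10.1.1.20", "NXDOMAIN", "w4n6t.example.net"),
    _resp("10.0.0.53", "10.1.1.21", "NXDOMAIN", "typo.example.net"),
    _resp("10.0.0.53", "10.1.1.21", "NOERROR", "www.example.net"),
    # A query event in the same table: must be ignored, since only responses
    # carry a response code.
    {
        "EventType": "Query",
        "SrcIpAddr": "10.1.1.20",
        "DstIpAddr": "10.0.0.53",
        "DnsResponseCodeName": "",
        "DnsQuery": "k3j9x.example.net",
    },
]


def nxdomain_counts(events, pivot_field):
    """Count NXDOMAIN *responses* grouped by the given field.

    pivot_field is either "SrcIpAddr" (the bug) or "DstIpAddr" (the fix).
    """
    counts = Counter()
    for ev in events:
        if ev.get("EventType") != "Response":
            continue
        if ev.get("DnsResponseCodeName") != "NXDOMAIN":
            continue
        counts[ev[pivot_field]] += 1
    return dict(counts)


def noisy_clients(events, threshold):
    """Clients with more than `threshold` NXDOMAIN responses, pivoting on DstIpAddr."""
    per_client = nxdomain_counts(events, "DstIpAddr")
    return sorted(ip for ip, n in per_client.items() if n > threshold)


if __name__ == "__main__":
    # Pivoting on SrcIpAddr blames the resolvers, not the clients.
    print("by SrcIpAddr:", nxdomain_counts(SAMPLE_EVENTS, "SrcIpAddr"))
    # Pivoting on DstIpAddr surfaces the client that actually sent the lookups.
    print("by DstIpAddr:", nxdomain_counts(SAMPLE_EVENTS, "DstIpAddr"))
    print("noisy clients (>3):", noisy_clients(SAMPLE_EVENTS, 3))
```

Run stand-alone, the SrcIpAddr pivot reports only resolver addresses (10.0.0.53 and 10.0.0.54), while the DstIpAddr pivot reports the clients and flags 10.1.1.20 once it crosses the illustrative threshold of three.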