NOERROR in CLIENT_QUERY messages

[misaki-kawakami]

We use afpacket sniffer to collect messages and then send the data to Elastic & Prometheus loggers. Each message type, whether CLIENT_QUERY or CLIENT_RESPONSE, contains thedns.rcode key. In the case of CLIENT_RESPONSE it matches the expected types. However, in the case of CLIENT_QUERY, the status NOERROR is logged for all messages.

We can work with this in Elastic. The problem is with the Prometheus logger and the interpretation of the metric dnscollector_top_noerror_domains, where all CLIENT_QUERY messages are counted because their dns.rcode is NOERROR.

So, for example, a domain that is in top_nonexistent_domains is also in top_noerror_domains. I'm not sure if this is the expected behaviour.

[dmachard]

Can you use the filtering transform to drop queries for the prometheus logger?

transforms:
  filtering:
    log-queries: false
    log-replies: true

[misaki-kawakami]

We don't want to drop queries. We would like to keep metrics like qtypes_total.