Description:

A powerful DNS query processor primary designed to enrich DataFlows with DNS based APIs (e.g. RBLs, ShadowServer’s ASN lookup) but that can be also used to perform regular DNS lookups.

Tags:

dns, enrich, ip

Properties:

In the list below, the names of required properties appear in bold. Any other properties (not in bold) are considered optional. The table also indicates any default values, and whether a property supports the Expression Language Guide.

Name Default Value Allowable Values Description
Lookup value The value that should be used to populate the query Supports Expression Language: true
Results Parser None Split
RegEx
None Do not split results 		The method used to slice the results into attribute groups
Parser RegEx Choice between a splitter and regex matcher used to parse the results of the query into attribute groups. NOTE: This is a multiline regular expression, therefore, the DFM should decide how to handle trailing new line characters.
DNS Query Retries 1 The number of attempts before giving up and moving on
DNS Query Timeout 1500ms The amount of time to wait until considering a query as failed
DNS Servers A comma separated list of DNS servers to be used. (Defaults to system wide if none is used)
DNS Query Type TXT The DNS query type to be used by the processor (e.g. TXT, A)

Relationships:

Name Description
not found Where to route flow files after successfully enriching attributes with data
found Where to route flow files if data enrichment query rendered no results

Reads Attributes:

None specified.

Writes Attributes:

Name Description
enrich.dns.record*.group* The captured fields of the DNS query response for each of the records received

State management:

This component does not store state.

Restricted:

This component is not restricted.