Tutorial: DNS labelling

Introduction

As already described in the tutorial chapter alarm-register-and-control, the plugin dnsDecode can tag flows which match a malware blacklist. If you do not enable the alarm mode, it will produce all flows; for the ones where the DNS request record matches a blacklist record, the match is reported in the dnsMalType column. Moreover, if DNS_WHO=1, it labels the IP addresses of the answer records with the corresponding country and organization, see dns ip-whois-labeling.