satta
commented
4 years ago Suricata will get support for more DNS data from its parser: OISF/suricata#5331 We need to make sure that this does not impact the DNS parser and pDNS aggregator and also make use of the additional information.
ISC's passive DNS specification paper suggests to also include the RRs from the Authorities section in the response packet in the RRsets considered for inclusion in the database. FEVER currently only includes the Answers section in the data sent to the server. We should adjust our behaviour to match the one in the paper.