elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Infoblox NIOS] Incorrectly sets client.domain for DNS queries #9259

Closed pa-jberanek closed 7 months ago

pa-jberanek commented 7 months ago

Just started testing the Infoblox NIOS integration as a replacement for a Logstash pipeline we currently use instead.

It's generally looking good, but I discovered what looks like an issue to me - when parsing DNS query logs, the integration seems to be setting client.domain to the DNS question, and not anything to do with the client.

For example, parsing this log section:

queries: client @0x7fd7deef2ea8 10.14.1.249#53198 (accounts.google.com): query: accounts.google.com IN A + (10.10.10.10)

Leads to:

"dns": {
  "question": {
    "registered_domain": "google.com",
    "top_level_domain": "com",
    "name": "accounts.google.com",
    "subdomain": "accounts",
    "type": "A",
    "class": "IN"
  },
  "header_flags": [
    "RD"
  ]
},
"client": {
  "port": 53198,
  "domain": "accounts.google.com",
  "ip": "10.14.1.249"
},

I was looking at this, as I was attempting to implement a "processor" for this integration, in order to detect the client IP, and apply a 'dns' processor to it, so we could do reverse lookups on the IPs, before the data is sent to Elastic Cloud, where private IPs cannot be turned into hostnames. (See #2532)
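As an added illustration of the correct field mapping (example code, not the integration's own ingest pipeline), the parser below turns the BIND 9 query line quoted above into an ECS-shaped event. The question name goes only under dns.question, and client.domain is filled solely from an optional reverse-lookup callback on the client IP; the flag-to-ECS mapping and the sample resolver are assumptions for this example.

```python
import re
from typing import Callable, Optional

# Sample line, copied from the issue report above.
SAMPLE = ("queries: client @0x7fd7deef2ea8 10.14.1.249#53198 (accounts.google.com): "
          "query: accounts.google.com IN A + (10.10.10.10)")

# BIND 9 "queries" category line:
#   client <@ptr> <ip>#<port> (<name>): query: <name> <class> <type> <flags> (<server ip>)
# The channel prefix ("queries: ") and the "@0x..." client pointer vary across BIND versions.
_QUERY_RE = re.compile(
    r"(?:queries:\s*)?client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+) \([^)]*\): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
    r"(?: \((?P<server_ip>[0-9a-fA-F.:]+)\))?"
)

# BIND flag characters with an ECS dns.header_flags equivalent ("+" = recursion desired,
# "D" = DNSSEC OK, "C" = checking disabled). "-", "E", "T" and "S" carry no ECS header flag.
_FLAG_MAP = {"+": "RD", "D": "DO", "C": "CD"}


def parse_bind_query(line: str, resolver: Optional[Callable[[str], Optional[str]]] = None) -> dict:
    """Map one BIND query log line to an ECS-shaped dict.

    client.domain is set only when `resolver` (e.g. a reverse-DNS lookup, assumed here)
    returns a name for the client IP; it is never copied from the DNS question.
    """
    m = _QUERY_RE.search(line)
    if not m:
        raise ValueError(f"not a BIND query log line: {line!r}")
    name = m["qname"].rstrip(".")          # drop the trailing dot on fully-qualified names
    labels = name.split(".")
    question = {"name": name, "class": m["qclass"], "type": m["qtype"]}
    if len(labels) >= 2:                   # naive split; real pipelines use a public-suffix list
        question["top_level_domain"] = labels[-1]
        question["registered_domain"] = ".".join(labels[-2:])
        if len(labels) > 2:
            question["subdomain"] = ".".join(labels[:-2])
    client = {"ip": m["client_ip"], "port": int(m["client_port"])}
    if resolver is not None:
        client_name = resolver(client["ip"])
        if client_name:
            client["domain"] = client_name
    flags = [_FLAG_MAP[c] for c in m["flags"] if c in _FLAG_MAP]
    event = {"dns": {"question": question, "header_flags": flags}, "client": client}
    if m["server_ip"]:
        event["server"] = {"ip": m["server_ip"]}
    return event
```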

pa-jberanek commented 7 months ago

BIND 9 query log format documentation, by the way: https://bind9.readthedocs.io/en/v9_16_25/logging-categories.html#:~:text=has%20been%20specified.-,The%20query%20log%20entry,-first%20reports%20a

elasticmachine commented 7 months ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

pa-jberanek commented 7 months ago

Thank you, I have now verified this fix. 👍