Suricata

Output from suricata --dump-config

$ suricata --dump-config | grep dns
outputs.1.eve-log.types.4 = dns
outputs.1.eve-log.types.4.dns = (null)
outputs.1.eve-log.types.4.dns.custom = (null)
outputs.1.eve-log.types.4.dns.custom.0 = a
outputs.1.eve-log.types.4.dns.custom.1 = aaaa
outputs.1.eve-log.types.4.dns.custom.2 = cname

eve.json output from the same host

  "proto": "TCP",
  "dns": {
    "version": 2,
    "type": "answer",
    "id": 51890,
    "flags": "8400",
    "qr": true,
    "aa": true,
    "rrname": "90.254.202.209.in-addr.arpa",
    "rrtype": "PTR",
    "rcode": "NOERROR",
    "answers": [
      {
        "rrname": "90.254.202.209.in-addr.arpa",
        "rrtype": "PTR",
        "ttl": 3600,
        "rdata": "advertising.lycos.at" 
      },

I guess it depends a bit.
I was under the impression that only the specified lookups/responses in the custom field would be logged (A,AAAA,CNAME in this case), but when DNS response/requests are grouped it will also log other types of DNS records if there is at least one A/AAAA/CNAME in there.

So depending on your point of view on this, is it a bug with the custom field? Or if not, it is a new feature?

In eve dns v2, what is logged depends on the request type. You limit it, so you could only log requests/responses where the type is of "A", and so on. Of course the response can contain a whole lot more than A records.

Also, the v2 output does not support custom. Try "types" (see https://suricata.readthedocs.io/en/suricata-5.0.0/output/eve/eve-json-output.html#dns). Perhaps custom should be a hidden alias for types as this could be a common mistake for people upgrading from older versions.

Stian: Can you retest after changing "custom" to "types"?