Create a config flag in the DNS logger to limit events to only the ones in the custom field
I am currently running Suricata with the following YAML for dns logging:
- dns:
    custom: [a, aaaa, cname]
But even with this, Suricata logs big zone transfers: if any of the records contains an A, AAAA or CNAME record, it will log all of them. In big AD environments this will create JSON blobs that are quite big.
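As an added illustration (not part of the original report or of Suricata's own code), the script below contrasts the event-level behaviour described above with a per-record filter that can be applied to EVE JSON in post-processing until such a config flag exists. The sample event is constructed, and the eve-log v2 layout with an `answers` array holding `rrtype` per record is an assumption.

```python
import json
from typing import Optional, Tuple

ALLOWED = {"a", "aaaa", "cname"}  # mirrors the "custom:" list from the report

# Constructed EVE DNS answer event (eve-log v2 layout assumed): a zone-transfer
# style response whose answers mix record types, only two of them allowed.
SAMPLE_EVENT = json.dumps({
    "event_type": "dns", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.53",
    "dns": {
        "version": 2, "type": "answer", "id": 4711,
        "rrname": "corp.example", "rrtype": "AXFR", "rcode": "NOERROR",
        "answers": [
            {"rrname": "corp.example", "rrtype": "SOA", "ttl": 3600, "rdata": "dc1.corp.example"},
            {"rrname": "dc1.corp.example", "rrtype": "A", "ttl": 3600, "rdata": "10.0.0.10"},
            {"rrname": "_ldap._tcp.corp.example", "rrtype": "SRV", "ttl": 600, "rdata": "0 100 389 dc1.corp.example"},
            {"rrname": "mail.corp.example", "rrtype": "CNAME", "ttl": 3600, "rdata": "dc1.corp.example"},
            {"rrname": "corp.example", "rrtype": "TXT", "ttl": 3600, "rdata": "v=spf1 -all"},
        ],
    },
})


def event_level_filter(line: str, allowed=ALLOWED) -> Optional[dict]:
    """Behaviour described in the report: if ANY answer has an allowed rrtype,
    the whole event (every record) is kept; otherwise it is dropped."""
    ev = json.loads(line)
    answers = ev.get("dns", {}).get("answers", [])
    return ev if any(a.get("rrtype", "").lower() in allowed for a in answers) else None


def record_level_filter(line: str, allowed=ALLOWED) -> Optional[dict]:
    """Behaviour the report asks for: keep only answer records whose rrtype is
    allowed, and drop the event entirely when none remain."""
    ev = json.loads(line)
    dns = ev.get("dns", {})
    kept = [a for a in dns.get("answers", []) if a.get("rrtype", "").lower() in allowed]
    if not kept:
        return None
    dns["answers"] = kept
    return ev


def compare(line: str) -> Tuple[int, int]:
    """Answer counts logged under the event-level and the per-record filter."""
    whole, trimmed = event_level_filter(line), record_level_filter(line)
    return (len(whole["dns"]["answers"]) if whole else 0,
            len(trimmed["dns"]["answers"]) if trimmed else 0)


if __name__ == "__main__":
    print(compare(SAMPLE_EVENT))  # (5, 2)
```

The same filter can sit in the log shipper (a small stdin/stdout pass over eve.json) so that only the requested record types reach the SIEM, which is what keeps the per-event JSON small in large AD zones.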