Does anyone have a recommended way to handle a sensor that also runs a DNS resolver/forwarder?
Since the requests “originate” at the sensor there is no other side of the traffic for Zeek to see. This generates a weird.log possible_split_routing entry for every forwarded DNS request.
Is this generally avoided by moving DNS off the firewall/sensor, or are there other ways of handling this?
Thanks,
Michael