# DNS Enrichment ## Overview NetObserv Flow can be configured to resolve IP addresses to hostnames. The following settings allow this feature to be tuned to the needs of your environment. ## Configurations ### EF\_PROCESSOR\_ENRICH\_IPADDR\_DNS\_ENABLE This setting enables DNS reverse lookups of IP addresses found in the received flow records. Disabling this feature will also disable looking up hostnames defined in the file referenced here: `EF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_PATH`. * Valid Values * `true`, `false` * Default * `false` ### EF\_PROCESSOR\_ENRICH\_IPADDR\_DNS\_NAMESERVER\_IP The default behavior of the collector is to use the operating system's configured name resolution to resolve IP addresses to hostnames. Optionally, a nameserver can be specified in this setting, which will be used instead. {% hint style="info" %} If configured, this setting *MUST* contain a valid IP address. {% endhint %} * Default * *empty* ### EF\_PROCESSOR\_ENRICH\_IPADDR\_DNS\_NAMESERVER\_TIMEOUT If `EF_PROCESSOR_ENRICH_IPADDR_DNS_NAMESERVER_IP` contains a valid IP address, this setting contains the timeout period, in milliseconds, for queries to the name server. * Default * `3000` (milliseconds) ### EF\_PROCESSOR\_ENRICH\_IPADDR\_DNS\_RESOLVE\_PRIVATE If DNS resolution is enabled (`EF_PROCESSOR_ENRICH_IPADDR_DNS_ENABLE` is `true`) this option specifies whether private IP addresses will be resolved to hostnames. * Valid Values * `true`, `false` * Default * `true` ### EF\_PROCESSOR\_ENRICH\_IPADDR\_DNS\_RESOLVE\_PUBLIC If DNS resolution is enabled (`EF_PROCESSOR_ENRICH_IPADDR_DNS_ENABLE` is `true`) this option specifies whether public IP addresses will be resolved to hostnames. * Valid Values * `true`, `false` * Default * `true` ### EF\_PROCESSOR\_ENRICH\_IPADDR\_DNS\_USERDEF\_PATH This setting specifies the path to the file containing user-defined hostname mappings. The feature is enabled if a path is configured, otherwise it is disabled. If there is a conflict between the hostname returned by a DNS query and what is defined in this file, this file wins. An example of the format of this file is: ```yaml '192.0.2.1': 'host1' '192.0.2.2': 'host2' ``` * Default * `''` * Recommended * `/etc/elastiflow/hostname/user_defined.yml` ### EF\_PROCESSOR\_ENRICH\_IPADDR\_DNS\_USERDEF\_REFRESH\_RATE The file specified in `EF_PROCESSOR_ENRICH_IPADDR_DNS_USERDEF_PATH` can be loaded automatically to refresh values without restarting the collector. This value specifies the refresh interval, in minutes, that the file will be reloaded. The value of `0` disables refreshing of the values. * Default * `15` ### EF\_PROCESSOR\_ENRICH\_IPADDR\_DNS\_INCLEXCL\_PATH For more control of when enrichment is applied, IP addresses can be included or excluded from hostname enrichment by Autonomous System or CIDR. This setting specifies the path to this file. For more details on the format of this file and the behavior of the include/exclude functionality, refer to: [Scoping Enrichment with Include/Exclude](/flowcoll/configuration/enrichment-options/ip-address-enrichment/enrich_ip_udm.md#scoping-enrichment-with-include-exclude) * Default * `''` * Recommended * `/etc/elastiflow/hostname/incl_excl.yml` ### EF\_PROCESSOR\_ENRICH\_IPADDR\_DNS\_INCLEXCL\_REFRESH\_RATE The file specified in `EF_PROCESSOR_ENRICH_IPADDR_DNS_INCLEXCL_PATH` can be loaded automatically to refresh values without restarting the collector. This value specifies the refresh interval, in minutes, that the file will be reloaded. The value of `0` disables refreshing of the values. * Default * `15` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.elastiflow.com/flowcoll/configuration/enrichment-options/ip-address-enrichment/enrich_ip_hostname.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.