diff --git a/elk-hole.zip b/elk-hole.zip deleted file mode 100644 index 1cd4addd99d3a2b4248ded6f6896be7641479ef3..0000000000000000000000000000000000000000 Binary files a/elk-hole.zip and /dev/null differ diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf index 3d92af056b5d0ee30ec1e2dd0c58e8b8916aaf53..08daaaee60df94dbe81d06782fa2a84e57c8f244 100644 --- a/logstash/conf.d/20-dns-syslog.conf +++ b/logstash/conf.d/20-dns-syslog.conf @@ -73,6 +73,12 @@ filter { # to do cached and cached reverse + else if [message] =~ "cached" and [message] =~ "NXDOMAIN" { + mutate { + add_tag => [ "cached NXDOMAIN" ] + } + } + else if [NODATA-IPv4] { mutate { add_tag => [ "NODATA" ] @@ -157,11 +163,6 @@ filter { } } - else if [message] =~ "cached" and [message] =~ "NXDOMAIN" { - mutate { - add_tag => [ "cached NXDOMAIN" ] - } - }
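Review bot: The relocated `cached NXDOMAIN` branch in the first hunk of `logstash/conf.d/20-dns-syslog.conf` tests `[message]` with two independent, unanchored matches, so any line containing both substrings anywhere takes it. That presumably includes a non-cached NXDOMAIN reply for a queried name that itself contains `cached`. Because the branch now sits ahead of `else if [NODATA-IPv4]` and the rest of the chain, such a line is tagged here and never reaches the later branches, and the query name is set by whichever client sent the request, so the tag can be wrong on client-chosen input. A single pattern tied to the log layout would be tighter, for example `else if [message] =~ /: cached \S+ is NXDOMAIN/ {`, assuming the resolver writes lines in that shape (not visible in this hunk, so confirm against a sample line). The `else if` chain begins and continues outside the hunk, so check the full branch ordering there.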