diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf index c473dd106ad9e6abc56d1264f019358d72645c4a..4aa838b46118bc0f88ac989b1f45cc3689b380e8 100644 --- a/logstash/conf.d/20-dns-syslog.conf +++ b/logstash/conf.d/20-dns-syslog.conf @@ -1,7 +1,7 @@ ################################################################# -# logstash parsing logic and tagging for elk-hole # -# created by n9nes # -# feel free to star the rep - https://github.com/nin9s/elk-hole # +# logstash parsing logic and tagging for elk-hole # +# created by n9nes # +# feel free to star the rep - https://github.com/nin9s/elk-hole # ################################################################# input { @@ -20,7 +20,7 @@ filter { match => { "message" => [ -# request - query type + # request - query type "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$", # reponse domain to ip "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$", @@ -74,13 +74,13 @@ filter { # to do cached and cached reverse - if [request_from] { + if [request_from] and [message] =~ "query" { mutate { add_tag => [ "request and query type" ] } } - else if [ip_response] { + else if [ip_response] and [message] =~ "reply" { geoip { source => "ip_response" } @@ -173,8 +173,7 @@ filter { dns { reverse => ["source_fqdn"] - action => "replace" -# nameserver => ["localhost"] + action => "replace" hit_cache_size => 4096 hit_cache_ttl => 900 failed_cache_size => 512
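Review bot: The new discriminators `[message] =~ "query"` and `[message] =~ "reply"` in the third hunk are unanchored substring matches over the whole syslog line, so the `domain_request` portion — a name chosen by whoever sends the DNS query — can satisfy them: a lookup of `reply.example.com` logged by a non-reply line that also sets `ip_response` (the `cached` lines the `to do` comment refers to, if they set that field) would fall into the geoip/reply branch. Anchor the match on the dnsmasq verb position instead, where an FQDN cannot contain a space or a bracket: `if [request_from] and [message] =~ / query\[/ {` and `else if [ip_response] and [message] =~ / reply / {`. Also, an event that sets one of these fields but fails its regex now silently gets neither a tag nor geoip enrichment; consider a trailing `else { mutate { add_tag => [ "unclassified" ] } }` so such events stay visible in the index. The enclosing filter block and the if/else chain start before and continue past this hunk.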