diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index 14516620af936ff48fbcf7275b2fdd1242eeffc0..e45a65e78c59053d72573ef14d96fe96b08a29c4 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -131,18 +131,20 @@ filter {
         }
       }
 
-      else if [domain_request] and [message] =~ "cached" {
+     
+
+      else if [message] =~ "cached" and [message] =~ "CNAME" {
         mutate {
-          add_tag => [ "cached domain to ip" ]
-        }
-        geoip {
-          source => "ip_response"
+          add_tag => [ "cached domain to ip cname" ]
         }
       }
 
-      else if [message] =~ "cached" and [message] =~ "CNAME" {
+	  else if [domain_request] and [message] =~ "cached" {
         mutate {
-          add_tag => [ "cached domain to ip cname" ]
+          add_tag => [ "cached domain to ip" ]
+        }
+        geoip {
+          source => "ip_response"
         }
       }