Splunk Enterprise Security

How to get DNS logs running on Solaris for the Splunk Enterprise Security app?

rishrai
New Member

Hi,

I am implementing the Splunk Enterprise Security app. I have DNS logs which are in Solaris. I went through the DNS app for Linux. Can I use the same app?
DNS logs will be brought in as syslog. There are three types of DNS logs: queries, security and transfers.

I would appreciate it if I could get some clarification as to how to bring in the data, what data is required for the ES app, and how to make the ES app work. Also, do we need the Stream app to be installed for the same?

0 Karma
1 Solution

maciep
Champion

I'm not sure how much I can help you here, but maybe I can provide a high-level answer.

Generally speaking, the correlation searches in ES run against the CIM datamodels. There are multiple datamodels for things like Intrusion Detection, Network Traffic, Email, etc. And so the goal is to map the data in your dns data to the fields defined in the datamodel. These are all search time configurations.

Each datamodel is defined by a tag or set of tags. So if you want the DNS data to show up, then an eventtype/tag needs to be configured to mark it appropriately.

Next, the datamodels use certain fields. For example, there may be a field called src and another called dest. So you need to create those fields for dns data if they don't exist. For example, if you have a field called destination, then you'd want to create a field alias of that called dest, because that's the field expected by the datamodel.

Once that's done, any correlation search running against that datamodel will include your DNS data. This allows you to map multiple sources of data to one datamodel, so the correlation searches won't really need to be modified.

One other thing to note is where you store those search time operations (field mappings, etc). ES needs to be made aware of apps that it needs to take into consideration. There are some default rules for apps it allows like "TA-xxx" or "Splunk-TA_xxx" or something to that effect. But if you have your config in an app like mycompany_config_dns_mappings, then you'll need to import that app into ES. I don't recall off hand how to do that, but I'm sure it's documented.

I'm not sure if this is sort of what you were looking for or helpful at all, but I thought I'd share what I know. Also, we are a few versions behind on ES, so I apologize if any of this is outdated or has been changed. And here is the link to the Network Resolution datamodel documentation, which is probably where your data would need to be mapped to.

http://docs.splunk.com/Documentation/CIM/4.5.0/User/NetworkResolutionDNS

0 Karma
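The mapping the answer describes, written out as an added example (not from the post or from any Splunk add-on): a search-time extraction, an eventtype and the three tags that put syslog DNS query events into the CIM Network_Resolution DNS dataset. The sourcetype name `solaris:dns`, the eventtype name, and a BIND-style query log line format are assumptions; adjust the regex to whatever your Solaris resolver actually writes.

```ini
# props.conf  (constructed example; sourcetype name and log format are assumptions)
[solaris:dns]
# Assumed BIND-style query log line, e.g.:
#   client 10.0.0.5#51234 (example.com): query: example.com IN A + (192.168.1.10)
# Extracts the CIM fields src, src_port, query, query_type and the answering
# server as server_ip; everything here is search-time, nothing is re-indexed.
EXTRACT-dns_query = client\s+(?<src>[\d\.]+)#(?<src_port>\d+).*?query:\s+(?<query>\S+)\s+IN\s+(?<query_type>\S+)\s+\S+\s+\((?<server_ip>[\d\.]+)\)
# The datamodel expects "dest", so alias the extracted name rather than re-extracting,
# exactly as the answer suggests for a field called "destination"
FIELDALIAS-dns_dest = server_ip AS dest
# Constant CIM fields the log line does not carry
EVAL-message_type = "Query"
EVAL-transport = "udp"
EVAL-dest_port = 53
EVAL-vendor_product = "Solaris DNS"

# eventtypes.conf  (eventtype name is an assumption)
[solaris_dns_query]
search = sourcetype=solaris:dns "query:"

# tags.conf  -- the Network_Resolution DNS dataset selects on these three tags
[eventtype=solaris_dns_query]
network = enabled
resolution = enabled
dns = enabled
```

Ship these files in an add-on whose name starts with `TA-` so ES picks it up without changes to its app import settings, then confirm the events land with `| datamodel Network_Resolution DNS search | head` and check that `src`, `dest` and `query` are populated rather than null.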
