Hi TonyLeeVT,

Agreeed that some of these extractions aren't doing exactly what's intended. Internally we're working on some updates however don't have a time frame just yet.

First the message_type needed some rework.

EVAL-message_type = if(match(_raw,"Response:|response:"),"Response",if(match(_raw,"query:\s(\S+)\s(\w+)\s(\S+)\s((?:\+|\-)\S*)\s\((\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)"),"Query","unknown"))

Then split the request and response regex.

[dns_request]
REGEX = client\s(?<dns_request_client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<dns_request_client_port>\d+).*\squery:\s(?<dns_request_queried_domain>\S+)\s(?<dns_request_class_name>\w+)\s(?<dns_request_type_name>\w+)\s(?<dns_request_setDC>(?:\+|\-)\S*)\s\((?<dns_request_name_serverIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)

[dns_response]
REGEX = \S+\s+(?<server_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\snamed\[(?<pid>\d+)\]\:\s(?<log_date>\S+)\s(?<log_time>\S+)\sclient\s(?<dns_response_client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<dns_response_client_port>\d+)?[\D]*\s(?<dns_response_protocol>\w+):\squery:\s(?<dns_response_queried_domain>\S+)\s(?<dns_response_class_name>\w+)\s(?<dns_response_type_name>\w+)\sresponse:\s(?<dns_response_rcode>\w+)\s(?<dns_response_flags>\S+)\s?(?<dns_response_RR_in_TEXT>[\S+\s+]*)?

And to deal with the multiple records within the response we can split out again

[dns_incepted]
REGEX=(?<dns_record>[^;]+)
SOURCE_KEY=dns_response_RR_in_TEXT
MV_ADD=true

[dns_records_extract]
 REGEX = (?<dns_answer_name>\S+)\s(?<dns_answer_ttl>\d+)\s(?<dns_class>\S+)\s(?<dns_type>\S+)\s(?<dns_rdata>\S+)
 SOURCE_KEY = dns_record
 MV_ADD=true

Hope this helps for now, however with all the changes it may be better to wait for the update.
Don