Hi guys,
I am using Suricata 6.0.0 and I want to set up a rule with a dataset for DNS requests.

Here is my setup:

alert dns any any -> any any (msg:"DNS Query BLACKLISTED DOMAIN"; dns.query; to_sha256; dataset:isset,bad-domain; sid:900002; rev:1;)

type: sha256
load: /etc/suricata/rules/domains_blck.lst
memcap: 100mb

domains_blck.lst: (one value sha256 for

However, when I do a request for there is no alert and no errors in the log for it.

What am I doing wrong?

Does the DNS record generated ("event_type":"dns") match the domain? (and subsequently the sha256?)

Hi Peter,

it does:

However, I changed the hash in the file with:
echo -n | sha256sum
4d09faeba081444a05f1d8da8bf9625de41970cb6aacee57858b5bdec347cf04 -

but still no success.

Btw, how exactly does Suricata check it, and if it works, will it alert?
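To illustrate what a `type: sha256` dataset with `dns.query; to_sha256; dataset:isset,...` compares, here is an added example (not from the thread or from the Suricata project) that builds a dataset file from constructed placeholder domains and mirrors the lookup: the digest is taken over the exact bytes of the query buffer, so a trailing newline (echo without -n) or a different subdomain produces a different digest and no match.

```python
import hashlib

# Constructed sample blocklist; placeholder names, not the domain from the thread.
BLOCKED_DOMAINS = ["bad.example", "malware.test"]

def dataset_entry(query: bytes) -> str:
    """Lowercase hex sha256 of the raw dns.query bytes: the value a 'type: sha256'
    dataset stores one per line and what the to_sha256 transform produces."""
    return hashlib.sha256(query).hexdigest()

def build_dataset(domains) -> str:
    """Render a dataset file body: one 64-char hex digest per line, nothing else."""
    return "\n".join(dataset_entry(d.encode()) for d in domains) + "\n"

def load_dataset(text: str) -> set:
    """Parse a dataset file; skip blank lines, reject anything that is not a digest."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if len(line) != 64 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError(f"not a sha256 hex digest: {line!r}")
        entries.add(line)
    return entries

def isset(dataset: set, query: bytes) -> bool:
    """Mirror of dataset:isset applied to a to_sha256-transformed query buffer."""
    return dataset_entry(query) in dataset

if __name__ == "__main__":
    ds = load_dataset(build_dataset(BLOCKED_DOMAINS))
    # Only the exact bytes match; "bad.example\n" is what `echo bad.example | sha256sum`
    # hashes, and "www.bad.example" is a different name, so neither is set.
    for q in [b"bad.example", b"bad.example\n", b"www.bad.example"]:
        print(q, isset(ds, q))
```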