Help with datasets and DNS

Hi guys,
I am using Suricata 6.0.0 and I want to set up a rule with a dataset for DNS requests.

Here is my setup:

Rule:
alert dns any any -> any any (msg:"DNS Query BLACKLISTED DOMAIN"; dns.query; to_sha256; dataset:isset,bad-domain; sid:900002; rev:1;)

Suricata.yml:
datasets:
  bad-domain:
    type: sha256
    load: /etc/suricata/rules/domains_blck.lst
    memcap: 100mb

domains_blck.lst: (one value sha256 for test.xyz)
b682109cba2ce81a7a25d8979eb5860b9be131d24ff6b2dd6c210d9e5c6dcd59

However, when I do a request for test.xyz, there is no alert and no errors in the log for it.

What am I doing wrong?

Does the generated dns record ("event_type":"dns") match the domain? (and subsequently the sha256?)

Hi Peter,

it does:
"dns":{"type":"query","id":32445,"rrname":"test.xyz","rrtype":"A","tx_id":0}

However I changed the hash in the file with:
echo -n test.xyz | sha256sum
4d09faeba081444a05f1d8da8bf9625de41970cb6aacee57858b5bdec347cf04 -

but still no success.

Btw, how exactly does Suricata check it? If test.xyz works, will abc.test.xyz alert?
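An added example, not from the thread and not Suricata code: it models what the rule does by hashing the exact dns.query buffer with sha256, writing the digests in the one-hex-digest-per-line layout of a "type: sha256" dataset, and looking candidate query names up with an exact-match set lookup (my approximation of isset). It shows that abc.test.xyz does not match an entry for test.xyz, and that hashing with a trailing newline (echo without -n) yields a digest that never matches.

```python
import hashlib
import tempfile
from pathlib import Path


def domain_digest(name: str) -> str:
    """Hex sha256 of the exact query name, as 'to_sha256' hashes the dns.query buffer (no newline)."""
    return hashlib.sha256(name.encode()).hexdigest()


def write_dataset(path: str, names: list) -> None:
    """Write one hex digest per line, the file layout of a 'type: sha256' dataset."""
    with open(path, "w") as fh:
        for name in names:
            fh.write(domain_digest(name) + "\n")


def load_dataset(path: str) -> set:
    """Model of loading a sha256 dataset: keep 64-char hex lines, skip blanks, reject anything else."""
    entries = set()
    for line in Path(path).read_text().splitlines():
        line = line.strip().lower()
        if not line:
            continue
        if len(line) != 64 or any(c not in "0123456789abcdef" for c in line):
            raise ValueError(f"not a sha256 hex digest: {line!r}")
        entries.add(line)
    return entries


def isset(dataset: set, query_name: str) -> bool:
    """Emulate 'dns.query; to_sha256; dataset:isset,...': exact match on the digest, no suffix logic."""
    return domain_digest(query_name) in dataset


def demo() -> dict:
    """Build a dataset holding only test.xyz and probe it with a few constructed query names."""
    with tempfile.TemporaryDirectory() as tmp:
        path = f"{tmp}/domains_blck.lst"  # stand-in for the thread's list file
        write_dataset(path, ["test.xyz"])
        ds = load_dataset(path)
        return {
            "test.xyz": isset(ds, "test.xyz"),          # exact name: matches
            "abc.test.xyz": isset(ds, "abc.test.xyz"),  # subdomain hashes differently: no match
            "TEST.xyz": isset(ds, "TEST.xyz"),          # different bytes, different digest
            # digest of "test.xyz\n" is what 'echo test.xyz | sha256sum' (no -n) produces
            "newline_digest_differs": domain_digest("test.xyz\n") != domain_digest("test.xyz"),
        }


if __name__ == "__main__":
    for query, hit in demo().items():
        print(f"{query!r}: {hit}")
```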