Kibana event.dataset.keyword: dns -- How to include encrytped port 853 DNS?

[RagnarSTS]

How do I add port 853 to the built in kibana functions that determine something is DNS? event.dataset.keyword: DNS only includes 53, 5353, and 137.

tl;dr
Port 853 DNS has been a thing and seems stable for a while in my environment. Obviously I could make new dashboards and such to show port 853 traffic along with 53 and 5353, but I think the correct answer is to edit the existing built in identifier to include 853 as DNS everywhere without hacking together some new thing to see requests.

Cleanly show an incoming standard 53 request on one side of a firewall, and see the equivalent request go out on the other side for upstream 853. Just be able to compare response times, etc.

[dougburks]

Assuming you're using Zeek instead of Suricata for metadata, event.dataset is set to dns for logs coming from Zeek's dns.log. Zeek automatically logs any name lookups seen on ports 53, 5353, and 137 to dns.log. If port 853 is encrypted, then it would seem that Zeek won't be able to determine that it's a name lookup and therefore won't log it to dns.log. Zeek should still log some metadata about the connection to conn.log and so you should be able to find that via the Kibana Connections dashboard or via the Connections queries in Hunt.

[RagnarSTS]

Confirm using zeek, and 853 traffic does show up fine under connections and queries for it work fine. I simply wish for the traffic to be categorized properly. Large quantities of DNS traffic over short periods of time are indicative of a problem, and if one were simply packet counting on the encrypted side, without being properly categorized it makes it easier to overlook.
.. So I need to edit zeek's configs ...