Add eTLD+1 to the DNS documents published by Packetbeat

[andrewkroh]

The effective top level domain plus one more label is really useful for clustering DNS requests (hostnames). For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.".

This was the basis for the aggregations used in Detecting DNS Tunnels with Packetbeat and Watcher.

I used a Groovy script to do this in the blog post, but this has several downsides.

• You cannot do a terms aggregations in Kibana with the eTLD+1 value because you cannot use a Groovy scripted field.
• The method used in the blog post to get the eTLD+1 value was naive. For example, it didn't work correctly for www.google.co.uk because it would return co.uk resulting in a huge cluster of domains. This uses the data from http://publicsuffix.org so it will correctly return google.co.uk.

Unrelated changes

• Removed non-ascii characters from the AMQP field descriptions in etc/fields.
• Optimized the AppVeyor config. There were a lot of failures reaching out to Sourceforge to get mingw.

This change depends on the SOCKS5 PR which adds the golang.org/x/net/publicsuffix dep.

[monicasarbu]

@andrewkroh Nice one! Is ready for review?

[andrewkroh]

It can be reviewed, but not merged. There's a dependency on the SOCKS proxy PR which adds a common dependency. I'll add the review label as soon as it's mergeable.

[andrewkroh]

This is now ready to go. I rebased it to pull in the golang.org/x/net/publicsuffix dep and added tests.

[dedemorton]

I don't understand why you changed Packetbeat to Docs/Fields.Asciidoc here.

[andrewkroh]

Me either. 😕 I used make update re-build the Packetbeat docs because I added a field. I'll open a new PR to undo this change.