Microsoft-Windows-DNS-Client

107 events across 2 channels

Event ID	Title	Channel
1000	There are currently no IPv4 DNS servers configured for any interface on this …	Operational
1001	Interface: %1 Total DNS Server Count: %2 Index: %3 Address: %6 (%4).	Operational
1002	The DNS server being queried for interface %1 has changed to %3.	Operational
1003	The following DNS server(s) were successfully validated as active servers that …	Operational
1004	The following DNS server(s) were successfully validated as active servers that …	System
1005	The client was unable to validate the following as active DNS server(s) that can …	Operational
1006	The client was unable to validate the following as active DNS server(s) that can …	System
1007	The primary DNS suffix for this machine is missing.	Operational
1008	The primary DNS suffix for this machine is missing.	System
1009	The primary DNS suffix for this machine does not match the Active Directory …	Operational
1010	The primary DNS suffix for this machine does not match the Active Directory …	System
1011	There was an error while attempting to read the local hosts file.	Operational
1012	There was an error while attempting to read the local hosts file.	System
1013	Name resolution for the name %1 timed out after none of the configured DNS …	Operational
1014	Name resolution for the name %1 timed out after none of the configured DNS …	System
1015	Name resolution for the name %1 timed out after the DNS server %3 did not …	Operational
1016	A name not found error was returned for the name %1.	Operational
1017	The DNS server's response to a query for name %1 indicates that no records of …	Operational
1018	The response for the query %1 was a Link Local IP address %3.	Operational
1019	There are currently no IPv6 DNS servers configured for any interface on this …	Operational
1020	Read DNS Name Resolution Policy Table: Key Name %1: DNSSEC Settings: …	Operational
1021	Matched Effective policy for query name %1: Key Name %2: …	Operational
1022	Name resolution for the name, %1, will not fall back to LLMNR or NetBIOS.	Operational
1023	Name resolution policy table has been corrupted.	System
1024	Transaction ID of the response for query %1 from server %3 did not match.	Operational
1025	The DNS server IP %3 of the response for query %1 is not configured on the …	Operational
1026	The question (%2) in the response from server %4 does not match the original …	Operational
1027	DNS Name resolution for the name, %1, failed because the client was unable to …	Operational
1028	Matched effective policy for query name %1: Key Name %2: …	Operational
3000	DNS Query is initiated for the name %1 and for the type %2 with query options …	Operational
3001	DNS Query operation is completed with result %1.	Operational
3002	DNS Cache lookup is initiated for the name %1 and for the type %2 with query …	Operational
3003	DNS Cache lookup operation for the name %1 and for the type %2 is completed with …	Operational
3004	DNS FQDN Query is initiated for the name %1 and for the type %2 with query …	Operational
3005	DNS FQDN Query operation for the name %1 and for the type %2 is completed with …	Operational
3006	DNS query is called for the name %1, type %2, query options %3, Server List %4, …	Operational
3007	DnsQueryEx for the name %1 is pending.	Operational
3008	DNS query is completed for the name %1, type %2, query options %3 with status %4 …	Operational
3009	Network query initiated for the name %1 (is parallel query %2) on network index …	Operational
3010	DNS Query sent to DNS Server %3 for name %1 and type %2.	Operational
3011	Received response from DNS Server %3 for name %1 and type %2 with response …	Operational
3012	NETBIOS query is initiated for name %1 on network index %2 with inteface count …	Operational
3013	NETBIOS query is completed for name %1 with status %2 and results %3.	Operational
3014	NETBIOS query for the name %1 is pending.	Operational
3015	DnsQueryEx is canceled for the name %1.	Operational
3016	Cache lookup called for name %1, type %2, options %3 and interface index %4.	Operational
3018	Cache lookup for name %1, type %2 and option %3 returned %4 with results %5.	Operational
3019	Query wire called for name %1, type %2, interface index %3 and network index %4.	Operational
3020	Query response for name %1, type %2, interface index %3 and network index %4 …	Operational
3023	Initiating resolver operation %1, name %2, flag %3, client PID %4.	Operational
3024	Server %1 failed to validate DDR certificate for original address %2 with status …	System
8001	Unable to start DNS Client service.	System
8002	Unable to start DNS Client service because the system failed to allocate memory …	System
8003	The system failed to register network adapter with settings: Adapter Name : %1 …	System
8004	The system failed to register network adapter with settings: Adapter Name : %1 …	System
8005	The system failed to register network adapter with settings: Adapter Name : %1 …	System
8006	The system failed to register network adapter with settings: Adapter Name : %1 …	System
8007	The system failed to register network adapter with settings: Adapter Name : %1 …	System
8008	The system failed to register network adapter with settings: Adapter Name : %1 …	System
8009	The system failed to register pointer (PTR) resource records (RRs) for network …	System
8010	The system failed to register pointer (PTR) resource records (RRs) for network …	System
8011	The system failed to register pointer (PTR) resource records (RRs) for network …	System
8012	The system failed to register pointer (PTR) resource records (RRs) for network …	System
8013	The system failed to register pointer (PTR) resource records (RRs) for network …	System
8014	The system failed to register pointer (PTR) resource records (RRs) for network …	System
8015	The system failed to register host (A or AAAA) resource records (RRs) for …	System
8016	The system failed to register host (A or AAAA) resource records (RRs) for …	System
8017	The system failed to register host (A or AAAA) resource records for network …	System
8018	The system failed to register host (A or AAAA) resource records (RRs) for …	System
8019	The system failed to register host (A or AAAA) resource records (RRs) for …	System
8020	The system failed to register host (A or AAAA) resource records (RRs) for …	System
8021	The system failed to update and remove registration for the network adapter with …	System
8022	The system failed to update and remove registration for the network adapter with …	System
8023	The system failed to update and remove registration for the network adapter with …	System
8024	The system failed to update and remove registration for the network adapter with …	System
8025	The system failed to update and remove registration for the network adapter with …	System
8026	The system failed to update and remove the DNS registration for the network …	System
8027	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System
8028	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System
8029	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System
8030	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System
8031	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System
8032	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System
8033	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System
8034	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System
8035	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System
8036	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System
8037	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System
8038	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System
8040	A DNS interception provider has been loaded.	System
8042	A DNS interception provider performed an illegal operation.	System
8043	DNS-over-HTTPS query initiated to server %1 for the name %2, on interface %3, …	Operational
8044	DNS-over-TLS query initiated to server %1 for the name %2, on interface %3, with …	Operational
8045	DNS-over-HTTPS request to server %1 with template %2 returned HTTP status $3.	Operational
8046	DNS-over-HTTPS request to server %1 with template %2 failed with error %3.	Operational
8047	DNS-over-TLS request to server %1 with hostname %2 failed with error %3.	Operational
8048	DNS-over-HTTPS request failed to obtain valid SSL certificate from server %1, …	System
8049	DNS-over-TLS request failed to obtain valid SSL certificate from server %1, with …	System
8050	Windows DNS Client process mitigations: SystemCall: %1, ExtensionPoint: %2, …	Operational
60004	Error: %1 Location: %2 Context: %3.	Operational
60005	Warning: %1 Location: %2 Context: %3.	Operational
60006	Transitioned to State: %1 Context: %2.	Operational
60007	Updated Context: %1 Update Reason: %2.	Operational
60008	Name resolution policy table has been corrupted.	Operational
60101	SourceAddress: %1 SourcePort: %2 DestinationAddress: %3 DestinationPort: %4 …	Operational
60102	SourceAddress: %1 SourcePort: %2 DestinationAddress: %3 DestinationPort: %4 …	Operational
60103	Interface Guid: %1 IfIndex: %2 Interface Luid: %3 ReferenceContext: %4.	Operational

Event ID 1000 — There are currently no IPv4 DNS servers configured for any interface on this host.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

There are currently no IPv4 DNS servers configured for any interface on this host. Please configure DNS server settings, or renew your dynamic IP settings.

Fields

Name	Description
`Location`	—
`Context`	—

Event ID 1001 — Interface: %1 Total DNS Server Count: %2 Index: %3 Address: %6 (%4).

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Interface: %1 Total DNS Server Count: %2 Index: %3 Address: %6 (%4)

Fields

Name	Description
`Interface`	—
`Total_DNS_Server_Count`	—
`Index`	—
`Address`	—
`TotalServerCount`	—
`DynamicAddress`	—
`AddressLength`	—

Event ID 1002 — The DNS server being queried for interface %1 has changed to %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

The DNS server being queried for interface %1 has changed to %3

Fields

Name	Description
`Interface`	—
`AddressLength`	—
`Address`	—
`ClientPID`	—

Event ID 1003 — The following DNS server(s) were successfully validated as active servers that can service this client.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

The following DNS server(s) were successfully validated as active servers that can service this client. %2

Fields

Name	Description
`AddressLength`	—
`Address`	—

Event ID 1004 — The following DNS server(s) were successfully validated as active servers that can service this client.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The following DNS server(s) were successfully validated as active servers that can service this client. {Address}

Fields

Name	Description
`Address`	—

Event ID 1005 — The client was unable to validate the following as active DNS server(s) that can service this client.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

The client was unable to validate the following as active DNS server(s) that can service this client. The server(s) may be temporarily unavailable, or may be incorrectly configured. %2

Fields

Name	Description
`AddressLength`	—
`Address`	—

Event ID 1006 — The client was unable to validate the following as active DNS server(s) that can service this client.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The client was unable to validate the following as active DNS server(s) that can service this client. The server(s) may be temporarily unavailable; or may be incorrectly configured. {Address}

Fields

Name	Description
`Address`	—

Event ID 1007 — The primary DNS suffix for this machine is missing.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

The primary DNS suffix for this machine is missing. In the absence of a primary DNS suffix, short unqualified names may not resolve through DNS

Fields

Name	Description
`ErrorCode`	—
`Location`	—
`Context`	—

Event ID 1008 — The primary DNS suffix for this machine is missing.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The primary DNS suffix for this machine is missing. In the absence of a primary DNS suffix, short unqualified names may not resolve through DNS

Fields

Name	Description
`ErrorCode`	—
`Location`	—
`Context`	—

Event ID 1009 — The primary DNS suffix for this machine does not match the Active Directory domain that it is currently joined to.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

The primary DNS suffix for this machine (%1) does not match the Active Directory domain (%2) that it is currently joined to.

Fields

Name	Description
`DnsSuffix`	—
`AdSuffix`	—

Event ID 1010 — The primary DNS suffix for this machine does not match the Active Directory domain that it is currently joined to.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The primary DNS suffix for this machine (%1) does not match the Active Directory domain (%2) that it is currently joined to.

Fields

Name	Description
`DnsSuffix`	—
`AdSuffix`	—

Event ID 1011 — There was an error while attempting to read the local hosts file.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

There was an error while attempting to read the local hosts file.

Fields

Name	Description
`ErrorCode`	—
`Location`	—
`Context`	—

Event ID 1012 — There was an error while attempting to read the local hosts file.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

There was an error while attempting to read the local hosts file.

Fields

Name	Description
`ErrorCode`	—
`Location`	—
`Context`	—

Event ID 1013 — Name resolution for the name %1 timed out after none of the configured DNS servers responded.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Name resolution for the name %1 timed out after none of the configured DNS servers responded.

Fields

Name	Description
`QueryName`	—
`AddressLength`	—
`Address`	—
`ClientPID`	—

Event ID 1014 — Name resolution for the name %1 timed out after none of the configured DNS servers responded.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Level: 3
Samples: 1

Message

Name resolution for the name %1 timed out after none of the configured DNS servers responded.

Fields

Name	Description
`QueryName`	—
`AddressLength`	—
`Address`	—
`ClientPID`	—

Example Event

system:
  provider: Microsoft-Windows-DNS-Client
  guid: 1C95126E-7EEA-49A9-A3FE-A378B03DDB4D
  event_source_name: ''
  event_id: 1014
  version: 1
  level: 3
  task: 1014
  opcode: 0
  keywords: 4611686018695823360
  time_created: '2023-11-06T06:25:49.753506+00:00'
  event_record_id: 1706
  correlation: {}
  execution:
    process_id: 1916
    thread_id: 3540
  channel: System
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-20
event_data:
  QueryName: wpad
  AddressLength: 128
  Address: 02000000C0A85C02000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  ClientPID: 2556
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1015 — Name resolution for the name %1 timed out after the DNS server %3 did not respond.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Name resolution for the name %1 timed out after the DNS server %3 did not respond.

Fields

Name	Description
`QueryName`	—
`AddressLength`	—
`Address`	—
`ClientPID`	—

Event ID 1016 — A name not found error was returned for the name %1.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

A name not found error was returned for the name %1. Check to ensure that the name is correct. The response was sent by the server at %3.

Fields

Name	Description
`QueryName`	—
`AddressLength`	—
`Address`	—
`ClientPID`	—
`SendBlob`	—
`SendBlobContext`	—

Event ID 1017 — The DNS server's response to a query for name %1 indicates that no records of the type queried are available, but could indicate that other records...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

The DNS server's response to a query for name %1 indicates that no records of the type queried are available, but could indicate that other records for the same name are present.

Fields

Name	Description
`QueryName`	—
`AddressLength`	—
`Address`	—
`ClientPID`	—
`SendBlob`	—
`SendBlobContext`	—

Event ID 1018 — The response for the query %1 was a Link Local IP address %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

The response for the query %1 was a Link Local IP address %3. The response was sent by the server at %5.

Fields

Name	Description
`QueryName`	—
`AddressLength`	—
`Address`	—
`DnsAddressLength`	—
`DnsAddress`	—
`ClientPID`	—
`SendBlob`	—
`SendBlobContext`	—

Event ID 1019 — There are currently no IPv6 DNS servers configured for any interface on this host.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

There are currently no IPv6 DNS servers configured for any interface on this host. Please configure DNS server settings, or renew your dynamic IP settings.

Fields

Name	Description
`Location`	—
`Context`	—

Event ID 1020 — Read DNS Name Resolution Policy Table: Key Name %1: DNSSEC Settings: DnsSecValidationRequired %2, DnsQueryOverIPSec %3, DnsEncryption %4 Direct Acc...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Read DNS Name Resolution Policy Table: Key Name %1: DNSSEC Settings: DnsSecValidationRequired %2, DnsQueryOverIPSec %3, DnsEncryption %4 Direct Access Settings: DirectAccessServerList %5, EnableRemoteIPSEC %6  RemoteEncryption %7 ProxyType %8 ProxyName %9

Fields

Name	Description
`KeyName`	—
`DnsSecValidationRequired`	—
`DnsQueryOverIPSec`	—
`DnsEncryption`	—
`DirectAccessServerList`	—
`RemoteIPSEC`	—
`RemoteEncryption`	—
`ProxyType`	—
`ProxyName`	—

Event ID 1021 — Matched Effective policy for query name %1: Key Name %2: DnsSecValidationRequired %3, DnsQueryOverIPSec %4, DnsEncryption %5 DirectAccessServerList...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Matched Effective policy for query name %1: Key Name %2: DnsSecValidationRequired %3, DnsQueryOverIPSec %4, DnsEncryption %5 DirectAccessServerList %6, ProxyType %7 ProxyName %8

Fields

Name	Description
`QueryName`	—
`KeyName`	—
`DnsSecValidationRequired`	—
`DnsQueryOverIPSec`	—
`DnsEncryption`	—
`DirectAccessServerList`	—
`ProxyType`	—
`ProxyName`	—

Event ID 1022 — Name resolution for the name, %1, will not fall back to LLMNR or NetBIOS.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Name resolution for the name, %1, will not fall back to LLMNR or NetBIOS

Fields

Name	Description
`QueryName`	—
`ClientPID`	—
`QueryBlob`	—

Event ID 1023 — Name resolution policy table has been corrupted.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

Name resolution policy table has been corrupted. DNS resolution will fail until it is fixed. Contact your network administrator. For more information: read policy table for rule %1 failed with error %2

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 1024 — Transaction ID of the response for query %1 from server %3 did not match.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Transaction ID of the response for query %1 from server %3 did not match

Fields

Name	Description
`QueryName`	—
`AddressLength`	—
`Address`	—
`ClientPID`	—
`SendBlob`	—
`SendBlobContext`	—

Event ID 1025 — The DNS server IP %3 of the response for query %1 is not configured on the client.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

The DNS server IP %3 of the response for query %1 is not configured on the client

Fields

Name	Description
`QueryName`	—
`AddressLength`	—
`Address`	—
`ClientPID`	—
`SendBlob`	—
`SendBlobContext`	—

Event ID 1026 — The question (%2) in the response from server %4 does not match the original question %1.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

The question (%2) in the response from server %4 does not match the original question %1

Fields

Name	Description
`QueryName`	—
`ResponseQuestion`	—
`AddressLength`	—
`Address`	—
`ClientPID`	—
`SendBlob`	—
`SendBlobContext`	—

Event ID 1027 — DNS Name resolution for the name, %1, failed because the client was unable to contact DNS servers.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS Name resolution for the name, %1, failed because the client was unable to contact DNS servers. At least one of the interfaces is not in a private network and name resolution will not fall back to LLMNR or NetBIOS

Fields

Name	Description
`QueryName`	—
`ClientPID`	—
`QueryBlob`	—

Event ID 1028 — Matched effective policy for query name %1: Key Name %2: DnsSecValidationRequired %3, DnsQueryOverIPSec %4, DnsEncryption %5 DirectAccessServerList...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Matched effective policy for query name %1: Key Name %2: DnsSecValidationRequired %3, DnsQueryOverIPSec %4, DnsEncryption %5 DirectAccessServerList %6, ProxyType %7 ProxyName %8 GenericServerList %9 IdnConfig %10

Fields

Name	Description
`QueryName`	—
`KeyName`	—
`DnsSecValidationRequired`	—
`DnsQueryOverIPSec`	—
`DnsEncryption`	—
`DirectAccessServerList`	—
`ProxyType`	—
`ProxyName`	—
`GenericServerList`	—
`IdnConfig`	—
`ClientPID`	—
`QueryBlob`	—

Event ID 3000 — DNS Query is initiated for the name %1 and for the type %2 with query options %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS Query is initiated for the name %1 and for the type %2 with query options %3

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`QueryOptions`	—

Event ID 3001 — DNS Query operation is completed with result %1.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS Query operation is completed with result %1

Fields

Name	Description
`Status`	—

Event ID 3002 — DNS Cache lookup is initiated for the name %1 and for the type %2 with query options %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS Cache lookup is initiated for the name %1 and for the type %2 with query options %3

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`QueryOptions`	—

Event ID 3003 — DNS Cache lookup operation for the name %1 and for the type %2 is completed with result %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS Cache lookup operation for the name %1 and for the type %2 is completed with result %3

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`Status`	—

Event ID 3004 — DNS FQDN Query is initiated for the name %1 and for the type %2 with query options %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS FQDN Query is initiated for the name %1 and for the type %2 with query options %3

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`QueryOptions`	—

Event ID 3005 — DNS FQDN Query operation for the name %1 and for the type %2 is completed with result %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS FQDN Query operation for the name %1 and for the type %2 is completed with result %3

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`Status`	—

Event ID 3006 — DNS query is called for the name %1, type %2, query options %3, Server List %4, isNetwork query %5, network index %6, interface index %7, is asynch...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS query is called for the name %1, type %2, query options %3, Server List %4, isNetwork query %5, network index %6, interface index %7, is asynchronous query %8

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`QueryOptions`	—
`ServerList`	—
`IsNetworkQuery`	—
`NetworkQueryIndex`	—
`InterfaceIndex`	—
`IsAsyncQuery`	—

Event ID 3007 — DnsQueryEx for the name %1 is pending.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DnsQueryEx for the name %1 is pending

Fields

Name	Description
`QueryName`	—

Event ID 3008 — DNS query is completed for the name %1, type %2, query options %3 with status %4 Results %5.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS query is completed for the name %1, type %2, query options %3 with status %4 Results %5

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`QueryOptions`	—
`QueryStatus`	—
`QueryResults`	—

Sigma Rules

DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
DNS Query To MEGA Hosting Website - DNS Client
Detects DNS queries for subdomains related to MEGA sharing website
DNS Query To Put.io - DNS Client
Detects DNS queries for subdomains related to "Put.io" sharing website.
Query Tor Onion Address - DNS Client
Detects DNS resolution of an .onion address related to Tor routing networks

Showing 5 of 6 matching Sigma rules.

Event ID 3009 — Network query initiated for the name %1 (is parallel query %2) on network index %3 with interface count %4 with first interface name %5, local addr...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Network query initiated for the name %1 (is parallel query %2) on network index %3 with interface count %4 with first interface name %5, local addresses %6 and Dns Servers %7

Fields

Name	Description
`QueryName`	—
`IsParallelNetworkQuery`	—
`NetworkIndex`	—
`InterfaceCount`	—
`AdapterName`	—
`LocalAddress`	—
`DNSServerAddress`	—
`ClientPID`	—
`QueryBlob`	—
`ParentBlob`	—

Event ID 3010 — DNS Query sent to DNS Server %3 for name %1 and type %2.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS Query sent to DNS Server %3 for name %1 and type %2

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`DnsServerIpAddress`	—
`ClientPID`	—

Event ID 3011 — Received response from DNS Server %3 for name %1 and type %2 with response status %4.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Received response from DNS Server %3 for name %1 and type %2 with response status %4

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`DnsServerIpAddress`	—
`ResponseStatus`	—
`ClientPID`	—
`SendBlob`	—
`SendBlobContext`	—

Event ID 3012 — NETBIOS query is initiated for name %1 on network index %2 with inteface count %3 with first interface name %4 and local addresses %5.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

NETBIOS query is initiated for name %1 on network index %2 with inteface count %3 with first interface name %4 and local addresses %5

Fields

Name	Description
`QueryName`	—
`NetworkIndex`	—
`InterfaceCount`	—
`AdapterName`	—
`LocalAddress`	—
`ClientPID`	—
`QueryBlob`	—

Event ID 3013 — NETBIOS query is completed for name %1 with status %2 and results %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

NETBIOS query is completed for name %1 with status %2 and results %3

Fields

Name	Description
`QueryName`	—
`Status`	—
`QueryResults`	—
`ClientPID`	—
`QueryBlob`	—

Event ID 3014 — NETBIOS query for the name %1 is pending.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

NETBIOS query for the name %1 is pending

Fields

Name	Description
`QueryName`	—
`ClientPID`	—
`QueryBlob`	—

Event ID 3015 — DnsQueryEx is canceled for the name %1.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DnsQueryEx is canceled for the name %1

Fields

Name	Description
`QueryName`	—

Event ID 3016 — Cache lookup called for name %1, type %2, options %3 and interface index %4.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Cache lookup called for name %1, type %2, options %3 and interface index %4

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`QueryOptions`	—
`InterfaceIndex`	—
`ClientPID`	—
`QueryBlob`	—

Event ID 3018 — Cache lookup for name %1, type %2 and option %3 returned %4 with results %5.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Cache lookup for name %1, type %2 and option %3 returned %4 with results %5

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`QueryOptions`	—
`Status`	—
`QueryResults`	—
`ClientPID`	—
`QueryBlob`	—

Event ID 3019 — Query wire called for name %1, type %2, interface index %3 and network index %4.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Query wire called for name %1, type %2, interface index %3 and network index %4

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`InterfaceIndex`	—
`NetworkIndex`	—
`ClientPID`	—
`QueryBlob`	—

Event ID 3020 — Query response for name %1, type %2, interface index %3 and network index %4 returned %5 with results %6.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Query response for name %1, type %2, interface index %3 and network index %4 returned %5 with results %6

Fields

Name	Description
`QueryName`	—
`QueryType`	—
`NetworkIndex`	—
`InterfaceIndex`	—
`Status`	—
`QueryResults`	—
`ClientPID`	—
`QueryBlob`	—

Event ID 3023 — Initiating resolver operation %1, name %2, flag %3, client PID %4.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Initiating resolver operation %1, name %2, flag %3, client PID %4

Fields

Name	Description
`OperationName`	—
`Name`	—
`Flag`	—
`ClientPID`	—

Event ID 3024 — Server %1 failed to validate DDR certificate for original address %2 with status %3.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

Server %1 failed to validate DDR certificate for original address %2 with status %3

Fields

Name	Description
`ActualServer`	—
`OriginalServer`	—
`Status`	—

Event ID 8001 — Unable to start DNS Client service.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

Unable to start DNS Client service. Could not start the Remote Procedure Call (RPC) interface for this service. To correct the problem, you may restart the RPC and DNS Client services. To do so, use the following commands at a command prompt: (1) type 'net start rpc' to start the RPC service, and (2) type 'net start dnscache' to start the DNS Client service. See event details for specific error code information.

Fields

Name	Description
`ErrorCode`	—

Event ID 8002 — Unable to start DNS Client service because the system failed to allocate memory and may be out of available memory.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

Unable to start DNS Client service because the system failed to allocate memory and may be out of available memory. Try closing any applications not in use or reboot the computer. See event details for specific error code information.

Fields

Name	Description
`ErrorCode`	—

Event ID 8003 — The system failed to register network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specific Domain Suffix : %3 DNS Server list :...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS Server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The cause of this DNS registration failure was because the DNS update request timed out after being sent to the specified DNS Server. This is probably because the authoritative DNS server for the name being updated is not running.

You can manually retry registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still  persist, contact your network systems administrator to verify network conditions.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8004 — The system failed to register network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specific Domain Suffix : %3 DNS server list :...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The cause of this DNS registration failure was because of DNS server failure. This may be due to a zone transfer that has locked the DNS server for the applicable zone that your computer needs to register itself with.

(The applicable zone should typically correspond to the Adapter-specific Domain Suffix that was indicated above.) You can manually retry registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your network systems administrator to verify network conditions.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8005 — The system failed to register network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specific Domain Suffix : %3 DNS server list :...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason it could not register was because either: (a) the DNS server does not support the DNS dynamic update protocol, or (b) the primary zone authoritative for the registering names does not currently accept dynamic updates.

To add or register a DNS host (A or AAAA) resource record using the specific DNS name for this adapter, contact your DNS server or network systems administrator.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8006 — The system failed to register network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specific Domain Suffix : %3 DNS server list :...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason it could not register was because the DNS server refused the dynamic update request. This could happen for the following reasons: (a) current DNS update policies do not allow this computer to update the DNS domain name configured for this adapter, or (b) the authoritative DNS server for this DNS domain name does not support the DNS dynamic update protocol.

To register a DNS host (A or AAAA) resource record using the specific DNS domain name for this adapter, contact your DNS server or network systems administrator.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8007 — The system failed to register network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specific Domain Suffix : %3 DNS server list :...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The system could not register the DNS update request because of a security related problem. This could happen for the following reasons: (a) the DNS domain name that your computer is trying to register could not be updated because your computer does not have the right permissions, or (b) there might have been a problem negotiating valid credentials with the DNS server to update.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8008 — The system failed to register network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specific Domain Suffix : %3 DNS server list :...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the DNS update request could not be completed was because of a system problem. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8009 — The system failed to register pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-spec...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The reason that the system could not register these RRs was because the update request that was sent to the specified DNS server timed out. This is probably because the authoritative DNS server for the name being registered is not running.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8010 — The system failed to register pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-spec...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The cause was DNS server failure. This may be because the reverse lookup zone is busy or missing on the DNS server that your computer needs to update. In most cases, this is a minor problem because it does not affect normal (forward) name resolution.

If reverse (address-to-name) resolution is required for your computer, you can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8011 — The system failed to register pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-spec...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The reason that the system could not register these RRs was because (a) either the DNS server does not support the DNS dynamic update protocol, or (b) the authoritative zone where these records are to be registered does not allow dynamic updates.

To register DNS pointer (PTR) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8012 — The system failed to register pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-spec...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The reason that the system could not register these RRs was because the DNS server refused the update request. The cause of this could be (a) your computer is not allowed to update the adapter-specified DNS domain name, or (b) because the DNS server authoritative for the specified name does not support the DNS dynamic update protocol.

To register the DNS pointer (PTR) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8013 — The system failed to register pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-spec...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The reason that the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8014 — The system failed to register pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-spec...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The reason the system could not register these RRs during the update request was because of a system problem. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8015 — The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Primary D...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not register these RRs was because the update request it sent to the DNS server timed out. The most likely cause of this is that the DNS server authoritative for the name it was attempting to register or update is not running at this time.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8016 — The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Primary D...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not register these RRs was because the DNS server failed the update request. The most likely cause of this is that the authoritative DNS server required to process this update request has a lock in place on the zone, probably because a zone transfer is in progress.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8017 — The system failed to register host (A or AAAA) resource records for network adapter with settings: Adapter Name : %1 Host Name : %2 Primary Domain ...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register host (A or AAAA) resource records for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

Either the DNS server does not support the DNS dynamic update protocol or the authoritative zone for the specified DNS domain name does not accept dynamic updates.

To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8018 — The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Primary D...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol.

To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8019 — The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Primary D...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8020 — The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Primary D...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not register these RRs during the update request was because of a system problem. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8021 — The system failed to update and remove registration for the network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specific Domain...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason for this failure is because the DNS server it sent the update request to timed out. The most likely cause of this failure is that the DNS server authoritative for the zone where the registration was originally made is either not running or unreachable through the network at this time.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8022 — The system failed to update and remove registration for the network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specific Domain...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason for this failure is because the DNS server it sent the update to failed the update request. A possible cause of this failure is that the DNS server required to process this update request has a lock in place on the zone, probably because a zone transfer is in progress.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8023 — The system failed to update and remove registration for the network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specific Domain...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason for this failure is because the DNS server sent the update either (a) does not support the DNS dynamic update protocol, or (b) the authoritative zone for the specified DNS domain name does not currently accept DNS dynamic updates.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8024 — The system failed to update and remove registration for the network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specific Domain...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not perform the update request was the DNS server contacted refused update request. The cause of this is (a) this computer is not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for the zone that requires updating does not support the DNS dynamic update protocol.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8025 — The system failed to update and remove registration for the network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specific Domain...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not perform the update request was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8026 — The system failed to update and remove the DNS registration for the network adapter with settings: Adapter Name : %1 Host Name : %2 Adapter-specifi...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove the DNS registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The system could not update to remove this DNS registration because of a system problem. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8027 — The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Ada...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The system could not remove these PTR RRs because the update request timed out while awaiting a response from the DNS server. This is probably because the DNS server authoritative for the zone that requires update is not running.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8028 — The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Ada...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address : %6

The system could not remove these PTR RRs because the DNS server failed the update request. A possible cause is that a zone transfer is in progress, causing a lock for the zone at the DNS server authorized to perform the updates for these RRs.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8029 — The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Ada...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The system could not remove these PTR RRs because either the DNS server does not support the DNS dynamic update protocol or the authoritative zone that contains these RRs does not accept dynamic updates.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8030 — The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Ada...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The system could not remove these PTR RRs because the DNS server refused the update request. The cause of this might be (a) this computer is not allowed to update the specified DNS domain name specified by these settings, or (b) because the DNS server authorized to perform updates for the zone that contains these RRs does not support the DNS dynamic update protocol.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8031 — The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Ada...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The system could not remove these PTR RRs because of a security related problem. The cause of this could be that (a) your computer does not have permissions to remove and update the specific DNS domain name or IP addresses configured for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8032 — The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 Ada...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The system could not remove these PTR RRs because because of a system problem. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8033 — The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 ...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

         The system could not remove these host (A or AAAA) RRs because the update request timed out while awaiting a response from the DNS server. This is probably because the DNS server authoritative for the zone where these RRs need to be updated is either not currently running or reachable on the network.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8034 — The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 ...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The system could not remove these host (A or AAAA) RRs because the DNS server failed the update request. A possible cause is that a zone transfer is in progress, causing a lock for the zone at the DNS server authorized to perform the updates for these RRs.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8035 — The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 ...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason for this failure is because the DNS server sent the update either (a) does not support the DNS dynamic update protocol, or (b) the authoritative zone for the DNS domain name specified in these host (A or AAAA) RRs does not currently accept DNS dynamic updates.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8036 — The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 ...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The request to remove these records failed because the DNS server refused the update request. The cause of this might be that either (a) this computer is not allowed to update the DNS domain name specified by these settings, or (b) because the DNS server authorized to perform updates for the zone that contains these RRs does not support the DNS dynamic update protocol.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8037 — The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 ...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason for this failure was because of a security related problem. The cause of this could be that (a) your computer does not have permissions to remove and update the specific DNS domain name or IP addresses configured for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8038 — The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter with settings: Adapter Name : %1 Host Name : %2 ...

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the update request failed was because of a system problem. See event details for specific error code information.

Fields

Name	Description
`AdapterName`	—
`HostName`	—
`AdapterSuffixName`	—
`DnsServerList`	—
`SentUpdateServer`	—
`Ipaddress`	—
`ErrorCode`	—

Event ID 8040 — A DNS interception provider has been loaded.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

A DNS interception provider has been loaded. This provider can overwrite any DNS resolution result. If this is unexpected, please contact the machine/domain admin.

           Interception Dll: %1

Fields

Name	Description
`Interception_Dll`	—
`DllName`	—

Event ID 8042 — A DNS interception provider performed an illegal operation.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

A DNS interception provider performed an illegal operation. 

           Interception Dll: %1

Fields

Name	Description
`Interception_Dll`	—
`DllName`	—

Event ID 8043 — DNS-over-HTTPS query initiated to server %1 for the name %2, on interface %3, using template %4, client PID %5.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS-over-HTTPS query initiated to server %1 for the name %2, on interface %3, using template %4, client PID %5

Fields

Name	Description
`Server`	—
`NameQuery`	—
`InterfaceName`	—
`Template`	—
`ClientPID`	—

Event ID 8044 — DNS-over-TLS query initiated to server %1 for the name %2, on interface %3, with hostname %4, client PID %5.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS-over-TLS query initiated to server %1 for the name %2, on interface %3, with hostname %4, client PID %5

Fields

Name	Description
`Server`	—
`NameQuery`	—
`InterfaceName`	—
`Hostname`	—
`ClientPID`	—

Event ID 8045 — DNS-over-HTTPS request to server %1 with template %2 returned HTTP status $3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS-over-HTTPS request to server %1 with template %2 returned HTTP status $3

Fields

Name	Description
`Server`	—
`TemplateName`	—
`StatusCode`	—

Event ID 8046 — DNS-over-HTTPS request to server %1 with template %2 failed with error %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS-over-HTTPS request to server %1 with template %2 failed with error %3

Fields

Name	Description
`Server`	—
`TemplateName`	—
`ErrorCode`	—

Event ID 8047 — DNS-over-TLS request to server %1 with hostname %2 failed with error %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

DNS-over-TLS request to server %1 with hostname %2 failed with error %3

Fields

Name	Description
`Server`	—
`Hostname`	—
`ErrorCode`	—

Event ID 8048 — DNS-over-HTTPS request failed to obtain valid SSL certificate from server %1, with template %2, due to: %3.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

DNS-over-HTTPS request failed to obtain valid SSL certificate from server %1, with template %2, due to: %3. WinHTTP flags: %4

Fields

Name	Description
`Server`	—
`Template`	—
`Error`	—
`ErrorBits`	—

Event ID 8049 — DNS-over-TLS request failed to obtain valid SSL certificate from server %1, with hostname %2, due to: %3.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Message

DNS-over-TLS request failed to obtain valid SSL certificate from server %1, with hostname %2, due to: %3. WinHTTP flags: %4

Fields

Name	Description
`Server`	—
`Hostname`	—
`Error`	—
`ErrorBits`	—

Event ID 8050 — Windows DNS Client process mitigations: SystemCall: %1, ExtensionPoint: %2, DynamicCode: %3, CFG: %4, BinarySignature: %5, FontDisable: %6, ImageLo...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Windows DNS Client process mitigations: SystemCall: %1, ExtensionPoint: %2, DynamicCode: %3, CFG: %4, BinarySignature: %5, FontDisable: %6, ImageLoad: %7, ChildProcess: %8. Enforce mitigations: %9

Fields

Name	Description
`SystemCallDisable`	—
`ExtensionPointDisable`	—
`DynamicCode`	—
`ControlFlowGuard`	—
`BinarySignature`	—
`FontDisable`	—
`ImageFlow`	—
`ChildProcess`	—
`EnforcementKey`	—

Event ID 60004 — Error: %1 Location: %2 Context: %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Error: %1 Location: %2 Context: %3

Fields

Name	Description
`Error`	—
`Location`	—
`Context`	—
`ErrorCode`	—

Event ID 60005 — Warning: %1 Location: %2 Context: %3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Warning: %1 Location: %2 Context: %3

Fields

Name	Description
`Warning`	—
`Location`	—
`Context`	—
`WarningCode`	—

Event ID 60006 — Transitioned to State: %1 Context: %2.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Transitioned to State: %1 Context: %2

Fields

Name	Description
`NextState`	—
`Context`	—

Event ID 60007 — Updated Context: %1 Update Reason: %2.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Updated Context: %1 Update Reason: %2

Fields

Name	Description
`Updated_Context`	—
`Update_Reason`	—
`Context`	—
`UpdateReasonCode`	—

Event ID 60008 — Name resolution policy table has been corrupted.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Name resolution policy table has been corrupted. DNS resolution will fail until it is fixed. Contact your network administrator. For more information: read policy table for rule %1 failed with error %2

Fields

Name	Description
`RuleName`	—
`ErrorCode`	—

Event ID 60101 — SourceAddress: %1 SourcePort: %2 DestinationAddress: %3 DestinationPort: %4 Protocol: %5 ReferenceContext: %6.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

SourceAddress: %1 SourcePort: %2 DestinationAddress: %3 DestinationPort: %4 Protocol: %5 ReferenceContext: %6

Fields

Name	Description
`SourceAddress`	—
`SourcePort`	—
`DestinationAddress`	—
`DestinationPort`	—
`Protocol`	—
`ReferenceContext`	—

Event ID 60102 — SourceAddress: %1 SourcePort: %2 DestinationAddress: %3 DestinationPort: %4 Protocol: %5 ReferenceContext: %6.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

SourceAddress: %1 SourcePort: %2 DestinationAddress: %3 DestinationPort: %4 Protocol: %5 ReferenceContext: %6

Fields

Name	Description
`SourceAddress`	—
`SourcePort`	—
`DestinationAddress`	—
`DestinationPort`	—
`Protocol`	—
`ReferenceContext`	—

Event ID 60103 — Interface Guid: %1 IfIndex: %2 Interface Luid: %3 ReferenceContext: %4.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Message

Interface Guid: %1 IfIndex: %2 Interface Luid: %3 ReferenceContext: %4

Fields

Name	Description
`Interface_Guid`	—
`IfIndex`	—
`Interface_Luid`	—
`ReferenceContext`	—
`IfGuid`	—
`IfLuid`	—