Microsoft-Windows-DNSServer

167 events across 2 channels

Event ID	Title	Channel
256		Audit
256	QUERY_RECEIVED: TCP=.	Analytical
257		Audit
257	RESPONSE_SUCCESS: TCP=.	Analytical
258		Audit
258	RESPONSE_FAILURE: TCP=.	Analytical
259		Audit
259	IGNORED_QUERY: TCP=.	Analytical
260		Audit
260	RECURSE_QUERY_OUT: TCP=.	Analytical
261		Audit
261	RECURSE_RESPONSE_IN: TCP=.	Analytical
262		Audit
262	RECURSE_QUERY_TIMEOUT: TCP=.	Analytical
263		Audit
263	DYN_UPDATE_RECV: TCP=.	Analytical
264		Audit
264	DYN_UPDATE_RESPONSE: TCP=.	Analytical
265		Audit
265	IXFR_REQ_OUT: TCP=.	Analytical
266		Audit
266	IXFR_REQ_RECV: TCP=.	Analytical
267		Audit
267	IXFR_RESP_OUT: TCP=.	Analytical
268		Audit
268	IXFR_RESP_RECV: TCP=.	Analytical
269		Audit
269	AXFR_REQ_OUT: TCP=.	Analytical
270		Audit
270	AXFR_REQ_RECV: TCP=.	Analytical
271		Audit
271	AXFR_RESP_OUT: TCP=.	Analytical
272		Audit
272	AXFR_RESP_RECV: TCP=.	Analytical
273		Audit
273	XFR_NOTIFY_RECV: Source=.	Analytical
274		Audit
274	XFR_NOTIFY_OUT: Destination=.	Analytical
275		Audit
275	XFR_NOTIFY_ACK_IN: Source=.	Analytical
276		Audit
276	XFR_NOTIFY_ACK_OUT: Destination=.	Analytical
277		Audit
277	DYN_UPDATE_FORWARD: TCP=.	Analytical
278		Audit
278	DYN_UPDATE_RESPONSE_IN: TCP=.	Analytical
279		Audit
279	INTERNAL_LOOKUP_CNAME: TCP=.	Analytical
280		Audit
280	INTERNAL_LOOKUP_ADDITIONAL: TCP=.	Analytical
281		Audit
281	RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=.	Analytical
282		Audit
282	RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=.	Analytical
283		Audit
283	RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=.	Analytical
284		Audit
284	RESPONSE_SUCCESS: TCP=.	Analytical
285		Audit
285	RESPONSE_FAILURE: TCP=.	Analytical
286		Audit
286	RECURSE_ALIAS_FAILURE: TCP=.	Analytical
287		Audit
287	QUERY_RECEIVED: TCP=.	Analytical
288		Audit
288	DNSSEC_VALIDATION_FAILURE: QNAME=.	Analytical
289		Audit
289	RECURSE_QUERY_OUT: TCP=.	Analytical
290		Audit
290	RECURSE_RESPONSE_IN: TCP=.	Analytical
291		Audit
291	RECURSE_QUERY_TIMEOUT: TCP=.	Analytical
512		Audit
513	The zone %1 was deleted.	Audit
514		Audit
515	A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope …	Audit
516	A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of …	Audit
517	All resource records of type %1, name %2 were deleted from scope %4 of zone %3.	Audit
518	All resource records at Node name %1 were deleted from scope %3 of zone %2.	Audit
519		Audit
520		Audit
521	A resource record of type %1, name %2, TTL %3 and RDATA %5 was scavenged from …	Audit
522	The scope %1 was created in zone %2.	Audit
523	The scope %1 was deleted in zone %2.	Audit
525	The zone %1 was signed with following properties: DenialOfExistence=%2; …	Audit
526	The zone %1 was unsigned.	Audit
527	The zone %1 was re-signed with following properties: DenialOfExistence=%2; …	Audit
528	Rollover was started on the type %1 with GUID %2 of zone %3.	Audit
529	Rollover was completed on the type %1 with GUID %2 of zone %3.	Audit
530	The type %1 with GUID %2 of zone %3 was marked for retiral.	Audit
531	Manual rollover was triggered on the type %1 with GUID %2 of zone %3.	Audit
533	The keys signing key with GUID %1 on zone %2 that was waiting for a Delegation …	Audit
534	DNSSEC setting metadata was exported %1 key signing key metadata from zone %2.	Audit
535	DNSSEC setting metadata was imported on zone %1.	Audit
536	A record of type %1, QNAME %2 was purged from scope %3 in cache.	Audit
537	The forwarder list on scope %2 has been reset to %1.	Audit
540	The root hints have been modified.	Audit
541		Audit
542	The scope %1 of DNS server was created.	Audit
543	The scope %1 of DNS server was deleted.	Audit
544	The DNSKEY with Key Protocol %2, Base64 Data %4 and Crypto Algorithm %5 has been …	Audit
545	The DS with Key Tag: %2, Digest Type: %3, Digest: %5 and Crypto Algorithm: %6 …	Audit
546	The trust point at %1 of type %2 has been removed.	Audit
547	The trust anchor for the root zone has been added.	Audit
548	A request to restart the DNS server service has been received.	Audit
549	The debug logs have been cleared from %1 on DNS server.	Audit
550	The in-memory contents of all the zones on DNS server have been flushed to their …	Audit
551	All the statistical data for the DNS server has been cleared.	Audit
552	A resource record scavenging cycle has been started on the DNS Server.	Audit
553		Audit
554	The resource record scavenging cycle has been terminated on the DNS Server.	Audit
555	The DNS server has been prepared for demotion by removing references to it from …	Audit
556	The information about the root hints on the DNS server has been written back to …	Audit
557	The addresses on which DNS server will listen has been changed to %1.	Audit
558	An immediate RFC 5011 active refresh has been scheduled for all trust points.	Audit
559	The zone %1 is paused.	Audit
560	The zone %1 is resumed.	Audit
561	The data for zone %1 has been reloaded from %2.	Audit
562	The data for zone %1 has been refreshed from the master server %2.	Audit
563	The secondary zone %1 has been expired and new data has been requested from the …	Audit
564	The zone %1 has been reloaded from the Active Directory.	Audit
565	The content of the zone %1 has been written to the disk and the notification has …	Audit
566	All DNS records at the node %1 in the zone %2 will have their aging time stamp …	Audit
567	The Active Directory-integrated zone %1 has been updated.	Audit
568	The key master role for zone %1 has been %2.	Audit
569	A %1 signing key (%2) descriptor has been added on the zone %3 with following …	Audit
570	A %1 signing key (%2) descriptor with GUID %3 has been updated on the zone %4.	Audit
571	A %1 signing key (%2) descriptor %4 has been removed from the zone %3.	Audit
572	The state of the %1 signing key (%2) %3 has been modified on zone %4.	Audit
573	A delegation for %1 in the scope %2 of zone %3 with the name server %4 has been …	Audit
574	The client subnet with name %1, and value %2 has been added to the DNS server.	Audit
575	The client subnet with name %1 has been deleted from the DNS server.	Audit
576	The client subnet with name %1 has been updated on the DNS server.	Audit
577	A server level policy %6 for %1 has been created on server %2 with following …	Audit
578	A zone level policy %8 for %1 has been created on zone %6 on server %2 with …	Audit
579	A policy %6 to control recursion settings has been created on server %2 with …	Audit
580	The server level policy %1 has been deleted from server %2.	Audit
581	The zone level policy %1 has been deleted from zone %3 on server %2.	Audit
582	The policy %1 to control recursion settings has been deleted from server %2.	Audit
583	The server level policy %1 has been updated on server %2.	Audit
584	The zone level policy %1 has been updated on zone %3 of server %2.	Audit
585	The server level policy %1 for recursion has been updated on server %2.	Audit
586	The zone level policy %1 has been updated on zone %4 of server %2.	Audit
587	The zone level policy %1 has been updated on zone %5 of server %2.	Audit
588	The zone level policy %1 has been updated on zone %6 of server %2.	Audit
589	The server level policy %1 for recursion has been updated on server %2.	Audit
590	The Response Rate Limiting is configured on the DNS server %1.	Audit
591	A exceptionlist %1 against response rate limiting has been added on the DNS …	Audit
592	A exceptionlist %1 against response rate limiting has been deleted from server …	Audit
593	A exceptionlist %1 against response rate limiting has been updated on server %2.	Audit
594	The virtualization instance %1 with friendly name %2 was created.	Audit
595	The virtualization instance %1 was removed.	Audit
596	The virtualization instance %1 was updated.	Audit
597		Audit
597	QUERY_RECEIVED: Channel=.	Analytical
598		Audit
598	RESPONSE_SUCCESS: Channel=.	Analytical
599		Audit
599	RESPONSE_FAILURE: Channel=.	Analytical
600		Audit
600	IGNORED_QUERY: Channel=.	Analytical
601		Audit
601	IGNORED_QUERY: Channel=.	Analytical
602		Audit
602	DYN_UPDATE_RECV: Channel=.	Analytical
603		Audit
603	DYN_UPDATE_RESPONSE: Channel=.	Analytical

Event ID 256 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`Port`	—
`Flags`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—

Event ID 256 — QUERY_RECEIVED: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

QUERY_RECEIVED: TCP=%1; InterfaceIP=%2; Source=%3; RD=%4; QNAME=%5; QTYPE=%6; XID=%7; Port=%8; Flags=%9; PacketData=%11; AdditionalInfo = VirtualizationInstanceOptionValue: %12; GUID=%13

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`Port`	—
`Flags`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—

Event ID 257 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`DNSSEC`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Scope`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`ElapsedTime`	—
`GUID`	—
`StaleRecordsPresent`	—

Event ID 257 — RESPONSE_SUCCESS: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RESPONSE_SUCCESS: TCP=%1; InterfaceIP=%2; Destination=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; DNSSEC=%9; RCODE=%10; Port=%11; Flags=%12; Scope=%13; Zone=%14; PolicyName=%15; PacketData=%17; AdditionalInfo= %18; ElapsedTime=%19; GUID=%20 %21

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`DNSSEC`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Scope`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`ElapsedTime`	—
`GUID`	—
`StaleRecordsPresent`	—

Event ID 258 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Reason`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`ElapsedTime`	—
`GUID`	—

Event ID 258 — RESPONSE_FAILURE: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RESPONSE_FAILURE: TCP=%1; InterfaceIP=%2; Reason=%3; Destination=%4; QNAME=%5; QTYPE=%6; XID=%7; RCODE=%8; Port=%9; Flags=%10; Zone=%11; PolicyName=%12; PacketData=%14; AdditionalInfo = VirtualizationInstance: %13; ElapsedTime=%16; GUID=%17

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Reason`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`ElapsedTime`	—
`GUID`	—

Event ID 259 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`Reason`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`Zone`	—
`PolicyName`	—
`AdditionalInfo`	—

Event ID 259 — IGNORED_QUERY: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

IGNORED_QUERY: TCP=%1; InterfaceIP=%2; Source=%3; Reason=%4; QNAME=%5; QTYPE=%6; XID=%7; Zone=%8; PolicyName=%9; AdditionalInfo = VirtualizationInstance: %10

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`Reason`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`Zone`	—
`PolicyName`	—
`AdditionalInfo`	—

Event ID 260 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`Destination`	—
`InterfaceIP`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`QXID`	—
`XID`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—

Event ID 260 — RECURSE_QUERY_OUT: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RECURSE_QUERY_OUT: TCP=%1; Destination=%2; InterfaceIP=%3; RD=%4; QNAME=%5; QTYPE=%6; QXID=%7; XID=%8; Port=%9; Flags=%10; RecursionScope=%11; CacheScope=%12; PolicyName=%13; PacketData=%15; AdditionalInfo = VirtualizationInstance: %16; GUID=%17

Fields

Name	Description
`TCP`	—
`Destination`	—
`InterfaceIP`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`QXID`	—
`XID`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—

Event ID 261 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`Source`	—
`InterfaceIP`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RecursionDepth`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—
`QueriesAttached`	—

Event ID 261 — RECURSE_RESPONSE_IN: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RECURSE_RESPONSE_IN: TCP=%1; Source=%2; InterfaceIP=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; RemoteQueriesSent=%9; Port=%10; Flags=%11; RecursionScope=%12; CacheScope=%13; PacketData=%15; AdditionalInfo = VirtualizationInstance: %16; GUID=%17; QueriesAttached=%18

Fields

Name	Description
`TCP`	—
`Source`	—
`InterfaceIP`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RecursionDepth`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—
`QueriesAttached`	—

Event ID 262 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`QXID`	—
`XID`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`AdditionalInfo`	—
`GUID`	—

Event ID 262 — RECURSE_QUERY_TIMEOUT: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RECURSE_QUERY_TIMEOUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; QTYPE=%5; QXID=%6; XID=%7; Port=%8; Flags=%9; RecursionScope=%10; CacheScope=%11; AdditionalInfo = VirtualizationInstance: %12; GUID=%13

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`QXID`	—
`XID`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`AdditionalInfo`	—
`GUID`	—

Event ID 263 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`QNAME`	—
`XID`	—
`Port`	—
`Flags`	—
`Secure`	—
`BufferSize`	—
`PacketData`	—

Event ID 263 — DYN_UPDATE_RECV: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

DYN_UPDATE_RECV: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; Port=%6; Flags=%7; SECURE=%8; PacketData=%10

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`QNAME`	—
`XID`	—
`Port`	—
`Flags`	—
`Secure`	—
`BufferSize`	—
`PacketData`	—

Event ID 264 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—

Event ID 264 — DYN_UPDATE_RESPONSE: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

DYN_UPDATE_RESPONSE: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PolicyName=%9; PacketData=%11

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—

Event ID 265 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 265 — IXFR_REQ_OUT: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

IXFR_REQ_OUT: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 266 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 266 — IXFR_REQ_RECV: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

IXFR_REQ_RECV: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 267 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`BufferSize`	—
`PacketData`	—

Event ID 267 — IXFR_RESP_OUT: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

IXFR_RESP_OUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`BufferSize`	—
`PacketData`	—

Event ID 268 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`BufferSize`	—
`PacketData`	—

Event ID 268 — IXFR_RESP_RECV: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

IXFR_RESP_RECV: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`BufferSize`	—
`PacketData`	—

Event ID 269 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`Source`	—
`InterfaceIP`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 269 — AXFR_REQ_OUT: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

AXFR_REQ_OUT: TCP=%1; Source=%2; InterfaceIP=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9

Fields

Name	Description
`TCP`	—
`Source`	—
`InterfaceIP`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 270 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`Source`	—
`InterfaceIP`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 270 — AXFR_REQ_RECV: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

AXFR_REQ_RECV: TCP=%1; Source=%2; InterfaceIP=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9

Fields

Name	Description
`TCP`	—
`Source`	—
`InterfaceIP`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 271 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—

Event ID 271 — AXFR_RESP_OUT: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

AXFR_RESP_OUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—

Event ID 272 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—

Event ID 272 — AXFR_RESP_RECV: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

AXFR_RESP_RECV: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—

Event ID 273 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`Source`	—
`InterfaceIP`	—
`QNAME`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 273 — XFR_NOTIFY_RECV: Source=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

XFR_NOTIFY_RECV: Source=%1; InterfaceIP=%2; QNAME=%3; ZoneScope=%4; Zone=%5; PacketData=%7

Fields

Name	Description
`Source`	—
`InterfaceIP`	—
`QNAME`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 274 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`Source`	—
`InterfaceIP`	—
`QNAME`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 274 — XFR_NOTIFY_OUT: Destination=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

XFR_NOTIFY_OUT: Destination=%1; InterfaceIP=%2; QNAME=%3; ZoneScope=%4; Zone=%5; PacketData=%7

Fields

Name	Description
`Source`	—
`InterfaceIP`	—
`QNAME`	—
`ZoneScope`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 275 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`Source`	—
`InterfaceIP`	—
`BufferSize`	—
`PacketData`	—

Event ID 275 — XFR_NOTIFY_ACK_IN: Source=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

XFR_NOTIFY_ACK_IN: Source=%1; InterfaceIP=%2; PacketData=%4

Fields

Name	Description
`Source`	—
`InterfaceIP`	—
`BufferSize`	—
`PacketData`	—

Event ID 276 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`Destination`	—
`InterfaceIP`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 276 — XFR_NOTIFY_ACK_OUT: Destination=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

XFR_NOTIFY_ACK_OUT: Destination=%1; InterfaceIP=%2; Zone=%3; PacketData=%5

Fields

Name	Description
`Destination`	—
`InterfaceIP`	—
`Zone`	—
`BufferSize`	—
`PacketData`	—

Event ID 277 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`ForwardInterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`BufferSize`	—
`PacketData`	—

Event ID 277 — DYN_UPDATE_FORWARD: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

DYN_UPDATE_FORWARD: TCP=%1; ForwardInterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10

Fields

Name	Description
`TCP`	—
`ForwardInterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`BufferSize`	—
`PacketData`	—

Event ID 278 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`BufferSize`	—
`PacketData`	—

Event ID 278 — DYN_UPDATE_RESPONSE_IN: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

DYN_UPDATE_RESPONSE_IN: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`BufferSize`	—
`PacketData`	—

Event ID 279 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`Port`	—
`Flags`	—
`XID`	—
`BufferSize`	—
`PacketData`	—
`GUID`	—

Event ID 279 — INTERNAL_LOOKUP_CNAME: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

INTERNAL_LOOKUP_CNAME: TCP=%1; InterfaceIP=%2; Source=%3; RD=%4; QNAME=%5; QTYPE=%6; Port=%7; Flags=%8; XID=%9; PacketData=%11; GUID=%12

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`Port`	—
`Flags`	—
`XID`	—
`BufferSize`	—
`PacketData`	—
`GUID`	—

Event ID 280 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`Port`	—
`Flags`	—
`XID`	—
`BufferSize`	—
`PacketData`	—
`GUID`	—

Event ID 280 — INTERNAL_LOOKUP_ADDITIONAL: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

INTERNAL_LOOKUP_ADDITIONAL: TCP=%1; InterfaceIP=%2; Source=%3; RD=%4; QNAME=%5; QTYPE=%6; Port=%7; Flags=%8; XID=%9; PacketData=%11; GUID=%12

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`Port`	—
`Flags`	—
`XID`	—
`BufferSize`	—
`PacketData`	—
`GUID`	—

Event ID 281 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`BufferSize`	—
`PacketData`	—

Event ID 281 — RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=%1; Destination=%2; QNAME=%3; QTYPE=%4; XID=%5; RCODE=%6; Port=%7; PacketData=%9

Fields

Name	Description
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`BufferSize`	—
`PacketData`	—

Event ID 282 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`BufferSize`	—
`PacketData`	—

Event ID 282 — RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=%1; Destination=%2; QNAME=%3; QTYPE=%4; XID=%5; RCODE=%6; Port=%7; PacketData=%9

Fields

Name	Description
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`BufferSize`	—
`PacketData`	—

Event ID 283 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`BufferSize`	—
`PacketData`	—

Event ID 283 — RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=%1; Destination=%2; QNAME=%3; QTYPE=%4; XID=%5; RCODE=%6; Port=%7; PacketData=%9

Fields

Name	Description
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`BufferSize`	—
`PacketData`	—

Event ID 284 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`DNSSEC`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Scope`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`DataTag`	—
`ElapsedTime`	—
`GUID`	—
`EDNSCorrelationTag`	—
`EDNSScopeName`	—
`StaleRecordsPresent`	—

Event ID 284 — RESPONSE_SUCCESS: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RESPONSE_SUCCESS: TCP=%1; InterfaceIP=%2; Destination=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; DNSSEC=%9; RCODE=%10; Port=%11; Flags=%12; Scope=%13; Zone=%14; PolicyName=%15; PacketData=%17; AdditionalInfo= %18; DataTag=%19; ElapsedTime=%20; GUID=%21; EDNSCorrelationTag=%22; EDNSScopeName=%23; %24

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`DNSSEC`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Scope`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`DataTag`	—
`ElapsedTime`	—
`GUID`	—
`EDNSCorrelationTag`	—
`EDNSScopeName`	—
`StaleRecordsPresent`	—

Event ID 285 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Reason`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`ElapsedTime`	—
`GUID`	—
`EDNSCorrelationTag`	—
`EDNSScopeName`	—

Event ID 285 — RESPONSE_FAILURE: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RESPONSE_FAILURE: TCP=%1; InterfaceIP=%2; Reason=%3; Destination=%4; QNAME=%5; QTYPE=%6; XID=%7; RCODE=%8; Port=%9; Flags=%10; Zone=%11; PolicyName=%12; PacketData=%14; AdditionalInfo = VirtualizationInstance: %13; ElapsedTime=%16; GUID=%17; EDNSCorrelationTag=%18; EDNSScopeName=%19

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Reason`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`ElapsedTime`	—
`GUID`	—
`EDNSCorrelationTag`	—
`EDNSScopeName`	—

Event ID 286 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`Source`	—
`InterfaceIP`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`Port`	—
`Flags`	—
`ServerScope`	—
`CacheScope`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`AliasFailureReason`	—

Event ID 286 — RECURSE_ALIAS_FAILURE: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RECURSE_ALIAS_FAILURE: TCP=%1; Source=%2; InterfaceIP=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; Port=%9; Flags=%10; ServerScope=%11; CacheScope=%12; PacketData=%14; AdditionalInfo = VirtualizationInstance %15; AliasFailureReason=%16

Fields

Name	Description
`TCP`	—
`Source`	—
`InterfaceIP`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`Port`	—
`Flags`	—
`ServerScope`	—
`CacheScope`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`AliasFailureReason`	—

Event ID 287 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`Port`	—
`Flags`	—
`BufferSize`	—
`PacketData`	—
`GUID`	—
`EDNSExtendedRCodeBits`	—
`EDNSFlags`	—
`EDNSUdpPayloadSize`	—
`EDNSScopeName`	—
`EDNSVirtualizationInstance`	—
`EDNSDataTag`	—
`EDNSCorrelationTag`	—

Event ID 287 — QUERY_RECEIVED: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

QUERY_RECEIVED: TCP=%1; InterfaceIP=%2; Source=%3; RD=%4; QNAME=%5; QTYPE=%6; XID=%7; Port=%8; Flags=%9; PacketData=%11; GUID=%12; EDNSExtendedRCodeBits=%13; EDNSFlags=%14; EDNSUdpPayloadSize=%15; EDNSScopeName=%16; EDNSVirtualizationInstance=%17; EDNSDataTag=%18; EDNSCorrelationTag=%19

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Source`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`Port`	—
`Flags`	—
`BufferSize`	—
`PacketData`	—
`GUID`	—
`EDNSExtendedRCodeBits`	—
`EDNSFlags`	—
`EDNSUdpPayloadSize`	—
`EDNSScopeName`	—
`EDNSVirtualizationInstance`	—
`EDNSDataTag`	—
`EDNSCorrelationTag`	—

Event ID 288 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`QNAME`	—
`RRTYPE`	—
`QueryGUID`	—
`QXID`	—
`XID`	—
`CacheNodeName`	—

Event ID 288 — DNSSEC_VALIDATION_FAILURE: QNAME=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

DNSSEC_VALIDATION_FAILURE: QNAME=%1; RRTYPE=%2; QueryGUID=%3; QXID=%4; XID=%5; CacheNodeName=%6

Fields

Name	Description
`QNAME`	—
`RRTYPE`	—
`QueryGUID`	—
`QXID`	—
`XID`	—
`CacheNodeName`	—

Event ID 289 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`Destination`	—
`InterfaceIP`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`QXID`	—
`XID`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—
`EDNSScopeName`	—
`EDNSCorrelationTag`	—

Event ID 289 — RECURSE_QUERY_OUT: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RECURSE_QUERY_OUT: TCP=%1; Destination=%2; InterfaceIP=%3; RD=%4; QNAME=%5; QTYPE=%6; QXID=%7; XID=%8; Port=%9; Flags=%10; RecursionScope=%11; CacheScope=%12; PolicyName=%13; PacketData=%15; AdditionalInfo = VirtualizationInstance: %16; GUID=%17; EDNSScopeName=%18; EDNSCorrelationTag=%19

Fields

Name	Description
`TCP`	—
`Destination`	—
`InterfaceIP`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`QXID`	—
`XID`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—
`EDNSScopeName`	—
`EDNSCorrelationTag`	—

Event ID 290 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`Source`	—
`InterfaceIP`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RecursionDepth`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—
`QueriesAttached`	—
`EDNSScopeName`	—
`EDNSCorrelationTag`	—

Event ID 290 — RECURSE_RESPONSE_IN: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RECURSE_RESPONSE_IN: TCP=%1; Source=%2; InterfaceIP=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; RemoteQueriesSent=%9; Port=%10; Flags=%11; RecursionScope=%12; CacheScope=%13; PacketData=%15; AdditionalInfo = VirtualizationInstance: %16; GUID=%17; QueriesAttached=%18; EDNSScopeName=%19; EDNSCorrelationTag=%20

Fields

Name	Description
`TCP`	—
`Source`	—
`InterfaceIP`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RecursionDepth`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—
`QueriesAttached`	—
`EDNSScopeName`	—
`EDNSCorrelationTag`	—

Event ID 291 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`QXID`	—
`XID`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`AdditionalInfo`	—
`GUID`	—
`EDNSScopeName`	—
`EDNSCorrelationTag`	—

Event ID 291 — RECURSE_QUERY_TIMEOUT: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RECURSE_QUERY_TIMEOUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; QTYPE=%5; QXID=%6; XID=%7; Port=%8; Flags=%9; RecursionScope=%10; CacheScope=%11; AdditionalInfo = VirtualizationInstance: %12; GUID=%13; EDNSScopeName=%14; EDNSCorrelationTag=%15

Fields

Name	Description
`TCP`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`QXID`	—
`XID`	—
`Port`	—
`Flags`	—
`RecursionScope`	—
`CacheScope`	—
`AdditionalInfo`	—
`GUID`	—
`EDNSScopeName`	—
`EDNSCorrelationTag`	—

Event ID 512 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: 4
Samples: 1

Message

The zone %1 was created with settings: Type=%2; Lookup=%3; ReplicationScope=%4; ZoneFile=%5; [virtualization instance %6].

Fields

Name	Description
`Name`	—
`Type`	—
`Lookup`	—
`ReplicationScope`	—
`ZoneFile`	—
`VirtualizationID`	—

Example Event

system:
  provider: Microsoft-Windows-DNSServer
  guid: EB79061A-A566-4698-9119-3ED2807060E7
  event_source_name: ''
  event_id: 512
  version: 0
  level: 4
  task: 5
  opcode: 0
  keywords: 4611686018427912192
  time_created: '2022-04-07T08:13:51.370284+00:00'
  event_record_id: 4
  correlation: {}
  execution:
    process_id: 2208
    thread_id: 4676
  channel: Microsoft-Windows-DNSServer/Audit
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  Name: _msdcs.sigma.fr
  Type: Primary
  Lookup: Forward
  ReplicationScope: None
  ZoneFile: _msdcs.sigma.fr.dns
  VirtualizationID: .
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 513 — The zone %1 was deleted.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone %1 was deleted. [virtualization instance: %2].

Fields

Name	Description
`Zone`	—
`VirtualizationID`	—

Event ID 514 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: 4
Samples: 1

Message

The zone %1 was updated. The %2 setting has been set to %3. [virtualization instance: %4].

Fields

Name	Description
`Zone`	—
`PropertyKey`	—
`NewValue`	—
`VirtualizationID`	—

Example Event

system:
  provider: Microsoft-Windows-DNSServer
  guid: EB79061A-A566-4698-9119-3ED2807060E7
  event_source_name: ''
  event_id: 514
  version: 0
  level: 4
  task: 5
  opcode: 0
  keywords: 4611686018427912192
  time_created: '2022-04-07T17:00:03.792940+00:00'
  event_record_id: 39
  correlation: {}
  execution:
    process_id: 2320
    thread_id: 764
  channel: Microsoft-Windows-DNSServer/Audit
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Zone: _msdcs.sigma.fr
  PropertyKey: SecondaryServers
  NewValue: deny zone transfers
  VirtualizationID: .
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 515 — A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6. [virtualization instance: %8].

Fields

Name	Description
`Type`	—
`NAME`	—
`TTL`	—
`BufferSize`	—
`RDATA`	—
`Zone`	—
`ZoneScope`	—
`VirtualizationID`	—

Event ID 516 — A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6.

Fields

Name	Description
`Type`	—
`NAME`	—
`TTL`	—
`BufferSize`	—
`RDATA`	—
`Zone`	—
`ZoneScope`	—
`VirtualizationID`	—

Event ID 517 — All resource records of type %1, name %2 were deleted from scope %4 of zone %3.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

All resource records of type %1, name %2 were deleted from scope %4 of zone %3. [virtualization instance: %5].

Fields

Name	Description
`Type`	—
`NAME`	—
`Zone`	—
`ZoneScope`	—
`VirtualizationID`	—

Event ID 518 — All resource records at Node name %1 were deleted from scope %3 of zone %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

All resource records at Node name %1 were deleted from scope %3 of zone %2. [virtualization instance: %4].

Fields

Name	Description
`NAME`	—
`Zone`	—
`ZoneScope`	—
`VirtualizationID`	—

Event ID 519 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: 4
Samples: 1

Message

A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6 via dynamic update from IP Address %8.

Fields

Name	Description
`Type`	—
`NAME`	—
`TTL`	—
`BufferSize`	—
`RDATA`	—
`Zone`	—
`ZoneScope`	—
`Source`	—

Example Event

system:
  provider: Microsoft-Windows-DNSServer
  guid: EB79061A-A566-4698-9119-3ED2807060E7
  event_source_name: ''
  event_id: 519
  version: 0
  level: 4
  task: 3
  opcode: 0
  keywords: 4611686018460942336
  time_created: '2022-04-07T17:30:00.948256+00:00'
  event_record_id: 46
  correlation: {}
  execution:
    process_id: 2320
    thread_id: 2992
  channel: Microsoft-Windows-DNSServer/Audit
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Type: 1
  NAME: win-fpv0dsic9o6
  TTL: 1200
  BufferSize: 4
  RDATA: 0A000285
  Zone: sigma.fr
  ZoneScope: Default
  Source: 10.0.2.133
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 520 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: 4
Samples: 1

Message

A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6 via dynamic update from IP Address %8.

Fields

Name	Description
`Type`	—
`NAME`	—
`TTL`	—
`BufferSize`	—
`RDATA`	—
`Zone`	—
`ZoneScope`	—
`Source`	—

Example Event

system:
  provider: Microsoft-Windows-DNSServer
  guid: EB79061A-A566-4698-9119-3ED2807060E7
  event_source_name: ''
  event_id: 520
  version: 0
  level: 4
  task: 3
  opcode: 0
  keywords: 4611686018460942336
  time_created: '2022-04-07T17:30:00.948254+00:00'
  event_record_id: 45
  correlation: {}
  execution:
    process_id: 2320
    thread_id: 2992
  channel: Microsoft-Windows-DNSServer/Audit
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  Type: 1
  NAME: win-fpv0dsic9o6
  TTL: 0
  BufferSize: 4
  RDATA: 0A000285
  Zone: sigma.fr
  ZoneScope: Default
  Source: 10.0.2.133
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 521 — A resource record of type %1, name %2, TTL %3 and RDATA %5 was scavenged from scope %7 of zone %6.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A resource record of type %1, name %2, TTL %3 and RDATA %5 was scavenged from scope %7 of zone %6.

Fields

Name	Description
`Type`	—
`NAME`	—
`TTL`	—
`BufferSize`	—
`RDATA`	—
`Zone`	—
`ZoneScope`	—
`VirtualizationID`	—

Event ID 522 — The scope %1 was created in zone %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The scope %1 was created in zone %2. [virtualization instance: %3].

Fields

Name	Description
`ZoneScope`	—
`Zone`	—
`VirtualizationID`	—

Event ID 523 — The scope %1 was deleted in zone %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The scope %1 was deleted in zone %2. [virtualization instance: %3].

Fields

Name	Description
`ZoneScope`	—
`Zone`	—
`VirtualizationID`	—

Event ID 525 — The zone %1 was signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgorith...

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone %1 was signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgorithm=%5; DSRecordSetTtl=%6; EnableRfc5011KeyRollover=%7; IsKeyMasterServer=%8; KeyMasterServer=%9; NSec3HashAlgorithm=%10; NSec3Iterations=%11; NSec3OptOut=%12; NSec3RandomSaltLength=%13; NSec3UserSalt=%14; ParentHasSecureDelegation=%15; PropagationTime=%16; SecureDelegationPollingPeriod=%17; SignatureInceptionOffset=%18.

Fields

Name	Description
`ZoneName`	—
`DenialOfExistence`	—
`DistributeTrustAnchor`	—
`DnsKeyRecordSetTtl`	—
`DSRecordGenerationAlgorithm`	—
`DSRecordSetTtl`	—
`EnableRfc5011KeyRollover`	—
`IsKeyMasterServer`	—
`KeyMasterServer`	—
`NSec3HashAlgorithm`	—
`NSec3Iterations`	—
`NSec3OptOut`	—
`NSec3RandomSaltLength`	—
`NSec3UserSalt`	—
`ParentHasSecureDelegation`	—
`PropagationTime`	—
`SecureDelegationPollingPeriod`	—
`SignatureInceptionOffset`	—

Event ID 526 — The zone %1 was unsigned.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone %1 was unsigned.

Fields

Name	Description
`Zone`	—

Event ID 527 — The zone %1 was re-signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgor...

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone %1 was re-signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgorithm=%5; DSRecordSetTtl=%6; EnableRfc5011KeyRollover=%7; IsKeyMasterServer=%8; KeyMasterServer=%9; NSec3HashAlgorithm=%10; NSec3Iterations=%11; NSec3OptOut=%12; NSec3RandomSaltLength=%13; NSec3UserSalt=%14; ParentHasSecureDelegation=%15; PropagationTime=%16; SecureDelegationPollingPeriod=%17; SignatureInceptionOffset=%18.

Fields

Name	Description
`ZoneName`	—
`DenialOfExistence`	—
`DistributeTrustAnchor`	—
`DnsKeyRecordSetTtl`	—
`DSRecordGenerationAlgorithm`	—
`DSRecordSetTtl`	—
`EnableRfc5011KeyRollover`	—
`IsKeyMasterServer`	—
`KeyMasterServer`	—
`NSec3HashAlgorithm`	—
`NSec3Iterations`	—
`NSec3OptOut`	—
`NSec3RandomSaltLength`	—
`NSec3UserSalt`	—
`ParentHasSecureDelegation`	—
`PropagationTime`	—
`SecureDelegationPollingPeriod`	—
`SignatureInceptionOffset`	—

Event ID 528 — Rollover was started on the type %1 with GUID %2 of zone %3.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

Rollover was started on the type %1 with GUID %2 of zone %3.

Fields

Name	Description
`Type`	—
`GUID`	—
`Zone`	—

Event ID 529 — Rollover was completed on the type %1 with GUID %2 of zone %3.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

Rollover was completed on the type %1 with GUID %2 of zone %3.

Fields

Name	Description
`Type`	—
`GUID`	—
`Zone`	—

Event ID 530 — The type %1 with GUID %2 of zone %3 was marked for retiral.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The type %1 with GUID %2 of zone %3 was marked for retiral. The key will be removed after the rollover completion.

Fields

Name	Description
`Type`	—
`GUID`	—
`Zone`	—

Event ID 531 — Manual rollover was triggered on the type %1 with GUID %2 of zone %3.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

Manual rollover was triggered on the type %1 with GUID %2 of zone %3.

Fields

Name	Description
`Type`	—
`GUID`	—
`Zone`	—

Event ID 533 — The keys signing key with GUID %1 on zone %2 that was waiting for a Delegation Signer(DS) update on the parent has been forced to move to rollover ...

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The keys signing key with GUID %1 on zone %2 that was waiting for a Delegation Signer(DS) update on the parent has been forced to move to rollover completion.

Fields

Name	Description
`GUID`	—
`Zone`	—

Event ID 534 — DNSSEC setting metadata was exported %1 key signing key metadata from zone %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

DNSSEC setting metadata was exported %1 key signing key metadata from zone %2.

Fields

Name	Description
`WithWithout`	—
`Zone`	—

Event ID 535 — DNSSEC setting metadata was imported on zone %1.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

DNSSEC setting metadata was imported on zone %1.

Fields

Name	Description
`Zone`	—

Event ID 536 — A record of type %1, QNAME %2 was purged from scope %3 in cache.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A record of type %1, QNAME %2 was purged from scope %3 in cache.

Fields

Name	Description
`QTYPE`	—
`QNAME`	—
`Scope`	—

Event ID 537 — The forwarder list on scope %2 has been reset to %1.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The forwarder list on scope %2 has been reset to %1.

Fields

Name	Description
`Forwarders`	—
`Scope`	—

Event ID 540 — The root hints have been modified.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The root hints have been modified.

Event ID 541 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: 4
Samples: 1

Message

The setting %1 on scope %2 has been set to %3.

Fields

Name	Description
`Setting`	—
`Scope`	—
`NewValue`	—

Example Event

system:
  provider: Microsoft-Windows-DNSServer
  guid: EB79061A-A566-4698-9119-3ED2807060E7
  event_source_name: ''
  event_id: 541
  version: 0
  level: 4
  task: 10
  opcode: 0
  keywords: 4611686018561605632
  time_created: '2022-04-07T08:13:51.370506+00:00'
  event_record_id: 5
  correlation: {}
  execution:
    process_id: 2208
    thread_id: 4676
  channel: Microsoft-Windows-DNSServer/Audit
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  Setting: AdminConfigured
  Scope: .
  NewValue: '1'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 542 — The scope %1 of DNS server was created.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The scope %1 of DNS server was created.

Fields

Name	Description
`RecursionScope`	—

Event ID 543 — The scope %1 of DNS server was deleted.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The scope %1 of DNS server was deleted.

Fields

Name	Description
`RecursionScope`	—

Event ID 544 — The DNSKEY with Key Protocol %2, Base64 Data %4 and Crypto Algorithm %5 has been added at the trust point %1.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The DNSKEY with Key Protocol %2, Base64 Data %4 and Crypto Algorithm %5 has been added at the trust point %1.

Fields

Name	Description
`Name`	—
`KeyProtocol`	—
`BufferSize`	—
`Base64Data`	—
`CryptoAlgorithm`	—

Event ID 545 — The DS with Key Tag: %2, Digest Type: %3, Digest: %5 and Crypto Algorithm: %6 has been added at the trust point %1.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The DS with Key Tag: %2, Digest Type: %3, Digest: %5 and Crypto Algorithm: %6 has been added at the trust point %1.

Fields

Name	Description
`Name`	—
`KeyTag`	—
`DigestType`	—
`BufferSize`	—
`Digest`	—
`CryptoAlgorithm`	—

Event ID 546 — The trust point at %1 of type %2 has been removed.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The trust point at %1 of type %2 has been removed.

Fields

Name	Description
`Name`	—
`Type`	—

Event ID 547 — The trust anchor for the root zone has been added.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The trust anchor for the root zone has been added.

Event ID 548 — A request to restart the DNS server service has been received.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A request to restart the DNS server service has been received.

Event ID 549 — The debug logs have been cleared from %1 on DNS server.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The debug logs have been cleared from %1 on DNS server.

Fields

Name	Description
`FilePath`	—

Event ID 550 — The in-memory contents of all the zones on DNS server have been flushed to their respective files.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The in-memory contents of all the zones on DNS server have been flushed to their respective files.

Event ID 551 — All the statistical data for the DNS server has been cleared.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

All the statistical data for the DNS server has been cleared.

Event ID 552 — A resource record scavenging cycle has been started on the DNS Server.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A resource record scavenging cycle has been started on the DNS Server.

Event ID 553 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

%1

Fields

Name	Description
`EventString`	—

Event ID 554 — The resource record scavenging cycle has been terminated on the DNS Server.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The resource record scavenging cycle has been terminated on the DNS Server.

Event ID 555 — The DNS server has been prepared for demotion by removing references to it from all zones stored in the Active Directory.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The DNS server has been prepared for demotion by removing references to it from all zones stored in the Active Directory.

Event ID 556 — The information about the root hints on the DNS server has been written back to the persistent storage.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The information about the root hints on the DNS server has been written back to the persistent storage.

Event ID 557 — The addresses on which DNS server will listen has been changed to %1.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The addresses on which DNS server will listen has been changed to %1.

Fields

Name	Description
`ListenAddresses`	—

Event ID 558 — An immediate RFC 5011 active refresh has been scheduled for all trust points.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

An immediate RFC 5011 active refresh has been scheduled for all trust points.

Event ID 559 — The zone %1 is paused.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone %1 is paused. [virtualization instance: %2].

Fields

Name	Description
`Zone`	—
`VirtualizationID`	—

Event ID 560 — The zone %1 is resumed.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone %1 is resumed. [virtualization instance: %2].

Fields

Name	Description
`Zone`	—
`VirtualizationID`	—

Event ID 561 — The data for zone %1 has been reloaded from %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The data for zone %1 has been reloaded from %2. [virtualization instance: %3].

Fields

Name	Description
`Zone`	—
`FilePath`	—
`VirtualizationID`	—

Event ID 562 — The data for zone %1 has been refreshed from the master server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The data for zone %1 has been refreshed from the master server %2.

Fields

Name	Description
`Zone`	—
`MasterServer`	—

Event ID 563 — The secondary zone %1 has been expired and new data has been requested from the master server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The secondary zone %1 has been expired and new data has been requested from the master server %2.

Fields

Name	Description
`Zone`	—
`MasterServer`	—

Event ID 564 — The zone %1 has been reloaded from the Active Directory.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone %1 has been reloaded from the Active Directory.

Fields

Name	Description
`Zone`	—
`VirtualizationID`	—

Event ID 565 — The content of the zone %1 has been written to the disk and the notification has been sent to all the notify servers.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The content of the zone %1 has been written to the disk and the notification has been sent to all the notify servers. [virtualization instance: %2].

Fields

Name	Description
`Zone`	—
`VirtualizationID`	—

Event ID 566 — All DNS records at the node %1 in the zone %2 will have their aging time stamp set to the current time.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

All DNS records at the node %1 in the zone %2 will have their aging time stamp set to the current time.%3

Fields

Name	Description
`NodeName`	—
`Zone`	—
`SubTreeAging`	—

Event ID 567 — The Active Directory-integrated zone %1 has been updated.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The Active Directory-integrated zone %1 has been updated. Only %2 can run scavenging.

Fields

Name	Description
`Zone`	—
`ScavengeServers`	—

Event ID 568 — The key master role for zone %1 has been %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The key master role for zone %1 has been %2.%3

Fields

Name	Description
`Zone`	—
`SeizedOrTransfered`	—
`WithNewKeys`	—

Event ID 569 — A %1 signing key (%2) descriptor has been added on the zone %3 with following properties: KeyId=%4; KeyType=%5; CurrentState=%6; KeyStorageProvider...

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A %1 signing key (%2) descriptor has been added on the zone %3 with following properties: KeyId=%4; KeyType=%5; CurrentState=%6; KeyStorageProvider=%7; StoreKeysInAD=%8; CryptoAlgorithm=%9; KeyLength=%10; DnsKeySignatureValidityPeriod=%11; DSSignatureValidityPeriod=%12; ZoneSignatureValidityPeriod=%13; InitialRolloverOffset=%14; RolloverPeriod=%15; RolloverType=%16; NextRolloverAction=%17; LastRolloverTime=%18; NextRolloverTime=%19; CurrentRolloverStatus=%20; ActiveKey=%21; StandbyKey=%22; NextKey=%23. The zone will be resigned with the %2 generated with these properties.

Fields

Name	Description
`KeyOrZone`	—
`KskOrZsk`	—
`Zone`	—
`KeyId`	—
`KeyType`	—
`CurrentState`	—
`KeyStorageProvider`	—
`StoreKeysInAD`	—
`CryptoAlgorithm`	—
`KeyLength`	—
`DnsKeySignatureValidityPeriod`	—
`DSSignatureValidityPeriod`	—
`ZoneSignatureValidityPeriod`	—
`InitialRolloverOffset`	—
`RolloverPeriod`	—
`RolloverType`	—
`NextRolloverAction`	—
`LastRolloverTime`	—
`NextRolloverTime`	—
`CurrentRolloverStatus`	—
`ActiveKey`	—
`StandbyKey`	—
`NextKey`	—

Event ID 570 — A %1 signing key (%2) descriptor with GUID %3 has been updated on the zone %4.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A %1 signing key (%2) descriptor with GUID %3 has been updated on the zone %4. The properties of this %2 descriptor have been set to: KeyId=%5; KeyType=%6; CurrentState=%7; KeyStorageProvider=%8; StoreKeysInAD=%9; CryptoAlgorithm=%10; KeyLength=%11; DnsKeySignatureValidityPeriod=%12; DSSignatureValidityPeriod=%13; ZoneSignatureValidityPeriod=%14; InitialRolloverOffset=%15; RolloverPeriod=%16; RolloverType=%17; NextRolloverAction=%18; LastRolloverTime=%19; NextRolloverTime=%20; CurrentRolloverStatus=%21; ActiveKey=%22; StandbyKey=%23; NextKey=%24. The zone will be resigned with the %2 generated with these properties.

Fields

Name	Description
`KeyOrZone`	—
`KskOrZsk`	—
`GUID`	—
`Zone`	—
`KeyId`	—
`KeyType`	—
`CurrentState`	—
`KeyStorageProvider`	—
`StoreKeysInAD`	—
`CryptoAlgorithm`	—
`KeyLength`	—
`DnsKeySignatureValidityPeriod`	—
`DSSignatureValidityPeriod`	—
`ZoneSignatureValidityPeriod`	—
`InitialRolloverOffset`	—
`RolloverPeriod`	—
`RolloverType`	—
`NextRolloverAction`	—
`LastRolloverTime`	—
`NextRolloverTime`	—
`CurrentRolloverStatus`	—
`ActiveKey`	—
`StandbyKey`	—
`NextKey`	—

Event ID 571 — A %1 signing key (%2) descriptor %4 has been removed from the zone %3.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A %1 signing key (%2) descriptor %4 has been removed from the zone %3.

Fields

Name	Description
`KeyOrZone`	—
`KskOrZsk`	—
`Zone`	—
`GUID`	—

Event ID 572 — The state of the %1 signing key (%2) %3 has been modified on zone %4.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The state of the %1 signing key (%2) %3 has been modified on zone %4. The new active key is %5, standby key is %6 and next key is %7.

Fields

Name	Description
`KeyOrZone`	—
`KskOrZsk`	—
`GUID`	—
`Zone`	—
`ActiveKey`	—
`StandbyKey`	—
`NextKey`	—

Event ID 573 — A delegation for %1 in the scope %2 of zone %3 with the name server %4 has been added.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A delegation for %1 in the scope %2 of zone %3 with the name server %4 has been added. [virtualization instance: %5].

Fields

Name	Description
`ChildZone`	—
`Scope`	—
`Zone`	—
`NameServer`	—
`VirtualizationID`	—

Event ID 574 — The client subnet with name %1, and value %2 has been added to the DNS server.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The client subnet with name %1, and value %2 has been added to the DNS server.

Fields

Name	Description
`ClientSubnetRecord`	—
`ClientSubnetList`	—

Event ID 575 — The client subnet with name %1 has been deleted from the DNS server.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The client subnet with name %1 has been deleted from the DNS server.

Fields

Name	Description
`ClientSubnetRecord`	—

Event ID 576 — The client subnet with name %1 has been updated on the DNS server.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The client subnet with name %1 has been updated on the DNS server. The new IP subnets that it refers to are %2.

Fields

Name	Description
`ClientSubnetRecord`	—
`ClientSubnetList`	—

Event ID 577 — A server level policy %6 for %1 has been created on server %2 with following properties: Processing order:%3; Criteria:%4; Action:%5; Condition:%7;...

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A server level policy %6 for %1  has been created on server %2 with following properties: Processing order:%3; Criteria:%4; Action:%5; Condition:%7; IsEnabled:%8.

Fields

Name	Description
`Type`	—
`ServerName`	—
`ProcessingOrder`	—
`Criteria`	—
`Action`	—
`Policy`	—
`Condition`	—
`IsEnabled`	—

Event ID 578 — A zone level policy %8 for %1 has been created on zone %6 on server %2 with following properties: Processing order:%3; Criteria:%4; Action:%5; Scop...

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A zone level policy %8 for %1  has been created on zone %6 on server %2 with following properties: Processing order:%3; Criteria:%4; Action:%5; Scopes:%7; Condition:%9; IsEnabled:%10.

Fields

Name	Description
`Type`	—
`ServerName`	—
`ProcessingOrder`	—
`Criteria`	—
`Action`	—
`ZoneName`	—
`Scopes`	—
`Policy`	—
`Condition`	—
`IsEnabled`	—

Event ID 579 — A policy %6 to control recursion settings has been created on server %2 with following properties: Processing order:%3; Criteria:%4; Action:%5; Sco...

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A policy %6 to control recursion settings has been created on server %2 with following properties: Processing order:%3; Criteria:%4; Action:%5; Scope:%1; Condition:%7; IsEnabled:%8.

Fields

Name	Description
`RecursionScope`	—
`ServerName`	—
`ProcessingOrder`	—
`Criteria`	—
`Action`	—
`Policy`	—
`Condition`	—
`IsEnabled`	—

Event ID 580 — The server level policy %1 has been deleted from server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The server level policy %1 has been deleted from server %2.

Fields

Name	Description
`Policy`	—
`ServerName`	—

Event ID 581 — The zone level policy %1 has been deleted from zone %3 on server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone level policy %1 has been deleted from zone %3 on server %2.

Fields

Name	Description
`Policy`	—
`ServerName`	—
`Zone`	—

Event ID 582 — The policy %1 to control recursion settings has been deleted from server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The policy %1 to control recursion settings has been deleted from server %2.

Fields

Name	Description
`Policy`	—
`ServerName`	—

Event ID 583 — The server level policy %1 has been updated on server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The server level policy %1 has been updated on server %2. The properties %3 have been updated to %4.

Fields

Name	Description
`Policy`	—
`ServerName`	—
`OldPropertyValues`	—
`NewPropertyValues`	—

Event ID 584 — The zone level policy %1 has been updated on zone %3 of server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone level policy %1 has been updated on zone %3 of server %2. The properties %4 have been updated to %5.

Fields

Name	Description
`Policy`	—
`ServerName`	—
`Zone`	—
`OldPropertyValues`	—
`NewPropertyValues`	—

Event ID 585 — The server level policy %1 for recursion has been updated on server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The server level policy %1 for recursion has been updated on server %2. The properties %3 have been updated to %4.

Fields

Name	Description
`Policy`	—
`ServerName`	—
`OldPropertyValues`	—
`NewPropertyValues`	—

Event ID 586 — The zone level policy %1 has been updated on zone %4 of server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone level policy %1 has been updated on zone %4 of server %2. The policy does not use scope %3 for query resolution.

Fields

Name	Description
`Policy`	—
`ServerName`	—
`Scope`	—
`Zone`	—

Event ID 587 — The zone level policy %1 has been updated on zone %5 of server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone level policy %1 has been updated on zone %5 of server %2. The policy will use scope %3 for query resolution with weight %4.

Fields

Name	Description
`Policy`	—
`ServerName`	—
`Scope`	—
`ScopeWeight`	—
`Zone`	—

Event ID 588 — The zone level policy %1 has been updated on zone %6 of server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The zone level policy %1 has been updated on zone %6 of server %2. The weight assigned to scope %3 has been updated from %5 to %4.

Fields

Name	Description
`Policy`	—
`ServerName`	—
`Scope`	—
`ScopeWeightNew`	—
`ScopeWeightOld`	—
`Zone`	—

Event ID 589 — The server level policy %1 for recursion has been updated on server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The server level policy %1 for recursion has been updated on server %2. The policy will use recursion scope %3 instead of %4 for query resolution.

Fields

Name	Description
`Policy`	—
`ServerName`	—
`NewScope`	—
`OldScope`	—

Event ID 590 — The Response Rate Limiting is configured on the DNS server %1.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The Response Rate Limiting is configured on the DNS server  %1. The RRL settings are ResponsesPerSecond: %2, ErrorsPerSecond: %3, LeakRate: %4, TCRate: %5, Window: %6, MaximumResponsesInWindow: %7, IPv4PrefixLength: %8, IPv6PrefixLength: %9, Mode: %10.

Fields

Name	Description
`ServerName`	—
`ResponsePerSecond`	—
`ErrorsPerSecond`	—
`LeakRate`	—
`TCRate`	—
`WindowSize`	—
`TotalResponsesInWindow`	—
`IPv4PrefixLength`	—
`IPv6PrefixLength`	—
`Mode`	—

Event ID 591 — A exceptionlist %1 against response rate limiting has been added on the DNS server %2 with following settings: %3; Condition:%4.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A exceptionlist %1 against response rate limiting has been added on the DNS server %2 with following settings: %3; Condition:%4. The queries that fall under this exceptionlist shall be exempt from response rate limiting.

Fields

Name	Description
`RRLExceptionlist`	—
`ServerName`	—
`Criteria`	—
`Condition`	—

Event ID 592 — A exceptionlist %1 against response rate limiting has been deleted from server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A exceptionlist %1 against response rate limiting has been deleted from server %2.

Fields

Name	Description
`RRLExceptionlist`	—
`ServerName`	—

Event ID 593 — A exceptionlist %1 against response rate limiting has been updated on server %2.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

A exceptionlist %1 against response rate limiting has been updated on server %2. The properties %3 have been updated to %4.

Fields

Name	Description
`RRLExceptionlist`	—
`ServerName`	—
`OldPropertyValues`	—
`NewPropertyValues`	—

Event ID 594 — The virtualization instance %1 with friendly name %2 was created.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The virtualization instance %1 with friendly name %2 was created.

Fields

Name	Description
`VirtualizationID`	—
`FriendlyName`	—

Event ID 595 — The virtualization instance %1 was removed.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The virtualization instance %1 was removed. The zones hosted in this virtualization instance were automatically removed as a part of this.

Fields

Name	Description
`VirtualizationID`	—

Event ID 596 — The virtualization instance %1 was updated.

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Message

The virtualization instance %1 was updated. The %2 setting has been set to %3.

Fields

Name	Description
`VirtualizationID`	—
`OldFriendlyName`	—
`NewFriendlyName`	—

Event ID 597 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Source`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`Port`	—
`Flags`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—
`EdnsInfo`	—

Event ID 597 — QUERY_RECEIVED: Channel=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

QUERY_RECEIVED: Channel=%1; %2; InterfaceIP=%3; Source=%4; RD=%5; QNAME=%6; QTYPE=%7; XID=%8; Port=%9; Flags=%10; PacketData=%12; AdditionalInfo = VirtualizationInstanceOptionValue: %13; GUID=%14; %15

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Source`	—
`RD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`Port`	—
`Flags`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`GUID`	—
`EdnsInfo`	—

Event ID 598 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Destination`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`DNSSEC`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Scope`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`DataTag`	—
`ElapsedTime`	—
`GUID`	—
`EdnsInfo`	—
`StaleRecordsPresent`	—

Event ID 598 — RESPONSE_SUCCESS: Channel=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RESPONSE_SUCCESS: Channel=%1; %2; InterfaceIP=%3; Destination=%4; AA=%5; AD=%6; QNAME=%7; QTYPE=%8; XID=%9; DNSSEC=%10; RCODE=%11; Port=%12; Flags=%13; Scope=%14; Zone=%15; PolicyName=%16; PacketData=%18; AdditionalInfo= %19; DataTag=%20; ElapsedTime=%21; GUID=%22; %23; %24;

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Destination`	—
`AA`	—
`AD`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`DNSSEC`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Scope`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`DataTag`	—
`ElapsedTime`	—
`GUID`	—
`EdnsInfo`	—
`StaleRecordsPresent`	—

Event ID 599 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Reason`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`ElapsedTime`	—
`GUID`	—
`EdnsInfo`	—

Event ID 599 — RESPONSE_FAILURE: Channel=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

RESPONSE_FAILURE: Channel=%1; %2; InterfaceIP=%3; Reason=%4; Destination=%5; QNAME=%6; QTYPE=%7; XID=%8; RCODE=%9; Port=%10; Flags=%11; Zone=%12; PolicyName=%13; PacketData=%15; AdditionalInfo = VirtualizationInstance: %14; ElapsedTime=%17; GUID=%18; %19

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Reason`	—
`Destination`	—
`QNAME`	—
`QTYPE`	—
`XID`	—
`RCODE`	—
`Port`	—
`Flags`	—
`Zone`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—
`AdditionalInfo`	—
`ElapsedTime`	—
`GUID`	—
`EdnsInfo`	—

Event ID 600 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Source`	—
`Reason`	—

Event ID 600 — IGNORED_QUERY: Channel=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

IGNORED_QUERY: Channel=%1; %2; InterfaceIP=%3; Source=%4; Reason=%5

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Source`	—
`Reason`	—

Event ID 601 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Source`	—
`Reason`	—

Event ID 601 — IGNORED_QUERY: Channel=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

IGNORED_QUERY: Channel=%1; %2; InterfaceIP=%3; Source=%4; Reason=%5

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Source`	—
`Reason`	—

Event ID 602 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Source`	—
`QNAME`	—
`XID`	—
`Port`	—
`Flags`	—
`Secure`	—
`BufferSize`	—
`PacketData`	—

Event ID 602 — DYN_UPDATE_RECV: Channel=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

DYN_UPDATE_RECV: Channel=%1; %2; InterfaceIP=%3; Source=%4; QNAME=%5; XID=%6; Port=%7; Flags=%8; SECURE=%9; PacketData=%11

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Source`	—
`QNAME`	—
`XID`	—
`Port`	—
`Flags`	—
`Secure`	—
`BufferSize`	—
`PacketData`	—

Event ID 603 —

Provider: Microsoft-Windows-DNSServer
Channel: Audit

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—

Event ID 603 — DYN_UPDATE_RESPONSE: Channel=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical

Message

DYN_UPDATE_RESPONSE: Channel=%1; %2; InterfaceIP=%3; Destination=%4; QNAME=%5; XID=%6; ZoneScope=%7; Zone=%8; RCODE=%9; PolicyName=%10; PacketData=%12

Fields

Name	Description
`Channel`	—
`ChannelInfo`	—
`InterfaceIP`	—
`Destination`	—
`QNAME`	—
`XID`	—
`ZoneScope`	—
`Zone`	—
`RCODE`	—
`PolicyName`	—
`BufferSize`	—
`PacketData`	—