Microsoft-Windows-DNSServer

167 events across 2 channels

Event | Title | Channel
256 | QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; … | Analytical
256 | QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; … | Audit
257 | RESPONSE_SUCCESS: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Analytical
257 | RESPONSE_SUCCESS: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Audit
258 | RESPONSE_FAILURE: TCP=. | Analytical
258 | RESPONSE_FAILURE: TCP=TCP; InterfaceIP=InterfaceIP; Reason=Reason; … | Audit
259 | IGNORED_QUERY: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason; … | Analytical
259 | IGNORED_QUERY: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason; … | Audit
260 | RECURSE_QUERY_OUT: TCP=. | Analytical
260 | RECURSE_QUERY_OUT: TCP=TCP; Destination=Destination; InterfaceIP=InterfaceIP; … | Audit
261 | RECURSE_RESPONSE_IN: TCP=. | Analytical
261 | RECURSE_RESPONSE_IN: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; … | Audit
262 | RECURSE_QUERY_TIMEOUT: TCP=TCP; InterfaceIP=InterfaceIP; … | Analytical
262 | RECURSE_QUERY_TIMEOUT: TCP=TCP; InterfaceIP=InterfaceIP; … | Audit
263 | DYN_UPDATE_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; … | Analytical
263 | DYN_UPDATE_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; … | Audit
264 | DYN_UPDATE_RESPONSE: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Analytical
264 | DYN_UPDATE_RESPONSE: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Audit
265 | IXFR_REQ_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; … | Analytical
265 | IXFR_REQ_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; … | Audit
266 | IXFR_REQ_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; … | Analytical
266 | IXFR_REQ_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; … | Audit
267 | IXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Analytical
267 | IXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Audit
268 | IXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Analytical
268 | IXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Audit
269 | AXFR_REQ_OUT: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; … | Analytical
269 | AXFR_REQ_OUT: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; … | Audit
270 | AXFR_REQ_RECV: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; … | Analytical
270 | AXFR_REQ_RECV: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; … | Audit
271 | AXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Analytical
271 | AXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Audit
272 | AXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Analytical
272 | AXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Audit
273 | XFR_NOTIFY_RECV: Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; … | Analytical
273 | XFR_NOTIFY_RECV: Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; … | Audit
274 | XFR_NOTIFY_OUT: Destination=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; … | Analytical
274 | XFR_NOTIFY_OUT: Destination=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; … | Audit
275 | XFR_NOTIFY_ACK_IN: Source=Source; InterfaceIP=InterfaceIP; … | Analytical
275 | XFR_NOTIFY_ACK_IN: Source=Source; InterfaceIP=InterfaceIP; PacketData= | Audit
276 | XFR_NOTIFY_ACK_OUT: Destination=Destination; InterfaceIP=InterfaceIP; Zone=Zone; … | Analytical
276 | XFR_NOTIFY_ACK_OUT: Destination=Destination; InterfaceIP=InterfaceIP; Zone=Zone; … | Audit
277 | DYN_UPDATE_FORWARD: TCP=TCP; ForwardInterfaceIP=ForwardInterfaceIP; … | Analytical
277 | DYN_UPDATE_FORWARD: TCP=TCP; ForwardInterfaceIP=ForwardInterfaceIP; … | Audit
278 | DYN_UPDATE_RESPONSE_IN: TCP=TCP; InterfaceIP=InterfaceIP; Source=Destination; … | Analytical
278 | DYN_UPDATE_RESPONSE_IN: TCP=TCP; InterfaceIP=InterfaceIP; Source=Destination; … | Audit
279 | INTERNAL_LOOKUP_CNAME: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; … | Analytical
279 | INTERNAL_LOOKUP_CNAME: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; … | Audit
280 | INTERNAL_LOOKUP_ADDITIONAL: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; … | Analytical
280 | INTERNAL_LOOKUP_ADDITIONAL: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; … | Audit
281 | RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; … | Analytical
281 | RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; … | Audit
282 | RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; … | Analytical
282 | RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; … | Audit
283 | RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; … | Analytical
283 | RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; … | Audit
284 | RESPONSE_SUCCESS: TCP=. | Analytical
284 | RESPONSE_SUCCESS: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; … | Audit
285 | RESPONSE_FAILURE: TCP=. | Analytical
285 | RESPONSE_FAILURE: TCP=TCP; InterfaceIP=InterfaceIP; Reason=Reason; … | Audit
286 | RECURSE_ALIAS_FAILURE: TCP=. | Analytical
286 | RECURSE_ALIAS_FAILURE: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; … | Audit
287 | QUERY_RECEIVED: TCP=. | Analytical
287 | QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; … | Audit
288 | DNSSEC_VALIDATION_FAILURE: QNAME=QNAME; RRTYPE=RRTYPE; QueryGUID=QueryGUID; … | Analytical
288 | Event ID 288 | Audit
289 | RECURSE_QUERY_OUT: TCP=. | Analytical
289 | RECURSE_QUERY_OUT: TCP=TCP; Destination=Destination; InterfaceIP=InterfaceIP; … | Audit
290 | RECURSE_RESPONSE_IN: TCP=. | Analytical
290 | RECURSE_RESPONSE_IN: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; … | Audit
291 | RECURSE_QUERY_TIMEOUT: TCP=. | Analytical
291 | RECURSE_QUERY_TIMEOUT: TCP=TCP; InterfaceIP=InterfaceIP; … | Audit
512 | The zone Name was created with settings: Type=Type; Lookup=Lookup; … | Audit
513 | The zone Zone was deleted. | Audit
514 | The zone Zone was updated. | Audit
515 | A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created … | Audit
516 | A resource record of type Type, name NAME and RDATA RDATA was deleted from scope … | Audit
517 | All resource records of type Type, name NAME were deleted from scope ZoneScope … | Audit
518 | All resource records at Node name NAME were deleted from scope ZoneScope of zone … | Audit
519 | A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created … | Audit
520 | A resource record of type Type, name NAME and RDATA RDATA was deleted from scope … | Audit
521 | A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was scavenged … | Audit
522 | The scope ZoneScope was created in zone Zone. | Audit
523 | The scope ZoneScope was deleted in zone Zone. | Audit
525 | The zone ZoneName was signed with following properties: … | Audit
526 | The zone Zone was unsigned. | Audit
527 | The zone ZoneName was re-signed with following properties: … | Audit
528 | Rollover was started on the type Type with GUID GUID of zone Zone. | Audit
529 | Rollover was completed on the type Type with GUID GUID of zone Zone. | Audit
530 | The type Type with GUID GUID of zone Zone was marked for retiral. | Audit
531 | Manual rollover was triggered on the type Type with GUID GUID of zone Zone. | Audit
533 | The keys signing key with GUID GUID on zone Zone that was waiting for a … | Audit
534 | DNSSEC setting metadata was exported WithWithout key signing key metadata from … | Audit
535 | DNSSEC setting metadata was imported on zone Zone. | Audit
536 | A record of type QTYPE, QNAME QNAME was purged from scope Scope in cache. | Audit
537 | The forwarder list on scope Scope has been reset to Forwarders. | Audit
540 | The root hints have been modified. | Audit
541 | The setting Setting on scope Scope has been set to NewValue. | Audit
542 | The scope RecursionScope of DNS server was created. | Audit
543 | The scope RecursionScope of DNS server was deleted. | Audit
544 | The DNSKEY with Key Protocol KeyProtocol, Base64 Data Base64Data and Crypto … | Audit
545 | The DS with Key Tag: KeyTag, Digest Type: DigestType, Digest: Digest and Crypto … | Audit
546 | The trust point at Name of type Type has been removed. | Audit
547 | The trust anchor for the root zone has been added. | Audit
548 | A request to restart the DNS server service has been received. | Audit
549 | The debug logs have been cleared from FilePath on DNS server. | Audit
550 | The in-memory contents of all the zones on DNS server have been flushed to their … | Audit
551 | All the statistical data for the DNS server has been cleared. | Audit
552 | A resource record scavenging cycle has been started on the DNS Server. | Audit
553 | EventString. | Audit
554 | The resource record scavenging cycle has been terminated on the DNS Server. | Audit
555 | The DNS server has been prepared for demotion by removing references to it from … | Audit
556 | The information about the root hints on the DNS server has been written back to … | Audit
557 | The addresses on which DNS server will listen has been changed to … | Audit
558 | An immediate RFC 5011 active refresh has been scheduled for all trust points. | Audit
559 | The zone Zone is paused. | Audit
560 | The zone Zone is resumed. | Audit
561 | The data for zone Zone has been reloaded from FilePath. | Audit
562 | The data for zone Zone has been refreshed from the master server MasterServer. | Audit
563 | The secondary zone Zone has been expired and new data has been requested from … | Audit
564 | The zone Zone has been reloaded from the Active Directory. | Audit
565 | The content of the zone Zone has been written to the disk and the notification … | Audit
566 | All DNS records at the node NodeName in the zone Zone will have their aging time … | Audit
567 | The Active Directory-integrated zone Zone has been updated. | Audit
568 | The key master role for zone Zone has been SeizedOrTransfered. | Audit
569 | A KeyOrZone signing key (KskOrZsk) descriptor has been added on the zone Zone … | Audit
570 | A KeyOrZone signing key (KskOrZsk) descriptor with GUID GUID has been updated on … | Audit
571 | A KeyOrZone signing key (KskOrZsk) descriptor GUID has been removed from the … | Audit
572 | The state of the KeyOrZone signing key (KskOrZsk) GUID has been modified on zone … | Audit
573 | A delegation for ChildZone in the scope Scope of zone Zone with the name server … | Audit
574 | The client subnet with name ClientSubnetRecord, and value ClientSubnetList has … | Audit
575 | The client subnet with name ClientSubnetRecord has been deleted from the DNS … | Audit
576 | The client subnet with name ClientSubnetRecord has been updated on the DNS … | Audit
577 | A server level policy Policy for Type has been created on server ServerName with … | Audit
578 | A zone level policy Policy for Type has been created on zone ZoneName on server … | Audit
579 | A policy Policy to control recursion settings has been created on server … | Audit
580 | The server level policy Policy has been deleted from server ServerName. | Audit
581 | The zone level policy Policy has been deleted from zone Zone on server … | Audit
582 | The policy Policy to control recursion settings has been deleted from server … | Audit
583 | The server level policy Policy has been updated on server ServerName. | Audit
584 | The zone level policy Policy has been updated on zone Zone of server ServerName. | Audit
585 | The server level policy Policy for recursion has been updated on server … | Audit
586 | The zone level policy Policy has been updated on zone Zone of server ServerName. | Audit
587 | The zone level policy Policy has been updated on zone Zone of server ServerName. | Audit
588 | The zone level policy Policy has been updated on zone Zone of server ServerName. | Audit
589 | The server level policy Policy for recursion has been updated on server … | Audit
590 | The Response Rate Limiting is configured on the DNS server ServerName. | Audit
591 | A exceptionlist RRLExceptionlist against response rate limiting has been added … | Audit
592 | A exceptionlist RRLExceptionlist against response rate limiting has been deleted … | Audit
593 | A exceptionlist RRLExceptionlist against response rate limiting has been updated … | Audit
594 | The virtualization instance VirtualizationID with friendly name FriendlyName was … | Audit
595 | The virtualization instance VirtualizationID was removed. | Audit
596 | The virtualization instance VirtualizationID was updated. | Audit
597 | QUERY_RECEIVED: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; … | Analytical
597 | Event ID 597 | Audit
598 | RESPONSE_SUCCESS: Channel=. | Analytical
598 | Event ID 598 | Audit
599 | RESPONSE_FAILURE: Channel=. | Analytical
599 | Event ID 599 | Audit
600 | IGNORED_QUERY: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; … | Analytical
600 | Event ID 600 | Audit
601 | IGNORED_QUERY: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; … | Analytical
601 | Event ID 601 | Audit
602 | DYN_UPDATE_RECV: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; … | Analytical
602 | Event ID 602 | Audit
603 | DYN_UPDATE_RESPONSE: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; … | Analytical
603 | Event ID 603 | Audit

Event ID 256: QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; AdditionalInfo = Virtualiz...

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (NSA)
Task: LOOK_UP

Description

QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; AdditionalInfo = VirtualizationInstanceOptionValue: AdditionalInfo; GUID=GUID.

Message

QUERY_RECEIVED: TCP=%1; InterfaceIP=%2; Source=%3; RD=%4; QNAME=%5; QTYPE=%6; XID=%7; Port=%8; Flags=%9; PacketData=%11; AdditionalInfo = VirtualizationInstanceOptionValue: %12; GUID=%13

Fields

Name | Description
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
RD UInt8
QNAME AnsiString
QTYPE UInt32 | Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID UInt32
Port UInt32
Flags UInt32
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
GUID UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 256,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": "0x0000000000000001",
    "time_created": "2026-06-02T05:16:25.362+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4504,
      "thread_id": 10580
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AdditionalInfo": ".",
    "BufferSize": 40,
    "Flags": 256,
    "GUID": "{00A28FC1-E523-4539-988F-65542019270F}",
    "InterfaceIP": "127.0.0.1",
    "PacketData": "0001010000010000000000000131013001300331323707696E2D61646472046172706100000C0001",
    "Port": 53005,
    "QNAME": "1.0.0.127.in-addr.arpa.",
    "QTYPE": 12,
    "RD": 1,
    "Source": "127.0.0.1",
    "TCP": 0,
    "XID": 1
  },
  "message": "LOOK_UP"
}

Event ID 256: QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; AdditionalInfo = VirtualizationInstanceOpti...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Collection Priority: Recommended (NSA)
Task: LOOK_UP

Description

QUERY_RECEIVED: TCP=; InterfaceIP=; Source=; RD=; QNAME=; QTYPE=; XID=; Port=; Flags=; PacketData=; AdditionalInfo = VirtualizationInstanceOptionValue: ; GUID=.

Fields

Name | Description
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
RD UInt8
QNAME AnsiString
QTYPE UInt32 | Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID UInt32
Port UInt32
Flags UInt32
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
GUID UnicodeString

Event ID 257: RESPONSE_SUCCESS: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; DNSSEC=DNSSEC; RCODE=RCODE; Port=Port; Flags=Flags; Scop...

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (NSA, others)
Task: LOOK_UP

Description

RESPONSE_SUCCESS: TCP=; InterfaceIP=; Destination=; AA=; AD=; QNAME=; QTYPE=; XID=; DNSSEC=; RCODE=; Port=; Flags=; Scope=; Zone=; PolicyName=; PacketData=; AdditionalInfo= ; ElapsedTime=; GUID=.

Message

RESPONSE_SUCCESS: TCP=%1; InterfaceIP=%2; Destination=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; DNSSEC=%9; RCODE=%10; Port=%11; Flags=%12; Scope=%13; Zone=%14; PolicyName=%15; PacketData=%17; AdditionalInfo= %18; ElapsedTime=%19; GUID=%20 %21

Fields

Name | Description
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
AA UInt8
AD UInt8
QNAME AnsiString
QTYPE UInt32 | Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID UInt32
DNSSEC UInt8
RCODE UInt32 | Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port UInt32
Flags UInt32
Scope UnicodeString
Zone UnicodeString
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
ElapsedTime UInt32
GUID UnicodeString
StaleRecordsPresent UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 257,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": "0x0000000000000002",
    "time_created": "2026-06-02T05:16:25.362+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4504,
      "thread_id": 10580
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AA": 1,
    "AD": 0,
    "AdditionalInfo": "VirtualizationInstance:.",
    "BufferSize": 63,
    "DNSSEC": 0,
    "Destination": "127.0.0.1",
    "ElapsedTime": 1,
    "Flags": 34176,
    "GUID": "{00A28FC1-E523-4539-988F-65542019270F}",
    "InterfaceIP": "127.0.0.1",
    "PacketData": "0001858000010001000000000131013001300331323707696E2D61646472046172706100000C0001C00C000C000100000E10000B096C6F63616C686F737400",
    "PolicyName": "NULL",
    "Port": 53005,
    "QNAME": "1.0.0.127.in-addr.arpa.",
    "QTYPE": 12,
    "RCODE": 0,
    "Scope": "Default",
    "TCP": 0,
    "XID": 1,
    "Zone": "127.in-addr.arpa"
  },
  "message": "LOOK_UP"
}

Event ID 257: RESPONSE_SUCCESS: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; DNSSEC=DNSSEC; RCODE=RCODE; Port=Port; Flags=Flags; Scope=Scope; Zone=Z...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Collection Priority: Recommended (NSA, others)
Task: LOOK_UP

Description

RESPONSE_SUCCESS: TCP=; InterfaceIP=; Destination=; AA=; AD=; QNAME=; QTYPE=; XID=; DNSSEC=; RCODE=; Port=; Flags=; Scope=; Zone=; PolicyName=; PacketData=; AdditionalInfo= ; ElapsedTime=; GUID=.

Fields

Name | Description
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
AA UInt8
AD UInt8
QNAME AnsiString
QTYPE UInt32 | Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID UInt32
DNSSEC UInt8
RCODE UInt32 | Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port UInt32
Flags UInt32
Scope UnicodeString
Zone UnicodeString
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
ElapsedTime UInt32
GUID UnicodeString
StaleRecordsPresent UnicodeString

Event ID 258: RESPONSE_FAILURE: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Also via: realtime ETW trace
Level: Error
Collection Priority: Recommended (ASD)
Task: LOOK_UP

Description

RESPONSE_FAILURE: TCP=TCP; InterfaceIP=InterfaceIP; Reason=Reason; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; Flags=Flags; Zone=Zone; PolicyName=PolicyName; PacketData=PacketData; AdditionalInfo = VirtualizationInstance: BufferSize; ElapsedTime=ElapsedTime; GUID=GUID

Message

RESPONSE_FAILURE: TCP=%1; InterfaceIP=%2; Reason=%3; Destination=%4; QNAME=%5; QTYPE=%6; XID=%7; RCODE=%8; Port=%9; Flags=%10; Zone=%11; PolicyName=%12; PacketData=%14; AdditionalInfo = VirtualizationInstance: %13; ElapsedTime=%16; GUID=%17

Fields

Name | Description
TCP UInt8
InterfaceIP AnsiString
Reason UnicodeString
Destination AnsiString
QNAME AnsiString
QTYPE UInt32 | Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID UInt32
RCODE UInt32 | Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port UInt32
Flags UInt32
Zone UnicodeString
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
ElapsedTime UInt32
GUID UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 258,
    "version": 0,
    "level": 2,
    "task": 1,
    "opcode": 0,
    "keywords": "0x0000000000000004",
    "time_created": "2026-06-02T05:16:26.645+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4504,
      "thread_id": 10580
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AdditionalInfo": ".",
    "BufferSize": 30,
    "Destination": "127.0.0.1",
    "ElapsedTime": 0,
    "Flags": 33154,
    "GUID": "{261CCD1C-B5E8-4C9F-AB81-26CF110C6CA2}",
    "InterfaceIP": "127.0.0.1",
    "PacketData": "9B18818200010000000000000C4A442D444330312D323032320000010001",
    "PolicyName": "NULL",
    "Port": 60070,
    "QNAME": "JD-DC01-2022.",
    "QTYPE": 1,
    "RCODE": 2,
    "Reason": "Single Label",
    "TCP": 0,
    "XID": 39704,
    "Zone": "..Cache"
  },
  "message": "LOOK_UP"
}

Event ID 258: RESPONSE_FAILURE: TCP=TCP; InterfaceIP=InterfaceIP; Reason=Reason; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; Flags=Flags; Zone=Zone; PolicyName=PolicyName;...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Collection Priority: Recommended (ASD)
Task: LOOK_UP

Fields

Name | Description
TCP UInt8
InterfaceIP AnsiString
Reason UnicodeString
Destination AnsiString
QNAME AnsiString
QTYPE UInt32 | Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID UInt32
RCODE UInt32 | Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port UInt32
Flags UInt32
Zone UnicodeString
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
ElapsedTime UInt32
GUID UnicodeString

Event ID 259: IGNORED_QUERY: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Zone=Zone; PolicyName=PolicyName; AdditionalInfo = VirtualizationIns...

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Collection Priority: Recommended (ASD)
Task: LOOK_UP

Description

IGNORED_QUERY: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Zone=Zone; PolicyName=PolicyName; AdditionalInfo = VirtualizationInstance: AdditionalInfo.

Message

IGNORED_QUERY: TCP=%1; InterfaceIP=%2; Source=%3; Reason=%4; QNAME=%5; QTYPE=%6; XID=%7; Zone=%8; PolicyName=%9; AdditionalInfo = VirtualizationInstance: %10

Fields

Name | Description
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
Reason UnicodeString
QNAME AnsiString
QTYPE UInt32 | Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID UInt32
Zone UnicodeString
PolicyName UnicodeString
AdditionalInfo UnicodeString

Event ID 259: IGNORED_QUERY: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Zone=Zone; PolicyName=PolicyName; AdditionalInfo = VirtualizationInstance:

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Collection Priority: Recommended (ASD)
Task: LOOK_UP

Description

IGNORED_QUERY: TCP=; InterfaceIP=; Source=; Reason=; QNAME=; QTYPE=; XID=; Zone=; PolicyName=; AdditionalInfo = VirtualizationInstance.

Fields

Name | Description
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
Reason UnicodeString
QNAME AnsiString
QTYPE UInt32 | Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID UInt32
Zone UnicodeString
PolicyName UnicodeString
AdditionalInfo UnicodeString

Event ID 260: RECURSE_QUERY_OUT: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (ASD)
Task: RECURSE_QUERY

Description

RECURSE_QUERY_OUT: TCP=TCP; Destination=Destination; InterfaceIP=InterfaceIP; RD=RD; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=CacheScope; PolicyName=PolicyName; PacketData=PacketData; AdditionalInfo = VirtualizationInstance: AdditionalInfo; GUID=GUID

Message

RECURSE_QUERY_OUT: TCP=%1; Destination=%2; InterfaceIP=%3; RD=%4; QNAME=%5; QTYPE=%6; QXID=%7; XID=%8; Port=%9; Flags=%10; RecursionScope=%11; CacheScope=%12; PolicyName=%13; PacketData=%15; AdditionalInfo = VirtualizationInstance: %16; GUID=%17

Fields

Name | Description
TCP UInt8
Destination AnsiString
InterfaceIP AnsiString
RD UInt8
QNAME AnsiString
QTYPE UInt32 | Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
QXID UInt32
XID UInt32
Port UInt32
Flags UInt32
RecursionScope UnicodeString
CacheScope UnicodeString
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
GUID UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 260,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": "0x0000000000000010",
    "time_created": "2026-06-02T05:16:25.363+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4504,
      "thread_id": 10580
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AdditionalInfo": ".",
    "BufferSize": 78,
    "CacheScope": "Default",
    "Destination": "10.2.10.254",
    "Flags": 256,
    "GUID": "{5D621ABD-6B0A-4B49-B2FB-76FFBA3CB9E4}",
    "InterfaceIP": "0.0.0.0",
    "PacketData": "7211010000010000000000011F746869732D6E616D652D646F65732D6E6F742D65786973742D65747767656E07696E76616C696404686F6D65046172706100000100010000290FA0000080000000",
    "PolicyName": "NULL",
    "Port": 0,
    "QNAME": "this-name-does-not-exist-etwgen.invalid.home.arpa.",
    "QTYPE": 1,
    "QXID": 4,
    "RD": 1,
    "RecursionScope": ".",
    "TCP": 0,
    "XID": 29201
  },
  "message": "RECURSE_QUERY"
}

Event ID 260: RECURSE_QUERY_OUT: TCP=TCP; Destination=Destination; InterfaceIP=InterfaceIP; RD=RD; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Collection Priority: Recommended (ASD)
Task: RECURSE_QUERY

Fields

Name | Description
TCP UInt8
Destination AnsiString
InterfaceIP AnsiString
RD UInt8
QNAME AnsiString
QTYPE UInt32 | Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
QXID UInt32
XID UInt32
Port UInt32
Flags UInt32
RecursionScope UnicodeString
CacheScope UnicodeString
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
GUID UnicodeString

Event ID 261: RECURSE_RESPONSE_IN: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (ASD)
Task: RECURSE_QUERY

Description

RECURSE_RESPONSE_IN: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RemoteQueriesSent=RecursionDepth; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=CacheScope; PacketData=PacketData; AdditionalInfo = VirtualizationInstance: AdditionalInfo; GUID=GUID; QueriesAttached=QueriesAttached

Message

RECURSE_RESPONSE_IN: TCP=%1; Source=%2; InterfaceIP=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; RemoteQueriesSent=%9; Port=%10; Flags=%11; RecursionScope=%12; CacheScope=%13; PacketData=%15; AdditionalInfo = VirtualizationInstance: %16; GUID=%17; QueriesAttached=%18

Fields

Name | Description
TCP UInt8
Source AnsiString
InterfaceIP AnsiString
AA UInt8
AD UInt8
QNAME AnsiString
QTYPE UInt32 | Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID UInt32
RecursionDepth UInt32
Port UInt32
Flags UInt32
RecursionScope UnicodeString
CacheScope UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
GUID UnicodeString
QueriesAttached UInt32

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 261,
    "version": 0,
    "level": 4,
    "task": 2,
    "opcode": 0,
    "keywords": "0x0000000000000020",
    "time_created": "2026-06-02T05:16:25.364+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4504,
      "thread_id": 10580
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "AA": 0,
    "AD": 0,
    "AdditionalInfo": ".",
    "BufferSize": 155,
    "CacheScope": "Default",
    "Flags": 33155,
    "GUID": "{5D621ABD-6B0A-4B49-B2FB-76FFBA3CB9E4}",
    "InterfaceIP": "0.0.0.0",
    "PacketData": "7211818300010000000100011F746869732D6E616D652D646F65732D6E6F742D65786973742D65747767656E07696E76616C696404686F6D6504617270610000010001C0340006000100092F90004108707269736F6E65720469616E61036F7267000A686F73746D61737465720C726F6F742D73657276657273C05D0000000100093A800000003C00093A8000093A800000290FA0000080000000",
    "Port": 0,
    "QNAME": "this-name-does-not-exist-etwgen.invalid.home.arpa.",
    "QTYPE": 1,
    "QueriesAttached": 0,
    "RecursionDepth": 1,
    "RecursionScope": ".",
    "Source": "10.2.10.254",
    "TCP": 0,
    "XID": 29201
  },
  "message": "RECURSE_QUERY"
}

Event ID 261: RECURSE_RESPONSE_IN: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RemoteQueriesSent=RecursionDepth; Port=Port; Flags=Flags; RecursionScope=Recur...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Collection Priority: Recommended (ASD)
Task: RECURSE_QUERY

Fields

Name Type
TCP UInt8
Source AnsiString
InterfaceIP AnsiString
AA UInt8
AD UInt8
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID UInt32
RecursionDepth UInt32
Port UInt32
Flags UInt32
RecursionScope UnicodeString
CacheScope UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
GUID UnicodeString
QueriesAttached UInt32

Event ID 262: RECURSE_QUERY_TIMEOUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheSco...

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Collection Priority: Recommended (ASD)
Task: RECURSE_QUERY

Description

RECURSE_QUERY_TIMEOUT: TCP=; InterfaceIP=; Destination=; QNAME=; QTYPE=; QXID=; XID=; Port=; Flags=; RecursionScope=; CacheScope=; AdditionalInfo = VirtualizationInstance: ; GUID=.

Message

RECURSE_QUERY_TIMEOUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; QTYPE=%5; QXID=%6; XID=%7; Port=%8; Flags=%9; RecursionScope=%10; CacheScope=%11; AdditionalInfo = VirtualizationInstance: %12; GUID=%13

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
QXID UInt32
XID UInt32
Port UInt32
Flags UInt32
RecursionScope UnicodeString
CacheScope UnicodeString
AdditionalInfo UnicodeString
GUID UnicodeString

Event ID 262: RECURSE_QUERY_TIMEOUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=Cac...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Collection Priority: Recommended (ASD)
Task: RECURSE_QUERY

Description

RECURSE_QUERY_TIMEOUT: TCP=; InterfaceIP=; Destination=; QNAME=; QTYPE=; QXID=; XID=; Port=; Flags=; RecursionScope=; CacheScope=; AdditionalInfo = VirtualizationInstance: ; GUID=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
QXID UInt32
XID UInt32
Port UInt32
Flags UInt32
RecursionScope UnicodeString
CacheScope UnicodeString
AdditionalInfo UnicodeString
GUID UnicodeString

Event ID 263: DYN_UPDATE_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; Port=Port; Flags=Flags; SECURE=Secure; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Collection Priority: Recommended (ASD)
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; Port=Port; Flags=Flags; SECURE=Secure; PacketData=PacketData.

Message

DYN_UPDATE_RECV: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; Port=%6; Flags=%7; SECURE=%8; PacketData=%10

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
QNAME AnsiString
XID UInt32
Port UInt32
Flags UInt32
Secure UInt8
BufferSize UInt32
PacketData Binary

Event ID 263: DYN_UPDATE_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; Port=Port; Flags=Flags; SECURE=Secure; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Collection Priority: Recommended (ASD)
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_RECV: TCP=; InterfaceIP=; Source=; QNAME=; XID=; Port=; Flags=; SECURE=; PacketData=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
QNAME AnsiString
XID UInt32
Port UInt32
Flags UInt32
Secure UInt8
BufferSize UInt32
PacketData Binary

Event ID 264: DYN_UPDATE_RESPONSE: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PolicyName=PolicyName; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Collection Priority: Recommended (ASD)
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_RESPONSE: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PolicyName=PolicyName; PacketData=PacketData.

Message

DYN_UPDATE_RESPONSE: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PolicyName=%9; PacketData=%11

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 264: DYN_UPDATE_RESPONSE: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PolicyName=PolicyName; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Collection Priority: Recommended (ASD)
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_RESPONSE: TCP=; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PolicyName=; PacketData=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 265: IXFR_REQ_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

IXFR_REQ_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Message

IXFR_REQ_OUT: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 265: IXFR_REQ_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

IXFR_REQ_OUT: TCP=; InterfaceIP=; Source=; QNAME=; XID=; ZoneScope=; Zone=; PacketData=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 266: IXFR_REQ_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

IXFR_REQ_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Message

IXFR_REQ_RECV: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 266: IXFR_REQ_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

IXFR_REQ_RECV: TCP=; InterfaceIP=; Source=; QNAME=; XID=; ZoneScope=; Zone=; PacketData=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 267: IXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

IXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.

Message

IXFR_RESP_OUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
BufferSize UInt32
PacketData Binary

Event ID 267: IXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

IXFR_RESP_OUT: TCP=; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PacketData=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
BufferSize UInt32
PacketData Binary

Event ID 268: IXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

IXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.

Message

IXFR_RESP_RECV: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
BufferSize UInt32
PacketData Binary

Event ID 268: IXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

IXFR_RESP_RECV: TCP=; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PacketData=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
BufferSize UInt32
PacketData Binary

Event ID 269: AXFR_REQ_OUT: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

AXFR_REQ_OUT: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Message

AXFR_REQ_OUT: TCP=%1; Source=%2; InterfaceIP=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9

Fields

Name Type
TCP UInt8
Source AnsiString
InterfaceIP AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 269: AXFR_REQ_OUT: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

AXFR_REQ_OUT: TCP=; Source=; InterfaceIP=; QNAME=; XID=; ZoneScope=; Zone=; PacketData=.

Fields

Name Type
TCP UInt8
Source AnsiString
InterfaceIP AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 270: AXFR_REQ_RECV: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

AXFR_REQ_RECV: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Message

AXFR_REQ_RECV: TCP=%1; Source=%2; InterfaceIP=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; PacketData=%9

Fields

Name Type
TCP UInt8
Source AnsiString
InterfaceIP AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 270: AXFR_REQ_RECV: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

AXFR_REQ_RECV: TCP=; Source=; InterfaceIP=; QNAME=; XID=; ZoneScope=; Zone=; PacketData=.

Fields

Name Type
TCP UInt8
Source AnsiString
InterfaceIP AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 271: AXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

AXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE.

Message

AXFR_RESP_OUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE

Event ID 271: AXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

AXFR_RESP_OUT: TCP=; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE

Event ID 272: AXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

AXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE.

Message

AXFR_RESP_RECV: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE

Event ID 272: AXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

AXFR_RESP_RECV: TCP=; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE

Event ID 273: XFR_NOTIFY_RECV: Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

XFR_NOTIFY_RECV: Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Message

XFR_NOTIFY_RECV: Source=%1; InterfaceIP=%2; QNAME=%3; ZoneScope=%4; Zone=%5; PacketData=%7

Fields

Name Type
Source AnsiString
InterfaceIP AnsiString
QNAME AnsiString
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 273: XFR_NOTIFY_RECV: Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; ZoneScope=ZoneScope; Zone=Zone; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

XFR_NOTIFY_RECV: Source=; InterfaceIP=; QNAME=; ZoneScope=; Zone=; PacketData=.

Fields

Name Type
Source AnsiString
InterfaceIP AnsiString
QNAME AnsiString
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 274: XFR_NOTIFY_OUT: Destination=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

XFR_NOTIFY_OUT: Destination=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.

Message

XFR_NOTIFY_OUT: Destination=%1; InterfaceIP=%2; QNAME=%3; ZoneScope=%4; Zone=%5; PacketData=%7

Fields

Name Type
Source AnsiString
InterfaceIP AnsiString
QNAME AnsiString
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 274: XFR_NOTIFY_OUT: Destination=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; ZoneScope=ZoneScope; Zone=Zone; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

XFR_NOTIFY_OUT: Destination=; InterfaceIP=; QNAME=; ZoneScope=; Zone=; PacketData=.

Fields

Name Type
Source AnsiString
InterfaceIP AnsiString
QNAME AnsiString
ZoneScope UnicodeString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 275: XFR_NOTIFY_ACK_IN: Source=Source; InterfaceIP=InterfaceIP; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

XFR_NOTIFY_ACK_IN: Source=Source; InterfaceIP=InterfaceIP; PacketData=PacketData.

Message

XFR_NOTIFY_ACK_IN: Source=%1; InterfaceIP=%2; PacketData=%4

Fields

Name Type
Source AnsiString
InterfaceIP AnsiString
BufferSize UInt32
PacketData Binary

Event ID 275: XFR_NOTIFY_ACK_IN: Source=Source; InterfaceIP=InterfaceIP; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

XFR_NOTIFY_ACK_IN: Source=; InterfaceIP=; PacketData=.

Fields

Name Type
Source AnsiString
InterfaceIP AnsiString
BufferSize UInt32
PacketData Binary

Event ID 276: XFR_NOTIFY_ACK_OUT: Destination=Destination; InterfaceIP=InterfaceIP; Zone=Zone; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: ZONE_XFR

Description

XFR_NOTIFY_ACK_OUT: Destination=Destination; InterfaceIP=InterfaceIP; Zone=Zone; PacketData=PacketData.

Message

XFR_NOTIFY_ACK_OUT: Destination=%1; InterfaceIP=%2; Zone=%3; PacketData=%5

Fields

Name Type
Destination AnsiString
InterfaceIP AnsiString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 276: XFR_NOTIFY_ACK_OUT: Destination=Destination; InterfaceIP=InterfaceIP; Zone=Zone; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_XFR

Description

XFR_NOTIFY_ACK_OUT: Destination=; InterfaceIP=; Zone=; PacketData=.

Fields

Name Type
Destination AnsiString
InterfaceIP AnsiString
Zone UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 277: DYN_UPDATE_FORWARD: TCP=TCP; ForwardInterfaceIP=ForwardInterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Collection Priority: Recommended (ASD)
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_FORWARD: TCP=TCP; ForwardInterfaceIP=ForwardInterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.

Message

DYN_UPDATE_FORWARD: TCP=%1; ForwardInterfaceIP=%2; Destination=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10

Fields

Name Type
TCP UInt8
ForwardInterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
BufferSize UInt32
PacketData Binary

Event ID 277: DYN_UPDATE_FORWARD: TCP=TCP; ForwardInterfaceIP=ForwardInterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Collection Priority: Recommended (ASD)
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_FORWARD: TCP=; ForwardInterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PacketData=.

Fields

Name Type
TCP UInt8
ForwardInterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
BufferSize UInt32
PacketData Binary

Event ID 278: DYN_UPDATE_RESPONSE_IN: TCP=TCP; InterfaceIP=InterfaceIP; Source=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Collection Priority: Recommended (ASD)
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_RESPONSE_IN: TCP=TCP; InterfaceIP=InterfaceIP; Source=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.

Message

DYN_UPDATE_RESPONSE_IN: TCP=%1; InterfaceIP=%2; Source=%3; QNAME=%4; XID=%5; ZoneScope=%6; Zone=%7; RCODE=%8; PacketData=%10

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
BufferSize UInt32
PacketData Binary

Event ID 278: DYN_UPDATE_RESPONSE_IN: TCP=TCP; InterfaceIP=InterfaceIP; Source=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Collection Priority: Recommended (ASD)
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_RESPONSE_IN: TCP=; InterfaceIP=; Source=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PacketData=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
BufferSize UInt32
PacketData Binary

Event ID 279: INTERNAL_LOOKUP_CNAME: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=GUID.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Also via: realtime ETW trace
Level: Informational
Task: LOOK_UP

Description

INTERNAL_LOOKUP_CNAME: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=GUID.

Message

INTERNAL_LOOKUP_CNAME: TCP=%1; InterfaceIP=%2; Source=%3; RD=%4; QNAME=%5; QTYPE=%6; Port=%7; Flags=%8; XID=%9; PacketData=%11; GUID=%12

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
RD UInt8
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
Port UInt32
Flags UInt32
XID UInt32
BufferSize UInt32
PacketData Binary
GUID UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 279,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": "0x0000000800000000",
    "time_created": "2026-06-02T05:16:25.401+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4504,
      "thread_id": 10580
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BufferSize": 34,
    "Flags": 33152,
    "GUID": "{C9931481-610A-41A6-B153-9252110E30F2}",
    "InterfaceIP": "127.0.0.1",
    "PacketData": "16948180000100010000000003777777086D7366746E63736903636F6D0000010001",
    "Port": 52997,
    "QNAME": "www.msftncsi.com.edgesuite.net.",
    "QTYPE": 1,
    "RD": 1,
    "Source": "127.0.0.1",
    "TCP": 0,
    "XID": 5780
  },
  "message": "LOOK_UP"
}

Event ID 279: INTERNAL_LOOKUP_CNAME: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: LOOK_UP

Description

INTERNAL_LOOKUP_CNAME: TCP=; InterfaceIP=; Source=; RD=; QNAME=; QTYPE=; Port=; Flags=; XID=; PacketData=; GUID=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
RD UInt8
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
Port UInt32
Flags UInt32
XID UInt32
BufferSize UInt32
PacketData Binary
GUID UnicodeString

Event ID 280: INTERNAL_LOOKUP_ADDITIONAL: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=GUID.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Also via: realtime ETW trace
Level: Informational
Task: LOOK_UP

Description

INTERNAL_LOOKUP_ADDITIONAL: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=GUID.

Message

INTERNAL_LOOKUP_ADDITIONAL: TCP=%1; InterfaceIP=%2; Source=%3; RD=%4; QNAME=%5; QTYPE=%6; Port=%7; Flags=%8; XID=%9; PacketData=%11; GUID=%12

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
RD UInt8
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
Port UInt32
Flags UInt32
XID UInt32
BufferSize UInt32
PacketData Binary
GUID UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 280,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": "0x0000001000000000",
    "time_created": "2026-06-02T05:16:26.113+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4504,
      "thread_id": 10580
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "BufferSize": 31,
    "Flags": 33152,
    "GUID": "{04BCD1C4-007B-4318-BBB6-CDF9D152CBD3}",
    "InterfaceIP": "127.0.0.1",
    "PacketData": "000481800001000100000000096D6963726F736F667403636F6D00000F0001",
    "Port": 53018,
    "QNAME": "microsoft-com.mail.protection.outlook.com.",
    "QTYPE": 1,
    "RD": 1,
    "Source": "127.0.0.1",
    "TCP": 0,
    "XID": 4
  },
  "message": "LOOK_UP"
}

Event ID 280: INTERNAL_LOOKUP_ADDITIONAL: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: LOOK_UP

Description

INTERNAL_LOOKUP_ADDITIONAL: TCP=; InterfaceIP=; Source=; RD=; QNAME=; QTYPE=; Port=; Flags=; XID=; PacketData=; GUID=.

Fields

Name Type
TCP UInt8
InterfaceIP AnsiString
Source AnsiString
RD UInt8
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
Port UInt32
Flags UInt32
XID UInt32
BufferSize UInt32
PacketData Binary
GUID UnicodeString

Event ID 281: RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: RRL

Description

RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.

Message

RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=%1; Destination=%2; QNAME=%3; QTYPE=%4; XID=%5; RCODE=%6; Port=%7; PacketData=%9

Fields

Name: Description
InterfaceIP: AnsiString
Destination: AnsiString
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
RCODE: UInt32
  Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port: UInt32
BufferSize: UInt32
PacketData: Binary

Event ID 281: RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: RRL

Description

RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=; Destination=; QNAME=; QTYPE=; XID=; RCODE=; Port=; PacketData=.

Fields

Name: Description
InterfaceIP: AnsiString
Destination: AnsiString
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
RCODE: UInt32
  Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port: UInt32
BufferSize: UInt32
PacketData: Binary

Event ID 282: RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: RRL

Description

RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.

Message

RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=%1; Destination=%2; QNAME=%3; QTYPE=%4; XID=%5; RCODE=%6; Port=%7; PacketData=%9

Fields

Name: Description
InterfaceIP: AnsiString
Destination: AnsiString
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
RCODE: UInt32
  Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port: UInt32
BufferSize: UInt32
PacketData: Binary

Event ID 282: RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: RRL

Description

RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=; Destination=; QNAME=; QTYPE=; XID=; RCODE=; Port=; PacketData=.

Fields

Name: Description
InterfaceIP: AnsiString
Destination: AnsiString
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
RCODE: UInt32
  Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port: UInt32
BufferSize: UInt32
PacketData: Binary

Event ID 283: RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: RRL

Description

RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.

Message

RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=%1; Destination=%2; QNAME=%3; QTYPE=%4; XID=%5; RCODE=%6; Port=%7; PacketData=%9

Fields

Name: Description
InterfaceIP: AnsiString
Destination: AnsiString
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
RCODE: UInt32
  Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port: UInt32
BufferSize: UInt32
PacketData: Binary

Event ID 283: RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: RRL

Description

RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=; Destination=; QNAME=; QTYPE=; XID=; RCODE=; Port=; PacketData=.

Fields

Name: Description
InterfaceIP: AnsiString
Destination: AnsiString
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
RCODE: UInt32
  Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port: UInt32
BufferSize: UInt32
PacketData: Binary

Event ID 284: RESPONSE_SUCCESS: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: LOOK_UP

Description

RESPONSE_SUCCESS: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; DNSSEC=DNSSEC; RCODE=RCODE; Port=Port; Flags=Flags; Scope=Scope; Zone=Zone; PolicyName=PolicyName; PacketData=PacketData; AdditionalInfo= AdditionalInfo; DataTag=DataTag; ElapsedTime=ElapsedTime; GUID=GUID; EDNSCorrelationTag=EDNSCorrelationTag

Message

RESPONSE_SUCCESS: TCP=%1; InterfaceIP=%2; Destination=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; DNSSEC=%9; RCODE=%10; Port=%11; Flags=%12; Scope=%13; Zone=%14; PolicyName=%15; PacketData=%17; AdditionalInfo= %18; DataTag=%19; ElapsedTime=%20; GUID=%21; EDNSCorrelationTag=%22; EDNSScopeName=%23; %24

Fields

Name: Description
TCP: UInt8
InterfaceIP: AnsiString
Destination: AnsiString
AA: UInt8
AD: UInt8
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
DNSSEC: UInt8
RCODE: UInt32
  Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port: UInt32
Flags: UInt32
Scope: UnicodeString
Zone: UnicodeString
PolicyName: UnicodeString
BufferSize: UInt32
PacketData: Binary
AdditionalInfo: UnicodeString
DataTag: UInt64
ElapsedTime: UInt32
GUID: UnicodeString
EDNSCorrelationTag: GUID
EDNSScopeName: UnicodeString
StaleRecordsPresent: UnicodeString

Event ID 284: RESPONSE_SUCCESS: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; DNSSEC=DNSSEC; RCODE=RCODE; Port=Port; Flags=Flags; Scope=Scope; Zone=Z...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: LOOK_UP

Fields

Name: Description
TCP: UInt8
InterfaceIP: AnsiString
Destination: AnsiString
AA: UInt8
AD: UInt8
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
DNSSEC: UInt8
RCODE: UInt32
  Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port: UInt32
Flags: UInt32
Scope: UnicodeString
Zone: UnicodeString
PolicyName: UnicodeString
BufferSize: UInt32
PacketData: Binary
AdditionalInfo: UnicodeString
DataTag: UInt64
ElapsedTime: UInt32
GUID: UnicodeString
EDNSCorrelationTag: GUID
EDNSScopeName: UnicodeString
StaleRecordsPresent: UnicodeString

Event ID 285: RESPONSE_FAILURE: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: LOOK_UP

Description

RESPONSE_FAILURE: TCP=TCP; InterfaceIP=InterfaceIP; Reason=Reason; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; Flags=Flags; Zone=Zone; PolicyName=PolicyName; PacketData=PacketData; AdditionalInfo = VirtualizationInstance: BufferSize; ElapsedTime=ElapsedTime; GUID=GUID; EDNSCorrelationTag=EDNSCorrelationTag

Message

RESPONSE_FAILURE: TCP=%1; InterfaceIP=%2; Reason=%3; Destination=%4; QNAME=%5; QTYPE=%6; XID=%7; RCODE=%8; Port=%9; Flags=%10; Zone=%11; PolicyName=%12; PacketData=%14; AdditionalInfo = VirtualizationInstance: %13; ElapsedTime=%16; GUID=%17; EDNSCorrelationTag=%18; EDNSScopeName=%19

Fields

Name: Description
TCP: UInt8
InterfaceIP: AnsiString
Reason: UnicodeString
Destination: AnsiString
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
RCODE: UInt32
  Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port: UInt32
Flags: UInt32
Zone: UnicodeString
PolicyName: UnicodeString
BufferSize: UInt32
PacketData: Binary
AdditionalInfo: UnicodeString
ElapsedTime: UInt32
GUID: UnicodeString
EDNSCorrelationTag: GUID
EDNSScopeName: UnicodeString

Event ID 285: RESPONSE_FAILURE: TCP=TCP; InterfaceIP=InterfaceIP; Reason=Reason; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; Flags=Flags; Zone=Zone; PolicyName=PolicyName;...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: LOOK_UP

Fields

Name: Description
TCP: UInt8
InterfaceIP: AnsiString
Reason: UnicodeString
Destination: AnsiString
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
RCODE: UInt32
  Known values: 0 = NoError, 1 = FormErr, 2 = ServFail, 3 = NXDomain, 4 = NotImp, 5 = Refused, 6 = YXDomain, 7 = YXRRSet, 8 = NXRRSet, 9 = NotAuth, 10 = NotZone, 11 = DSOTYPENI, 16 = BADSIG_or_BADVERS, 17 = BADKEY, 18 = BADTIME, 19 = BADMODE, 20 = BADNAME, 21 = BADALG, 22 = BADTRUNC, 23 = BADCOOKIE
Port: UInt32
Flags: UInt32
Zone: UnicodeString
PolicyName: UnicodeString
BufferSize: UInt32
PacketData: Binary
AdditionalInfo: UnicodeString
ElapsedTime: UInt32
GUID: UnicodeString
EDNSCorrelationTag: GUID
EDNSScopeName: UnicodeString

Event ID 286: RECURSE_ALIAS_FAILURE: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: RECURSE_QUERY

Description

RECURSE_ALIAS_FAILURE: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; ServerScope=ServerScope; CacheScope=CacheScope; PacketData=PacketData; AdditionalInfo = VirtualizationInstance AdditionalInfo; AliasFailureReason=AliasFailureReason

Message

RECURSE_ALIAS_FAILURE: TCP=%1; Source=%2; InterfaceIP=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; Port=%9; Flags=%10; ServerScope=%11; CacheScope=%12; PacketData=%14; AdditionalInfo = VirtualizationInstance %15; AliasFailureReason=%16

Fields

Name: Description
TCP: UInt8
Source: AnsiString
InterfaceIP: AnsiString
AA: UInt8
AD: UInt8
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
Port: UInt32
Flags: UInt32
ServerScope: UnicodeString
CacheScope: UnicodeString
BufferSize: UInt32
PacketData: Binary
AdditionalInfo: UnicodeString
AliasFailureReason: UnicodeString

Event ID 286: RECURSE_ALIAS_FAILURE: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; ServerScope=ServerScope; CacheScope=CacheScope; Pack...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: RECURSE_QUERY

Fields

Name: Description
TCP: UInt8
Source: AnsiString
InterfaceIP: AnsiString
AA: UInt8
AD: UInt8
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
Port: UInt32
Flags: UInt32
ServerScope: UnicodeString
CacheScope: UnicodeString
BufferSize: UInt32
PacketData: Binary
AdditionalInfo: UnicodeString
AliasFailureReason: UnicodeString

Event ID 287: QUERY_RECEIVED: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: LOOK_UP

Description

QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; GUID=GUID; EDNSExtendedRCodeBits=EDNSExtendedRCodeBits; EDNSFlags=EDNSFlags; EDNSUdpPayloadSize=EDNSUdpPayloadSize; EDNSScopeName=EDNSScopeName; EDNSVirtualizationInstance=EDNSVirtualizationInstance; EDNSDataTag=EDNSDataTag; EDNSCorrelationTag=EDNSCorrelationTag

Message

QUERY_RECEIVED: TCP=%1; InterfaceIP=%2; Source=%3; RD=%4; QNAME=%5; QTYPE=%6; XID=%7; Port=%8; Flags=%9; PacketData=%11; GUID=%12; EDNSExtendedRCodeBits=%13; EDNSFlags=%14; EDNSUdpPayloadSize=%15; EDNSScopeName=%16; EDNSVirtualizationInstance=%17; EDNSDataTag=%18; EDNSCorrelationTag=%19

Fields

Name: Description
TCP: UInt8
InterfaceIP: AnsiString
Source: AnsiString
RD: UInt8
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
Port: UInt32
Flags: UInt32
BufferSize: UInt32
PacketData: Binary
GUID: UnicodeString
EDNSExtendedRCodeBits: UInt8
EDNSFlags: UInt32
EDNSUdpPayloadSize: UInt32
EDNSScopeName: UnicodeString
EDNSVirtualizationInstance: UnicodeString
EDNSDataTag: UInt64
EDNSCorrelationTag: GUID

Event ID 287: QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; GUID=GUID; EDNSExtendedRCodeBits=EDNSExtend...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: LOOK_UP

Fields

Name: Description
TCP: UInt8
InterfaceIP: AnsiString
Source: AnsiString
RD: UInt8
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
Port: UInt32
Flags: UInt32
BufferSize: UInt32
PacketData: Binary
GUID: UnicodeString
EDNSExtendedRCodeBits: UInt8
EDNSFlags: UInt32
EDNSUdpPayloadSize: UInt32
EDNSScopeName: UnicodeString
EDNSVirtualizationInstance: UnicodeString
EDNSDataTag: UInt64
EDNSCorrelationTag: GUID

Event ID 288: DNSSEC_VALIDATION_FAILURE: QNAME=QNAME; RRTYPE=RRTYPE; QueryGUID=QueryGUID; QXID=QXID; XID=XID; CacheNodeName=CacheNodeName.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: DNSSEC_OP

Description

DNSSEC_VALIDATION_FAILURE: QNAME=QNAME; RRTYPE=RRTYPE; QueryGUID=QueryGUID; QXID=QXID; XID=XID; CacheNodeName=CacheNodeName.

Message

DNSSEC_VALIDATION_FAILURE: QNAME=%1; RRTYPE=%2; QueryGUID=%3; QXID=%4; XID=%5; CacheNodeName=%6

Fields

Name: Description
QNAME: AnsiString
RRTYPE: UInt32
QueryGUID: UnicodeString
QXID: UInt32
XID: UInt32
CacheNodeName: AnsiString

Event ID 288:

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: DNSSEC_OP

Description

DNSSEC_VALIDATION_FAILURE: QNAME=; RRTYPE=; QueryGUID=; QXID=; XID=; CacheNodeName=.

Fields

Name: Description
QNAME: AnsiString
RRTYPE: UInt32
QueryGUID: UnicodeString
QXID: UInt32
XID: UInt32
CacheNodeName: AnsiString

Event ID 289: RECURSE_QUERY_OUT: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: RECURSE_QUERY

Message

RECURSE_QUERY_OUT: TCP=%1; Destination=%2; InterfaceIP=%3; RD=%4; QNAME=%5; QTYPE=%6; QXID=%7; XID=%8; Port=%9; Flags=%10; RecursionScope=%11; CacheScope=%12; PolicyName=%13; PacketData=%15; AdditionalInfo = VirtualizationInstance: %16; GUID=%17; EDNSScopeName=%18; EDNSCorrelationTag=%19

Fields

Name: Description
TCP: UInt8
Destination: AnsiString
InterfaceIP: AnsiString
RD: UInt8
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
QXID: UInt32
XID: UInt32
Port: UInt32
Flags: UInt32
RecursionScope: UnicodeString
CacheScope: UnicodeString
PolicyName: UnicodeString
BufferSize: UInt32
PacketData: Binary
AdditionalInfo: UnicodeString
GUID: UnicodeString
EDNSScopeName: UnicodeString
EDNSCorrelationTag: GUID

Event ID 289: RECURSE_QUERY_OUT: TCP=TCP; Destination=Destination; InterfaceIP=InterfaceIP; RD=RD; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: RECURSE_QUERY

Fields

Name: Description
TCP: UInt8
Destination: AnsiString
InterfaceIP: AnsiString
RD: UInt8
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
QXID: UInt32
XID: UInt32
Port: UInt32
Flags: UInt32
RecursionScope: UnicodeString
CacheScope: UnicodeString
PolicyName: UnicodeString
BufferSize: UInt32
PacketData: Binary
AdditionalInfo: UnicodeString
GUID: UnicodeString
EDNSScopeName: UnicodeString
EDNSCorrelationTag: GUID

Event ID 290: RECURSE_RESPONSE_IN: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: RECURSE_QUERY

Message

RECURSE_RESPONSE_IN: TCP=%1; Source=%2; InterfaceIP=%3; AA=%4; AD=%5; QNAME=%6; QTYPE=%7; XID=%8; RemoteQueriesSent=%9; Port=%10; Flags=%11; RecursionScope=%12; CacheScope=%13; PacketData=%15; AdditionalInfo = VirtualizationInstance: %16; GUID=%17; QueriesAttached=%18; EDNSScopeName=%19; EDNSCorrelationTag=%20

Fields

Name: Description
TCP: UInt8
Source: AnsiString
InterfaceIP: AnsiString
AA: UInt8
AD: UInt8
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
RecursionDepth: UInt32
Port: UInt32
Flags: UInt32
RecursionScope: UnicodeString
CacheScope: UnicodeString
BufferSize: UInt32
PacketData: Binary
AdditionalInfo: UnicodeString
GUID: UnicodeString
QueriesAttached: UInt32
EDNSScopeName: UnicodeString
EDNSCorrelationTag: GUID

Event ID 290: RECURSE_RESPONSE_IN: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RemoteQueriesSent=RecursionDepth; Port=Port; Flags=Flags; RecursionScope=Recur...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: RECURSE_QUERY

Fields

Name: Description
TCP: UInt8
Source: AnsiString
InterfaceIP: AnsiString
AA: UInt8
AD: UInt8
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
XID: UInt32
RecursionDepth: UInt32
Port: UInt32
Flags: UInt32
RecursionScope: UnicodeString
CacheScope: UnicodeString
BufferSize: UInt32
PacketData: Binary
AdditionalInfo: UnicodeString
GUID: UnicodeString
QueriesAttached: UInt32
EDNSScopeName: UnicodeString
EDNSCorrelationTag: GUID

Event ID 291: RECURSE_QUERY_TIMEOUT: TCP=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: RECURSE_QUERY

Message

RECURSE_QUERY_TIMEOUT: TCP=%1; InterfaceIP=%2; Destination=%3; QNAME=%4; QTYPE=%5; QXID=%6; XID=%7; Port=%8; Flags=%9; RecursionScope=%10; CacheScope=%11; AdditionalInfo = VirtualizationInstance: %12; GUID=%13; EDNSScopeName=%14; EDNSCorrelationTag=%15

Fields

Name: Description
TCP: UInt8
InterfaceIP: AnsiString
Destination: AnsiString
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
QXID: UInt32
XID: UInt32
Port: UInt32
Flags: UInt32
RecursionScope: UnicodeString
CacheScope: UnicodeString
AdditionalInfo: UnicodeString
GUID: UnicodeString
EDNSScopeName: UnicodeString
EDNSCorrelationTag: GUID

Event ID 291: RECURSE_QUERY_TIMEOUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=Cac...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: RECURSE_QUERY

Fields

Name: Description
TCP: UInt8
InterfaceIP: AnsiString
Destination: AnsiString
QNAME: AnsiString
QTYPE: UInt32
  Known values: 1 = A, 2 = NS, 5 = CNAME, 6 = SOA, 12 = PTR, 15 = MX, 16 = TXT, 24 = SIG, 25 = KEY, 28 = AAAA, 33 = SRV, 35 = NAPTR, 39 = DNAME, 41 = OPT, 43 = DS, 46 = RRSIG, 47 = NSEC, 48 = DNSKEY, 50 = NSEC3, 51 = NSEC3PARAM, 52 = TLSA, 65 = HTTPS, 252 = AXFR, 255 = ANY, 257 = CAA
QXID: UInt32
XID: UInt32
Port: UInt32
Flags: UInt32
RecursionScope: UnicodeString
CacheScope: UnicodeString
AdditionalInfo: UnicodeString
GUID: UnicodeString
EDNSScopeName: UnicodeString
EDNSCorrelationTag: GUID

Event ID 512: The zone Name was created with settings: Type=Type; Lookup=Lookup; ReplicationScope=ReplicationScope; ZoneFile=ZoneFile; [virtualization instance VirtualizationID].

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: Informational
Task: ZONE_OP

Description

The zone Name was created with settings: Type=Type; Lookup=Lookup; ReplicationScope=ReplicationScope; ZoneFile=ZoneFile; [virtualization instance VirtualizationID].

Message

The zone %1 was created with settings: Type=%2; Lookup=%3; ReplicationScope=%4; ZoneFile=%5; [virtualization instance %6].

Fields

Name: Description
Name: UnicodeString
Type: UnicodeString
Lookup: UnicodeString
ReplicationScope: UnicodeString
ZoneFile: UnicodeString
VirtualizationID: UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 512,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 4611686018427912192,
    "time_created": "2026-06-13T15:10:59.9754883+00:00",
    "event_record_id": 54,
    "correlation": {},
    "execution": {
      "process_id": 3516,
      "thread_id": 1884
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Name": "evtgen2.lab",
    "Type": "Primary",
    "Lookup": "Forward",
    "ReplicationScope": "None",
    "ZoneFile": "evtgen2.lab.dns",
    "VirtualizationID": "."
  },
  "message": "The zone evtgen2.lab was created with settings: Type=Primary; Lookup=Forward; ReplicationScope=None; ZoneFile=evtgen2.lab.dns; [virtualization instance .]."
}

Event ID 513: The zone Zone was deleted.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: Informational
Task: ZONE_OP

Description

The zone Zone was deleted. [virtualization instance: VirtualizationID].

Message

The zone %1 was deleted. [virtualization instance: %2].

Fields

Name: Description
Zone: UnicodeString
VirtualizationID: UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "EB79061A-A566-4698-9119-3ED2807060E7",
    "event_source_name": "",
    "event_id": 513,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 4611686018427912192,
    "time_created": "2026-03-13T20:16:16.023159+00:00",
    "event_record_id": 129,
    "correlation": {},
    "execution": {
      "process_id": 3936,
      "thread_id": 7972
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Zone": "evtgen.test.local",
    "VirtualizationID": "."
  },
  "message": ""
}

Event ID 514: The zone Zone was updated.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: Informational
Task: ZONE_OP

Description

The zone Zone was updated. The PropertyKey setting has been set to NewValue. [virtualization instance: VirtualizationID].

Message

The zone %1 was updated. The %2 setting has been set to %3. [virtualization instance: %4].

Fields

Name: Description
Zone: UnicodeString
PropertyKey: AnsiString
NewValue: UnicodeString
VirtualizationID: UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 514,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 4611686018427912192,
    "time_created": "2026-06-13T15:10:59.9671629+00:00",
    "event_record_id": 53,
    "correlation": {},
    "execution": {
      "process_id": 3516,
      "thread_id": 1884
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Zone": "evtgen2.lab",
    "PropertyKey": "SecondaryServers",
    "NewValue": "allow zone transfers to name servers and automatically notify name servers when the zone changes",
    "VirtualizationID": "."
  },
  "message": "The zone evtgen2.lab was updated. The SecondaryServers setting has been set to allow zone transfers to name servers and automatically notify name servers when the zone changes. [virtualization instance: .]."
}

Event ID 515: A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created in scope ZoneScope of zone Zone.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Also via: realtime ETW trace
Level: Informational
Task: ZONE_OP

Description

A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created in scope ZoneScope of zone Zone. [virtualization instance: VirtualizationID].

Message

A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6. [virtualization instance: %8].

Fields

Name: Description
Type: UInt32
NAME: AnsiString
TTL: UInt32
BufferSize: UInt32
RDATA: Binary
Zone: UnicodeString
ZoneScope: UnicodeString
VirtualizationID: UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "EB79061A-A566-4698-9119-3ED2807060E7",
    "event_source_name": "",
    "event_id": 515,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 4611686018428436480,
    "time_created": "2026-03-13T20:16:07.020870+00:00",
    "event_record_id": 95,
    "correlation": {},
    "execution": {
      "process_id": 3936,
      "thread_id": 7972
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Type": 1,
    "NAME": "host1.evtgen.test.local",
    "TTL": 3600,
    "BufferSize": 4,
    "RDATA": "C0A8C801",
    "Zone": "evtgen.test.local",
    "ZoneScope": "Default",
    "VirtualizationID": "."
  },
  "message": ""
}

Event ID 516: A resource record of type Type, name NAME and RDATA RDATA was deleted from scope ZoneScope of zone Zone.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: Informational
Task: ZONE_OP

Description

A resource record of type Type, name NAME and RDATA RDATA was deleted from scope ZoneScope of zone Zone.

Message

A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6.

Fields

Name: Description
Type: UInt32
NAME: AnsiString
TTL: UInt32
BufferSize: UInt32
RDATA: Binary
Zone: UnicodeString
ZoneScope: UnicodeString
VirtualizationID: UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "EB79061A-A566-4698-9119-3ED2807060E7",
    "event_source_name": "",
    "event_id": 516,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 4611686018428436480,
    "time_created": "2026-03-13T20:16:07.396548+00:00",
    "event_record_id": 103,
    "correlation": {},
    "execution": {
      "process_id": 3936,
      "thread_id": 7972
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Type": 1,
    "NAME": "host2.evtgen.test.local",
    "TTL": 0,
    "BufferSize": 4,
    "RDATA": "C0A8C802",
    "Zone": "evtgen.test.local",
    "ZoneScope": "Default",
    "VirtualizationID": "."
  },
  "message": ""
}

Event ID 517: All resource records of type Type, name NAME were deleted from scope ZoneScope of zone Zone.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Also via: realtime ETW trace
Level: Informational
Task: ZONE_OP

Description

All resource records of type Type, name NAME were deleted from scope ZoneScope of zone Zone. [virtualization instance: VirtualizationID].

Message

All resource records of type %1, name %2 were deleted from scope %4 of zone %3. [virtualization instance: %5].

Fields

Name: Description
Type: UInt32
NAME: AnsiString
Zone: UnicodeString
ZoneScope: UnicodeString
VirtualizationID: UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "EB79061A-A566-4698-9119-3ED2807060E7",
    "event_source_name": "",
    "event_id": 517,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 4611686018428436480,
    "time_created": "2026-03-13T20:16:07.413855+00:00",
    "event_record_id": 105,
    "correlation": {},
    "execution": {
      "process_id": 3936,
      "thread_id": 7972
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Type": 28,
    "NAME": "host3.evtgen.test.local",
    "Zone": "evtgen.test.local",
    "ZoneScope": "Default",
    "VirtualizationID": "."
  },
  "message": ""
}

Event ID 518: All resource records at Node name NAME were deleted from scope ZoneScope of zone Zone.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_OP

Description

All resource records at Node name NAME were deleted from scope ZoneScope of zone Zone. [virtualization instance: VirtualizationID].

Message

All resource records at Node name %1 were deleted from scope %3 of zone %2. [virtualization instance: %4].

Fields

Name: Description
NAME: AnsiString
Zone: UnicodeString
ZoneScope: UnicodeString
VirtualizationID: UnicodeString

Event ID 519: A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created in scope ZoneScope of zone Zone via dynamic update from IP Address Source.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Level
Informational
Task
DYNAMIC_UPDATE

Description

A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created in scope ZoneScope of zone Zone via dynamic update from IP Address Source.

Message

A resource record of type %1, name %2, TTL %3 and RDATA %5 was created in scope %7 of zone %6 via dynamic update from IP Address %8.

Fields

Name Description
Type UInt32
NAME AnsiString
TTL UInt32
BufferSize UInt32
RDATA Binary
Zone UnicodeString
ZoneScope UnicodeString
Source AnsiString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 519,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 4611686018460942336,
    "time_created": "2026-05-30T00:33:20.5343772+00:00",
    "event_record_id": 64,
    "correlation": {},
    "execution": {
      "process_id": 3820,
      "thread_id": 5060
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Type": "1",
    "NAME": "telemetry-dc-a",
    "TTL": "1200",
    "BufferSize": "4",
    "RDATA": "0A01140B",
    "Zone": "cell-a.ludus.domain",
    "ZoneScope": "Default",
    "Source": "10.1.20.11"
  },
  "message": "A resource record of type 1, name telemetry-dc-a, TTL 1200 and RDATA 0x0A01140B was created in scope Default of zone cell-a.ludus.domain via dynamic update from IP Address 10.1.20.11."
}

Event ID 520: A resource record of type Type, name NAME and RDATA RDATA was deleted from scope ZoneScope of zone Zone via dynamic update from IP Address Source.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Level
Informational
Task
DYNAMIC_UPDATE

Description

A resource record of type Type, name NAME and RDATA RDATA was deleted from scope ZoneScope of zone Zone via dynamic update from IP Address Source.

Message

A resource record of type %1, name %2 and RDATA %5 was deleted from scope %7 of zone %6 via dynamic update from IP Address %8.

Fields

Name Description
Type UInt32
NAME AnsiString
TTL UInt32
BufferSize UInt32
RDATA Binary
Zone UnicodeString
ZoneScope UnicodeString
Source AnsiString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 520,
    "version": 0,
    "level": 4,
    "task": 3,
    "opcode": 0,
    "keywords": 4611686018460942336,
    "time_created": "2026-05-30T00:33:20.5343748+00:00",
    "event_record_id": 63,
    "correlation": {},
    "execution": {
      "process_id": 3820,
      "thread_id": 5060
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Type": "1",
    "NAME": "telemetry-dc-a",
    "TTL": "0",
    "BufferSize": "4",
    "RDATA": "0A01140B",
    "Zone": "cell-a.ludus.domain",
    "ZoneScope": "Default",
    "Source": "10.1.20.11"
  },
  "message": "A resource record of type 1, name telemetry-dc-a and RDATA 0x0A01140B was deleted from scope Default of zone cell-a.ludus.domain via dynamic update from IP Address 10.1.20.11."
}

Event ID 521: A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was scavenged from scope ZoneScope of zone Zone.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
AGEING

Description

A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was scavenged from scope ZoneScope of zone Zone.

Message

A resource record of type %1, name %2, TTL %3 and RDATA %5 was scavenged from scope %7 of zone %6.

Fields

Name Description
Type UInt32
NAME AnsiString
TTL UInt32
BufferSize UInt32
RDATA Binary
Zone UnicodeString
ZoneScope UnicodeString
VirtualizationID UnicodeString

Event ID 522: The scope ZoneScope was created in zone Zone.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
ZONE_OP

Description

The scope ZoneScope was created in zone Zone. [virtualization instance: VirtualizationID].

Message

The scope %1 was created in zone %2. [virtualization instance: %3].

Fields

Name Description
ZoneScope UnicodeString
Zone UnicodeString
VirtualizationID UnicodeString

Event ID 523: The scope ZoneScope was deleted in zone Zone.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
ZONE_OP

Description

The scope ZoneScope was deleted in zone Zone. [virtualization instance: VirtualizationID].

Message

The scope %1 was deleted in zone %2. [virtualization instance: %3].

Fields

Name Description
ZoneScope UnicodeString
Zone UnicodeString
VirtualizationID UnicodeString

Event ID 525: The zone ZoneName was signed with following properties: DenialOfExistence=DenialOfExistence; DistributeTrustAnchor=DistributeTrustAnchor; DnsKeyRecordSetTtl=DnsKeyRecordSetTtl; DSRecordGenerationAl...

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
OnlineSigning

Description

The zone ZoneName was signed with following properties: DenialOfExistence=DenialOfExistence; DistributeTrustAnchor=DistributeTrustAnchor; DnsKeyRecordSetTtl=DnsKeyRecordSetTtl; DSRecordGenerationAlgorithm=DSRecordGenerationAlgorithm; DSRecordSetTtl=DSRecordSetTtl; EnableRfc5011KeyRollover=EnableRfc5011KeyRollover; IsKeyMasterServer=IsKeyMasterServer; KeyMasterServer=KeyMasterServer; NSec3HashAlgorithm=NSec3HashAlgorithm; NSec3Iterations=NSec3Iterations; NSec3OptOut=NSec3OptOut; NSec3RandomSaltLength=NSec3RandomSaltLength; NSec3UserSalt=NSec3UserSalt; ParentHasSecureDelegation=ParentHasSecureDelegation; PropagationTime=PropagationTime; SecureDelegationPollingPeriod=SecureDelegationPollingPeriod; SignatureInceptionOffset=SignatureInceptionOffset.

Message

The zone %1 was signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgorithm=%5; DSRecordSetTtl=%6; EnableRfc5011KeyRollover=%7; IsKeyMasterServer=%8; KeyMasterServer=%9; NSec3HashAlgorithm=%10; NSec3Iterations=%11; NSec3OptOut=%12; NSec3RandomSaltLength=%13; NSec3UserSalt=%14; ParentHasSecureDelegation=%15; PropagationTime=%16; SecureDelegationPollingPeriod=%17; SignatureInceptionOffset=%18.

Fields

Name Description
ZoneName UnicodeString
DenialOfExistence UnicodeString
DistributeTrustAnchor UnicodeString
DnsKeyRecordSetTtl UInt32
DSRecordGenerationAlgorithm UnicodeString
DSRecordSetTtl UInt32
EnableRfc5011KeyRollover UnicodeString
IsKeyMasterServer UnicodeString
KeyMasterServer AnsiString
NSec3HashAlgorithm UInt32
NSec3Iterations UInt32
NSec3OptOut UnicodeString
NSec3RandomSaltLength UInt32
NSec3UserSalt UnicodeString
ParentHasSecureDelegation UnicodeString
PropagationTime UInt32
SecureDelegationPollingPeriod UInt32
SignatureInceptionOffset UInt32

Event ID 526: The zone Zone was unsigned.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
OnlineSigning

Description

The zone Zone was unsigned.

Message

The zone %1 was unsigned.

Fields

Name Description
Zone AnsiString

Event ID 527: The zone ZoneName was re-signed with following properties: DenialOfExistence=DenialOfExistence; DistributeTrustAnchor=DistributeTrustAnchor; DnsKeyRecordSetTtl=DnsKeyRecordSetTtl; DSRecordGeneratio...

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
OnlineSigning

Description

The zone ZoneName was re-signed with following properties: DenialOfExistence=DenialOfExistence; DistributeTrustAnchor=DistributeTrustAnchor; DnsKeyRecordSetTtl=DnsKeyRecordSetTtl; DSRecordGenerationAlgorithm=DSRecordGenerationAlgorithm; DSRecordSetTtl=DSRecordSetTtl; EnableRfc5011KeyRollover=EnableRfc5011KeyRollover; IsKeyMasterServer=IsKeyMasterServer; KeyMasterServer=KeyMasterServer; NSec3HashAlgorithm=NSec3HashAlgorithm; NSec3Iterations=NSec3Iterations; NSec3OptOut=NSec3OptOut; NSec3RandomSaltLength=NSec3RandomSaltLength; NSec3UserSalt=NSec3UserSalt; ParentHasSecureDelegation=ParentHasSecureDelegation; PropagationTime=PropagationTime; SecureDelegationPollingPeriod=SecureDelegationPollingPeriod; SignatureInceptionOffset=SignatureInceptionOffset.

Message

The zone %1 was re-signed with following properties: DenialOfExistence=%2; DistributeTrustAnchor=%3; DnsKeyRecordSetTtl=%4; DSRecordGenerationAlgorithm=%5; DSRecordSetTtl=%6; EnableRfc5011KeyRollover=%7; IsKeyMasterServer=%8; KeyMasterServer=%9; NSec3HashAlgorithm=%10; NSec3Iterations=%11; NSec3OptOut=%12; NSec3RandomSaltLength=%13; NSec3UserSalt=%14; ParentHasSecureDelegation=%15; PropagationTime=%16; SecureDelegationPollingPeriod=%17; SignatureInceptionOffset=%18.

Fields

Name Description
ZoneName UnicodeString
DenialOfExistence UnicodeString
DistributeTrustAnchor UnicodeString
DnsKeyRecordSetTtl UInt32
DSRecordGenerationAlgorithm UnicodeString
DSRecordSetTtl UInt32
EnableRfc5011KeyRollover UnicodeString
IsKeyMasterServer UnicodeString
KeyMasterServer AnsiString
NSec3HashAlgorithm UInt32
NSec3Iterations UInt32
NSec3OptOut UnicodeString
NSec3RandomSaltLength UInt32
NSec3UserSalt UnicodeString
ParentHasSecureDelegation UnicodeString
PropagationTime UInt32
SecureDelegationPollingPeriod UInt32
SignatureInceptionOffset UInt32

Event ID 528: Rollover was started on the type Type with GUID GUID of zone Zone.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

Rollover was started on the type Type with GUID GUID of zone Zone.

Message

Rollover was started on the type %1 with GUID %2 of zone %3.

Fields

Name Description
Type UnicodeString
GUID UnicodeString
Zone UnicodeString

Event ID 529: Rollover was completed on the type Type with GUID GUID of zone Zone.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

Rollover was completed on the type Type with GUID GUID of zone Zone.

Message

Rollover was completed on the type %1 with GUID %2 of zone %3.

Fields

Name Description
Type UnicodeString
GUID UnicodeString
Zone UnicodeString

Event ID 530: The type Type with GUID GUID of zone Zone was marked for retiral.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

The type Type with GUID GUID of zone Zone was marked for retiral. The key will be removed after the rollover completion.

Message

The type %1 with GUID %2 of zone %3 was marked for retiral. The key will be removed after the rollover completion.

Fields

Name Description
Type UnicodeString
GUID UnicodeString
Zone UnicodeString

Event ID 531: Manual rollover was triggered on the type Type with GUID GUID of zone Zone.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

Manual rollover was triggered on the type Type with GUID GUID of zone Zone.

Message

Manual rollover was triggered on the type %1 with GUID %2 of zone %3.

Fields

Name Description
Type UnicodeString
GUID UnicodeString
Zone UnicodeString

Event ID 533: The keys signing key with GUID GUID on zone Zone that was waiting for a Delegation Signer(DS) update on the parent has been forced to move to rollover ...

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

The keys signing key with GUID GUID on zone Zone that was waiting for a Delegation Signer(DS) update on the parent has been forced to move to rollover completion.

Message

The keys signing key with GUID %1 on zone %2 that was waiting for a Delegation Signer(DS) update on the parent has been forced to move to rollover completion.

Fields

Name Description
GUID UnicodeString
Zone UnicodeString

Event ID 534: DNSSEC setting metadata was exported WithWithout key signing key metadata from zone Zone.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

DNSSEC setting metadata was exported WithWithout key signing key metadata from zone Zone.

Message

DNSSEC setting metadata was exported %1 key signing key metadata from zone %2.

Fields

Name Description
WithWithout UnicodeString
Zone UnicodeString

Event ID 535: DNSSEC setting metadata was imported on zone Zone.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

DNSSEC setting metadata was imported on zone Zone.

Message

DNSSEC setting metadata was imported on zone %1.

Fields

Name Description
Zone UnicodeString

Event ID 536: A record of type QTYPE, QNAME QNAME was purged from scope Scope in cache.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Also via
realtime ETW trace
Level
Informational
Task
CACHE_OP

Description

A record of type QTYPE, QNAME QNAME was purged from scope Scope in cache.

Message

A record of type %1, QNAME %2 was purged from scope %3 in cache.

Fields

Name Description
QTYPE UInt32
Known values:
1 = A
2 = NS
5 = CNAME
6 = SOA
12 = PTR
15 = MX
16 = TXT
24 = SIG
25 = KEY
28 = AAAA
33 = SRV
35 = NAPTR
39 = DNAME
41 = OPT
43 = DS
46 = RRSIG
47 = NSEC
48 = DNSKEY
50 = NSEC3
51 = NSEC3PARAM
52 = TLSA
65 = HTTPS
252 = AXFR
255 = ANY
257 = CAA
QNAME AnsiString
Scope UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "EB79061A-A566-4698-9119-3ED2807060E7",
    "event_source_name": "",
    "event_id": 536,
    "version": 0,
    "level": 4,
    "task": 9,
    "opcode": 0,
    "keywords": 4611686020574871552,
    "time_created": "2026-03-13T20:23:59.987128+00:00",
    "event_record_id": 173,
    "correlation": {},
    "execution": {
      "process_id": 3936,
      "thread_id": 6156
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "QTYPE": 255,
    "QNAME": "*",
    "Scope": "Default"
  },
  "message": ""
}

Event ID 537: The forwarder list on scope Scope has been reset to Forwarders.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Level
Informational
Task
Configuration

Description

The forwarder list on scope Scope has been reset to Forwarders.

Message

The forwarder list on scope %2 has been reset to %1.

Fields

Name Description
Forwarders AnsiString
Scope UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 537,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 4611686018444165120,
    "time_created": "2026-05-30T01:44:01.4462386+00:00",
    "event_record_id": 298,
    "correlation": {
      "ActivityID": "{855B5F38-AB0E-488F-A046-747AA920EAE1}"
    },
    "execution": {
      "process_id": 3196,
      "thread_id": 12400
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Forwarders": "10.2.10.254",
    "Scope": "."
  },
  "message": "The forwarder list on scope . has been reset to 10.2.10.254."
}

Event ID 540: The root hints have been modified.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
Configuration

Description

The root hints have been modified.

Message

The root hints have been modified.

Event ID 541: The setting Setting on scope Scope has been set to NewValue.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Level
Informational
Task
Configuration

Description

The setting Setting on scope Scope has been set to NewValue.

Message

The setting %1 on scope %2 has been set to %3.

Fields

Name Description
Setting AnsiString
Scope UnicodeString
NewValue UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 541,
    "version": 0,
    "level": 4,
    "task": 10,
    "opcode": 0,
    "keywords": 4611686018561605632,
    "time_created": "2026-05-28T00:51:39.7295350+00:00",
    "event_record_id": 37,
    "correlation": {},
    "execution": {
      "process_id": 4716,
      "thread_id": 4208
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1000"
    }
  },
  "event_data": {
    "Setting": "MaxCacheTtl",
    "Scope": ".",
    "NewValue": "2"
  },
  "message": "The setting MaxCacheTtl on scope . has been set to 2."
}

Event ID 542: The scope RecursionScope of DNS server was created.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
Configuration

Description

The scope RecursionScope of DNS server was created.

Message

The scope %1 of DNS server was created.

Fields

Name Description
RecursionScope UnicodeString

Event ID 543: The scope RecursionScope of DNS server was deleted.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
Configuration

Description

The scope RecursionScope of DNS server was deleted.

Message

The scope %1 of DNS server was deleted.

Fields

Name Description
RecursionScope UnicodeString

Event ID 544: The DNSKEY with Key Protocol KeyProtocol, Base64 Data Base64Data and Crypto Algorithm CryptoAlgorithm has been added at the trust point Name.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

The DNSKEY with Key Protocol KeyProtocol, Base64 Data Base64Data and Crypto Algorithm CryptoAlgorithm has been added at the trust point Name.

Message

The DNSKEY with Key Protocol %2, Base64 Data %4 and Crypto Algorithm %5 has been added at the trust point %1.

Fields

Name Description
Name AnsiString
KeyProtocol UnicodeString
BufferSize UInt32
Base64Data Binary
CryptoAlgorithm UnicodeString

Event ID 545: The DS with Key Tag: KeyTag, Digest Type: DigestType, Digest: Digest and Crypto Algorithm: CryptoAlgorithm has been added at the trust point Name.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

The DS with Key Tag: KeyTag, Digest Type: DigestType, Digest: Digest and Crypto Algorithm: CryptoAlgorithm has been added at the trust point Name.

Message

The DS with Key Tag: %2, Digest Type: %3, Digest: %5 and Crypto Algorithm: %6 has been added at the trust point %1.

Fields

Name Description
Name AnsiString
KeyTag UInt32
DigestType UnicodeString
BufferSize UInt32
Digest Binary
CryptoAlgorithm UnicodeString

Event ID 546: The trust point at Name of type Type has been removed.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

The trust point at Name of type Type has been removed.

Message

The trust point at %1 of type %2 has been removed.

Fields

Name Description
Name AnsiString
Type UnicodeString

Event ID 547: The trust anchor for the root zone has been added.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

The trust anchor for the root zone has been added.

Message

The trust anchor for the root zone has been added.

Event ID 548: A request to restart the DNS server service has been received.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
SERVER_OP

Description

A request to restart the DNS server service has been received.

Message

A request to restart the DNS server service has been received.

Event ID 549: The debug logs have been cleared from FilePath on DNS server.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
SERVER_OP

Description

The debug logs have been cleared from FilePath on DNS server.

Message

The debug logs have been cleared from %1 on DNS server.

Fields

Name Description
FilePath UnicodeString

Event ID 550: The in-memory contents of all the zones on DNS server have been flushed to their respective files.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
SERVER_OP

Description

The in-memory contents of all the zones on DNS server have been flushed to their respective files.

Message

The in-memory contents of all the zones on DNS server have been flushed to their respective files.

Event ID 551: All the statistical data for the DNS server has been cleared.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
SERVER_OP

Description

All the statistical data for the DNS server has been cleared.

Message

All the statistical data for the DNS server has been cleared.

Event ID 552: A resource record scavenging cycle has been started on the DNS Server.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Level
Informational
Task
SERVER_OP

Description

A resource record scavenging cycle has been started on the DNS Server.

Message

A resource record scavenging cycle has been started on the DNS Server.

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "EB79061A-A566-4698-9119-3ED2807060E7",
    "event_source_name": "",
    "event_id": 552,
    "version": 0,
    "level": 4,
    "task": 11,
    "opcode": 0,
    "keywords": 4611686155866341376,
    "time_created": "2026-03-13T20:16:07.476971+00:00",
    "event_record_id": 111,
    "correlation": {},
    "execution": {
      "process_id": 3936,
      "thread_id": 7972
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 553: EventString.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
SERVER_OP

Description

EventString

Message

%1

Fields

Name Description
EventString UnicodeString

Event ID 554: The resource record scavenging cycle has been terminated on the DNS Server.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
SERVER_OP

Description

The resource record scavenging cycle has been terminated on the DNS Server.

Message

The resource record scavenging cycle has been terminated on the DNS Server.

Event ID 555: The DNS server has been prepared for demotion by removing references to it from all zones stored in the Active Directory.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
SERVER_OP

Description

The DNS server has been prepared for demotion by removing references to it from all zones stored in the Active Directory.

Message

The DNS server has been prepared for demotion by removing references to it from all zones stored in the Active Directory.

Event ID 556: The information about the root hints on the DNS server has been written back to the persistent storage.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
SERVER_OP

Description

The information about the root hints on the DNS server has been written back to the persistent storage.

Message

The information about the root hints on the DNS server has been written back to the persistent storage.

Event ID 557: The addresses on which DNS server will listen has been changed to ListenAddresses.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
SERVER_OP

Description

The addresses on which DNS server will listen has been changed to ListenAddresses.

Message

The addresses on which DNS server will listen has been changed to %1.

Fields

Name Description
ListenAddresses UnicodeString

Event ID 558: An immediate RFC 5011 active refresh has been scheduled for all trust points.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

An immediate RFC 5011 active refresh has been scheduled for all trust points.

Message

An immediate RFC 5011 active refresh has been scheduled for all trust points.

Event ID 559: The zone Zone is paused.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
ZONE_OP

Description

The zone Zone is paused. [virtualization instance: VirtualizationID].

Message

The zone %1 is paused. [virtualization instance: %2].

Fields

Name Description
Zone UnicodeString
VirtualizationID UnicodeString

Event ID 560: The zone Zone is resumed.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
ZONE_OP

Description

The zone Zone is resumed. [virtualization instance: VirtualizationID].

Message

The zone %1 is resumed. [virtualization instance: %2].

Fields

Name Description
Zone UnicodeString
VirtualizationID UnicodeString

Event ID 561: The data for zone Zone has been reloaded from FilePath.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
ZONE_OP

Description

The data for zone Zone has been reloaded from FilePath. [virtualization instance: VirtualizationID].

Message

The data for zone %1 has been reloaded from %2. [virtualization instance: %3].

Fields

Name Description
Zone UnicodeString
FilePath UnicodeString
VirtualizationID UnicodeString

Event ID 562: The data for zone Zone has been refreshed from the master server MasterServer.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
ZONE_OP

Description

The data for zone Zone has been refreshed from the master server MasterServer.

Message

The data for zone %1 has been refreshed from the master server %2.

Fields

Name Description
Zone UnicodeString
MasterServer UnicodeString

Event ID 563: The secondary zone Zone has been expired and new data has been requested from the master server MasterServer.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
ZONE_OP

Description

The secondary zone Zone has been expired and new data has been requested from the master server MasterServer.

Message

The secondary zone %1 has been expired and new data has been requested from the master server %2.

Fields

Name Description
Zone UnicodeString
MasterServer UnicodeString

Event ID 564: The zone Zone has been reloaded from the Active Directory.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
ZONE_OP

Description

The zone Zone has been reloaded from the Active Directory.

Message

The zone %1 has been reloaded from the Active Directory.

Fields

Name Description
Zone UnicodeString
VirtualizationID UnicodeString

Event ID 565: The content of the zone Zone has been written to the disk and the notification has been sent to all the notify servers.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
ZONE_OP

Description

The content of the zone Zone has been written to the disk and the notification has been sent to all the notify servers. [virtualization instance: VirtualizationID].

Message

The content of the zone %1 has been written to the disk and the notification has been sent to all the notify servers. [virtualization instance: %2].

Fields

Name Description
Zone UnicodeString
VirtualizationID UnicodeString

Event ID 566: All DNS records at the node NodeName in the zone Zone will have their aging time stamp set to the current time.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
ZONE_OP

Description

All DNS records at the node NodeName in the zone Zone will have their aging time stamp set to the current time.SubTreeAging.

Message

All DNS records at the node %1 in the zone %2 will have their aging time stamp set to the current time.%3

Fields

Name Description
NodeName AnsiString
Zone UnicodeString
SubTreeAging UnicodeString

Event ID 567: The Active Directory-integrated zone Zone has been updated.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Level
Informational
Task
ZONE_OP

Description

The Active Directory-integrated zone Zone has been updated. Only ScavengeServers can run scavenging.

Message

The Active Directory-integrated zone %1 has been updated. Only %2 can run scavenging.

Fields

Name Description
Zone UnicodeString
ScavengeServers UnicodeString

Example Event

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "EB79061A-A566-4698-9119-3ED2807060E7",
    "event_source_name": "",
    "event_id": 567,
    "version": 0,
    "level": 4,
    "task": 5,
    "opcode": 0,
    "keywords": 4611686018427912192,
    "time_created": "2026-03-13T20:16:07.469361+00:00",
    "event_record_id": 110,
    "correlation": {},
    "execution": {
      "process_id": 3936,
      "thread_id": 7972
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Zone": "evtgen.test.local",
    "ScavengeServers": "NULL"
  },
  "message": ""
}

Event ID 568: The key master role for zone Zone has been SeizedOrTransfered.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

The key master role for zone Zone has been SeizedOrTransfered.WithNewKeys.

Message

The key master role for zone %1 has been %2.%3

Fields

Name Description
Zone UnicodeString
SeizedOrTransfered UnicodeString
WithNewKeys UnicodeString

Event ID 569: A KeyOrZone signing key (KskOrZsk) descriptor has been added on the zone Zone with following properties: KeyId=KeyId; KeyType=KeyType; CurrentState=CurrentState; KeyStorageProvider...

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

A KeyOrZone signing key (KskOrZsk) descriptor has been added on the zone Zone with following properties: KeyId=KeyId; KeyType=KeyType; CurrentState=CurrentState; KeyStorageProvider=KeyStorageProvider; StoreKeysInAD=StoreKeysInAD; CryptoAlgorithm=CryptoAlgorithm; KeyLength=KeyLength; DnsKeySignatureValidityPeriod=DnsKeySignatureValidityPeriod; DSSignatureValidityPeriod=DSSignatureValidityPeriod; ZoneSignatureValidityPeriod=ZoneSignatureValidityPeriod; InitialRolloverOffset=InitialRolloverOffset; RolloverPeriod=RolloverPeriod; RolloverType=RolloverType; NextRolloverAction=NextRolloverAction; LastRolloverTime=LastRolloverTime; NextRolloverTime=NextRolloverTime; CurrentRolloverStatus=CurrentRolloverStatus; ActiveKey=ActiveKey; StandbyKey=StandbyKey; NextKey=NextKey. The zone will be resigned with the KskOrZsk generated with these properties.

Message

A %1 signing key (%2) descriptor has been added on the zone %3 with following properties: KeyId=%4; KeyType=%5; CurrentState=%6; KeyStorageProvider=%7; StoreKeysInAD=%8; CryptoAlgorithm=%9; KeyLength=%10; DnsKeySignatureValidityPeriod=%11; DSSignatureValidityPeriod=%12; ZoneSignatureValidityPeriod=%13; InitialRolloverOffset=%14; RolloverPeriod=%15; RolloverType=%16; NextRolloverAction=%17; LastRolloverTime=%18; NextRolloverTime=%19; CurrentRolloverStatus=%20; ActiveKey=%21; StandbyKey=%22; NextKey=%23. The zone will be resigned with the %2 generated with these properties.

Fields

Name Description
KeyOrZone UnicodeString
KskOrZsk UnicodeString
Zone UnicodeString
KeyId UnicodeString
KeyType UnicodeString
Known values:
%%2499 = Machine key
%%2500 = User key
CurrentState UnicodeString
KeyStorageProvider UnicodeString
StoreKeysInAD Boolean
CryptoAlgorithm UnicodeString
KeyLength UInt32
DnsKeySignatureValidityPeriod UInt32
DSSignatureValidityPeriod UInt32
ZoneSignatureValidityPeriod UInt32
InitialRolloverOffset UInt32
RolloverPeriod UInt32
RolloverType UnicodeString
NextRolloverAction UnicodeString
LastRolloverTime FILETIME
NextRolloverTime FILETIME
CurrentRolloverStatus UnicodeString
ActiveKey UnicodeString
StandbyKey UnicodeString
NextKey UnicodeString

Event ID 570: A KeyOrZone signing key (KskOrZsk) descriptor with GUID GUID has been updated on the zone Zone.

Provider
Microsoft-Windows-DNSServer
Channel
Audit
Task
DNSSEC_OP

Description

A KeyOrZone signing key (KskOrZsk) descriptor with GUID GUID has been updated on the zone Zone. The properties of this KskOrZsk descriptor have been set to: KeyId=KeyId; KeyType=KeyType; CurrentState=CurrentState; KeyStorageProvider=KeyStorageProvider; StoreKeysInAD=StoreKeysInAD; CryptoAlgorithm=CryptoAlgorithm; KeyLength=KeyLength; DnsKeySignatureValidityPeriod=DnsKeySignatureValidityPeriod; DSSignatureValidityPeriod=DSSignatureValidityPeriod; ZoneSignatureValidityPeriod=ZoneSignatureValidityPeriod; InitialRolloverOffset=InitialRolloverOffset; RolloverPeriod=RolloverPeriod; RolloverType=RolloverType; NextRolloverAction=NextRolloverAction; LastRolloverTime=LastRolloverTime; NextRolloverTime=NextRolloverTime; CurrentRolloverStatus=CurrentRolloverStatus; ActiveKey=ActiveKey; StandbyKey=StandbyKey; NextKey=NextKey. The zone will be resigned with the KskOrZsk generated with these properties.

Message #

A %1 signing key (%2) descriptor with GUID %3 has been updated on the zone %4. The properties of this %2 descriptor have been set to: KeyId=%5; KeyType=%6; CurrentState=%7; KeyStorageProvider=%8; StoreKeysInAD=%9; CryptoAlgorithm=%10; KeyLength=%11; DnsKeySignatureValidityPeriod=%12; DSSignatureValidityPeriod=%13; ZoneSignatureValidityPeriod=%14; InitialRolloverOffset=%15; RolloverPeriod=%16; RolloverType=%17; NextRolloverAction=%18; LastRolloverTime=%19; NextRolloverTime=%20; CurrentRolloverStatus=%21; ActiveKey=%22; StandbyKey=%23; NextKey=%24. The zone will be resigned with the %2 generated with these properties.

Fields #

Name Description
KeyOrZone UnicodeString
KskOrZsk UnicodeString
GUID UnicodeString
Zone UnicodeString
KeyId UnicodeString
KeyType UnicodeString
Known values: %%2499 = Machine key; %%2500 = User key
CurrentState UnicodeString
KeyStorageProvider UnicodeString
StoreKeysInAD Boolean
CryptoAlgorithm UnicodeString
KeyLength UInt32
DnsKeySignatureValidityPeriod UInt32
DSSignatureValidityPeriod UInt32
ZoneSignatureValidityPeriod UInt32
InitialRolloverOffset UInt32
RolloverPeriod UInt32
RolloverType UnicodeString
NextRolloverAction UnicodeString
LastRolloverTime FILETIME
NextRolloverTime FILETIME
CurrentRolloverStatus UnicodeString
ActiveKey UnicodeString
StandbyKey UnicodeString
NextKey UnicodeString

Event ID 571: A KeyOrZone signing key (KskOrZsk) descriptor GUID has been removed from the zone Zone.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: DNSSEC_OP

Description

A KeyOrZone signing key (KskOrZsk) descriptor GUID has been removed from the zone Zone.

Message #

A %1 signing key (%2) descriptor %4 has been removed from the zone %3.

Fields #

Name Description
KeyOrZone UnicodeString
KskOrZsk UnicodeString
Zone UnicodeString
GUID UnicodeString

Event ID 572: The state of the KeyOrZone signing key (KskOrZsk) GUID has been modified on zone Zone.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: DNSSEC_OP

Description

The state of the KeyOrZone signing key (KskOrZsk) GUID has been modified on zone Zone. The new active key is ActiveKey, standby key is StandbyKey and next key is NextKey.

Message #

The state of the %1 signing key (%2) %3 has been modified on zone %4. The new active key is %5, standby key is %6 and next key is %7.

Fields #

Name Description
KeyOrZone UnicodeString
KskOrZsk UnicodeString
GUID UnicodeString
Zone UnicodeString
ActiveKey UnicodeString
StandbyKey UnicodeString
NextKey UnicodeString

Event ID 573: A delegation for ChildZone in the scope Scope of zone Zone with the name server NameServer has been added.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: ZONE_OP

Description

A delegation for ChildZone in the scope Scope of zone Zone with the name server NameServer has been added. [virtualization instance: VirtualizationID].

Message #

A delegation for %1 in the scope %2 of zone %3 with the name server %4 has been added. [virtualization instance: %5].

Fields #

Name Description
ChildZone AnsiString
Scope UnicodeString
Zone UnicodeString
NameServer AnsiString
VirtualizationID UnicodeString

Event ID 574: The client subnet with name ClientSubnetRecord, and value ClientSubnetList has been added to the DNS server.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: Informational
Task: POLICY_OP

Description

The client subnet with name ClientSubnetRecord, and value ClientSubnetList has been added to the DNS server.

Message #

The client subnet with name %1, and value %2 has been added to the DNS server.

Fields #

Name Description
ClientSubnetRecord UnicodeString
ClientSubnetList AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 574,
    "version": 0,
    "level": 4,
    "task": 13,
    "opcode": 0,
    "keywords": 4611688217450643456,
    "time_created": "2026-05-30T01:44:01.5740414+00:00",
    "event_record_id": 302,
    "correlation": {
      "ActivityID": "{57540301-0F4B-4D0C-9193-97EFA7EA3929}"
    },
    "execution": {
      "process_id": 3196,
      "thread_id": 12400
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ClientSubnetRecord": "labsubnet",
    "ClientSubnetList": "203.0.113.0/24"
  },
  "message": "The client subnet with name labsubnet, and value 203.0.113.0/24 has been added to the DNS server."
}

Event ID 575: The client subnet with name ClientSubnetRecord has been deleted from the DNS server.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: Informational
Task: POLICY_OP

Description

The client subnet with name ClientSubnetRecord has been deleted from the DNS server.

Message #

The client subnet with name %1 has been deleted from the DNS server.

Fields #

Name Description
ClientSubnetRecord UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 575,
    "version": 0,
    "level": 4,
    "task": 13,
    "opcode": 0,
    "keywords": 4611688217450643456,
    "time_created": "2026-05-30T01:44:01.6692404+00:00",
    "event_record_id": 306,
    "correlation": {
      "ActivityID": "{E81A7F0E-43A9-49DF-92EC-D2E454B3E8B2}"
    },
    "execution": {
      "process_id": 3196,
      "thread_id": 12400
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ClientSubnetRecord": "labsubnet"
  },
  "message": "The client subnet with name labsubnet has been deleted from the DNS server."
}

Event ID 576: The client subnet with name ClientSubnetRecord has been updated on the DNS server.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: Informational
Task: POLICY_OP

Description

The client subnet with name ClientSubnetRecord has been updated on the DNS server. The new IP subnets that it refers to are ClientSubnetList.

Message #

The client subnet with name %1 has been updated on the DNS server. The new IP subnets that it refers to are %2.

Fields #

Name Description
ClientSubnetRecord UnicodeString
ClientSubnetList AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 576,
    "version": 0,
    "level": 4,
    "task": 13,
    "opcode": 0,
    "keywords": 4611688217450643456,
    "time_created": "2026-05-30T01:44:01.5889889+00:00",
    "event_record_id": 303,
    "correlation": {
      "ActivityID": "{B03E37E2-F9A5-4710-94EB-65FBFF348D5C}"
    },
    "execution": {
      "process_id": 3196,
      "thread_id": 12400
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ClientSubnetRecord": "labsubnet",
    "ClientSubnetList": "198.51.100.0/24"
  },
  "message": "The client subnet with name labsubnet has been updated on the DNS server. The new IP subnets that it refers to are 198.51.100.0/24."
}

Event ID 577: A server level policy Policy for Type has been created on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Condition:Condition;...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: Informational
Task: POLICY_OP

Description

A server level policy Policy for Type has been created on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Condition:Condition; IsEnabled:IsEnabled.

Message #

A server level policy %6 for %1  has been created on server %2 with following properties: Processing order:%3; Criteria:%4; Action:%5; Condition:%7; IsEnabled:%8.

Fields #

Name Description
Type UnicodeString
ServerName AnsiString
ProcessingOrder UInt32
Criteria UnicodeString
Action UnicodeString
Policy UnicodeString
Condition UnicodeString
IsEnabled UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 577,
    "version": 0,
    "level": 4,
    "task": 13,
    "opcode": 0,
    "keywords": 4611688217450643456,
    "time_created": "2026-05-30T01:44:01.6353516+00:00",
    "event_record_id": 304,
    "correlation": {
      "ActivityID": "{2566A2CE-4041-45DC-9238-F6B16BCA5CB7}"
    },
    "execution": {
      "process_id": 3196,
      "thread_id": 12400
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Type": "Query processing",
    "ServerName": "JD-DC01-2022.ludus.domain",
    "ProcessingOrder": "1",
    "Criteria": "ClientSubnet=EQ,labsubnet",
    "Action": "Deny",
    "Policy": "labpolicy",
    "Condition": "And",
    "IsEnabled": "True"
  },
  "message": "A server level policy labpolicy for Query processing  has been created on server JD-DC01-2022.ludus.domain with following properties: Processing order:1; Criteria:ClientSubnet=EQ,labsubnet; Action:Deny; Condition:And; IsEnabled:True."
}

Event ID 578: A zone level policy Policy for Type has been created on zone ZoneName on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Scop...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: POLICY_OP

Description

A zone level policy Policy for Type has been created on zone ZoneName on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Scopes:Scopes; Condition:Condition; IsEnabled:IsEnabled.

Message #

A zone level policy %8 for %1  has been created on zone %6 on server %2 with following properties: Processing order:%3; Criteria:%4; Action:%5; Scopes:%7; Condition:%9; IsEnabled:%10.

Fields #

Name Description
Type UnicodeString
ServerName AnsiString
ProcessingOrder UInt32
Criteria UnicodeString
Action UnicodeString
ZoneName UnicodeString
Scopes UnicodeString
Policy UnicodeString
Condition UnicodeString
IsEnabled UnicodeString

Event ID 579: A policy Policy to control recursion settings has been created on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Sco...

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: POLICY_OP

Description

A policy Policy to control recursion settings has been created on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Scope:RecursionScope; Condition:Condition; IsEnabled:IsEnabled.

Message #

A policy %6 to control recursion settings has been created on server %2 with following properties: Processing order:%3; Criteria:%4; Action:%5; Scope:%1; Condition:%7; IsEnabled:%8.

Fields #

Name Description
RecursionScope UnicodeString
ServerName AnsiString
ProcessingOrder UInt32
Criteria UnicodeString
Action UnicodeString
Policy UnicodeString
Condition UnicodeString
IsEnabled UnicodeString

Event ID 580: The server level policy Policy has been deleted from server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: Informational
Task: POLICY_OP

Description

The server level policy Policy has been deleted from server ServerName.

Message #

The server level policy %1 has been deleted from server %2.

Fields #

Name Description
Policy UnicodeString
ServerName AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 580,
    "version": 0,
    "level": 4,
    "task": 13,
    "opcode": 0,
    "keywords": 4611688217450643456,
    "time_created": "2026-05-30T01:44:01.6509631+00:00",
    "event_record_id": 305,
    "correlation": {
      "ActivityID": "{C796662E-87B9-4F44-BC71-B0F14B2C4488}"
    },
    "execution": {
      "process_id": 3196,
      "thread_id": 12400
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Policy": "labpolicy",
    "ServerName": "JD-DC01-2022.ludus.domain"
  },
  "message": "The server level policy labpolicy has been deleted from server JD-DC01-2022.ludus.domain."
}

Event ID 581: The zone level policy Policy has been deleted from zone Zone on server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: POLICY_OP

Description

The zone level policy Policy has been deleted from zone Zone on server ServerName.

Message #

The zone level policy %1 has been deleted from zone %3 on server %2.

Fields #

Name Description
Policy UnicodeString
ServerName AnsiString
Zone UnicodeString

Event ID 582: The policy Policy to control recursion settings has been deleted from server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: POLICY_OP

Description

The policy Policy to control recursion settings has been deleted from server ServerName.

Message #

The policy %1 to control recursion settings has been deleted from server %2.

Fields #

Name Description
Policy UnicodeString
ServerName AnsiString

Event ID 583: The server level policy Policy has been updated on server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: POLICY_OP

Description

The server level policy Policy has been updated on server ServerName. The properties OldPropertyValues have been updated to NewPropertyValues.

Message #

The server level policy %1 has been updated on server %2. The properties %3 have been updated to %4.

Fields #

Name Description
Policy UnicodeString
ServerName AnsiString
OldPropertyValues UnicodeString
NewPropertyValues UnicodeString

Event ID 584: The zone level policy Policy has been updated on zone Zone of server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: POLICY_OP

Description

The zone level policy Policy has been updated on zone Zone of server ServerName. The properties OldPropertyValues have been updated to NewPropertyValues.

Message #

The zone level policy %1 has been updated on zone %3 of server %2. The properties %4 have been updated to %5.

Fields #

Name Description
Policy UnicodeString
ServerName AnsiString
Zone UnicodeString
OldPropertyValues UnicodeString
NewPropertyValues UnicodeString

Event ID 585: The server level policy Policy for recursion has been updated on server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: POLICY_OP

Description

The server level policy Policy for recursion has been updated on server ServerName. The properties OldPropertyValues have been updated to NewPropertyValues.

Message #

The server level policy %1 for recursion has been updated on server %2. The properties %3 have been updated to %4.

Fields #

Name Description
Policy UnicodeString
ServerName AnsiString
OldPropertyValues UnicodeString
NewPropertyValues UnicodeString

Event ID 586: The zone level policy Policy has been updated on zone Zone of server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: POLICY_OP

Description

The zone level policy Policy has been updated on zone Zone of server ServerName. The policy does not use scope Scope for query resolution.

Message #

The zone level policy %1 has been updated on zone %4 of server %2. The policy does not use scope %3 for query resolution.

Fields #

Name Description
Policy UnicodeString
ServerName AnsiString
Scope UnicodeString
Zone UnicodeString

Event ID 587: The zone level policy Policy has been updated on zone Zone of server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: POLICY_OP

Description

The zone level policy Policy has been updated on zone Zone of server ServerName. The policy will use scope Scope for query resolution with weight ScopeWeight.

Message #

The zone level policy %1 has been updated on zone %5 of server %2. The policy will use scope %3 for query resolution with weight %4.

Fields #

Name Description
Policy UnicodeString
ServerName AnsiString
Scope UnicodeString
ScopeWeight UInt32
Zone UnicodeString

Event ID 588: The zone level policy Policy has been updated on zone Zone of server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: POLICY_OP

Description

The zone level policy Policy has been updated on zone Zone of server ServerName. The weight assigned to scope Scope has been updated from ScopeWeightOld to ScopeWeightNew.

Message #

The zone level policy %1 has been updated on zone %6 of server %2. The weight assigned to scope %3 has been updated from %5 to %4.

Fields #

Name Description
Policy UnicodeString
ServerName AnsiString
Scope UnicodeString
ScopeWeightNew UInt32
ScopeWeightOld UInt32
Zone UnicodeString

Event ID 589: The server level policy Policy for recursion has been updated on server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: POLICY_OP

Description

The server level policy Policy for recursion has been updated on server ServerName. The policy will use recursion scope NewScope instead of OldScope for query resolution.

Message #

The server level policy %1 for recursion has been updated on server %2. The policy will use recursion scope %3 instead of %4 for query resolution.

Fields #

Name Description
Policy UnicodeString
ServerName AnsiString
NewScope UnicodeString
OldScope UnicodeString

Event ID 590: The Response Rate Limiting is configured on the DNS server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Level: Informational
Task: RRL_OP

Description

The Response Rate Limiting is configured on the DNS server ServerName. The RRL settings are ResponsesPerSecond: ResponsePerSecond, ErrorsPerSecond: ErrorsPerSecond, LeakRate: LeakRate, TCRate: TCRate, Window: WindowSize, MaximumResponsesInWindow: TotalResponsesInWindow, IPv4PrefixLength: IPv4PrefixLength, IPv6PrefixLength: IPv6PrefixLength, Mode: Mode.

Message #

The Response Rate Limiting is configured on the DNS server  %1. The RRL settings are ResponsesPerSecond: %2, ErrorsPerSecond: %3, LeakRate: %4, TCRate: %5, Window: %6, MaximumResponsesInWindow: %7, IPv4PrefixLength: %8, IPv6PrefixLength: %9, Mode: %10.

Fields #

Name Description
ServerName AnsiString
ResponsePerSecond UInt32
ErrorsPerSecond UInt32
LeakRate UInt32
TCRate UInt32
WindowSize UInt32
TotalResponsesInWindow UInt32
IPv4PrefixLength UInt32
IPv6PrefixLength UInt32
Mode AnsiString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNSServer",
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "event_source_name": "",
    "event_id": 590,
    "version": 0,
    "level": 4,
    "task": 15,
    "opcode": 0,
    "keywords": 4611721202799476736,
    "time_created": "2026-05-30T01:44:06.7185486+00:00",
    "event_record_id": 308,
    "correlation": {},
    "execution": {
      "process_id": 12412,
      "thread_id": 11636
    },
    "channel": "Microsoft-Windows-DNSServer/Audit",
    "computer": "JD-DC01-2022.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ServerName": "JD-DC01-2022.ludus.domain",
    "ResponsePerSecond": "5",
    "ErrorsPerSecond": "5",
    "LeakRate": "3",
    "TCRate": "2",
    "WindowSize": "5",
    "TotalResponsesInWindow": "1024",
    "IPv4PrefixLength": "24",
    "IPv6PrefixLength": "56",
    "Mode": "LogOnly"
  },
  "message": "The Response Rate Limiting is configured on the DNS server  JD-DC01-2022.ludus.domain. The RRL settings are ResponsesPerSecond: 5, ErrorsPerSecond: 5, LeakRate: 3, TCRate: 2, Window: 5, MaximumResponsesInWindow: 1024, IPv4PrefixLength: 24, IPv6PrefixLength: 56, Mode: LogOnly."
}

Event ID 591: A exceptionlist RRLExceptionlist against response rate limiting has been added on the DNS server ServerName with following settings: Criteria; Condition:Condition.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: RRL_OP

Description

A exceptionlist RRLExceptionlist against response rate limiting has been added on the DNS server ServerName with following settings: Criteria; Condition:Condition. The queries that fall under this exceptionlist shall be exempt from response rate limiting.

Message #

A exceptionlist %1 against response rate limiting has been added on the DNS server %2 with following settings: %3; Condition:%4. The queries that fall under this exceptionlist shall be exempt from response rate limiting.

Fields #

Name Description
RRLExceptionlist UnicodeString
ServerName AnsiString
Criteria UnicodeString
Condition UnicodeString

Event ID 592: A exceptionlist RRLExceptionlist against response rate limiting has been deleted from server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: RRL_OP

Description

A exceptionlist RRLExceptionlist against response rate limiting has been deleted from server ServerName.

Message #

A exceptionlist %1 against response rate limiting has been deleted from server %2.

Fields #

Name Description
RRLExceptionlist UnicodeString
ServerName AnsiString

Event ID 593: A exceptionlist RRLExceptionlist against response rate limiting has been updated on server ServerName.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: RRL_OP

Description

A exceptionlist RRLExceptionlist against response rate limiting has been updated on server ServerName. The properties OldPropertyValues have been updated to NewPropertyValues.

Message #

A exceptionlist %1 against response rate limiting has been updated on server %2. The properties %3 have been updated to %4.

Fields #

Name Description
RRLExceptionlist UnicodeString
ServerName AnsiString
OldPropertyValues UnicodeString
NewPropertyValues UnicodeString

Event ID 594: The virtualization instance VirtualizationID with friendly name FriendlyName was created.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: VIRTUALIZATION_OP

Description

The virtualization instance VirtualizationID with friendly name FriendlyName was created.

Message #

The virtualization instance %1 with friendly name %2 was created.

Fields #

Name Description
VirtualizationID UnicodeString
FriendlyName UnicodeString

Event ID 595: The virtualization instance VirtualizationID was removed.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: VIRTUALIZATION_OP

Description

The virtualization instance VirtualizationID was removed. The zones hosted in this virtualization instance were automatically removed as a part of this.

Message #

The virtualization instance %1 was removed. The zones hosted in this virtualization instance were automatically removed as a part of this.

Fields #

Name Description
VirtualizationID UnicodeString

Event ID 596: The virtualization instance VirtualizationID was updated.

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: VIRTUALIZATION_OP

Description

The virtualization instance VirtualizationID was updated. The OldFriendlyName setting has been set to NewFriendlyName.

Message #

The virtualization instance %1 was updated. The %2 setting has been set to %3.

Fields #

Name Description
VirtualizationID UnicodeString
OldFriendlyName UnicodeString
NewFriendlyName UnicodeString

Event ID 597: QUERY_RECEIVED: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; AdditionalInfo = ...

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: LOOK_UP

Description

QUERY_RECEIVED: Channel=; ; InterfaceIP=; Source=; RD=; QNAME=; QTYPE=; XID=; Port=; Flags=; PacketData=; AdditionalInfo = VirtualizationInstanceOptionValue: ; GUID=.

Message #

QUERY_RECEIVED: Channel=%1; %2; InterfaceIP=%3; Source=%4; RD=%5; QNAME=%6; QTYPE=%7; XID=%8; Port=%9; Flags=%10; PacketData=%12; AdditionalInfo = VirtualizationInstanceOptionValue: %13; GUID=%14; %15

Fields #

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Source AnsiString
RD UInt8
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A; 2 = NS; 5 = CNAME; 6 = SOA; 12 = PTR; 15 = MX; 16 = TXT; 24 = SIG; 25 = KEY; 28 = AAAA; 33 = SRV; 35 = NAPTR; 39 = DNAME; 41 = OPT; 43 = DS; 46 = RRSIG; 47 = NSEC; 48 = DNSKEY; 50 = NSEC3; 51 = NSEC3PARAM; 52 = TLSA; 65 = HTTPS; 252 = AXFR; 255 = ANY; 257 = CAA
XID UInt32
Port UInt32
Flags UInt32
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
GUID UnicodeString
EdnsInfo UnicodeString

Event ID 597:

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: LOOK_UP

Description

QUERY_RECEIVED: Channel=; ; InterfaceIP=; Source=; RD=; QNAME=; QTYPE=; XID=; Port=; Flags=; PacketData=; AdditionalInfo = VirtualizationInstanceOptionValue: ; GUID=.

Fields #

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Source AnsiString
RD UInt8
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A; 2 = NS; 5 = CNAME; 6 = SOA; 12 = PTR; 15 = MX; 16 = TXT; 24 = SIG; 25 = KEY; 28 = AAAA; 33 = SRV; 35 = NAPTR; 39 = DNAME; 41 = OPT; 43 = DS; 46 = RRSIG; 47 = NSEC; 48 = DNSKEY; 50 = NSEC3; 51 = NSEC3PARAM; 52 = TLSA; 65 = HTTPS; 252 = AXFR; 255 = ANY; 257 = CAA
XID UInt32
Port UInt32
Flags UInt32
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
GUID UnicodeString
EdnsInfo UnicodeString

Event ID 598: RESPONSE_SUCCESS: Channel=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: LOOK_UP

Message #

RESPONSE_SUCCESS: Channel=%1; %2; InterfaceIP=%3; Destination=%4; AA=%5; AD=%6; QNAME=%7; QTYPE=%8; XID=%9; DNSSEC=%10; RCODE=%11; Port=%12; Flags=%13; Scope=%14; Zone=%15; PolicyName=%16; PacketData=%18; AdditionalInfo= %19; DataTag=%20; ElapsedTime=%21; GUID=%22; %23; %24;

Fields #

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Destination AnsiString
AA UInt8
AD UInt8
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A; 2 = NS; 5 = CNAME; 6 = SOA; 12 = PTR; 15 = MX; 16 = TXT; 24 = SIG; 25 = KEY; 28 = AAAA; 33 = SRV; 35 = NAPTR; 39 = DNAME; 41 = OPT; 43 = DS; 46 = RRSIG; 47 = NSEC; 48 = DNSKEY; 50 = NSEC3; 51 = NSEC3PARAM; 52 = TLSA; 65 = HTTPS; 252 = AXFR; 255 = ANY; 257 = CAA
XID UInt32
DNSSEC UInt8
RCODE UInt32
Known values: 0 = NoError; 1 = FormErr; 2 = ServFail; 3 = NXDomain; 4 = NotImp; 5 = Refused; 6 = YXDomain; 7 = YXRRSet; 8 = NXRRSet; 9 = NotAuth; 10 = NotZone; 11 = DSOTYPENI; 16 = BADSIG_or_BADVERS; 17 = BADKEY; 18 = BADTIME; 19 = BADMODE; 20 = BADNAME; 21 = BADALG; 22 = BADTRUNC; 23 = BADCOOKIE
Port UInt32
Flags UInt32
Scope UnicodeString
Zone UnicodeString
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
DataTag UInt64
ElapsedTime UInt32
GUID UnicodeString
EdnsInfo UnicodeString
StaleRecordsPresent UnicodeString

Event ID 598:

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: LOOK_UP

Fields #

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Destination AnsiString
AA UInt8
AD UInt8
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A; 2 = NS; 5 = CNAME; 6 = SOA; 12 = PTR; 15 = MX; 16 = TXT; 24 = SIG; 25 = KEY; 28 = AAAA; 33 = SRV; 35 = NAPTR; 39 = DNAME; 41 = OPT; 43 = DS; 46 = RRSIG; 47 = NSEC; 48 = DNSKEY; 50 = NSEC3; 51 = NSEC3PARAM; 52 = TLSA; 65 = HTTPS; 252 = AXFR; 255 = ANY; 257 = CAA
XID UInt32
DNSSEC UInt8
RCODE UInt32
Known values: 0 = NoError; 1 = FormErr; 2 = ServFail; 3 = NXDomain; 4 = NotImp; 5 = Refused; 6 = YXDomain; 7 = YXRRSet; 8 = NXRRSet; 9 = NotAuth; 10 = NotZone; 11 = DSOTYPENI; 16 = BADSIG_or_BADVERS; 17 = BADKEY; 18 = BADTIME; 19 = BADMODE; 20 = BADNAME; 21 = BADALG; 22 = BADTRUNC; 23 = BADCOOKIE
Port UInt32
Flags UInt32
Scope UnicodeString
Zone UnicodeString
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
DataTag UInt64
ElapsedTime UInt32
GUID UnicodeString
EdnsInfo UnicodeString
StaleRecordsPresent UnicodeString

Event ID 599: RESPONSE_FAILURE: Channel=.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: LOOK_UP

Message #

RESPONSE_FAILURE: Channel=%1; %2; InterfaceIP=%3; Reason=%4; Destination=%5; QNAME=%6; QTYPE=%7; XID=%8; RCODE=%9; Port=%10; Flags=%11; Zone=%12; PolicyName=%13; PacketData=%15; AdditionalInfo = VirtualizationInstance: %14; ElapsedTime=%17; GUID=%18; %19

Fields #

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Reason UnicodeString
Destination AnsiString
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A; 2 = NS; 5 = CNAME; 6 = SOA; 12 = PTR; 15 = MX; 16 = TXT; 24 = SIG; 25 = KEY; 28 = AAAA; 33 = SRV; 35 = NAPTR; 39 = DNAME; 41 = OPT; 43 = DS; 46 = RRSIG; 47 = NSEC; 48 = DNSKEY; 50 = NSEC3; 51 = NSEC3PARAM; 52 = TLSA; 65 = HTTPS; 252 = AXFR; 255 = ANY; 257 = CAA
XID UInt32
RCODE UInt32
Known values: 0 = NoError; 1 = FormErr; 2 = ServFail; 3 = NXDomain; 4 = NotImp; 5 = Refused; 6 = YXDomain; 7 = YXRRSet; 8 = NXRRSet; 9 = NotAuth; 10 = NotZone; 11 = DSOTYPENI; 16 = BADSIG_or_BADVERS; 17 = BADKEY; 18 = BADTIME; 19 = BADMODE; 20 = BADNAME; 21 = BADALG; 22 = BADTRUNC; 23 = BADCOOKIE
Port UInt32
Flags UInt32
Zone UnicodeString
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
ElapsedTime UInt32
GUID UnicodeString
EdnsInfo UnicodeString

Event ID 599:

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: LOOK_UP

Fields #

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Reason UnicodeString
Destination AnsiString
QNAME AnsiString
QTYPE UInt32
Known values: 1 = A; 2 = NS; 5 = CNAME; 6 = SOA; 12 = PTR; 15 = MX; 16 = TXT; 24 = SIG; 25 = KEY; 28 = AAAA; 33 = SRV; 35 = NAPTR; 39 = DNAME; 41 = OPT; 43 = DS; 46 = RRSIG; 47 = NSEC; 48 = DNSKEY; 50 = NSEC3; 51 = NSEC3PARAM; 52 = TLSA; 65 = HTTPS; 252 = AXFR; 255 = ANY; 257 = CAA
XID UInt32
RCODE UInt32
Known values: 0 = NoError; 1 = FormErr; 2 = ServFail; 3 = NXDomain; 4 = NotImp; 5 = Refused; 6 = YXDomain; 7 = YXRRSet; 8 = NXRRSet; 9 = NotAuth; 10 = NotZone; 11 = DSOTYPENI; 16 = BADSIG_or_BADVERS; 17 = BADKEY; 18 = BADTIME; 19 = BADMODE; 20 = BADNAME; 21 = BADALG; 22 = BADTRUNC; 23 = BADCOOKIE
Port UInt32
Flags UInt32
Zone UnicodeString
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary
AdditionalInfo UnicodeString
ElapsedTime UInt32
GUID UnicodeString
EdnsInfo UnicodeString

Event ID 600: IGNORED_QUERY: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: LOOK_UP

Description

IGNORED_QUERY: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason.

Message #

IGNORED_QUERY: Channel=%1; %2; InterfaceIP=%3; Source=%4; Reason=%5

Fields #

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Source AnsiString
Reason UnicodeString

Event ID 600:

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: LOOK_UP

Description

IGNORED_QUERY: Channel=; ; InterfaceIP=; Source=; Reason=.

Fields #

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Source AnsiString
Reason UnicodeString

Event ID 601: IGNORED_QUERY: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: LOOK_UP

Description

IGNORED_QUERY: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason.

Message #

IGNORED_QUERY: Channel=%1; %2; InterfaceIP=%3; Source=%4; Reason=%5

Fields #

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Source AnsiString
Reason UnicodeString

Event ID 601:

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: LOOK_UP

Description

IGNORED_QUERY: Channel=; ; InterfaceIP=; Source=; Reason=.

Fields #

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Source AnsiString
Reason UnicodeString

Event ID 602: DYN_UPDATE_RECV: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; Port=Port; Flags=Flags; SECURE=Secure; PacketData=PacketData.

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_RECV: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; Port=Port; Flags=Flags; SECURE=Secure; PacketData=PacketData.

Message

DYN_UPDATE_RECV: Channel=%1; %2; InterfaceIP=%3; Source=%4; QNAME=%5; XID=%6; Port=%7; Flags=%8; SECURE=%9; PacketData=%11

Fields

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Source AnsiString
QNAME AnsiString
XID UInt32
Port UInt32
Flags UInt32
Secure UInt8
BufferSize UInt32
PacketData Binary

Event ID 602:

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_RECV: Channel=; ; InterfaceIP=; Source=; QNAME=; XID=; Port=; Flags=; SECURE=; PacketData=.

Fields

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Source AnsiString
QNAME AnsiString
XID UInt32
Port UInt32
Flags UInt32
Secure UInt8
BufferSize UInt32
PacketData Binary

Event ID 603: DYN_UPDATE_RESPONSE: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PolicyName=PolicyName; Packet...

Provider: Microsoft-Windows-DNSServer
Channel: Analytical
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_RESPONSE: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PolicyName=PolicyName; PacketData=PacketData.

Message

DYN_UPDATE_RESPONSE: Channel=%1; %2; InterfaceIP=%3; Destination=%4; QNAME=%5; XID=%6; ZoneScope=%7; Zone=%8; RCODE=%9; PolicyName=%10; PacketData=%12

Fields

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
  Known values:
    0 NoError
    1 FormErr
    2 ServFail
    3 NXDomain
    4 NotImp
    5 Refused
    6 YXDomain
    7 YXRRSet
    8 NXRRSet
    9 NotAuth
    10 NotZone
    11 DSOTYPENI
    16 BADSIG_or_BADVERS
    17 BADKEY
    18 BADTIME
    19 BADMODE
    20 BADNAME
    21 BADALG
    22 BADTRUNC
    23 BADCOOKIE
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary

Event ID 603:

Provider: Microsoft-Windows-DNSServer
Channel: Audit
Task: DYNAMIC_UPDATE

Description

DYN_UPDATE_RESPONSE: Channel=; ; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PolicyName=; PacketData=.

Fields

Name Description
Channel UnicodeString
ChannelInfo UnicodeString
InterfaceIP AnsiString
Destination AnsiString
QNAME AnsiString
XID UInt32
ZoneScope UnicodeString
Zone UnicodeString
RCODE UInt32
  Known values:
    0 NoError
    1 FormErr
    2 ServFail
    3 NXDomain
    4 NotImp
    5 Refused
    6 YXDomain
    7 YXRRSet
    8 NXRRSet
    9 NotAuth
    10 NotZone
    11 DSOTYPENI
    16 BADSIG_or_BADVERS
    17 BADKEY
    18 BADTIME
    19 BADMODE
    20 BADNAME
    21 BADALG
    22 BADTRUNC
    23 BADCOOKIE
PolicyName UnicodeString
BufferSize UInt32
PacketData Binary

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {EB79061A-A566-4698-9119-3ED2807060E7}

Defined in dns.exe, which carries the event manifest.

Observed on:

  • WS2022-20348.4893 · sample captured from a live trace · binary version 10.0.20348.2849 · captured 2026-06-02
  • WS2022-20348.4893 · schema read from the registered manifest · binary version 10.0.20348.2849 · captured 2026-06-02

Credits

  • Microsoft - authored the ETW manifests and PDBs the schema comes from
  • jdu2600 - the event-schema TSV format this catalog adopted
  • nasbench - the tool that dumps registered providers and manifests