DNS Server Trace Provider

4 events across 1 channel

Event  Title                        Channel    Sample
9      MSDNSSRV_v4QueryEventBasic   ETW Trace  N
10     MSDNSSRV_v6QueryEventBasic   ETW Trace  N
11     DNS Server                   ETW Trace  Y
12     MSDNSSRV_v6QueryEventFull    ETW Trace  N

Event ID 9: MSDNSSRV_v4QueryEventBasic

Provider: DNS Server Trace Provider
Channel: ETW Trace
Source: Trace

Fields

Name  Type (MOF)
PacketDirection mof:String
QueryTime mof:UInt32
QueuingTime mof:UInt32
ExpiryTime mof:UInt32
TransportProtocol mof:String
RemotePort mof:UInt16
RemoteAddress mof:Object
pad1 mof:UInt32
pad2 mof:UInt32
pad3 mof:UInt32
Xid mof:UInt16
QueryOpCode mof:SInt8
ResponseOpCode mof:SInt8
Flags mof:String
NumQuestions mof:UInt16
NumAnswerRRs mof:UInt16
NumAuthRRs mof:UInt16
NumAdditionalRRs mof:UInt16
QueryType mof:UInt16
QueryClass mof:UInt16
Question mof:String

Event ID 10: MSDNSSRV_v6QueryEventBasic

Provider: DNS Server Trace Provider
Channel: ETW Trace
Source: Trace

Fields

Name  Type (MOF)
PacketDirection mof:String
QueryTime mof:UInt32
QueuingTime mof:UInt32
ExpiryTime mof:UInt32
TransportProtocol mof:String
RemotePort mof:UInt16
RemoteAddress mof:Object
Xid mof:UInt16
QueryOpCode mof:SInt8
ResponseOpCode mof:SInt8
Flags mof:String
NumQuestions mof:UInt16
NumAnswerRRs mof:UInt16
NumAuthRRs mof:UInt16
NumAdditionalRRs mof:UInt16
QueryType mof:UInt16
QueryClass mof:UInt16
Question mof:String

Event ID 11: DNS Server

Provider: DNS Server Trace Provider
Channel: ETW Trace
Also via: realtime ETW trace
Task: DNS Server
Source: Trace

Fields

Name  Type (MOF)
PacketDirection mof:String
QueryTime mof:UInt32
QueuingTime mof:UInt32
ExpiryTime mof:UInt32
TransportProtocol mof:String
RemotePort mof:UInt16
RemoteAddress mof:Object
pad1 mof:UInt32
pad2 mof:UInt32
pad3 mof:UInt32
Xid mof:UInt16
QueryOpCode mof:SInt8
ResponseOpCode mof:SInt8
Flags mof:String
NumQuestions mof:UInt16
NumAnswerRRs mof:UInt16
NumAuthRRs mof:UInt16
NumAdditionalRRs mof:UInt16
PacketContents mof:String

Example Event

{
  "system": {
    "provider": "DNS Server Trace Provider",
    "guid": "{57840C25-FA99-4F0D-928D-D81D1851E3DD}",
    "event_source_name": "",
    "event_id": 11,
    "version": 0,
    "level": 0,
    "task": 0,
    "opcode": 11,
    "keywords": "",
    "time_created": "2026-06-02T05:05:05.673+00:00",
    "event_record_id": 0,
    "correlation": {},
    "execution": {
      "process_id": 4504,
      "thread_id": 10580
    },
    "channel": "ETW Trace",
    "computer": "JD-DC01-2022",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "ExpiryTime": 0,
    "Flags": "Q -- -- Rd --",
    "NumAdditionalRRs": 0,
    "NumAnswerRRs": 0,
    "NumAuthRRs": 0,
    "NumQuestions": 1,
    "PacketContents": "UDP question info at 000001CEF6F000F0\r\n  Socket = 880\r\n  Remote addr 127.0.0.1, port 50435\r\n  Time Query=34149, Queued=0, Expire=0\r\n  Buf length = 0x0fa0 (4000)\r\n  Msg length = 0x0039 (57)\r\n  Message:\r\n    XID       0xc27c\r\n    Flags     0x0100\r\n      QR        0 (QUESTION)\r\n      OPCODE    0 (QUERY)\r\n      AA        0\r\n      TC        0\r\n      RD        1\r\n      RA        0\r\n      Z         0\r\n      CD        0\r\n      AD        0\r\n      RCODE     0 (NOERROR)\r\n    QCOUNT    1\r\n    ACOUNT    0\r\n    NSCOUNT   0\r\n    ARCOUNT   0\r\n    QUESTION SECTION:\r\n    Offset = 0x000c, RR count = 0\r\n    Name = (31)this-name-does-not-exist-etwgen(7)invalid(0)\r\n      QTYPE   A (1)\r\n      QCLASS  1\r\n    ANSWER SECTION:\r\n      empty\r\n    AUTHORITY SECTION:\r\n      empty\r\n    ADDITIONAL SECTION:\r\n      empty\r\n\r\n",
    "PacketDirection": "In ",
    "QueryOpCode": 0,
    "QueryTime": 34149,
    "QueuingTime": 0,
    "RemoteAddress": 16777343,
    "RemotePort": 50435,
    "ResponseOpCode": 0,
    "TransportProtocol": "UDPv4",
    "Xid": 49788,
    "pad1": 0,
    "pad2": 0,
    "pad3": 0
  },
  "message": "DNS Server"
}
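As an added example (not part of this page or of any Microsoft tooling), the following Python normalizes the Event ID 11 event_data above into a record a detection pipeline can key on, and cross-checks the typed fields against the human-readable PacketContents dump. Reading RemoteAddress (typed mof:Object) as a little-endian in_addr is an assumption drawn from the sample: 16777343 is 0x0100007F, which matches "Remote addr 127.0.0.1" in the dump.

```python
import re
import struct
import ipaddress

# event_data of the page's Event ID 11 sample, PacketContents abridged (constructed copy).
SAMPLE_EVENT_DATA = {
    "Flags": "Q -- -- Rd --",
    "PacketContents": (
        "  Remote addr 127.0.0.1, port 50435\r\n"
        "  Message:\r\n    XID       0xc27c\r\n    QUESTION SECTION:\r\n"
        "    Name = (31)this-name-does-not-exist-etwgen(7)invalid(0)\r\n"
        "      QTYPE   A (1)\r\n"
    ),
    "PacketDirection": "In ", "TransportProtocol": "UDPv4",
    "RemoteAddress": 16777343, "RemotePort": 50435, "Xid": 49788,
}

def remote_ipv4(value: int) -> str:
    # Assumption from the sample: mof:Object RemoteAddress is the raw in_addr read as a
    # little-endian uint32 (0x0100007F -> 127.0.0.1).
    return str(ipaddress.IPv4Address(struct.pack("<I", value)))

def qname_from_packet(contents: str):
    # '(31)label(7)invalid(0)' -> 'label.invalid'; None if a label length is wrong.
    m = re.search(r"Name = ((?:\(\d+\)[^(\r\n]*)+)", contents)
    if not m:
        return None
    labels = re.findall(r"\((\d+)\)([^(\r\n]*)", m.group(1))
    if any(int(n) != len(lbl) for n, lbl in labels):
        return None
    return ".".join(lbl for _, lbl in labels if lbl)

def normalize(ev: dict) -> dict:
    pc = ev["PacketContents"]
    qt = re.search(r"QTYPE\s+(\w+)", pc)
    rec = {
        "transport": ev["TransportProtocol"],
        "remote_ip": remote_ipv4(ev["RemoteAddress"]),
        "remote_port": ev["RemotePort"],
        "xid": f"0x{ev['Xid']:04x}",
        "recursion_desired": "Rd" in ev["Flags"].split(),
        "qname": qname_from_packet(pc),
        "qtype": qt.group(1) if qt else None,
    }
    # Cross-check typed fields against the text dump so a wrong decoding assumption is caught.
    dump_xid = re.search(r"XID\s+(0x[0-9a-f]+)", pc)
    rec["consistent"] = (f"Remote addr {rec['remote_ip']}, port {rec['remote_port']}" in pc
                         and dump_xid is not None and dump_xid.group(1) == rec["xid"])
    return rec
```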

Event ID 12: MSDNSSRV_v6QueryEventFull

Provider: DNS Server Trace Provider
Channel: ETW Trace
Source: Trace

Fields

Name  Type (MOF)
PacketDirection mof:String
QueryTime mof:UInt32
QueuingTime mof:UInt32
ExpiryTime mof:UInt32
TransportProtocol mof:String
RemotePort mof:UInt16
RemoteAddress mof:Object
Xid mof:UInt16
QueryOpCode mof:SInt8
ResponseOpCode mof:SInt8
Flags mof:String
NumQuestions mof:UInt16
NumAnswerRRs mof:UInt16
NumAuthRRs mof:UInt16
NumAdditionalRRs mof:UInt16
PacketContents mof:String

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {57840C25-FA99-4F0D-928D-D81D1851E3DD}

Observed on:

  • WS2025-26100.0, schema read from the WMI MOF class, captured 2026-02-26

    Taken from Windows installation media (build 26100.1), not a patched system, so the exact update level is unknown.

  • WS2022-20348.4893, sample captured from a live trace, captured 2026-06-02
  • WS2022-20348.4893, schema read from the WMI MOF class, captured 2026-06-02

    MOF class: MSDNSSRV_Trace