Microsoft-Windows-DNS-Client

107 events across 2 channels

Event	Title	Channel	Sample
1000	There are currently no IPv4 DNS servers configured for any interface on this …	Operational	N
1001	Interface: Interface Total DNS Server Count: TotalServerCount Index: Index …	Operational	Y
1002	The DNS server being queried for interface Interface has changed to Address.	Operational	Y
1003	The following DNS server(s) were successfully validated as active servers that …	Operational	Y
1004	The following DNS server(s) were successfully validated as active servers that …	System	N
1005	The client was unable to validate the following as active DNS server(s) that can …	Operational	N
1006	The client was unable to validate the following as active DNS server(s) that can …	System	N
1007	The primary DNS suffix for this machine is missing.	Operational	N
1008	The primary DNS suffix for this machine is missing.	System	N
1009	The primary DNS suffix for this machine (DnsSuffix) does not match the Active …	Operational	N
1010	The primary DNS suffix for this machine (DnsSuffix) does not match the Active …	System	N
1011	There was an error while attempting to read the local hosts file.	Operational	N
1012	There was an error while attempting to read the local hosts file.	System	N
1013	Name resolution for the name QueryName timed out after none of the configured …	Operational	Y
1014	Name resolution for the name QueryName timed out after none of the configured …	System	Y
1015	Name resolution for the name QueryName timed out after the DNS server Address …	Operational	Y
1016	A name not found error was returned for the name QueryName.	Operational	Y
1017	The DNS server's response to a query for name QueryName indicates that no …	Operational	Y
1018	The response for the query QueryName was a Link Local IP address Address.	Operational	N
1019	There are currently no IPv6 DNS servers configured for any interface on this …	Operational	N
1020	Read DNS Name Resolution Policy Table: Key Name KeyName: DNSSEC Settings: …	Operational	N
1021	Matched Effective policy for query name QueryName: Key Name KeyName: …	Operational	N
1022	Name resolution for the name, QueryName, will not fall back to LLMNR or NetBIOS.	Operational	Y
1023	Name resolution policy table has been corrupted.	System	N
1024	Transaction ID of the response for query QueryName from server Address did not …	Operational	Y
1025	The DNS server IP Address of the response for query QueryName is not configured …	Operational	N
1026	The question (ResponseQuestion) in the response from server Address does not …	Operational	N
1027	DNS Name resolution for the name, QueryName, failed because the client was …	Operational	N
1028	Matched effective policy for query name QueryName: Key Name KeyName: …	Operational	N
3000	DNS Query is initiated for the name QueryName and for the type QueryType with …	Operational	N
3001	DNS Query operation is completed with result Status.	Operational	N
3002	DNS Cache lookup is initiated for the name QueryName and for the type QueryType …	Operational	N
3003	DNS Cache lookup operation for the name QueryName and for the type QueryType is …	Operational	N
3004	DNS FQDN Query is initiated for the name QueryName and for the type QueryType …	Operational	N
3005	DNS FQDN Query operation for the name QueryName and for the type QueryType is …	Operational	N
3006	DNS query is called for the name QueryName, type QueryType, query options …	Operational	Y
3007	DnsQueryEx for the name QueryName is pending.	Operational	Y
3008	DNS query is completed for the name QueryName, type QueryType, query options …	Operational	Y
3009	Network query initiated for the name QueryName (is parallel query …	Operational	Y
3010	DNS Query sent to DNS Server DnsServerIpAddress for name QueryName and type …	Operational	Y
3011	Received response from DNS Server DnsServerIpAddress for name QueryName and type …	Operational	Y
3012	NETBIOS query is initiated for name QueryName on network index NetworkIndex with …	Operational	Y
3013	NETBIOS query is completed for name QueryName with status Status and results …	Operational	Y
3014	NETBIOS query for the name QueryName is pending.	Operational	Y
3015	DnsQueryEx is canceled for the name QueryName.	Operational	N
3016	Cache lookup called for name QueryName, type QueryType, options QueryOptions and …	Operational	Y
3018	Cache lookup for name QueryName, type QueryType and option QueryOptions returned …	Operational	Y
3019	Query wire called for name QueryName, type QueryType, interface index …	Operational	Y
3020	Query response for name QueryName, type QueryType, interface index NetworkIndex …	Operational	Y
3023	Initiating resolver operation OperationName, name Name, flag Flag, client PID …	Operational	N
3024	Server ActualServer failed to validate DDR certificate for original address …	System	N
8001	Unable to start DNS Client service.	System	N
8002	Unable to start DNS Client service because the system failed to allocate memory …	System	N
8003	The system failed to register network adapter with settings.	System	N
8004	The system failed to register network adapter with settings.	System	N
8005	The system failed to register network adapter with settings.	System	N
8006	The system failed to register network adapter with settings.	System	N
8007	The system failed to register network adapter with settings.	System	N
8008	The system failed to register network adapter with settings.	System	N
8009	The system failed to register pointer (PTR) resource records (RRs) for network …	System	N
8010	The system failed to register pointer (PTR) resource records (RRs) for network …	System	Y
8011	The system failed to register pointer (PTR) resource records (RRs) for network …	System	N
8012	The system failed to register pointer (PTR) resource records (RRs) for network …	System	N
8013	The system failed to register pointer (PTR) resource records (RRs) for network …	System	N
8014	The system failed to register pointer (PTR) resource records (RRs) for network …	System	N
8015	The system failed to register host (A or AAAA) resource records (RRs) for …	System	Y
8016	The system failed to register host (A or AAAA) resource records (RRs) for …	System	Y
8017	The system failed to register host (A or AAAA) resource records for network …	System	N
8018	The system failed to register host (A or AAAA) resource records (RRs) for …	System	N
8019	The system failed to register host (A or AAAA) resource records (RRs) for …	System	N
8020	The system failed to register host (A or AAAA) resource records (RRs) for …	System	N
8021	The system failed to update and remove registration for the network adapter with …	System	N
8022	The system failed to update and remove registration for the network adapter with …	System	N
8023	The system failed to update and remove registration for the network adapter with …	System	N
8024	The system failed to update and remove registration for the network adapter with …	System	N
8025	The system failed to update and remove registration for the network adapter with …	System	N
8026	The system failed to update and remove the DNS registration for the network …	System	N
8027	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System	N
8028	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System	N
8029	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System	N
8030	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System	N
8031	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System	N
8032	The system failed to update and remove pointer (PTR) resource records (RRs) for …	System	N
8033	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System	N
8034	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System	N
8035	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System	N
8036	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System	N
8037	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System	N
8038	The system failed to update and remove host (A or AAAA) resource records (RRs) …	System	N
8040	A DNS interception provider has been loaded.	System	N
8042	A DNS interception provider performed an illegal operation.	System	N
8043	DNS-over-HTTPS query initiated to server Server for the name NameQuery, on …	Operational	N
8044	DNS-over-TLS query initiated to server Server for the name NameQuery, on …	Operational	N
8045	DNS-over-HTTPS request to server Server with template TemplateName returned HTTP …	Operational	N
8046	DNS-over-HTTPS request to server Server with template TemplateName failed with …	Operational	N
8047	DNS-over-TLS request to server Server with hostname Hostname failed with error …	Operational	N
8048	DNS-over-HTTPS request failed to obtain valid SSL certificate from server …	System	N
8049	DNS-over-TLS request failed to obtain valid SSL certificate from server Server, …	System	N
8050	Windows DNS Client process mitigations: SystemCall: SystemCallDisable, …	Operational	N
60004	Error: Error Location: Location Context: Context.	Operational	N
60005	Warning: Warning Location: Location Context: Context.	Operational	N
60006	Transitioned to State: NextState Context: Context.	Operational	N
60007	Updated Context: Updated_Context Update Reason: Update_Reason.	Operational	N
60008	Name resolution policy table has been corrupted.	Operational	N
60101	SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: …	Operational	N
60102	SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: …	Operational	N
60103	Interface Guid: Interface_Guid IfIndex: IfIndex Interface Luid: Interface_Luid …	Operational	N

Event ID 1000: There are currently no IPv4 DNS servers configured for any interface on this host.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsNoServerConfigV4

Description

There are currently no IPv4 DNS servers configured for any interface on this host. Please configure DNS server settings, or renew your dynamic IP settings.

Message #

There are currently no IPv4 DNS servers configured for any interface on this host. Please configure DNS server settings, or renew your dynamic IP settings.

Fields #

Name	Description
`Location` UInt32
`Context` UInt32

Event ID 1001: Interface: Interface Total DNS Server Count: TotalServerCount Index: Index Address: Address (DynamicAddress).

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: DnsServerForInterface

Description

Interface: Interface Total DNS Server Count: TotalServerCount Index: Index Address: Address (DynamicAddress).

Message #

Interface: %1 Total DNS Server Count: %2 Index: %3 Address: %6 (%4)

Fields #

Name	Description
`Interface` UnicodeString
`TotalServerCount` UInt32
`Index` UInt32
`DynamicAddress` UInt8
`AddressLength` UInt32
`Address` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 1001,
    "version": 0,
    "level": 4,
    "task": 1001,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:40.334238+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "Interface": "Ethernet",
    "TotalServerCount": 1,
    "Index": 1,
    "DynamicAddress": 0,
    "AddressLength": 16,
    "Address": "020000000A020A0B0000000000000000"
  },
  "message": ""
}

Event ID 1002: The DNS server being queried for interface Interface has changed to Address.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Level: Informational
Task: DnsServerQueryChange

Description

The DNS server being queried for interface Interface has changed to Address.

Message #

The DNS server being queried for interface %1 has changed to %3

Fields #

Name	Description
`Interface` UnicodeString
`AddressLength` UInt32
`Address` Binary
`ClientPID` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
    "event_source_name": "",
    "event_id": 1002,
    "version": 0,
    "level": 4,
    "task": 1002,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:32:54.7684109+00:00",
    "event_record_id": 34506,
    "correlation": {},
    "execution": {
      "process_id": 1652,
      "thread_id": 1788
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "Interface": "Ethernet",
    "AddressLength": "16",
    "Address": "020000000A01140B0000000000000000"
  },
  "message": "The DNS server being queried for interface Ethernet has changed to 10.1.20.11"
}

Event ID 1003: The following DNS server(s) were successfully validated as active servers that can service this client.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Level: Informational
Task: DnsServerValidationSuccess

Description

The following DNS server(s) were successfully validated as active servers that can service this client. Address.

Message #

The following DNS server(s) were successfully validated as active servers that can service this client. %2

Fields #

Name	Description
`AddressLength` UInt32
`Address` Binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
    "event_source_name": "",
    "event_id": 1003,
    "version": 0,
    "level": 4,
    "task": 1003,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T15:13:09.8879100+00:00",
    "event_record_id": 75219,
    "correlation": {
      "ActivityID": "{02B0AEC4-5806-4DEC-A7E0-FA7B685EC3DF}"
    },
    "execution": {
      "process_id": 5324,
      "thread_id": 992
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "telemetry-DC-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "AddressLength": "16",
    "Address": "020000000A01320B0000000000000000"
  },
  "message": "The following DNS server(s) were successfully validated as active servers that can service this client. 10.1.50.11"
}

Event ID 1004: The following DNS server(s) were successfully validated as active servers that can service this client.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Description

The following DNS server(s) were successfully validated as active servers that can service this client. {Address}.

Message #

The following DNS server(s) were successfully validated as active servers that can service this client. {Address}

Fields #

Name	Description
`Address`

Event ID 1005: The client was unable to validate the following as active DNS server(s) that can service this client.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsServerValidationFailure

Description

The client was unable to validate the following as active DNS server(s) that can service this client. The server(s) may be temporarily unavailable, or may be incorrectly configured. Address.

Message #

The client was unable to validate the following as active DNS server(s) that can service this client. The server(s) may be temporarily unavailable, or may be incorrectly configured. %2

Fields #

Name	Description
`AddressLength` UInt32
`Address` Binary

Event ID 1006: The client was unable to validate the following as active DNS server(s) that can service this client.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Description

The client was unable to validate the following as active DNS server(s) that can service this client. The server(s) may be temporarily unavailable; or may be incorrectly configured. {Address}.

Message #

The client was unable to validate the following as active DNS server(s) that can service this client. The server(s) may be temporarily unavailable; or may be incorrectly configured. {Address}

Fields #

Name	Description
`Address`

Event ID 1007: The primary DNS suffix for this machine is missing.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsMissingPrimarySuffix

Description

The primary DNS suffix for this machine is missing. In the absence of a primary DNS suffix, short unqualified names may not resolve through DNS.

Message #

The primary DNS suffix for this machine is missing. In the absence of a primary DNS suffix, short unqualified names may not resolve through DNS

Fields #

Name	Description
`ErrorCode` UInt32
`Location` UInt32
`Context` UInt32

Event ID 1008: The primary DNS suffix for this machine is missing.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsMissingPrimarySuffixSystem

Description

The primary DNS suffix for this machine is missing. In the absence of a primary DNS suffix, short unqualified names may not resolve through DNS.

Message #

The primary DNS suffix for this machine is missing. In the absence of a primary DNS suffix, short unqualified names may not resolve through DNS

Fields #

Name	Description
`ErrorCode` UInt32
`Location` UInt32
`Context` UInt32

Event ID 1009: The primary DNS suffix for this machine (DnsSuffix) does not match the Active Directory domain (AdSuffix) that it is currently joined to.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsNonMatchingSuffix

Description

The primary DNS suffix for this machine (DnsSuffix) does not match the Active Directory domain (AdSuffix) that it is currently joined to.

Message #

The primary DNS suffix for this machine (%1) does not match the Active Directory domain (%2) that it is currently joined to.

Fields #

Name	Description
`DnsSuffix` UnicodeString
`AdSuffix` UnicodeString

Event ID 1010: The primary DNS suffix for this machine (DnsSuffix) does not match the Active Directory domain (AdSuffix) that it is currently joined to.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsNonMatchingSuffixSystem

Description

The primary DNS suffix for this machine (DnsSuffix) does not match the Active Directory domain (AdSuffix) that it is currently joined to.

Message #

The primary DNS suffix for this machine (%1) does not match the Active Directory domain (%2) that it is currently joined to.

Fields #

Name	Description
`DnsSuffix` UnicodeString
`AdSuffix` UnicodeString

Event ID 1011: There was an error while attempting to read the local hosts file.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsHostFileError

Description

There was an error while attempting to read the local hosts file.

Message #

There was an error while attempting to read the local hosts file.

Fields #

Name	Description
`ErrorCode` UInt32
`Location` UInt32
`Context` UInt32

Event ID 1012: There was an error while attempting to read the local hosts file.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsHostFileErrorSystem

Description

There was an error while attempting to read the local hosts file.

Message #

There was an error while attempting to read the local hosts file.

Fields #

Name	Description
`ErrorCode` UInt32
`Location` UInt32
`Context` UInt32

Event ID 1013: Name resolution for the name QueryName timed out after none of the configured DNS servers responded.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Level: Error
Task: DnsAllServersTimeout

Description

Name resolution for the name QueryName timed out after none of the configured DNS servers responded.

Message #

Name resolution for the name %1 timed out after none of the configured DNS servers responded.

Fields #

Name	Description
`QueryName` UnicodeString
`AddressLength` UInt32
`Address` Binary
`ClientPID` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 1013,
    "version": 0,
    "level": 2,
    "task": 1013,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T21:48:42.710774+00:00",
    "event_record_id": 11625,
    "correlation": {},
    "execution": {
      "process_id": 1860,
      "thread_id": 7980
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "dns.msftncsi.com",
    "AddressLength": 16,
    "Address": "020000350A020A0B0000000000000000"
  },
  "message": ""
}

Event ID 1014: Name resolution for the name QueryName timed out after none of the configured DNS servers responded.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Level: Warning
Task: DnsAllServersTimeoutSystem

Description

Name resolution for the name QueryName timed out after none of the configured DNS servers responded.

Message #

Name resolution for the name %1 timed out after none of the configured DNS servers responded.

Fields #

Name	Description
`QueryName` UnicodeString
`AddressLength` UInt32
`Address` Binary
`ClientPID` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
    "event_source_name": "",
    "event_id": 1014,
    "version": 0,
    "level": 3,
    "task": 1014,
    "opcode": 0,
    "keywords": 4611686018695823360,
    "time_created": "2026-05-29T16:32:57.4896392+00:00",
    "event_record_id": 6756,
    "correlation": {},
    "execution": {
      "process_id": 1652,
      "thread_id": 1788
    },
    "channel": "System",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "_ldap._tcp.dc._msdcs.cell-a.ludus.domain.",
    "AddressLength": "128",
    "Address": "020000007F000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
  },
  "message": "Name resolution for the name _ldap._tcp.dc._msdcs.cell-a.ludus.domain. timed out after none of the configured DNS servers responded."
}

Event ID 1015: Name resolution for the name QueryName timed out after the DNS server Address did not respond.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Level: Informational
Task: DnsServerTimeout

Description

Name resolution for the name QueryName timed out after the DNS server Address did not respond.

Message #

Name resolution for the name %1 timed out after the DNS server %3 did not respond.

Fields #

Name	Description
`QueryName` UnicodeString
`AddressLength` UInt32
`Address` Binary
`ClientPID` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 1015,
    "version": 1,
    "level": 4,
    "task": 1015,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.061199+00:00",
    "event_record_id": 11,
    "correlation": {
      "ActivityID": "98BC0724-3B37-4F5C-B2FF-8A9EF612845C"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "AddressLength": 16,
    "Address": "020000350A020A0B0000000000000000",
    "ClientPID": 3384
  },
  "message": ""
}

Event ID 1016: A name not found error was returned for the name QueryName.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Task: DnsNameError

Description

A name not found error was returned for the name QueryName. Check to ensure that the name is correct. The response was sent by the server at Address.

Message #

A name not found error was returned for the name %1. Check to ensure that the name is correct. The response was sent by the server at %3.

Fields #

Name	Description
`QueryName` UnicodeString
`AddressLength` UInt32
`Address` Binary
`ClientPID` UInt32
`SendBlob` Pointer
`SendBlobContext` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 1016,
    "version": 2,
    "level": 4,
    "task": 1016,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:58.824946+00:00",
    "event_record_id": 24,
    "correlation": {
      "ActivityID": "EF3E8619-3C1A-466E-87D4-27258CCCF136"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "85.65.42.20.in-addr.arpa",
    "AddressLength": 16,
    "Address": "020000350A020A0B0000000000000000",
    "ClientPID": 3516,
    "SendBlob": "0x1b11ff2c150",
    "SendBlobContext": "0x7ffa2a356170"
  },
  "message": ""
}

Event ID 1017: The DNS server's response to a query for name QueryName indicates that no records of the type queried are available, but could indicate that other records...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Level: Informational
Task: DnsAuthoritativeResponse

Description

The DNS server's response to a query for name QueryName indicates that no records of the type queried are available, but could indicate that other records for the same name are present.

Message #

The DNS server's response to a query for name %1 indicates that no records of the type queried are available, but could indicate that other records for the same name are present.

Fields #

Name	Description
`QueryName` UnicodeString
`AddressLength` UInt32
`Address` Binary
`ClientPID` UInt32
`SendBlob` Pointer
`SendBlobContext` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 1017,
    "version": 0,
    "level": 4,
    "task": 1017,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:23:56.825954+00:00",
    "event_record_id": 4296,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 9008
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "QueryName": "_kerberos._tcp.dc._msdcs.ludus.domain",
    "AddressLength": 16,
    "Address": "020000357F0000010000000000000000"
  },
  "message": ""
}

Event ID 1018: The response for the query QueryName was a Link Local IP address Address.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsLinkLocal

Description

The response for the query QueryName was a Link Local IP address Address. The response was sent by the server at DnsAddress.

Message #

The response for the query %1 was a Link Local IP address %3. The response was sent by the server at %5.

Fields #

Name	Description
`QueryName` UnicodeString
`AddressLength` UInt32
`Address` Binary
`DnsAddressLength` UInt32
`DnsAddress` Binary
`ClientPID` UInt32
`SendBlob` Pointer
`SendBlobContext` Pointer

Event ID 1019: There are currently no IPv6 DNS servers configured for any interface on this host.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsNoServerConfigV6

Description

There are currently no IPv6 DNS servers configured for any interface on this host. Please configure DNS server settings, or renew your dynamic IP settings.

Message #

There are currently no IPv6 DNS servers configured for any interface on this host. Please configure DNS server settings, or renew your dynamic IP settings.

Fields #

Name	Description
`Location` UInt32
`Context` UInt32

Event ID 1020: Read DNS Name Resolution Policy Table: Key Name KeyName: DNSSEC Settings: DnsSecValidationRequired DnsSecValidationRequired, DnsQueryOverIPSec DnsQueryOverIPSec, DnsEncryption DnsEncryption Direct ...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsReadPolicyTable

Description

Read DNS Name Resolution Policy Table: Key Name KeyName: DNSSEC Settings: DnsSecValidationRequired DnsSecValidationRequired, DnsQueryOverIPSec DnsQueryOverIPSec, DnsEncryption DnsEncryption Direct Access Settings: DirectAccessServerList DirectAccessServerList, EnableRemoteIPSEC RemoteIPSEC RemoteEncryption RemoteEncryption ProxyType ProxyType ProxyName ProxyName

Message #

Read DNS Name Resolution Policy Table: Key Name %1: DNSSEC Settings: DnsSecValidationRequired %2, DnsQueryOverIPSec %3, DnsEncryption %4 Direct Access Settings: DirectAccessServerList %5, EnableRemoteIPSEC %6  RemoteEncryption %7 ProxyType %8 ProxyName %9

Fields #

Name	Description
`KeyName` UnicodeString
`DnsSecValidationRequired` UInt32
`DnsQueryOverIPSec` UInt32
`DnsEncryption` UInt32
`DirectAccessServerList` UnicodeString
`RemoteIPSEC` UInt32
`RemoteEncryption` UInt32
`ProxyType` UInt32
`ProxyName` UnicodeString

Event ID 1021: Matched Effective policy for query name QueryName: Key Name KeyName: DnsSecValidationRequired DnsSecValidationRequired, DnsQueryOverIPSec DnsQueryOverIPSec, DnsEncryption DnsEncryption DirectAccess...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsMatchPolicyInfo

Description

Matched Effective policy for query name QueryName: Key Name KeyName: DnsSecValidationRequired DnsSecValidationRequired, DnsQueryOverIPSec DnsQueryOverIPSec, DnsEncryption DnsEncryption DirectAccessServerList DirectAccessServerList, ProxyType ProxyType ProxyName ProxyName.

Message #

Matched Effective policy for query name %1: Key Name %2: DnsSecValidationRequired %3, DnsQueryOverIPSec %4, DnsEncryption %5 DirectAccessServerList %6, ProxyType %7 ProxyName %8

Fields #

Name	Description
`QueryName` UnicodeString
`KeyName` UnicodeString
`DnsSecValidationRequired` UInt32
`DnsQueryOverIPSec` UInt32
`DnsEncryption` UInt32
`DirectAccessServerList` UnicodeString
`ProxyType` UInt32
`ProxyName` UnicodeString

Event ID 1022: Name resolution for the name, QueryName, will not fall back to LLMNR or NetBIOS.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Level: Informational
Task: DnsSecureNoFallback

Description

Name resolution for the name, QueryName, will not fall back to LLMNR or NetBIOS.

Message #

Name resolution for the name, %1, will not fall back to LLMNR or NetBIOS

Fields #

Name	Description
`QueryName` UnicodeString
`ClientPID` UInt32
`QueryBlob` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 1022,
    "version": 0,
    "level": 4,
    "task": 1022,
    "opcode": 0,
    "keywords": 9223372037391646720,
    "time_created": "2026-03-13T21:48:42.710909+00:00",
    "event_record_id": 11629,
    "correlation": {},
    "execution": {
      "process_id": 1860,
      "thread_id": 7980
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "dns.msftncsi.com"
  },
  "message": ""
}

Event ID 1023: Name resolution policy table has been corrupted.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsPolicySystemReadError

Description

Name resolution policy table has been corrupted. DNS resolution will fail until it is fixed. Contact your network administrator. For more information: read policy table for rule failed with error.

Message #

Name resolution policy table has been corrupted. DNS resolution will fail until it is fixed. Contact your network administrator. For more information: read policy table for rule %1 failed with error %2

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 1024: Transaction ID of the response for query QueryName from server Address did not match.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Level: Informational
Task: DnsQueryBadXid

Description

Transaction ID of the response for query QueryName from server Address did not match.

Message #

Transaction ID of the response for query %1 from server %3 did not match

Fields #

Name	Description
`QueryName` UnicodeString
`AddressLength` UInt32
`Address` Binary
`ClientPID` UInt32
`SendBlob` Pointer
`SendBlobContext` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 1024,
    "version": 0,
    "level": 4,
    "task": 1024,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T21:48:46.782764+00:00",
    "event_record_id": 11899,
    "correlation": {},
    "execution": {
      "process_id": 1860,
      "thread_id": 8032
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "ludus.domain",
    "AddressLength": 16,
    "Address": "020000350A020A0B0000000000000000"
  },
  "message": ""
}

Event ID 1025: The DNS server IP Address of the response for query QueryName is not configured on the client.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsQueryInvalidServerIp

Description

The DNS server IP Address of the response for query QueryName is not configured on the client.

Message #

The DNS server IP %3 of the response for query %1 is not configured on the client

Fields #

Name	Description
`QueryName` UnicodeString
`AddressLength` UInt32
`Address` Binary
`ClientPID` UInt32
`SendBlob` Pointer
`SendBlobContext` Pointer

Event ID 1026: The question (ResponseQuestion) in the response from server Address does not match the original question QueryName.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsQueryInvalidQuestion

Description

The question (ResponseQuestion) in the response from server Address does not match the original question QueryName.

Message #

The question (%2) in the response from server %4 does not match the original question %1

Fields #

Name	Description
`QueryName` UnicodeString
`ResponseQuestion` UnicodeString
`AddressLength` UInt32
`Address` Binary
`ClientPID` UInt32
`SendBlob` Pointer
`SendBlobContext` Pointer

Event ID 1027: DNS Name resolution for the name, QueryName, failed because the client was unable to contact DNS servers.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Opcode: Info

Description

DNS Name resolution for the name, QueryName, failed because the client was unable to contact DNS servers. At least one of the interfaces is not in a private network and name resolution will not fall back to LLMNR or NetBIOS. Client PID ClientPID. Query Blob QueryBlob

Message #

DNS Name resolution for the name, %1, failed because the client was unable to contact DNS servers. At least one of the interfaces is not in a private network and name resolution will not fall back to LLMNR or NetBIOS

Fields #

Name	Description
`QueryName` UnicodeString
`ClientPID` UInt32
`QueryBlob` Pointer

Event ID 1028: Matched effective policy for query name QueryName: Key Name KeyName: DnsSecValidationRequired DnsSecValidationRequired, DnsQueryOverIPSec DnsQueryOverIPSec, DnsEncryption DnsEncryption DirectAccess...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsMatchPolicyInfo

Description

Matched effective policy for query name : Key Name : DnsSecValidationRequired , DnsQueryOverIPSec , DnsEncryption DirectAccessServerList , ProxyType ProxyName GenericServerList IdnConfig.

Message #

Matched effective policy for query name %1: Key Name %2: DnsSecValidationRequired %3, DnsQueryOverIPSec %4, DnsEncryption %5 DirectAccessServerList %6, ProxyType %7 ProxyName %8 GenericServerList %9 IdnConfig %10

Fields #

Name	Description
`QueryName` UnicodeString
`KeyName` UnicodeString
`DnsSecValidationRequired` UInt32
`DnsQueryOverIPSec` UInt32
`DnsEncryption` UInt32
`DirectAccessServerList` UnicodeString
`ProxyType` UInt32
`ProxyName` UnicodeString
`GenericServerList` UnicodeString
`IdnConfig` UInt32
`ClientPID` UInt32
`QueryBlob` Pointer

Event ID 3000: DNS Query is initiated for the name QueryName and for the type QueryType with query options QueryOptions.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Opcode: Info

Description

DNS Query is initiated for the name QueryName and for the type QueryType with query options QueryOptions.

Message #

DNS Query is initiated for the name %1 and for the type %2 with query options %3

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`QueryOptions` UInt64	ETW-emitted UInt64 DNS query option flags. The low 26 bits map to the public DNS_QUERY_* enum in windns.h (see bitmask below; DNS_QUERY_DNSSEC_OK and DNS_QUERY_DNSSEC_CHECKING_DISABLED occupy bits 24 and 25). Real events frequently also set bits 30 (0x40000000), 57, and 59 (0x0A00_0000_0000_0000) which are Windows-internal resolver flags not documented in the public API; absence of those bits in the bitmask is intentional rather than an omission. Bitmask flags `0x00000001` DNS_QUERY_ACCEPT_TRUNCATED_RESPONSE `0x00000002` DNS_QUERY_USE_TCP_ONLY `0x00000004` DNS_QUERY_NO_RECURSION `0x00000008` DNS_QUERY_BYPASS_CACHE `0x00000010` DNS_QUERY_NO_WIRE_QUERY `0x00000020` DNS_QUERY_NO_LOCAL_NAME `0x00000040` DNS_QUERY_NO_HOSTS_FILE `0x00000080` DNS_QUERY_NO_NETBT `0x00000100` DNS_QUERY_WIRE_ONLY `0x00000200` DNS_QUERY_RETURN_MESSAGE `0x00000400` DNS_QUERY_MULTICAST_ONLY `0x00000800` DNS_QUERY_NO_MULTICAST `0x00001000` DNS_QUERY_TREAT_AS_FQDN `0x00002000` DNS_QUERY_ADDRCONFIG `0x00004000` DNS_QUERY_DUAL_ADDR `0x00020000` DNS_QUERY_MULTICAST_WAIT `0x00040000` DNS_QUERY_MULTICAST_VERIFY `0x00100000` DNS_QUERY_DONT_RESET_TTL_VALUES `0x00200000` DNS_QUERY_DISABLE_IDN_ENCODING `0x00800000` DNS_QUERY_APPEND_MULTILABEL `0x01000000` DNS_QUERY_DNSSEC_OK (windns.h; client signaled DNSSEC OK) `0x02000000` DNS_QUERY_DNSSEC_CHECKING_DISABLED (windns.h; client signaled DNSSEC validation disabled)

Event ID 3001: DNS Query operation is completed with result Status.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Opcode: Info

Description

DNS Query operation is completed with result Status.

Message #

DNS Query operation is completed with result %1

Fields #

Name	Description
`Status` UInt32	NTSTATUS reference

Event ID 3002: DNS Cache lookup is initiated for the name QueryName and for the type QueryType with query options QueryOptions.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Opcode: Info

Description

DNS Cache lookup is initiated for the name QueryName and for the type QueryType with query options QueryOptions.

Message #

DNS Cache lookup is initiated for the name %1 and for the type %2 with query options %3

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`QueryOptions` UInt64	ETW-emitted UInt64 DNS query option flags. The low 26 bits map to the public DNS_QUERY_* enum in windns.h (see bitmask below; DNS_QUERY_DNSSEC_OK and DNS_QUERY_DNSSEC_CHECKING_DISABLED occupy bits 24 and 25). Real events frequently also set bits 30 (0x40000000), 57, and 59 (0x0A00_0000_0000_0000) which are Windows-internal resolver flags not documented in the public API; absence of those bits in the bitmask is intentional rather than an omission. Bitmask flags `0x00000001` DNS_QUERY_ACCEPT_TRUNCATED_RESPONSE `0x00000002` DNS_QUERY_USE_TCP_ONLY `0x00000004` DNS_QUERY_NO_RECURSION `0x00000008` DNS_QUERY_BYPASS_CACHE `0x00000010` DNS_QUERY_NO_WIRE_QUERY `0x00000020` DNS_QUERY_NO_LOCAL_NAME `0x00000040` DNS_QUERY_NO_HOSTS_FILE `0x00000080` DNS_QUERY_NO_NETBT `0x00000100` DNS_QUERY_WIRE_ONLY `0x00000200` DNS_QUERY_RETURN_MESSAGE `0x00000400` DNS_QUERY_MULTICAST_ONLY `0x00000800` DNS_QUERY_NO_MULTICAST `0x00001000` DNS_QUERY_TREAT_AS_FQDN `0x00002000` DNS_QUERY_ADDRCONFIG `0x00004000` DNS_QUERY_DUAL_ADDR `0x00020000` DNS_QUERY_MULTICAST_WAIT `0x00040000` DNS_QUERY_MULTICAST_VERIFY `0x00100000` DNS_QUERY_DONT_RESET_TTL_VALUES `0x00200000` DNS_QUERY_DISABLE_IDN_ENCODING `0x00800000` DNS_QUERY_APPEND_MULTILABEL `0x01000000` DNS_QUERY_DNSSEC_OK (windns.h; client signaled DNSSEC OK) `0x02000000` DNS_QUERY_DNSSEC_CHECKING_DISABLED (windns.h; client signaled DNSSEC validation disabled)

Event ID 3003: DNS Cache lookup operation for the name QueryName and for the type QueryType is completed with result Status.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Opcode: Info

Description

DNS Cache lookup operation for the name QueryName and for the type QueryType is completed with result Status.

Message #

DNS Cache lookup operation for the name %1 and for the type %2 is completed with result %3

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`Status` UInt32	NTSTATUS reference

Event ID 3004: DNS FQDN Query is initiated for the name QueryName and for the type QueryType with query options QueryOptions.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Opcode: Info

Description

DNS FQDN Query is initiated for the name QueryName and for the type QueryType with query options QueryOptions.

Message #

DNS FQDN Query is initiated for the name %1 and for the type %2 with query options %3

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`QueryOptions` UInt64	ETW-emitted UInt64 DNS query option flags. The low 26 bits map to the public DNS_QUERY_* enum in windns.h (see bitmask below; DNS_QUERY_DNSSEC_OK and DNS_QUERY_DNSSEC_CHECKING_DISABLED occupy bits 24 and 25). Real events frequently also set bits 30 (0x40000000), 57, and 59 (0x0A00_0000_0000_0000) which are Windows-internal resolver flags not documented in the public API; absence of those bits in the bitmask is intentional rather than an omission. Bitmask flags `0x00000001` DNS_QUERY_ACCEPT_TRUNCATED_RESPONSE `0x00000002` DNS_QUERY_USE_TCP_ONLY `0x00000004` DNS_QUERY_NO_RECURSION `0x00000008` DNS_QUERY_BYPASS_CACHE `0x00000010` DNS_QUERY_NO_WIRE_QUERY `0x00000020` DNS_QUERY_NO_LOCAL_NAME `0x00000040` DNS_QUERY_NO_HOSTS_FILE `0x00000080` DNS_QUERY_NO_NETBT `0x00000100` DNS_QUERY_WIRE_ONLY `0x00000200` DNS_QUERY_RETURN_MESSAGE `0x00000400` DNS_QUERY_MULTICAST_ONLY `0x00000800` DNS_QUERY_NO_MULTICAST `0x00001000` DNS_QUERY_TREAT_AS_FQDN `0x00002000` DNS_QUERY_ADDRCONFIG `0x00004000` DNS_QUERY_DUAL_ADDR `0x00020000` DNS_QUERY_MULTICAST_WAIT `0x00040000` DNS_QUERY_MULTICAST_VERIFY `0x00100000` DNS_QUERY_DONT_RESET_TTL_VALUES `0x00200000` DNS_QUERY_DISABLE_IDN_ENCODING `0x00800000` DNS_QUERY_APPEND_MULTILABEL `0x01000000` DNS_QUERY_DNSSEC_OK (windns.h; client signaled DNSSEC OK) `0x02000000` DNS_QUERY_DNSSEC_CHECKING_DISABLED (windns.h; client signaled DNSSEC validation disabled)

Event ID 3005: DNS FQDN Query operation for the name QueryName and for the type QueryType is completed with result Status.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Opcode: Info

Description

DNS FQDN Query operation for the name QueryName and for the type QueryType is completed with result Status.

Message #

DNS FQDN Query operation for the name %1 and for the type %2 is completed with result %3

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`Status` UInt32	NTSTATUS reference

Event ID 3006: DNS query is called for the name QueryName, type QueryType, query options QueryOptions, Server List ServerList, isNetwork query IsNetworkQuery, network index NetworkQueryIndex, interface index Inte...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Opcode: Info

Description

DNS query is called for the name QueryName, type QueryType, query options QueryOptions, Server List ServerList, isNetwork query IsNetworkQuery, network index NetworkQueryIndex, interface index InterfaceIndex, is asynchronous query IsAsyncQuery.

Message #

DNS query is called for the name %1, type %2, query options %3, Server List %4, isNetwork query %5, network index %6, interface index %7, is asynchronous query %8

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`QueryOptions` UInt64	ETW-emitted UInt64 DNS query option flags. The low 26 bits map to the public DNS_QUERY_* enum in windns.h (see bitmask below; DNS_QUERY_DNSSEC_OK and DNS_QUERY_DNSSEC_CHECKING_DISABLED occupy bits 24 and 25). Real events frequently also set bits 30 (0x40000000), 57, and 59 (0x0A00_0000_0000_0000) which are Windows-internal resolver flags not documented in the public API; absence of those bits in the bitmask is intentional rather than an omission. Bitmask flags `0x00000001` DNS_QUERY_ACCEPT_TRUNCATED_RESPONSE `0x00000002` DNS_QUERY_USE_TCP_ONLY `0x00000004` DNS_QUERY_NO_RECURSION `0x00000008` DNS_QUERY_BYPASS_CACHE `0x00000010` DNS_QUERY_NO_WIRE_QUERY `0x00000020` DNS_QUERY_NO_LOCAL_NAME `0x00000040` DNS_QUERY_NO_HOSTS_FILE `0x00000080` DNS_QUERY_NO_NETBT `0x00000100` DNS_QUERY_WIRE_ONLY `0x00000200` DNS_QUERY_RETURN_MESSAGE `0x00000400` DNS_QUERY_MULTICAST_ONLY `0x00000800` DNS_QUERY_NO_MULTICAST `0x00001000` DNS_QUERY_TREAT_AS_FQDN `0x00002000` DNS_QUERY_ADDRCONFIG `0x00004000` DNS_QUERY_DUAL_ADDR `0x00020000` DNS_QUERY_MULTICAST_WAIT `0x00040000` DNS_QUERY_MULTICAST_VERIFY `0x00100000` DNS_QUERY_DONT_RESET_TTL_VALUES `0x00200000` DNS_QUERY_DISABLE_IDN_ENCODING `0x00800000` DNS_QUERY_APPEND_MULTILABEL `0x01000000` DNS_QUERY_DNSSEC_OK (windns.h; client signaled DNSSEC OK) `0x02000000` DNS_QUERY_DNSSEC_CHECKING_DISABLED (windns.h; client signaled DNSSEC validation disabled)
`ServerList` UnicodeString
`IsNetworkQuery` UInt32
`NetworkQueryIndex` UInt32
`InterfaceIndex` UInt32
`IsAsyncQuery` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3006,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033511+00:00",
    "event_record_id": 2,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 3204
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "QueryType": 28,
    "QueryOptions": 720575941453176832,
    "ServerList": "",
    "IsNetworkQuery": 0,
    "NetworkQueryIndex": 0,
    "InterfaceIndex": 0,
    "IsAsyncQuery": 0
  },
  "message": ""
}

References #

MS Learn DnsQuery / DNS_QUERY_* flags (windns.h) https://learn.microsoft.com/en-us/windows/win32/api/windns/nf-windns-dnsquery_w

Event ID 3007: DnsQueryEx for the name QueryName is pending.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Level: Informational
Opcode: Info

Description

DnsQueryEx for the name QueryName is pending.

Message #

DnsQueryEx for the name %1 is pending

Fields #

Name	Description
`QueryName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3007,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T21:48:42.710899+00:00",
    "event_record_id": 11627,
    "correlation": {},
    "execution": {
      "process_id": 1860,
      "thread_id": 7980
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "dns.msftncsi.com"
  },
  "message": ""
}

Event ID 3008: DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (Microsoft-WEF, others)
Opcode: Info

Description

DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults.

Message #

DNS query is completed for the name %1, type %2, query options %3 with status %4 Results %5

Fields #

Name	Description	Rules
`QueryName` UnicodeString		53 detection rules
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`QueryOptions` UInt64	ETW-emitted UInt64 DNS query option flags. The low 26 bits map to the public DNS_QUERY_* enum in windns.h (see bitmask below; DNS_QUERY_DNSSEC_OK and DNS_QUERY_DNSSEC_CHECKING_DISABLED occupy bits 24 and 25). Real events frequently also set bits 30 (0x40000000), 57, and 59 (0x0A00_0000_0000_0000) which are Windows-internal resolver flags not documented in the public API; absence of those bits in the bitmask is intentional rather than an omission. Bitmask flags `0x00000001` DNS_QUERY_ACCEPT_TRUNCATED_RESPONSE `0x00000002` DNS_QUERY_USE_TCP_ONLY `0x00000004` DNS_QUERY_NO_RECURSION `0x00000008` DNS_QUERY_BYPASS_CACHE `0x00000010` DNS_QUERY_NO_WIRE_QUERY `0x00000020` DNS_QUERY_NO_LOCAL_NAME `0x00000040` DNS_QUERY_NO_HOSTS_FILE `0x00000080` DNS_QUERY_NO_NETBT `0x00000100` DNS_QUERY_WIRE_ONLY `0x00000200` DNS_QUERY_RETURN_MESSAGE `0x00000400` DNS_QUERY_MULTICAST_ONLY `0x00000800` DNS_QUERY_NO_MULTICAST `0x00001000` DNS_QUERY_TREAT_AS_FQDN `0x00002000` DNS_QUERY_ADDRCONFIG `0x00004000` DNS_QUERY_DUAL_ADDR `0x00020000` DNS_QUERY_MULTICAST_WAIT `0x00040000` DNS_QUERY_MULTICAST_VERIFY `0x00100000` DNS_QUERY_DONT_RESET_TTL_VALUES `0x00200000` DNS_QUERY_DISABLE_IDN_ENCODING `0x00800000` DNS_QUERY_APPEND_MULTILABEL `0x01000000` DNS_QUERY_DNSSEC_OK (windns.h; client signaled DNSSEC OK) `0x02000000` DNS_QUERY_DNSSEC_CHECKING_DISABLED (windns.h; client signaled DNSSEC validation disabled)
`QueryStatus` UInt32
`QueryResults` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3008,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.033539+00:00",
    "event_record_id": 4,
    "correlation": {
      "ActivityID": "30000002-0002-FE00-D015-D40C380D840C"
    },
    "execution": {
      "process_id": 3384,
      "thread_id": 7344
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "QueryType": 1,
    "QueryOptions": 720575941453045760,
    "QueryStatus": 87,
    "QueryResults": ""
  },
  "message": ""
}

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`QueryName`	contains	`.anonfiles.com`	1 rule	sigma
`QueryName`	contains	`.stage.123456.`	1 rule	sigma
`QueryName`	contains	`ufile.io`	1 rule	sigma
`QueryName`	contains	`userstorage.mega.co.nz`	1 rule	sigma
`QueryName`	ends_with	`.hiddenservice.net`	1 rule	sigma
`QueryName`	ends_with	`.onion`	1 rule	sigma
`QueryName`	ends_with	`.onion.ca`	1 rule	sigma
`QueryName`	ends_with	`.onion.cab`	1 rule	sigma
`QueryName`	ends_with	`.onion.casa`	1 rule	sigma
`QueryName`	ends_with	`.onion.city`	1 rule	sigma
`QueryName`	ends_with	`.onion.direct`	1 rule	sigma
`QueryName`	ends_with	`.onion.dog`	1 rule	sigma
`QueryName`	ends_with	`.onion.glass`	1 rule	sigma
`QueryName`	ends_with	`.onion.gq`	1 rule	sigma
`QueryName`	ends_with	`.onion.ink`	1 rule	sigma

Detection Rules #

View all rules referencing this event →

Sigma # view in coverage

DNS Query for Anonfiles.com Domain - DNS Client source high: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
Suspicious Cobalt Strike DNS Beaconing - DNS Client source critical: Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
DNS Query To MEGA Hosting Website - DNS Client source medium: Detects DNS queries for subdomains related to MEGA sharing website

Show 3 more (6 total)

DNS Query To Put.io - DNS Client source medium: Detects DNS queries for subdomains related to "Put.io" sharing website.
Query Tor Onion Address - DNS Client source high: Detects DNS resolution of an .onion address related to Tor routing networks
DNS Query To Ufile.io - DNS Client source low: Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

References #

MS Learn DnsQuery / DNS_QUERY_* flags (windns.h) https://learn.microsoft.com/en-us/windows/win32/api/windns/nf-windns-dnsquery_w

Event ID 3009: Network query initiated for the name QueryName (is parallel query IsParallelNetworkQuery) on network index NetworkIndex with interface count InterfaceCount with first interface name AdapterName, lo...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Opcode: Info

Description

Network query initiated for the name QueryName (is parallel query IsParallelNetworkQuery) on network index NetworkIndex with interface count InterfaceCount with first interface name AdapterName, local addresses LocalAddress and Dns Servers DNSServerAddress.

Message #

Network query initiated for the name %1 (is parallel query %2) on network index %3 with interface count %4 with first interface name %5, local addresses %6 and Dns Servers %7

Fields #

Name	Description
`QueryName` UnicodeString
`IsParallelNetworkQuery` UInt32
`NetworkIndex` UInt32
`InterfaceCount` UInt32
`AdapterName` UnicodeString
`LocalAddress` UnicodeString
`DNSServerAddress` UnicodeString
`ClientPID` UInt32
`QueryBlob` Pointer
`ParentBlob` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3009,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.037113+00:00",
    "event_record_id": 6,
    "correlation": {
      "ActivityID": "98BC0724-3B37-4F5C-B2FF-8A9EF612845C"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "IsParallelNetworkQuery": 1,
    "NetworkIndex": 0,
    "InterfaceCount": 1,
    "AdapterName": "Ethernet",
    "LocalAddress": "10.2.10.21",
    "DNSServerAddress": "10.2.10.11",
    "ClientPID": 3384,
    "QueryBlob": "0x1b11f66d1a0",
    "ParentBlob": "0x0"
  },
  "message": ""
}

References #

MS Learn DnsQuery / DNS_QUERY_* flags (windns.h) https://learn.microsoft.com/en-us/windows/win32/api/windns/nf-windns-dnsquery_w

Event ID 3010: DNS Query sent to DNS Server DnsServerIpAddress for name QueryName and type QueryType.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Opcode: Info

Description

DNS Query sent to DNS Server DnsServerIpAddress for name QueryName and type QueryType.

Message #

DNS Query sent to DNS Server %3 for name %1 and type %2

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`DnsServerIpAddress` UnicodeString
`ClientPID` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3010,
    "version": 1,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.037163+00:00",
    "event_record_id": 10,
    "correlation": {
      "ActivityID": "98BC0724-3B37-4F5C-B2FF-8A9EF612845C"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "QueryType": 1,
    "DnsServerIpAddress": "10.2.10.11",
    "ClientPID": 3384
  },
  "message": ""
}

References #

MS Learn DnsQuery / DNS_QUERY_* flags (windns.h) https://learn.microsoft.com/en-us/windows/win32/api/windns/nf-windns-dnsquery_w

Event ID 3011: Received response from DNS Server DnsServerIpAddress for name QueryName and type QueryType with response status ResponseStatus.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Opcode: Info

Description

Received response from DNS Server DnsServerIpAddress for name QueryName and type QueryType with response status ResponseStatus.

Message #

Received response from DNS Server %3 for name %1 and type %2 with response status %4

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`DnsServerIpAddress` UnicodeString
`ResponseStatus` UInt32
`ClientPID` UInt32
`SendBlob` Pointer
`SendBlobContext` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3011,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.072575+00:00",
    "event_record_id": 13,
    "correlation": {
      "ActivityID": "7D9A141D-3061-4B6F-A6EE-D4CEE18DB90D"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "QueryType": 1,
    "DnsServerIpAddress": "10.2.10.11",
    "ResponseStatus": 0,
    "ClientPID": 3384,
    "SendBlob": "0x1b11ff2c630",
    "SendBlobContext": "0x7ffa2a356170"
  },
  "message": ""
}

References #

MS Learn DnsQuery / DNS_QUERY_* flags (windns.h) https://learn.microsoft.com/en-us/windows/win32/api/windns/nf-windns-dnsquery_w

Event ID 3012: NETBIOS query is initiated for name QueryName on network index NetworkIndex with inteface count InterfaceCount with first interface name AdapterName and local addresses LocalAddress.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Level: Informational
Opcode: Info

Description

NETBIOS query is initiated for name QueryName on network index NetworkIndex with inteface count InterfaceCount with first interface name AdapterName and local addresses LocalAddress.

Message #

NETBIOS query is initiated for name %1 on network index %2 with inteface count %3 with first interface name %4 and local addresses %5

Fields #

Name	Description
`QueryName` UnicodeString
`NetworkIndex` UInt32
`InterfaceCount` UInt32
`AdapterName` UnicodeString
`LocalAddress` UnicodeString
`ClientPID` UInt32
`QueryBlob` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3012,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:59.235084+00:00",
    "event_record_id": 27,
    "correlation": {
      "ActivityID": "EF3E8619-3C1A-466E-87D4-27258CCCF136"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "85.65.42.20.in-addr.arpa.",
    "NetworkIndex": 0,
    "InterfaceCount": 1,
    "AdapterName": "Ethernet",
    "LocalAddress": "10.2.10.21",
    "ClientPID": 3516,
    "QueryBlob": "0x1b11f6395c0"
  },
  "message": ""
}

Event ID 3013: NETBIOS query is completed for name QueryName with status Status and results QueryResults.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Level: Informational
Opcode: Info

Description

NETBIOS query is completed for name QueryName with status Status and results QueryResults.

Message #

NETBIOS query is completed for name %1 with status %2 and results %3

Fields #

Name	Description
`QueryName` UnicodeString
`Status` UInt32	NTSTATUS reference
`QueryResults` UnicodeString
`ClientPID` UInt32
`QueryBlob` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3013,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:59.235292+00:00",
    "event_record_id": 29,
    "correlation": {
      "ActivityID": "EF3E8619-3C1A-466E-87D4-27258CCCF136"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 7952
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "85.65.42.20.in-addr.arpa.",
    "Status": 121,
    "QueryResults": "",
    "ClientPID": 3516,
    "QueryBlob": "0x1b11f6395c0"
  },
  "message": ""
}

References #

MS Learn DnsQuery / DNS_QUERY_* flags (windns.h) https://learn.microsoft.com/en-us/windows/win32/api/windns/nf-windns-dnsquery_w

Event ID 3014: NETBIOS query for the name QueryName is pending.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Level: Informational
Opcode: Info

Description

NETBIOS query for the name QueryName is pending.

Message #

NETBIOS query for the name %1 is pending

Fields #

Name	Description
`QueryName` UnicodeString
`ClientPID` UInt32
`QueryBlob` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3014,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:59.235275+00:00",
    "event_record_id": 28,
    "correlation": {
      "ActivityID": "EF3E8619-3C1A-466E-87D4-27258CCCF136"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "85.65.42.20.in-addr.arpa.",
    "ClientPID": 3516,
    "QueryBlob": "0x1b11f6395c0"
  },
  "message": ""
}

Event ID 3015: DnsQueryEx is canceled for the name QueryName.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Opcode: Info

Description

DnsQueryEx is canceled for the name QueryName.

Message #

DnsQueryEx is canceled for the name %1

Fields #

Name	Description
`QueryName` UnicodeString

Event ID 3016: Cache lookup called for name QueryName, type QueryType, options QueryOptions and interface index InterfaceIndex.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Opcode: Info

Description

Cache lookup called for name QueryName, type QueryType, options QueryOptions and interface index InterfaceIndex.

Message #

Cache lookup called for name %1, type %2, options %3 and interface index %4

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`QueryOptions` UInt64	ETW-emitted UInt64 DNS query option flags. The low 26 bits map to the public DNS_QUERY_* enum in windns.h (see bitmask below; DNS_QUERY_DNSSEC_OK and DNS_QUERY_DNSSEC_CHECKING_DISABLED occupy bits 24 and 25). Real events frequently also set bits 30 (0x40000000), 57, and 59 (0x0A00_0000_0000_0000) which are Windows-internal resolver flags not documented in the public API; absence of those bits in the bitmask is intentional rather than an omission. Bitmask flags `0x00000001` DNS_QUERY_ACCEPT_TRUNCATED_RESPONSE `0x00000002` DNS_QUERY_USE_TCP_ONLY `0x00000004` DNS_QUERY_NO_RECURSION `0x00000008` DNS_QUERY_BYPASS_CACHE `0x00000010` DNS_QUERY_NO_WIRE_QUERY `0x00000020` DNS_QUERY_NO_LOCAL_NAME `0x00000040` DNS_QUERY_NO_HOSTS_FILE `0x00000080` DNS_QUERY_NO_NETBT `0x00000100` DNS_QUERY_WIRE_ONLY `0x00000200` DNS_QUERY_RETURN_MESSAGE `0x00000400` DNS_QUERY_MULTICAST_ONLY `0x00000800` DNS_QUERY_NO_MULTICAST `0x00001000` DNS_QUERY_TREAT_AS_FQDN `0x00002000` DNS_QUERY_ADDRCONFIG `0x00004000` DNS_QUERY_DUAL_ADDR `0x00020000` DNS_QUERY_MULTICAST_WAIT `0x00040000` DNS_QUERY_MULTICAST_VERIFY `0x00100000` DNS_QUERY_DONT_RESET_TTL_VALUES `0x00200000` DNS_QUERY_DISABLE_IDN_ENCODING `0x00800000` DNS_QUERY_APPEND_MULTILABEL `0x01000000` DNS_QUERY_DNSSEC_OK (windns.h; client signaled DNSSEC OK) `0x02000000` DNS_QUERY_DNSSEC_CHECKING_DISABLED (windns.h; client signaled DNSSEC validation disabled)
`InterfaceIndex` UInt32
`ClientPID` UInt32
`QueryBlob` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3016,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.037130+00:00",
    "event_record_id": 7,
    "correlation": {
      "ActivityID": "98BC0724-3B37-4F5C-B2FF-8A9EF612845C"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "QueryType": 1,
    "QueryOptions": 722827741266862080,
    "InterfaceIndex": 0,
    "ClientPID": 3384,
    "QueryBlob": "0x1b11f66d1a0"
  },
  "message": ""
}

Event ID 3018: Cache lookup for name QueryName, type QueryType and option QueryOptions returned Status with results QueryResults.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Opcode: Info

Description

Cache lookup for name QueryName, type QueryType and option QueryOptions returned Status with results QueryResults.

Message #

Cache lookup for name %1, type %2 and option %3 returned %4 with results %5

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`QueryOptions` UInt64	ETW-emitted UInt64 DNS query option flags. The low 26 bits map to the public DNS_QUERY_* enum in windns.h (see bitmask below; DNS_QUERY_DNSSEC_OK and DNS_QUERY_DNSSEC_CHECKING_DISABLED occupy bits 24 and 25). Real events frequently also set bits 30 (0x40000000), 57, and 59 (0x0A00_0000_0000_0000) which are Windows-internal resolver flags not documented in the public API; absence of those bits in the bitmask is intentional rather than an omission. Bitmask flags `0x00000001` DNS_QUERY_ACCEPT_TRUNCATED_RESPONSE `0x00000002` DNS_QUERY_USE_TCP_ONLY `0x00000004` DNS_QUERY_NO_RECURSION `0x00000008` DNS_QUERY_BYPASS_CACHE `0x00000010` DNS_QUERY_NO_WIRE_QUERY `0x00000020` DNS_QUERY_NO_LOCAL_NAME `0x00000040` DNS_QUERY_NO_HOSTS_FILE `0x00000080` DNS_QUERY_NO_NETBT `0x00000100` DNS_QUERY_WIRE_ONLY `0x00000200` DNS_QUERY_RETURN_MESSAGE `0x00000400` DNS_QUERY_MULTICAST_ONLY `0x00000800` DNS_QUERY_NO_MULTICAST `0x00001000` DNS_QUERY_TREAT_AS_FQDN `0x00002000` DNS_QUERY_ADDRCONFIG `0x00004000` DNS_QUERY_DUAL_ADDR `0x00020000` DNS_QUERY_MULTICAST_WAIT `0x00040000` DNS_QUERY_MULTICAST_VERIFY `0x00100000` DNS_QUERY_DONT_RESET_TTL_VALUES `0x00200000` DNS_QUERY_DISABLE_IDN_ENCODING `0x00800000` DNS_QUERY_APPEND_MULTILABEL `0x01000000` DNS_QUERY_DNSSEC_OK (windns.h; client signaled DNSSEC OK) `0x02000000` DNS_QUERY_DNSSEC_CHECKING_DISABLED (windns.h; client signaled DNSSEC validation disabled)
`Status` UInt32	NTSTATUS reference
`QueryResults` UnicodeString
`ClientPID` UInt32
`QueryBlob` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3018,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.037138+00:00",
    "event_record_id": 8,
    "correlation": {
      "ActivityID": "98BC0724-3B37-4F5C-B2FF-8A9EF612845C"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "QueryType": 1,
    "QueryOptions": 722827741266862080,
    "Status": 9701,
    "QueryResults": "",
    "ClientPID": 3384,
    "QueryBlob": "0x1b11f66d1a0"
  },
  "message": ""
}

Event ID 3019: Query wire called for name QueryName, type QueryType, interface index InterfaceIndex and network index NetworkIndex.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Opcode: Info

Description

Query wire called for name QueryName, type QueryType, interface index InterfaceIndex and network index NetworkIndex.

Message #

Query wire called for name %1, type %2, interface index %3 and network index %4

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`InterfaceIndex` UInt32
`NetworkIndex` UInt32
`ClientPID` UInt32
`QueryBlob` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3019,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.037151+00:00",
    "event_record_id": 9,
    "correlation": {
      "ActivityID": "98BC0724-3B37-4F5C-B2FF-8A9EF612845C"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "QueryType": 1,
    "InterfaceIndex": 0,
    "NetworkIndex": 0,
    "ClientPID": 3384,
    "QueryBlob": "0x1b11f66d1a0"
  },
  "message": ""
}

Event ID 3020: Query response for name QueryName, type QueryType, interface index NetworkIndex and network index InterfaceIndex returned Status with results QueryResults.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Also via: realtime ETW trace
Level: Informational
Collection Priority: Recommended (NSA)
Opcode: Info

Description

Query response for name QueryName, type QueryType, interface index NetworkIndex and network index InterfaceIndex returned Status with results QueryResults.

Message #

Query response for name %1, type %2, interface index %3 and network index %4 returned %5 with results %6

Fields #

Name	Description
`QueryName` UnicodeString
`QueryType` UInt32	Known values `1` A `2` NS `5` CNAME `6` SOA `12` PTR `15` MX `16` TXT `24` SIG `25` KEY `28` AAAA `33` SRV `35` NAPTR `39` DNAME `41` OPT `43` DS `46` RRSIG `47` NSEC `48` DNSKEY `50` NSEC3 `51` NSEC3PARAM `52` TLSA `65` HTTPS `252` AXFR `255` ANY `257` CAA
`NetworkIndex` UInt32
`InterfaceIndex` UInt32
`Status` UInt32	NTSTATUS reference
`QueryResults` UnicodeString
`ClientPID` UInt32
`QueryBlob` Pointer

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 3020,
    "version": 2,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T19:59:57.072612+00:00",
    "event_record_id": 14,
    "correlation": {
      "ActivityID": "7D9A141D-3061-4B6F-A6EE-D4CEE18DB90D"
    },
    "execution": {
      "process_id": 1732,
      "thread_id": 8072
    },
    "channel": "Microsoft-Windows-DNS-Client/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "QueryName": "us-v20.events.endpoint.security.microsoft.com",
    "QueryType": 1,
    "NetworkIndex": 0,
    "InterfaceIndex": 0,
    "Status": 0,
    "QueryResults": "type: 5 us-v20.events.data.trafficmanager.net;type: 5 onedscolprdeus05.eastus.cloudapp.azure.com;20.42.65.85;",
    "ClientPID": 3384,
    "QueryBlob": "0x1b11f66d1a0"
  },
  "message": ""
}

Event ID 3023: Initiating resolver operation OperationName, name Name, flag Flag, client PID ClientPID.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Opcode: Info

Description

Initiating resolver operation OperationName, name Name, flag Flag, client PID ClientPID.

Message #

Initiating resolver operation %1, name %2, flag %3, client PID %4

Fields #

Name	Description
`OperationName` UnicodeString
`Name` UnicodeString
`Flag` UInt32
`ClientPID` UInt32

Event ID 3024: Server ActualServer failed to validate DDR certificate for original address OriginalServer with status Status.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Opcode: Info

Description

Server ActualServer failed to validate DDR certificate for original address OriginalServer with status Status.

Message #

Server %1 failed to validate DDR certificate for original address %2 with status %3

Fields #

Name	Description
`ActualServer` UnicodeString
`OriginalServer` UnicodeString
`Status` UInt32	NTSTATUS reference

Event ID 8001: Unable to start DNS Client service.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsGenericError

Description

Unable to start DNS Client service. Could not start the Remote Procedure Call (RPC) interface for this service. To correct the problem, you may restart the RPC and DNS Client services. To do so, use the following commands at a command prompt: (1) type 'net start rpc' to start the RPC service, and (2) type 'net start dnscache' to start the DNS Client service. See event details for specific error code information.

Message #

Unable to start DNS Client service. Could not start the Remote Procedure Call (RPC) interface for this service. To correct the problem, you may restart the RPC and DNS Client services. To do so, use the following commands at a command prompt: (1) type 'net start rpc' to start the RPC service, and (2) type 'net start dnscache' to start the DNS Client service. See event details for specific error code information.

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 8002: Unable to start DNS Client service because the system failed to allocate memory and may be out of available memory.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsGenericError

Description

Unable to start DNS Client service because the system failed to allocate memory and may be out of available memory. Try closing any applications not in use or reboot the computer. See event details for specific error code information.

Message #

Unable to start DNS Client service because the system failed to allocate memory and may be out of available memory. Try closing any applications not in use or reboot the computer. See event details for specific error code information.

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 8003: The system failed to register network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register network adapter with settings.

Message #

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS Server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The cause of this DNS registration failure was because the DNS update request timed out after being sent to the specified DNS Server. This is probably because the authoritative DNS server for the name being updated is not running.

You can manually retry registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still  persist, contact your network systems administrator to verify network conditions.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8004: The system failed to register network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register network adapter with settings.

Message #

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The cause of this DNS registration failure was because of DNS server failure. This may be due to a zone transfer that has locked the DNS server for the applicable zone that your computer needs to register itself with.

(The applicable zone should typically correspond to the Adapter-specific Domain Suffix that was indicated above.) You can manually retry registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your network systems administrator to verify network conditions.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8005: The system failed to register network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register network adapter with settings.

Message #

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason it could not register was because either: (a) the DNS server does not support the DNS dynamic update protocol, or (b) the primary zone authoritative for the registering names does not currently accept dynamic updates.

To add or register a DNS host (A or AAAA) resource record using the specific DNS name for this adapter, contact your DNS server or network systems administrator.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8006: The system failed to register network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register network adapter with settings.

Message #

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason it could not register was because the DNS server refused the dynamic update request. This could happen for the following reasons: (a) current DNS update policies do not allow this computer to update the DNS domain name configured for this adapter, or (b) the authoritative DNS server for this DNS domain name does not support the DNS dynamic update protocol.

To register a DNS host (A or AAAA) resource record using the specific DNS domain name for this adapter, contact your DNS server or network systems administrator.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8007: The system failed to register network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register network adapter with settings.

Message #

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The system could not register the DNS update request because of a security related problem. This could happen for the following reasons: (a) the DNS domain name that your computer is trying to register could not be updated because your computer does not have the right permissions, or (b) there might have been a problem negotiating valid credentials with the DNS server to update.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8008: The system failed to register network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register network adapter with settings.

Message #

The system failed to register network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the DNS update request could not be completed was because of a system problem. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8009: The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The reason that the system could not register these RRs was because the update request that was sent to the specified DNS server timed out. This is probably because the authoritative DNS server for the name being registered is not running.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8010: The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Level: Informational
Task: DnsRegistration

Description

The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The cause was DNS server failure. This may be because the reverse lookup zone is busy or missing on the DNS server that your computer needs to update. In most cases, this is a minor problem because it does not affect normal (forward) name resolution.

If reverse (address-to-name) resolution is required for your computer, you can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "1C95126E-7EEA-49A9-A3FE-A378B03DDB4D",
    "event_source_name": "",
    "event_id": 8010,
    "version": 0,
    "level": 4,
    "task": 1028,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-09T00:28:59.406443+00:00",
    "event_record_id": 1968,
    "correlation": {},
    "execution": {
      "process_id": 1928,
      "thread_id": 6096
    },
    "channel": "System",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "AdapterName": "{8A1760B6-DC99-4B90-9C4A-029698E5AE27}",
    "HostName": "LAB-WIN11",
    "AdapterSuffixName": "ludus.domain",
    "DnsServerList": "\t10.2.10.11",
    "Sent UpdateServer": "<?>",
    "Ipaddress": "10.2.10.21",
    "ErrorCode": 9002
  },
  "message": ""
}

Event ID 8011: The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The reason that the system could not register these RRs was because (a) either the DNS server does not support the DNS dynamic update protocol, or (b) the authoritative zone where these records are to be registered does not allow dynamic updates.

To register DNS pointer (PTR) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8012: The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The reason that the system could not register these RRs was because the DNS server refused the update request. The cause of this could be (a) your computer is not allowed to update the adapter-specified DNS domain name, or (b) because the DNS server authoritative for the specified name does not support the DNS dynamic update protocol.

To register the DNS pointer (PTR) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8013: The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The reason that the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8014: The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to register pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The reason the system could not register these RRs during the update request was because of a system problem. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8015: The system failed to register host (A or AAAA) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Level: Warning
Task: DnsRegistration

Description

The system failed to register host (A or AAAA) resource records (RRs) for network adapter.

Message #

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not register these RRs was because the update request it sent to the DNS server timed out. The most likely cause of this is that the DNS server authoritative for the name it was attempting to register or update is not running at this time.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "{1c95126e-7eea-49a9-a3fe-a378b03ddb4d}",
    "event_source_name": "",
    "event_id": 8015,
    "version": 0,
    "level": 3,
    "task": 1028,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-05-08 02:51:20.509027+00:00",
    "event_record_id": 1170,
    "correlation": {
      "ActivityID": "",
      "RelatedActivityID": ""
    },
    "execution": {
      "process_id": 1904,
      "thread_id": 4156
    },
    "channel": "System",
    "computer": "tel2-WIN11-25H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "AdapterName": "{D0EA6B1D-0BD7-4DA1-8997-C2D9A28A982A}",
    "HostName": "tel2-WIN11-25H2-1",
    "AdapterSuffixName": "ludus.domain",
    "DnsServerList": "\t10.4.10.11",
    "Sent UpdateServer": "<?>",
    "Ipaddress": "10.4.10.21",
    "ErrorCode": "1460"
  },
  "message": "The system failed to register host (A or AAAA) resource records (RRs) for network adapter\r\nwith settings:\r\n\r\n           Adapter Name : {D0EA6B1D-0BD7-4DA1-8997-C2D9A28A982A}\r\n           Host Name : tel2-WIN11-25H2-1\r\n           Primary Domain Suffix : ludus.domain\r\n           DNS server list :\r\n             \t10.4.10.11\r\n           Sent update to server : <?>\r\n           IP Address(es) :\r\n             10.4.10.21\r\n\r\nThe reason the system could not register these RRs was because the update request it sent to the DNS server timed out. The most likely cause of this is that the DNS server authoritative for the name it was attempting to register or update is not running at this time.\r\n\r\nYou can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator."
}

Event ID 8016: The system failed to register host (A or AAAA) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Level: Warning
Task: DnsRegistration

Description

The system failed to register host (A or AAAA) resource records (RRs) for network adapter.

Message #

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not register these RRs was because the DNS server failed the update request. The most likely cause of this is that the authoritative DNS server required to process this update request has a lock in place on the zone, probably because a zone transfer is in progress.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`Sent UpdateServer`
`Ipaddress` UnicodeString
`ErrorCode` UInt32
`SentUpdateServer` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-DNS-Client",
    "guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
    "event_source_name": "",
    "event_id": 8016,
    "version": 0,
    "level": 3,
    "task": 1028,
    "opcode": 0,
    "keywords": 4611686018427387904,
    "time_created": "2026-05-29T01:41:01.0197955+00:00",
    "event_record_id": 1723,
    "correlation": {},
    "execution": {
      "process_id": 1692,
      "thread_id": 3688
    },
    "channel": "System",
    "computer": "telemetry-W11-d.cell-d.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "AdapterName": "{D0EA6B1D-0BD7-4DA1-8997-C2D9A28A982A}",
    "HostName": "telemetry-W11-d",
    "AdapterSuffixName": "cell-d.ludus.domain",
    "DnsServerList": "\t10.1.50.11",
    "Sent UpdateServer": "10.1.50.11:53",
    "Ipaddress": "10.1.50.21",
    "ErrorCode": "9002"
  },
  "message": "The system failed to register host (A or AAAA) resource records (RRs) for network adapter\r\nwith settings:\r\n\r\n           Adapter Name : {D0EA6B1D-0BD7-4DA1-8997-C2D9A28A982A}\r\n           Host Name : telemetry-W11-d\r\n           Primary Domain Suffix : cell-d.ludus.domain\r\n           DNS server list :\r\n             \t10.1.50.11\r\n           Sent update to server : 10.1.50.11:53\r\n           IP Address(es) :\r\n             10.1.50.21\r\n\r\nThe reason the system could not register these RRs was because the DNS server failed the update request. The most likely cause of this is that the authoritative DNS server required to process this update request has a lock in place on the zone, probably because a zone transfer is in progress.\r\n\r\nYou can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator."
}

Event ID 8017: The system failed to register host (A or AAAA) resource records for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register host (A or AAAA) resource records for network adapter.

Message #

The system failed to register host (A or AAAA) resource records for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

Either the DNS server does not support the DNS dynamic update protocol or the authoritative zone for the specified DNS domain name does not accept dynamic updates.

To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8018: The system failed to register host (A or AAAA) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register host (A or AAAA) resource records (RRs) for network adapter.

Message #

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not register these RRs was because the DNS server contacted refused the update request. The reasons for this might be (a) you are not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for this name does not support the DNS dynamic update protocol.

To register the DNS host (A or AAAA) resource records using the specific DNS domain name and IP addresses for this adapter, contact your DNS server or network systems administrator.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8019: The system failed to register host (A or AAAA) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register host (A or AAAA) resource records (RRs) for network adapter.

Message #

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not register these RRs was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8020: The system failed to register host (A or AAAA) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to register host (A or AAAA) resource records (RRs) for network adapter.

Message #

The system failed to register host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not register these RRs during the update request was because of a system problem. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8021: The system failed to update and remove registration for the network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove registration for the network adapter with settings.

Message #

The system failed to update and remove registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason for this failure is because the DNS server it sent the update request to timed out. The most likely cause of this failure is that the DNS server authoritative for the zone where the registration was originally made is either not running or unreachable through the network at this time.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8022: The system failed to update and remove registration for the network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove registration for the network adapter with settings.

Message #

The system failed to update and remove registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason for this failure is because the DNS server it sent the update to failed the update request. A possible cause of this failure is that the DNS server required to process this update request has a lock in place on the zone, probably because a zone transfer is in progress.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8023: The system failed to update and remove registration for the network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove registration for the network adapter with settings.

Message #

The system failed to update and remove registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason for this failure is because the DNS server sent the update either (a) does not support the DNS dynamic update protocol, or (b) the authoritative zone for the specified DNS domain name does not currently accept DNS dynamic updates.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8024: The system failed to update and remove registration for the network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove registration for the network adapter with settings.

Message #

The system failed to update and remove registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not perform the update request was the DNS server contacted refused update request. The cause of this is (a) this computer is not allowed to update the specified DNS domain name, or (b) because the DNS server authoritative for the zone that requires updating does not support the DNS dynamic update protocol.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8025: The system failed to update and remove registration for the network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove registration for the network adapter with settings.

Message #

The system failed to update and remove registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the system could not perform the update request was because of a security related problem. The cause of this could be (a) your computer does not have permissions to register and update the specific DNS domain name set for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request.

See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8026: The system failed to update and remove the DNS registration for the network adapter with settings.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove the DNS registration for the network adapter with settings.

Message #

The system failed to update and remove the DNS registration for the network adapter with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The system could not update to remove this DNS registration because of a system problem. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8027: The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The system could not remove these PTR RRs because the update request timed out while awaiting a response from the DNS server. This is probably because the DNS server authoritative for the zone that requires update is not running.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8028: The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address : %6

The system could not remove these PTR RRs because the DNS server failed the update request. A possible cause is that a zone transfer is in progress, causing a lock for the zone at the DNS server authorized to perform the updates for these RRs.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8029: The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The system could not remove these PTR RRs because either the DNS server does not support the DNS dynamic update protocol or the authoritative zone that contains these RRs does not accept dynamic updates.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8030: The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The system could not remove these PTR RRs because the DNS server refused the update request. The cause of this might be (a) this computer is not allowed to update the specified DNS domain name specified by these settings, or (b) because the DNS server authorized to perform updates for the zone that contains these RRs does not support the DNS dynamic update protocol.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8031: The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The system could not remove these PTR RRs because of a security related problem. The cause of this could be that (a) your computer does not have permissions to remove and update the specific DNS domain name or IP addresses configured for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8032: The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter.

Message #

The system failed to update and remove pointer (PTR) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Adapter-specific Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address :
             %6

The system could not remove these PTR RRs because because of a system problem. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8033: The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Message #

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

         The system could not remove these host (A or AAAA) RRs because the update request timed out while awaiting a response from the DNS server. This is probably because the DNS server authoritative for the zone where these RRs need to be updated is either not currently running or reachable on the network.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8034: The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Message #

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The system could not remove these host (A or AAAA) RRs because the DNS server failed the update request. A possible cause is that a zone transfer is in progress, causing a lock for the zone at the DNS server authorized to perform the updates for these RRs.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8035: The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Message #

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason for this failure is because the DNS server sent the update either (a) does not support the DNS dynamic update protocol, or (b) the authoritative zone for the DNS domain name specified in these host (A or AAAA) RRs does not currently accept DNS dynamic updates.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8036: The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Message #

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The request to remove these records failed because the DNS server refused the update request. The cause of this might be that either (a) this computer is not allowed to update the DNS domain name specified by these settings, or (b) because the DNS server authorized to perform updates for the zone that contains these RRs does not support the DNS dynamic update protocol.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8037: The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Message #

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason for this failure was because of a security related problem. The cause of this could be that (a) your computer does not have permissions to remove and update the specific DNS domain name or IP addresses configured for this adapter, or (b) there might have been a problem negotiating valid credentials with the DNS server during the processing of the update request. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8038: The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsRegistration

Description

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter.

Message #

The system failed to update and remove host (A or AAAA) resource records (RRs) for network adapter
with settings:

           Adapter Name : %1
           Host Name : %2
           Primary Domain Suffix : %3
           DNS server list :
             %4
           Sent update to server : %5
           IP Address(es) :
             %6

The reason the update request failed was because of a system problem. See event details for specific error code information.

Fields #

Name	Description
`AdapterName` UnicodeString
`HostName` UnicodeString
`AdapterSuffixName` UnicodeString
`DnsServerList` UnicodeString
`SentUpdateServer` UnicodeString
`Ipaddress` UnicodeString
`ErrorCode` UInt32

Event ID 8040: A DNS interception provider has been loaded.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsInterception

Description

A DNS interception provider has been loaded. This provider can overwrite any DNS resolution result. If this is unexpected, please contact the machine/domain admin.

Message #

A DNS interception provider has been loaded. This provider can overwrite any DNS resolution result. If this is unexpected, please contact the machine/domain admin.

           Interception Dll: %1

Fields #

Name	Description
`DllName` UnicodeString

Event ID 8042: A DNS interception provider performed an illegal operation.

Provider: Microsoft-Windows-DNS-Client
Channel: System
Task: DnsInterception

Description

A DNS interception provider performed an illegal operation.

Message #

A DNS interception provider performed an illegal operation. 

           Interception Dll: %1

Fields #

Name	Description
`DllName` UnicodeString

Event ID 8043: DNS-over-HTTPS query initiated to server Server for the name NameQuery, on interface InterfaceName, using template Template, client PID ClientPID.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Description

DNS-over-HTTPS query initiated to server Server for the name NameQuery, on interface InterfaceName, using template Template, client PID ClientPID.

Message #

DNS-over-HTTPS query initiated to server %1 for the name %2, on interface %3, using template %4, client PID %5

Fields #

Name	Description
`Server` UnicodeString
`NameQuery` UnicodeString
`InterfaceName` UnicodeString
`Template` UnicodeString
`ClientPID` UInt32

Event ID 8044: DNS-over-TLS query initiated to server Server for the name NameQuery, on interface InterfaceName, with hostname Hostname, client PID ClientPID.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Description

DNS-over-TLS query initiated to server Server for the name NameQuery, on interface InterfaceName, with hostname Hostname, client PID ClientPID.

Message #

DNS-over-TLS query initiated to server %1 for the name %2, on interface %3, with hostname %4, client PID %5

Fields #

Name	Description
`Server` UnicodeString
`NameQuery` UnicodeString
`InterfaceName` UnicodeString
`Hostname` UnicodeString
`ClientPID` UInt32

Event ID 8045: DNS-over-HTTPS request to server Server with template TemplateName returned HTTP status $3.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Description

DNS-over-HTTPS request to server Server with template TemplateName returned HTTP status $3.

Message #

DNS-over-HTTPS request to server %1 with template %2 returned HTTP status $3

Fields #

Name	Description
`Server` UnicodeString
`TemplateName` UnicodeString
`StatusCode` UInt32	NTSTATUS reference

Event ID 8046: DNS-over-HTTPS request to server Server with template TemplateName failed with error ErrorCode.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Description

DNS-over-HTTPS request to server Server with template TemplateName failed with error ErrorCode.

Message #

DNS-over-HTTPS request to server %1 with template %2 failed with error %3

Fields #

Name	Description
`Server` UnicodeString
`TemplateName` UnicodeString
`ErrorCode` UInt32

Event ID 8047: DNS-over-TLS request to server Server with hostname Hostname failed with error ErrorCode.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Description

DNS-over-TLS request to server Server with hostname Hostname failed with error ErrorCode.

Message #

DNS-over-TLS request to server %1 with hostname %2 failed with error %3

Fields #

Name	Description
`Server` UnicodeString
`Hostname` UnicodeString
`ErrorCode` UInt32

Event ID 8048: DNS-over-HTTPS request failed to obtain valid SSL certificate from server Server, with template Template, due to: Error.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Description

DNS-over-HTTPS request failed to obtain valid SSL certificate from server Server, with template Template, due to: Error. WinHTTP flags: ErrorBits.

Message #

DNS-over-HTTPS request failed to obtain valid SSL certificate from server %1, with template %2, due to: %3. WinHTTP flags: %4

Fields #

Name	Description
`Server` UnicodeString
`Template` UnicodeString
`Error` UnicodeString
`ErrorBits` UInt64

Event ID 8049: DNS-over-TLS request failed to obtain valid SSL certificate from server Server, with hostname Hostname, due to: Error.

Provider: Microsoft-Windows-DNS-Client
Channel: System

Description

DNS-over-TLS request failed to obtain valid SSL certificate from server Server, with hostname Hostname, due to: Error. WinHTTP flags: ErrorBits.

Message #

DNS-over-TLS request failed to obtain valid SSL certificate from server %1, with hostname %2, due to: %3. WinHTTP flags: %4

Fields #

Name	Description
`Server` UnicodeString
`Hostname` UnicodeString
`Error` UnicodeString
`ErrorBits` UInt64

Event ID 8050: Windows DNS Client process mitigations: SystemCall: SystemCallDisable, ExtensionPoint: ExtensionPointDisable, DynamicCode: DynamicCode, CFG: ControlFlowGuard, BinarySignature: BinarySignature, Font...

Provider: Microsoft-Windows-DNS-Client
Channel: Operational

Description

Windows DNS Client process mitigations: SystemCall: , ExtensionPoint: , DynamicCode: , CFG: , BinarySignature: , FontDisable: , ImageLoad: , ChildProcess: . Enforce mitigations.

Message #

Windows DNS Client process mitigations: SystemCall: %1, ExtensionPoint: %2, DynamicCode: %3, CFG: %4, BinarySignature: %5, FontDisable: %6, ImageLoad: %7, ChildProcess: %8. Enforce mitigations: %9

Fields #

Name	Description
`SystemCallDisable` UInt32
`ExtensionPointDisable` UInt32
`DynamicCode` UInt32
`ControlFlowGuard` UInt32
`BinarySignature` UInt32
`FontDisable` UInt32
`ImageFlow` UInt32
`ChildProcess` UInt32
`EnforcementKey` UInt32

Event ID 60004: Error: Error Location: Location Context: Context.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsNetError

Description

Error: Error Location: Location Context: Context.

Message #

Error: %1 Location: %2 Context: %3

Fields #

Name	Description
`ErrorCode` UInt32
`Location` UInt32
`Context` UInt32

Event ID 60005: Warning: Warning Location: Location Context: Context.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsNetWarning

Description

Warning: Warning Location: Location Context: Context.

Message #

Warning: %1 Location: %2 Context: %3

Fields #

Name	Description
`WarningCode` UInt32
`Location` UInt32
`Context` UInt32

Event ID 60006: Transitioned to State: NextState Context: Context.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsStateTransition

Description

Transitioned to State: NextState Context: Context.

Message #

Transitioned to State: %1 Context: %2

Fields #

Name	Description
`NextState` UInt8
`Context` UInt32

Event ID 60007: Updated Context: Updated_Context Update Reason: Update_Reason.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsContextUpdate

Description

Updated Context: Updated_Context Update Reason: Update_Reason.

Message #

Updated Context: %1 Update Reason: %2

Fields #

Name	Description
`Context` UInt32
`UpdateReasonCode` UInt32

Event ID 60008: Name resolution policy table has been corrupted.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsPolicyReadError

Description

Name resolution policy table has been corrupted. DNS resolution will fail until it is fixed. Contact your network administrator. For more information: read policy table for rule failed with error.

Message #

Name resolution policy table has been corrupted. DNS resolution will fail until it is fixed. Contact your network administrator. For more information: read policy table for rule %1 failed with error %2

Fields #

Name	Description
`RuleName` UnicodeString
`ErrorCode` UInt32

Event ID 60101: SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsV4Tuple

Description

SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.

Message #

SourceAddress: %1 SourcePort: %2 DestinationAddress: %3 DestinationPort: %4 Protocol: %5 ReferenceContext: %6

Fields #

Name	Description
`SourceAddress` UInt32
`SourcePort` UInt32
`DestinationAddress` UInt32
`DestinationPort` UInt32
`Protocol` UInt32	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`ReferenceContext` UInt32

Event ID 60102: SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsV6Tuple

Description

SourceAddress: SourceAddress SourcePort: SourcePort DestinationAddress: DestinationAddress DestinationPort: DestinationPort Protocol: Protocol ReferenceContext: ReferenceContext.

Message #

SourceAddress: %1 SourcePort: %2 DestinationAddress: %3 DestinationPort: %4 Protocol: %5 ReferenceContext: %6

Fields #

Name	Description
`SourceAddress` Binary
`SourcePort` UInt32
`DestinationAddress` Binary
`DestinationPort` UInt32
`Protocol` UInt32	Known values `0` HOPOPT `1` ICMP `2` IGMP `6` TCP `17` UDP `41` IPv6 `43` IPv6-Route `44` IPv6-Frag `47` GRE `50` ESP `51` AH `58` ICMPv6 `89` OSPF `103` PIM `132` SCTP
`ReferenceContext` UInt32

Event ID 60103: Interface Guid: Interface_Guid IfIndex: IfIndex Interface Luid: Interface_Luid ReferenceContext: ReferenceContext.

Provider: Microsoft-Windows-DNS-Client
Channel: Operational
Task: DnsInterfaceInfo

Description

Interface Guid: Interface_Guid IfIndex: IfIndex Interface Luid: Interface_Luid ReferenceContext: ReferenceContext.

Message #

Interface Guid: %1 IfIndex: %2 Interface Luid: %3 ReferenceContext: %4

Fields #

Name	Description
`IfGuid` GUID
`IfIndex` UInt32
`IfLuid` UInt64
`ReferenceContext` UInt32

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID {1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}

Defined in dnsapi.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.1, captured 2026-06-02
WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1591, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)