Microsoft-Windows-DNSServer
167 events across 2 channels
Event ID 256: QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; AdditionalInfo = Virtualiz...
#Description
QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; AdditionalInfo = VirtualizationInstanceOptionValue: AdditionalInfo; GUID=GUID.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 256,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": "0x0000000000000001",
"time_created": "2026-06-02T05:16:25.362+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4504,
"thread_id": 10580
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AdditionalInfo": ".",
"BufferSize": 40,
"Flags": 256,
"GUID": "{00A28FC1-E523-4539-988F-65542019270F}",
"InterfaceIP": "127.0.0.1",
"PacketData": "0001010000010000000000000131013001300331323707696E2D61646472046172706100000C0001",
"Port": 53005,
"QNAME": "1.0.0.127.in-addr.arpa.",
"QTYPE": 12,
"RD": 1,
"Source": "127.0.0.1",
"TCP": 0,
"XID": 1
},
"message": "LOOK_UP"
}
Event ID 256: QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; AdditionalInfo = VirtualizationInstanceOpti...
#Description
QUERY_RECEIVED: TCP=; InterfaceIP=; Source=; RD=; QNAME=; QTYPE=; XID=; Port=; Flags=; PacketData=; AdditionalInfo = VirtualizationInstanceOptionValue: ; GUID=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString |
Event ID 257: RESPONSE_SUCCESS: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; DNSSEC=DNSSEC; RCODE=RCODE; Port=Port; Flags=Flags; Scop...
#Description
RESPONSE_SUCCESS: TCP=; InterfaceIP=; Destination=; AA=; AD=; QNAME=; QTYPE=; XID=; DNSSEC=; RCODE=; Port=; Flags=; Scope=; Zone=; PolicyName=; PacketData=; AdditionalInfo= ; ElapsedTime=; GUID=.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
DNSSEC UInt8 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Scope UnicodeString | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
ElapsedTime UInt32 | |
GUID UnicodeString | |
StaleRecordsPresent UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 257,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": "0x0000000000000002",
"time_created": "2026-06-02T05:16:25.362+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4504,
"thread_id": 10580
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AA": 1,
"AD": 0,
"AdditionalInfo": "VirtualizationInstance:.",
"BufferSize": 63,
"DNSSEC": 0,
"Destination": "127.0.0.1",
"ElapsedTime": 1,
"Flags": 34176,
"GUID": "{00A28FC1-E523-4539-988F-65542019270F}",
"InterfaceIP": "127.0.0.1",
"PacketData": "0001858000010001000000000131013001300331323707696E2D61646472046172706100000C0001C00C000C000100000E10000B096C6F63616C686F737400",
"PolicyName": "NULL",
"Port": 53005,
"QNAME": "1.0.0.127.in-addr.arpa.",
"QTYPE": 12,
"RCODE": 0,
"Scope": "Default",
"TCP": 0,
"XID": 1,
"Zone": "127.in-addr.arpa"
},
"message": "LOOK_UP"
}
Event ID 257: RESPONSE_SUCCESS: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; DNSSEC=DNSSEC; RCODE=RCODE; Port=Port; Flags=Flags; Scope=Scope; Zone=Z...
#Description
RESPONSE_SUCCESS: TCP=; InterfaceIP=; Destination=; AA=; AD=; QNAME=; QTYPE=; XID=; DNSSEC=; RCODE=; Port=; Flags=; Scope=; Zone=; PolicyName=; PacketData=; AdditionalInfo= ; ElapsedTime=; GUID=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
DNSSEC UInt8 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Scope UnicodeString | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
ElapsedTime UInt32 | |
GUID UnicodeString | |
StaleRecordsPresent UnicodeString |
Event ID 258: RESPONSE_FAILURE: TCP=.
#Description
RESPONSE_FAILURE: TCP=TCP; InterfaceIP=InterfaceIP; Reason=Reason; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; Flags=Flags; Zone=Zone; PolicyName=PolicyName; PacketData=PacketData; AdditionalInfo = VirtualizationInstance: BufferSize; ElapsedTime=ElapsedTime; GUID=GUID
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Reason UnicodeString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
ElapsedTime UInt32 | |
GUID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 258,
"version": 0,
"level": 2,
"task": 1,
"opcode": 0,
"keywords": "0x0000000000000004",
"time_created": "2026-06-02T05:16:26.645+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4504,
"thread_id": 10580
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AdditionalInfo": ".",
"BufferSize": 30,
"Destination": "127.0.0.1",
"ElapsedTime": 0,
"Flags": 33154,
"GUID": "{261CCD1C-B5E8-4C9F-AB81-26CF110C6CA2}",
"InterfaceIP": "127.0.0.1",
"PacketData": "9B18818200010000000000000C4A442D444330312D323032320000010001",
"PolicyName": "NULL",
"Port": 60070,
"QNAME": "JD-DC01-2022.",
"QTYPE": 1,
"RCODE": 2,
"Reason": "Single Label",
"TCP": 0,
"XID": 39704,
"Zone": "..Cache"
},
"message": "LOOK_UP"
}
Event ID 258: RESPONSE_FAILURE: TCP=TCP; InterfaceIP=InterfaceIP; Reason=Reason; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; Flags=Flags; Zone=Zone; PolicyName=PolicyName;...
#Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Reason UnicodeString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
ElapsedTime UInt32 | |
GUID UnicodeString |
Event ID 259: IGNORED_QUERY: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Zone=Zone; PolicyName=PolicyName; AdditionalInfo = VirtualizationIns...
#Description
IGNORED_QUERY: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Zone=Zone; PolicyName=PolicyName; AdditionalInfo = VirtualizationInstance: AdditionalInfo.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
Reason UnicodeString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
Zone UnicodeString | |
PolicyName UnicodeString | |
AdditionalInfo UnicodeString |
Event ID 259: IGNORED_QUERY: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Zone=Zone; PolicyName=PolicyName; AdditionalInfo = VirtualizationInstance:
#Description
IGNORED_QUERY: TCP=; InterfaceIP=; Source=; Reason=; QNAME=; QTYPE=; XID=; Zone=; PolicyName=; AdditionalInfo = VirtualizationInstance.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
Reason UnicodeString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
Zone UnicodeString | |
PolicyName UnicodeString | |
AdditionalInfo UnicodeString |
Event ID 260: RECURSE_QUERY_OUT: TCP=.
#Description
RECURSE_QUERY_OUT: TCP=TCP; Destination=Destination; InterfaceIP=InterfaceIP; RD=RD; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=CacheScope; PolicyName=PolicyName; PacketData=PacketData; AdditionalInfo = VirtualizationInstance: AdditionalInfo; GUID=GUID
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Destination AnsiString | |
InterfaceIP AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
QXID UInt32 | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 260,
"version": 0,
"level": 4,
"task": 2,
"opcode": 0,
"keywords": "0x0000000000000010",
"time_created": "2026-06-02T05:16:25.363+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4504,
"thread_id": 10580
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AdditionalInfo": ".",
"BufferSize": 78,
"CacheScope": "Default",
"Destination": "10.2.10.254",
"Flags": 256,
"GUID": "{5D621ABD-6B0A-4B49-B2FB-76FFBA3CB9E4}",
"InterfaceIP": "0.0.0.0",
"PacketData": "7211010000010000000000011F746869732D6E616D652D646F65732D6E6F742D65786973742D65747767656E07696E76616C696404686F6D65046172706100000100010000290FA0000080000000",
"PolicyName": "NULL",
"Port": 0,
"QNAME": "this-name-does-not-exist-etwgen.invalid.home.arpa.",
"QTYPE": 1,
"QXID": 4,
"RD": 1,
"RecursionScope": ".",
"TCP": 0,
"XID": 29201
},
"message": "RECURSE_QUERY"
}
Event ID 260: RECURSE_QUERY_OUT: TCP=TCP; Destination=Destination; InterfaceIP=InterfaceIP; RD=RD; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=...
#Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Destination AnsiString | |
InterfaceIP AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
QXID UInt32 | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString |
Event ID 261: RECURSE_RESPONSE_IN: TCP=.
#Description
RECURSE_RESPONSE_IN: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RemoteQueriesSent=RecursionDepth; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=CacheScope; PacketData=PacketData; AdditionalInfo = VirtualizationInstance: AdditionalInfo; GUID=GUID; QueriesAttached=QueriesAttached
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Source AnsiString | |
InterfaceIP AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RecursionDepth UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString | |
QueriesAttached UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 261,
"version": 0,
"level": 4,
"task": 2,
"opcode": 0,
"keywords": "0x0000000000000020",
"time_created": "2026-06-02T05:16:25.364+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4504,
"thread_id": 10580
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"AA": 0,
"AD": 0,
"AdditionalInfo": ".",
"BufferSize": 155,
"CacheScope": "Default",
"Flags": 33155,
"GUID": "{5D621ABD-6B0A-4B49-B2FB-76FFBA3CB9E4}",
"InterfaceIP": "0.0.0.0",
"PacketData": "7211818300010000000100011F746869732D6E616D652D646F65732D6E6F742D65786973742D65747767656E07696E76616C696404686F6D6504617270610000010001C0340006000100092F90004108707269736F6E65720469616E61036F7267000A686F73746D61737465720C726F6F742D73657276657273C05D0000000100093A800000003C00093A8000093A800000290FA0000080000000",
"Port": 0,
"QNAME": "this-name-does-not-exist-etwgen.invalid.home.arpa.",
"QTYPE": 1,
"QueriesAttached": 0,
"RecursionDepth": 1,
"RecursionScope": ".",
"Source": "10.2.10.254",
"TCP": 0,
"XID": 29201
},
"message": "RECURSE_QUERY"
}
Event ID 261: RECURSE_RESPONSE_IN: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RemoteQueriesSent=RecursionDepth; Port=Port; Flags=Flags; RecursionScope=Recur...
#Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Source AnsiString | |
InterfaceIP AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RecursionDepth UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString | |
QueriesAttached UInt32 |
Event ID 262: RECURSE_QUERY_TIMEOUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheSco...
#Description
RECURSE_QUERY_TIMEOUT: TCP=; InterfaceIP=; Destination=; QNAME=; QTYPE=; QXID=; XID=; Port=; Flags=; RecursionScope=; CacheScope=; AdditionalInfo = VirtualizationInstance: ; GUID=.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
QXID UInt32 | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
AdditionalInfo UnicodeString | |
GUID UnicodeString |
Event ID 262: RECURSE_QUERY_TIMEOUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=Cac...
#Description
RECURSE_QUERY_TIMEOUT: TCP=; InterfaceIP=; Destination=; QNAME=; QTYPE=; QXID=; XID=; Port=; Flags=; RecursionScope=; CacheScope=; AdditionalInfo = VirtualizationInstance: ; GUID=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
QXID UInt32 | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
AdditionalInfo UnicodeString | |
GUID UnicodeString |
Event ID 263: DYN_UPDATE_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; Port=Port; Flags=Flags; SECURE=Secure; PacketData=PacketData.
#Description
DYN_UPDATE_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; Port=Port; Flags=Flags; SECURE=Secure; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
Secure UInt8 | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 263: DYN_UPDATE_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; Port=Port; Flags=Flags; SECURE=Secure; PacketData=
#Description
DYN_UPDATE_RECV: TCP=; InterfaceIP=; Source=; QNAME=; XID=; Port=; Flags=; SECURE=; PacketData=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
Secure UInt8 | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 264: DYN_UPDATE_RESPONSE: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PolicyName=PolicyName; PacketData=PacketData.
#Description
DYN_UPDATE_RESPONSE: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PolicyName=PolicyName; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 264: DYN_UPDATE_RESPONSE: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PolicyName=PolicyName; PacketData=
#Description
DYN_UPDATE_RESPONSE: TCP=; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PolicyName=; PacketData=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 265: IXFR_REQ_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.
#Description
IXFR_REQ_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 265: IXFR_REQ_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=
#Description
IXFR_REQ_OUT: TCP=; InterfaceIP=; Source=; QNAME=; XID=; ZoneScope=; Zone=; PacketData=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 266: IXFR_REQ_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.
#Description
IXFR_REQ_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 266: IXFR_REQ_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=
#Description
IXFR_REQ_RECV: TCP=; InterfaceIP=; Source=; QNAME=; XID=; ZoneScope=; Zone=; PacketData=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 267: IXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.
#Description
IXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
BufferSize UInt32 | |
PacketData Binary |
Event ID 267: IXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=
#Description
IXFR_RESP_OUT: TCP=; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PacketData=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
BufferSize UInt32 | |
PacketData Binary |
Event ID 268: IXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.
#Description
IXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
BufferSize UInt32 | |
PacketData Binary |
Event ID 268: IXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=
#Description
IXFR_RESP_RECV: TCP=; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PacketData=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
BufferSize UInt32 | |
PacketData Binary |
Event ID 269: AXFR_REQ_OUT: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.
#Description
AXFR_REQ_OUT: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Source AnsiString | |
InterfaceIP AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 269: AXFR_REQ_OUT: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=
#Description
AXFR_REQ_OUT: TCP=; Source=; InterfaceIP=; QNAME=; XID=; ZoneScope=; Zone=; PacketData=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Source AnsiString | |
InterfaceIP AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 270: AXFR_REQ_RECV: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.
#Description
AXFR_REQ_RECV: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Source AnsiString | |
InterfaceIP AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 270: AXFR_REQ_RECV: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; PacketData=
#Description
AXFR_REQ_RECV: TCP=; Source=; InterfaceIP=; QNAME=; XID=; ZoneScope=; Zone=; PacketData=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Source AnsiString | |
InterfaceIP AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 271: AXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE.
#Description
AXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
Event ID 271: AXFR_RESP_OUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=
#Description
AXFR_RESP_OUT: TCP=; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
Event ID 272: AXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE.
#Description
AXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
Event ID 272: AXFR_RESP_RECV: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=
#Description
AXFR_RESP_RECV: TCP=; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
Event ID 273: XFR_NOTIFY_RECV: Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.
#Event ID 273: XFR_NOTIFY_RECV: Source=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; ZoneScope=ZoneScope; Zone=Zone; PacketData=
#Description
XFR_NOTIFY_RECV: Source=; InterfaceIP=; QNAME=; ZoneScope=; Zone=; PacketData=.
Fields #
| Name | Description |
|---|---|
Source AnsiString | |
InterfaceIP AnsiString | |
QNAME AnsiString | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 274: XFR_NOTIFY_OUT: Destination=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.
#Description
XFR_NOTIFY_OUT: Destination=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; ZoneScope=ZoneScope; Zone=Zone; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
Source AnsiString | |
InterfaceIP AnsiString | |
QNAME AnsiString | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 274: XFR_NOTIFY_OUT: Destination=Source; InterfaceIP=InterfaceIP; QNAME=QNAME; ZoneScope=ZoneScope; Zone=Zone; PacketData=
#Description
XFR_NOTIFY_OUT: Destination=; InterfaceIP=; QNAME=; ZoneScope=; Zone=; PacketData=.
Fields #
| Name | Description |
|---|---|
Source AnsiString | |
InterfaceIP AnsiString | |
QNAME AnsiString | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 275: XFR_NOTIFY_ACK_IN: Source=Source; InterfaceIP=InterfaceIP; PacketData=PacketData.
#Event ID 275: XFR_NOTIFY_ACK_IN: Source=Source; InterfaceIP=InterfaceIP; PacketData=
#Description
XFR_NOTIFY_ACK_IN: Source=; InterfaceIP=; PacketData=.
Fields #
| Name | Description |
|---|---|
Source AnsiString | |
InterfaceIP AnsiString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 276: XFR_NOTIFY_ACK_OUT: Destination=Destination; InterfaceIP=InterfaceIP; Zone=Zone; PacketData=PacketData.
#Event ID 276: XFR_NOTIFY_ACK_OUT: Destination=Destination; InterfaceIP=InterfaceIP; Zone=Zone; PacketData=
#Description
XFR_NOTIFY_ACK_OUT: Destination=; InterfaceIP=; Zone=; PacketData=.
Fields #
| Name | Description |
|---|---|
Destination AnsiString | |
InterfaceIP AnsiString | |
Zone UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 277: DYN_UPDATE_FORWARD: TCP=TCP; ForwardInterfaceIP=ForwardInterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.
#Description
DYN_UPDATE_FORWARD: TCP=TCP; ForwardInterfaceIP=ForwardInterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
ForwardInterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
BufferSize UInt32 | |
PacketData Binary |
Event ID 277: DYN_UPDATE_FORWARD: TCP=TCP; ForwardInterfaceIP=ForwardInterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=
#Description
DYN_UPDATE_FORWARD: TCP=; ForwardInterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PacketData=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
ForwardInterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
BufferSize UInt32 | |
PacketData Binary |
Event ID 278: DYN_UPDATE_RESPONSE_IN: TCP=TCP; InterfaceIP=InterfaceIP; Source=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.
#Description
DYN_UPDATE_RESPONSE_IN: TCP=TCP; InterfaceIP=InterfaceIP; Source=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
BufferSize UInt32 | |
PacketData Binary |
Event ID 278: DYN_UPDATE_RESPONSE_IN: TCP=TCP; InterfaceIP=InterfaceIP; Source=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PacketData=
#Description
DYN_UPDATE_RESPONSE_IN: TCP=; InterfaceIP=; Source=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PacketData=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
BufferSize UInt32 | |
PacketData Binary |
Event ID 279: INTERNAL_LOOKUP_CNAME: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=GUID.
#Description
INTERNAL_LOOKUP_CNAME: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=GUID.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
XID UInt32 | |
BufferSize UInt32 | |
PacketData Binary | |
GUID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 279,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": "0x0000000800000000",
"time_created": "2026-06-02T05:16:25.401+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4504,
"thread_id": 10580
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"BufferSize": 34,
"Flags": 33152,
"GUID": "{C9931481-610A-41A6-B153-9252110E30F2}",
"InterfaceIP": "127.0.0.1",
"PacketData": "16948180000100010000000003777777086D7366746E63736903636F6D0000010001",
"Port": 52997,
"QNAME": "www.msftncsi.com.edgesuite.net.",
"QTYPE": 1,
"RD": 1,
"Source": "127.0.0.1",
"TCP": 0,
"XID": 5780
},
"message": "LOOK_UP"
}
Event ID 279: INTERNAL_LOOKUP_CNAME: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=
#Description
INTERNAL_LOOKUP_CNAME: TCP=; InterfaceIP=; Source=; RD=; QNAME=; QTYPE=; Port=; Flags=; XID=; PacketData=; GUID=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
XID UInt32 | |
BufferSize UInt32 | |
PacketData Binary | |
GUID UnicodeString |
Event ID 280: INTERNAL_LOOKUP_ADDITIONAL: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=GUID.
#Description
INTERNAL_LOOKUP_ADDITIONAL: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=GUID.
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
XID UInt32 | |
BufferSize UInt32 | |
PacketData Binary | |
GUID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 280,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": "0x0000001000000000",
"time_created": "2026-06-02T05:16:26.113+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 4504,
"thread_id": 10580
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"BufferSize": 31,
"Flags": 33152,
"GUID": "{04BCD1C4-007B-4318-BBB6-CDF9D152CBD3}",
"InterfaceIP": "127.0.0.1",
"PacketData": "000481800001000100000000096D6963726F736F667403636F6D00000F0001",
"Port": 53018,
"QNAME": "microsoft-com.mail.protection.outlook.com.",
"QTYPE": 1,
"RD": 1,
"Source": "127.0.0.1",
"TCP": 0,
"XID": 4
},
"message": "LOOK_UP"
}
Event ID 280: INTERNAL_LOOKUP_ADDITIONAL: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; Port=Port; Flags=Flags; XID=XID; PacketData=PacketData; GUID=
#Description
INTERNAL_LOOKUP_ADDITIONAL: TCP=; InterfaceIP=; Source=; RD=; QNAME=; QTYPE=; Port=; Flags=; XID=; PacketData=; GUID=.
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
XID UInt32 | |
BufferSize UInt32 | |
PacketData Binary | |
GUID UnicodeString |
Event ID 281: RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.
#Description
RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 281: RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=
#Description
RRL_TO_BE_DROPPED_RESPONSE: InterfaceIP=; Destination=; QNAME=; QTYPE=; XID=; RCODE=; Port=; PacketData=.
Fields #
| Name | Description |
|---|---|
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 282: RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.
#Description
RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 282: RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=
#Description
RRL_TO_BE_TRUNCATED_RESPONSE: InterfaceIP=; Destination=; QNAME=; QTYPE=; XID=; RCODE=; Port=; PacketData=.
Fields #
| Name | Description |
|---|---|
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 283: RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.
#Description
RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 283: RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; PacketData=
#Description
RRL_TO_BE_LEAKED_RESPONSE: InterfaceIP=; Destination=; QNAME=; QTYPE=; XID=; RCODE=; Port=; PacketData=.
Fields #
| Name | Description |
|---|---|
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 284: RESPONSE_SUCCESS: TCP=.
#Description
RESPONSE_SUCCESS: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; DNSSEC=DNSSEC; RCODE=RCODE; Port=Port; Flags=Flags; Scope=Scope; Zone=Zone; PolicyName=PolicyName; PacketData=PacketData; AdditionalInfo= AdditionalInfo; DataTag=DataTag; ElapsedTime=ElapsedTime; GUID=GUID; EDNSCorrelationTag=EDNSCorrelationTag
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
DNSSEC UInt8 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Scope UnicodeString | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
DataTag UInt64 | |
ElapsedTime UInt32 | |
GUID UnicodeString | |
EDNSCorrelationTag GUID | |
EDNSScopeName UnicodeString | |
StaleRecordsPresent UnicodeString |
Event ID 284: RESPONSE_SUCCESS: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; DNSSEC=DNSSEC; RCODE=RCODE; Port=Port; Flags=Flags; Scope=Scope; Zone=Z...
#Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
DNSSEC UInt8 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Scope UnicodeString | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
DataTag UInt64 | |
ElapsedTime UInt32 | |
GUID UnicodeString | |
EDNSCorrelationTag GUID | |
EDNSScopeName UnicodeString | |
StaleRecordsPresent UnicodeString |
Event ID 285: RESPONSE_FAILURE: TCP=.
#Description
RESPONSE_FAILURE: TCP=TCP; InterfaceIP=InterfaceIP; Reason=Reason; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; Flags=Flags; Zone=Zone; PolicyName=PolicyName; PacketData=PacketData; AdditionalInfo = VirtualizationInstance: BufferSize; ElapsedTime=ElapsedTime; GUID=GUID; EDNSCorrelationTag=EDNSCorrelationTag
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Reason UnicodeString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
ElapsedTime UInt32 | |
GUID UnicodeString | |
EDNSCorrelationTag GUID | |
EDNSScopeName UnicodeString |
Event ID 285: RESPONSE_FAILURE: TCP=TCP; InterfaceIP=InterfaceIP; Reason=Reason; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RCODE=RCODE; Port=Port; Flags=Flags; Zone=Zone; PolicyName=PolicyName;...
#Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Reason UnicodeString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
ElapsedTime UInt32 | |
GUID UnicodeString | |
EDNSCorrelationTag GUID | |
EDNSScopeName UnicodeString |
Event ID 286: RECURSE_ALIAS_FAILURE: TCP=.
#Description
RECURSE_ALIAS_FAILURE: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; ServerScope=ServerScope; CacheScope=CacheScope; PacketData=PacketData; AdditionalInfo = VirtualizationInstance AdditionalInfo; AliasFailureReason=AliasFailureReason
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Source AnsiString | |
InterfaceIP AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
ServerScope UnicodeString | |
CacheScope UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
AliasFailureReason UnicodeString |
Event ID 286: RECURSE_ALIAS_FAILURE: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; ServerScope=ServerScope; CacheScope=CacheScope; Pack...
#Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Source AnsiString | |
InterfaceIP AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
ServerScope UnicodeString | |
CacheScope UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
AliasFailureReason UnicodeString |
Event ID 287: QUERY_RECEIVED: TCP=.
#Description
QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; GUID=GUID; EDNSExtendedRCodeBits=EDNSExtendedRCodeBits; EDNSFlags=EDNSFlags; EDNSUdpPayloadSize=EDNSUdpPayloadSize; EDNSScopeName=EDNSScopeName; EDNSVirtualizationInstance=EDNSVirtualizationInstance; EDNSDataTag=EDNSDataTag; EDNSCorrelationTag=EDNSCorrelationTag
Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
BufferSize UInt32 | |
PacketData Binary | |
GUID UnicodeString | |
EDNSExtendedRCodeBits UInt8 | |
EDNSFlags UInt32 | |
EDNSUdpPayloadSize UInt32 | |
EDNSScopeName UnicodeString | |
EDNSVirtualizationInstance UnicodeString | |
EDNSDataTag UInt64 | |
EDNSCorrelationTag GUID |
Event ID 287: QUERY_RECEIVED: TCP=TCP; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; GUID=GUID; EDNSExtendedRCodeBits=EDNSExtend...
#Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Source AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
BufferSize UInt32 | |
PacketData Binary | |
GUID UnicodeString | |
EDNSExtendedRCodeBits UInt8 | |
EDNSFlags UInt32 | |
EDNSUdpPayloadSize UInt32 | |
EDNSScopeName UnicodeString | |
EDNSVirtualizationInstance UnicodeString | |
EDNSDataTag UInt64 | |
EDNSCorrelationTag GUID |
Event ID 288: DNSSEC_VALIDATION_FAILURE: QNAME=QNAME; RRTYPE=RRTYPE; QueryGUID=QueryGUID; QXID=QXID; XID=XID; CacheNodeName=CacheNodeName.
#Event ID 288
#Description
DNSSEC_VALIDATION_FAILURE: QNAME=; RRTYPE=; QueryGUID=; QXID=; XID=; CacheNodeName=.
Fields #
| Name | Description |
|---|---|
QNAME AnsiString | |
RRTYPE UInt32 | |
QueryGUID UnicodeString | |
QXID UInt32 | |
XID UInt32 | |
CacheNodeName AnsiString |
Event ID 289: RECURSE_QUERY_OUT: TCP=.
#Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Destination AnsiString | |
InterfaceIP AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
QXID UInt32 | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString | |
EDNSScopeName UnicodeString | |
EDNSCorrelationTag GUID |
Event ID 289: RECURSE_QUERY_OUT: TCP=TCP; Destination=Destination; InterfaceIP=InterfaceIP; RD=RD; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=...
#Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Destination AnsiString | |
InterfaceIP AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
QXID UInt32 | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString | |
EDNSScopeName UnicodeString | |
EDNSCorrelationTag GUID |
Event ID 290: RECURSE_RESPONSE_IN: TCP=.
#Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Source AnsiString | |
InterfaceIP AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RecursionDepth UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString | |
QueriesAttached UInt32 | |
EDNSScopeName UnicodeString | |
EDNSCorrelationTag GUID |
Event ID 290: RECURSE_RESPONSE_IN: TCP=TCP; Source=Source; InterfaceIP=InterfaceIP; AA=AA; AD=AD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; RemoteQueriesSent=RecursionDepth; Port=Port; Flags=Flags; RecursionScope=Recur...
#Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
Source AnsiString | |
InterfaceIP AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RecursionDepth UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString | |
QueriesAttached UInt32 | |
EDNSScopeName UnicodeString | |
EDNSCorrelationTag GUID |
Event ID 291: RECURSE_QUERY_TIMEOUT: TCP=.
#Message #
Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
QXID UInt32 | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
AdditionalInfo UnicodeString | |
GUID UnicodeString | |
EDNSScopeName UnicodeString | |
EDNSCorrelationTag GUID |
Event ID 291: RECURSE_QUERY_TIMEOUT: TCP=TCP; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; QTYPE=QTYPE; QXID=QXID; XID=XID; Port=Port; Flags=Flags; RecursionScope=RecursionScope; CacheScope=Cac...
#Fields #
| Name | Description |
|---|---|
TCP UInt8 | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
QXID UInt32 | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
RecursionScope UnicodeString | |
CacheScope UnicodeString | |
AdditionalInfo UnicodeString | |
GUID UnicodeString | |
EDNSScopeName UnicodeString | |
EDNSCorrelationTag GUID |
Event ID 512: The zone Name was created with settings: Type=Type; Lookup=Lookup; ReplicationScope=ReplicationScope; ZoneFile=ZoneFile; [virtualization instance VirtualizationID].
#Description
The zone Name was created with settings: Type=Type; Lookup=Lookup; ReplicationScope=ReplicationScope; ZoneFile=ZoneFile; [virtualization instance VirtualizationID].
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Type UnicodeString | |
Lookup UnicodeString | |
ReplicationScope UnicodeString | |
ZoneFile UnicodeString | |
VirtualizationID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 512,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 4611686018427912192,
"time_created": "2026-06-13T15:10:59.9754883+00:00",
"event_record_id": 54,
"correlation": {},
"execution": {
"process_id": 3516,
"thread_id": 1884
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Name": "evtgen2.lab",
"Type": "Primary",
"Lookup": "Forward",
"ReplicationScope": "None",
"ZoneFile": "evtgen2.lab.dns",
"VirtualizationID": "."
},
"message": "The zone evtgen2.lab was created with settings: Type=Primary; Lookup=Forward; ReplicationScope=None; ZoneFile=evtgen2.lab.dns; [virtualization instance .]."
}
Event ID 513: The zone Zone was deleted.
#Description
The zone Zone was deleted. [virtualization instance: VirtualizationID].
Message #
Fields #
| Name | Description |
|---|---|
Zone UnicodeString | |
VirtualizationID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "EB79061A-A566-4698-9119-3ED2807060E7",
"event_source_name": "",
"event_id": 513,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 4611686018427912192,
"time_created": "2026-03-13T20:16:16.023159+00:00",
"event_record_id": 129,
"correlation": {},
"execution": {
"process_id": 3936,
"thread_id": 7972
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Zone": "evtgen.test.local",
"VirtualizationID": "."
},
"message": ""
}
Event ID 514: The zone Zone was updated.
#Description
The zone Zone was updated. The PropertyKey setting has been set to NewValue. [virtualization instance: VirtualizationID].
Message #
Fields #
| Name | Description |
|---|---|
Zone UnicodeString | |
PropertyKey AnsiString | |
NewValue UnicodeString | |
VirtualizationID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 514,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 4611686018427912192,
"time_created": "2026-06-13T15:10:59.9671629+00:00",
"event_record_id": 53,
"correlation": {},
"execution": {
"process_id": 3516,
"thread_id": 1884
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Zone": "evtgen2.lab",
"PropertyKey": "SecondaryServers",
"NewValue": "allow zone transfers to name servers and automatically notify name servers when the zone changes",
"VirtualizationID": "."
},
"message": "The zone evtgen2.lab was updated. The SecondaryServers setting has been set to allow zone transfers to name servers and automatically notify name servers when the zone changes. [virtualization instance: .]."
}
Event ID 515: A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created in scope ZoneScope of zone Zone.
#Description
A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created in scope ZoneScope of zone Zone. [virtualization instance: VirtualizationID].
Message #
Fields #
| Name | Description |
|---|---|
Type UInt32 | |
NAME AnsiString | |
TTL UInt32 | |
BufferSize UInt32 | |
RDATA Binary | |
Zone UnicodeString | |
ZoneScope UnicodeString | |
VirtualizationID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "EB79061A-A566-4698-9119-3ED2807060E7",
"event_source_name": "",
"event_id": 515,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 4611686018428436480,
"time_created": "2026-03-13T20:16:07.020870+00:00",
"event_record_id": 95,
"correlation": {},
"execution": {
"process_id": 3936,
"thread_id": 7972
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Type": 1,
"NAME": "host1.evtgen.test.local",
"TTL": 3600,
"BufferSize": 4,
"RDATA": "C0A8C801",
"Zone": "evtgen.test.local",
"ZoneScope": "Default",
"VirtualizationID": "."
},
"message": ""
}
Event ID 516: A resource record of type Type, name NAME and RDATA RDATA was deleted from scope ZoneScope of zone Zone.
#Description
A resource record of type Type, name NAME and RDATA RDATA was deleted from scope ZoneScope of zone Zone.
Message #
Fields #
| Name | Description |
|---|---|
Type UInt32 | |
NAME AnsiString | |
TTL UInt32 | |
BufferSize UInt32 | |
RDATA Binary | |
Zone UnicodeString | |
ZoneScope UnicodeString | |
VirtualizationID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "EB79061A-A566-4698-9119-3ED2807060E7",
"event_source_name": "",
"event_id": 516,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 4611686018428436480,
"time_created": "2026-03-13T20:16:07.396548+00:00",
"event_record_id": 103,
"correlation": {},
"execution": {
"process_id": 3936,
"thread_id": 7972
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Type": 1,
"NAME": "host2.evtgen.test.local",
"TTL": 0,
"BufferSize": 4,
"RDATA": "C0A8C802",
"Zone": "evtgen.test.local",
"ZoneScope": "Default",
"VirtualizationID": "."
},
"message": ""
}
Event ID 517: All resource records of type Type, name NAME were deleted from scope ZoneScope of zone Zone.
#Description
All resource records of type Type, name NAME were deleted from scope ZoneScope of zone Zone. [virtualization instance: VirtualizationID].
Message #
Fields #
| Name | Description |
|---|---|
Type UInt32 | |
NAME AnsiString | |
Zone UnicodeString | |
ZoneScope UnicodeString | |
VirtualizationID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "EB79061A-A566-4698-9119-3ED2807060E7",
"event_source_name": "",
"event_id": 517,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 4611686018428436480,
"time_created": "2026-03-13T20:16:07.413855+00:00",
"event_record_id": 105,
"correlation": {},
"execution": {
"process_id": 3936,
"thread_id": 7972
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Type": 28,
"NAME": "host3.evtgen.test.local",
"Zone": "evtgen.test.local",
"ZoneScope": "Default",
"VirtualizationID": "."
},
"message": ""
}
Event ID 518: All resource records at Node name NAME were deleted from scope ZoneScope of zone Zone.
#Event ID 519: A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created in scope ZoneScope of zone Zone via dynamic update from IP Address Source.
#Description
A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was created in scope ZoneScope of zone Zone via dynamic update from IP Address Source.
Message #
Fields #
| Name | Description |
|---|---|
Type UInt32 | |
NAME AnsiString | |
TTL UInt32 | |
BufferSize UInt32 | |
RDATA Binary | |
Zone UnicodeString | |
ZoneScope UnicodeString | |
Source AnsiString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 519,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 4611686018460942336,
"time_created": "2026-05-30T00:33:20.5343772+00:00",
"event_record_id": 64,
"correlation": {},
"execution": {
"process_id": 3820,
"thread_id": 5060
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Type": "1",
"NAME": "telemetry-dc-a",
"TTL": "1200",
"BufferSize": "4",
"RDATA": "0A01140B",
"Zone": "cell-a.ludus.domain",
"ZoneScope": "Default",
"Source": "10.1.20.11"
},
"message": "A resource record of type 1, name telemetry-dc-a, TTL 1200 and RDATA 0x0A01140B was created in scope Default of zone cell-a.ludus.domain via dynamic update from IP Address 10.1.20.11."
}
Event ID 520: A resource record of type Type, name NAME and RDATA RDATA was deleted from scope ZoneScope of zone Zone via dynamic update from IP Address Source.
#Description
A resource record of type Type, name NAME and RDATA RDATA was deleted from scope ZoneScope of zone Zone via dynamic update from IP Address Source.
Message #
Fields #
| Name | Description |
|---|---|
Type UInt32 | |
NAME AnsiString | |
TTL UInt32 | |
BufferSize UInt32 | |
RDATA Binary | |
Zone UnicodeString | |
ZoneScope UnicodeString | |
Source AnsiString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 520,
"version": 0,
"level": 4,
"task": 3,
"opcode": 0,
"keywords": 4611686018460942336,
"time_created": "2026-05-30T00:33:20.5343748+00:00",
"event_record_id": 63,
"correlation": {},
"execution": {
"process_id": 3820,
"thread_id": 5060
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Type": "1",
"NAME": "telemetry-dc-a",
"TTL": "0",
"BufferSize": "4",
"RDATA": "0A01140B",
"Zone": "cell-a.ludus.domain",
"ZoneScope": "Default",
"Source": "10.1.20.11"
},
"message": "A resource record of type 1, name telemetry-dc-a and RDATA 0x0A01140B was deleted from scope Default of zone cell-a.ludus.domain via dynamic update from IP Address 10.1.20.11."
}
Event ID 521: A resource record of type Type, name NAME, TTL TTL and RDATA RDATA was scavenged from scope ZoneScope of zone Zone.
#Event ID 522: The scope ZoneScope was created in zone Zone.
#Event ID 523: The scope ZoneScope was deleted in zone Zone.
#Event ID 525: The zone ZoneName was signed with following properties: DenialOfExistence=DenialOfExistence; DistributeTrustAnchor=DistributeTrustAnchor; DnsKeyRecordSetTtl=DnsKeyRecordSetTtl; DSRecordGenerationAl...
#Description
The zone ZoneName was signed with following properties: DenialOfExistence=DenialOfExistence; DistributeTrustAnchor=DistributeTrustAnchor; DnsKeyRecordSetTtl=DnsKeyRecordSetTtl; DSRecordGenerationAlgorithm=DSRecordGenerationAlgorithm; DSRecordSetTtl=DSRecordSetTtl; EnableRfc5011KeyRollover=EnableRfc5011KeyRollover; IsKeyMasterServer=IsKeyMasterServer; KeyMasterServer=KeyMasterServer; NSec3HashAlgorithm=NSec3HashAlgorithm; NSec3Iterations=NSec3Iterations; NSec3OptOut=NSec3OptOut; NSec3RandomSaltLength=NSec3RandomSaltLength; NSec3UserSalt=NSec3UserSalt; ParentHasSecureDelegation=ParentHasSecureDelegation; PropagationTime=PropagationTime; SecureDelegationPollingPeriod=SecureDelegationPollingPeriod; SignatureInceptionOffset=SignatureInceptionOffset.
Message #
Fields #
| Name | Description |
|---|---|
ZoneName UnicodeString | |
DenialOfExistence UnicodeString | |
DistributeTrustAnchor UnicodeString | |
DnsKeyRecordSetTtl UInt32 | |
DSRecordGenerationAlgorithm UnicodeString | |
DSRecordSetTtl UInt32 | |
EnableRfc5011KeyRollover UnicodeString | |
IsKeyMasterServer UnicodeString | |
KeyMasterServer AnsiString | |
NSec3HashAlgorithm UInt32 | |
NSec3Iterations UInt32 | |
NSec3OptOut UnicodeString | |
NSec3RandomSaltLength UInt32 | |
NSec3UserSalt UnicodeString | |
ParentHasSecureDelegation UnicodeString | |
PropagationTime UInt32 | |
SecureDelegationPollingPeriod UInt32 | |
SignatureInceptionOffset UInt32 |
Event ID 526: The zone Zone was unsigned.
#Event ID 527: The zone ZoneName was re-signed with following properties: DenialOfExistence=DenialOfExistence; DistributeTrustAnchor=DistributeTrustAnchor; DnsKeyRecordSetTtl=DnsKeyRecordSetTtl; DSRecordGeneratio...
#Description
The zone ZoneName was re-signed with following properties: DenialOfExistence=DenialOfExistence; DistributeTrustAnchor=DistributeTrustAnchor; DnsKeyRecordSetTtl=DnsKeyRecordSetTtl; DSRecordGenerationAlgorithm=DSRecordGenerationAlgorithm; DSRecordSetTtl=DSRecordSetTtl; EnableRfc5011KeyRollover=EnableRfc5011KeyRollover; IsKeyMasterServer=IsKeyMasterServer; KeyMasterServer=KeyMasterServer; NSec3HashAlgorithm=NSec3HashAlgorithm; NSec3Iterations=NSec3Iterations; NSec3OptOut=NSec3OptOut; NSec3RandomSaltLength=NSec3RandomSaltLength; NSec3UserSalt=NSec3UserSalt; ParentHasSecureDelegation=ParentHasSecureDelegation; PropagationTime=PropagationTime; SecureDelegationPollingPeriod=SecureDelegationPollingPeriod; SignatureInceptionOffset=SignatureInceptionOffset.
Message #
Fields #
| Name | Description |
|---|---|
ZoneName UnicodeString | |
DenialOfExistence UnicodeString | |
DistributeTrustAnchor UnicodeString | |
DnsKeyRecordSetTtl UInt32 | |
DSRecordGenerationAlgorithm UnicodeString | |
DSRecordSetTtl UInt32 | |
EnableRfc5011KeyRollover UnicodeString | |
IsKeyMasterServer UnicodeString | |
KeyMasterServer AnsiString | |
NSec3HashAlgorithm UInt32 | |
NSec3Iterations UInt32 | |
NSec3OptOut UnicodeString | |
NSec3RandomSaltLength UInt32 | |
NSec3UserSalt UnicodeString | |
ParentHasSecureDelegation UnicodeString | |
PropagationTime UInt32 | |
SecureDelegationPollingPeriod UInt32 | |
SignatureInceptionOffset UInt32 |
Event ID 528: Rollover was started on the type Type with GUID GUID of zone Zone.
#Event ID 529: Rollover was completed on the type Type with GUID GUID of zone Zone.
#Event ID 530: The type Type with GUID GUID of zone Zone was marked for retiral.
#Event ID 531: Manual rollover was triggered on the type Type with GUID GUID of zone Zone.
#Event ID 533: The keys signing key with GUID GUID on zone Zone that was waiting for a Delegation Signer(DS) update on the parent has been forced to move to rollover ...
#Event ID 534: DNSSEC setting metadata was exported WithWithout key signing key metadata from zone Zone.
#Event ID 535: DNSSEC setting metadata was imported on zone Zone.
#Event ID 536: A record of type QTYPE, QNAME QNAME was purged from scope Scope in cache.
#Description
A record of type QTYPE, QNAME QNAME was purged from scope Scope in cache.
Message #
Fields #
| Name | Description |
|---|---|
QTYPE UInt32 | Known values
|
QNAME AnsiString | |
Scope UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "EB79061A-A566-4698-9119-3ED2807060E7",
"event_source_name": "",
"event_id": 536,
"version": 0,
"level": 4,
"task": 9,
"opcode": 0,
"keywords": 4611686020574871552,
"time_created": "2026-03-13T20:23:59.987128+00:00",
"event_record_id": 173,
"correlation": {},
"execution": {
"process_id": 3936,
"thread_id": 6156
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"QTYPE": 255,
"QNAME": "*",
"Scope": "Default"
},
"message": ""
}
Event ID 537: The forwarder list on scope Scope has been reset to Forwarders.
#Description
The forwarder list on scope Scope has been reset to Forwarders.
Message #
Fields #
| Name | Description |
|---|---|
Forwarders AnsiString | |
Scope UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 537,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 4611686018444165120,
"time_created": "2026-05-30T01:44:01.4462386+00:00",
"event_record_id": 298,
"correlation": {
"ActivityID": "{855B5F38-AB0E-488F-A046-747AA920EAE1}"
},
"execution": {
"process_id": 3196,
"thread_id": 12400
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Forwarders": "10.2.10.254",
"Scope": "."
},
"message": "The forwarder list on scope . has been reset to 10.2.10.254."
}
Event ID 540: The root hints have been modified.
#Description
The root hints have been modified.
Message #
Event ID 541: The setting Setting on scope Scope has been set to NewValue.
#Description
The setting Setting on scope Scope has been set to NewValue.
Message #
Fields #
| Name | Description |
|---|---|
Setting AnsiString | |
Scope UnicodeString | |
NewValue UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 541,
"version": 0,
"level": 4,
"task": 10,
"opcode": 0,
"keywords": 4611686018561605632,
"time_created": "2026-05-28T00:51:39.7295350+00:00",
"event_record_id": 37,
"correlation": {},
"execution": {
"process_id": 4716,
"thread_id": 4208
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1000"
}
},
"event_data": {
"Setting": "MaxCacheTtl",
"Scope": ".",
"NewValue": "2"
},
"message": "The setting MaxCacheTtl on scope . has been set to 2."
}
Event ID 542: The scope RecursionScope of DNS server was created.
#Event ID 543: The scope RecursionScope of DNS server was deleted.
#Event ID 544: The DNSKEY with Key Protocol KeyProtocol, Base64 Data Base64Data and Crypto Algorithm CryptoAlgorithm has been added at the trust point Name.
#Event ID 545: The DS with Key Tag: KeyTag, Digest Type: DigestType, Digest: Digest and Crypto Algorithm: CryptoAlgorithm has been added at the trust point Name.
#Description
The DS with Key Tag: KeyTag, Digest Type: DigestType, Digest: Digest and Crypto Algorithm: CryptoAlgorithm has been added at the trust point Name.
Message #
Fields #
| Name | Description |
|---|---|
Name AnsiString | |
KeyTag UInt32 | |
DigestType UnicodeString | |
BufferSize UInt32 | |
Digest Binary | |
CryptoAlgorithm UnicodeString |
Event ID 546: The trust point at Name of type Type has been removed.
#Event ID 547: The trust anchor for the root zone has been added.
#Description
The trust anchor for the root zone has been added.
Message #
Event ID 548: A request to restart the DNS server service has been received.
#Description
A request to restart the DNS server service has been received.
Message #
Event ID 549: The debug logs have been cleared from FilePath on DNS server.
#Event ID 550: The in-memory contents of all the zones on DNS server have been flushed to their respective files.
#Description
The in-memory contents of all the zones on DNS server have been flushed to their respective files.
Message #
Event ID 551: All the statistical data for the DNS server has been cleared.
#Description
All the statistical data for the DNS server has been cleared.
Message #
Event ID 552: A resource record scavenging cycle has been started on the DNS Server.
#Description
A resource record scavenging cycle has been started on the DNS Server.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "EB79061A-A566-4698-9119-3ED2807060E7",
"event_source_name": "",
"event_id": 552,
"version": 0,
"level": 4,
"task": 11,
"opcode": 0,
"keywords": 4611686155866341376,
"time_created": "2026-03-13T20:16:07.476971+00:00",
"event_record_id": 111,
"correlation": {},
"execution": {
"process_id": 3936,
"thread_id": 7972
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": ""
}
Event ID 553: EventString.
#Event ID 554: The resource record scavenging cycle has been terminated on the DNS Server.
#Description
The resource record scavenging cycle has been terminated on the DNS Server.
Message #
Event ID 555: The DNS server has been prepared for demotion by removing references to it from all zones stored in the Active Directory.
#Description
The DNS server has been prepared for demotion by removing references to it from all zones stored in the Active Directory.
Message #
Event ID 556: The information about the root hints on the DNS server has been written back to the persistent storage.
#Description
The information about the root hints on the DNS server has been written back to the persistent storage.
Message #
Event ID 557: The addresses on which DNS server will listen has been changed to ListenAddresses.
#Event ID 558: An immediate RFC 5011 active refresh has been scheduled for all trust points.
#Description
An immediate RFC 5011 active refresh has been scheduled for all trust points.
Message #
Event ID 559: The zone Zone is paused.
#Event ID 560: The zone Zone is resumed.
#Event ID 561: The data for zone Zone has been reloaded from FilePath.
#Event ID 562: The data for zone Zone has been refreshed from the master server MasterServer.
#Event ID 563: The secondary zone Zone has been expired and new data has been requested from the master server MasterServer.
#Event ID 564: The zone Zone has been reloaded from the Active Directory.
#Event ID 565: The content of the zone Zone has been written to the disk and the notification has been sent to all the notify servers.
#Event ID 566: All DNS records at the node NodeName in the zone Zone will have their aging time stamp set to the current time.
#Event ID 567: The Active Directory-integrated zone Zone has been updated.
#Description
The Active Directory-integrated zone Zone has been updated. Only ScavengeServers can run scavenging.
Message #
Fields #
| Name | Description |
|---|---|
Zone UnicodeString | |
ScavengeServers UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "EB79061A-A566-4698-9119-3ED2807060E7",
"event_source_name": "",
"event_id": 567,
"version": 0,
"level": 4,
"task": 5,
"opcode": 0,
"keywords": 4611686018427912192,
"time_created": "2026-03-13T20:16:07.469361+00:00",
"event_record_id": 110,
"correlation": {},
"execution": {
"process_id": 3936,
"thread_id": 7972
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Zone": "evtgen.test.local",
"ScavengeServers": "NULL"
},
"message": ""
}
Event ID 568: The key master role for zone Zone has been SeizedOrTransfered.
#Event ID 569: A KeyOrZone signing key (KskOrZsk) descriptor has been added on the zone Zone with following properties: KeyId=KeyId; KeyType=KeyType; CurrentState=CurrentState; KeyStorageProvider...
#Description
A KeyOrZone signing key (KskOrZsk) descriptor has been added on the zone Zone with following properties: KeyId=KeyId; KeyType=KeyType; CurrentState=CurrentState; KeyStorageProvider=KeyStorageProvider; StoreKeysInAD=StoreKeysInAD; CryptoAlgorithm=CryptoAlgorithm; KeyLength=KeyLength; DnsKeySignatureValidityPeriod=DnsKeySignatureValidityPeriod; DSSignatureValidityPeriod=DSSignatureValidityPeriod; ZoneSignatureValidityPeriod=ZoneSignatureValidityPeriod; InitialRolloverOffset=InitialRolloverOffset; RolloverPeriod=RolloverPeriod; RolloverType=RolloverType; NextRolloverAction=NextRolloverAction; LastRolloverTime=LastRolloverTime; NextRolloverTime=NextRolloverTime; CurrentRolloverStatus=CurrentRolloverStatus; ActiveKey=ActiveKey; StandbyKey=StandbyKey; NextKey=NextKey. The zone will be resigned with the KskOrZsk generated with these properties.
Message #
Fields #
| Name | Description |
|---|---|
KeyOrZone UnicodeString | |
KskOrZsk UnicodeString | |
Zone UnicodeString | |
KeyId UnicodeString | |
KeyType UnicodeString | Known values
|
CurrentState UnicodeString | |
KeyStorageProvider UnicodeString | |
StoreKeysInAD Boolean | |
CryptoAlgorithm UnicodeString | |
KeyLength UInt32 | |
DnsKeySignatureValidityPeriod UInt32 | |
DSSignatureValidityPeriod UInt32 | |
ZoneSignatureValidityPeriod UInt32 | |
InitialRolloverOffset UInt32 | |
RolloverPeriod UInt32 | |
RolloverType UnicodeString | |
NextRolloverAction UnicodeString | |
LastRolloverTime FILETIME | |
NextRolloverTime FILETIME | |
CurrentRolloverStatus UnicodeString | |
ActiveKey UnicodeString | |
StandbyKey UnicodeString | |
NextKey UnicodeString |
Event ID 570: A KeyOrZone signing key (KskOrZsk) descriptor with GUID GUID has been updated on the zone Zone.
#Description
A KeyOrZone signing key (KskOrZsk) descriptor with GUID GUID has been updated on the zone Zone. The properties of this KskOrZsk descriptor have been set to: KeyId=KeyId; KeyType=KeyType; CurrentState=CurrentState; KeyStorageProvider=KeyStorageProvider; StoreKeysInAD=StoreKeysInAD; CryptoAlgorithm=CryptoAlgorithm; KeyLength=KeyLength; DnsKeySignatureValidityPeriod=DnsKeySignatureValidityPeriod; DSSignatureValidityPeriod=DSSignatureValidityPeriod; ZoneSignatureValidityPeriod=ZoneSignatureValidityPeriod; InitialRolloverOffset=InitialRolloverOffset; RolloverPeriod=RolloverPeriod; RolloverType=RolloverType; NextRolloverAction=NextRolloverAction; LastRolloverTime=LastRolloverTime; NextRolloverTime=NextRolloverTime; CurrentRolloverStatus=CurrentRolloverStatus; ActiveKey=ActiveKey; StandbyKey=StandbyKey; NextKey=NextKey. The zone will be resigned with the KskOrZsk generated with these properties.
Message #
Fields #
| Name | Description |
|---|---|
KeyOrZone UnicodeString | |
KskOrZsk UnicodeString | |
GUID UnicodeString | |
Zone UnicodeString | |
KeyId UnicodeString | |
KeyType UnicodeString | Known values
|
CurrentState UnicodeString | |
KeyStorageProvider UnicodeString | |
StoreKeysInAD Boolean | |
CryptoAlgorithm UnicodeString | |
KeyLength UInt32 | |
DnsKeySignatureValidityPeriod UInt32 | |
DSSignatureValidityPeriod UInt32 | |
ZoneSignatureValidityPeriod UInt32 | |
InitialRolloverOffset UInt32 | |
RolloverPeriod UInt32 | |
RolloverType UnicodeString | |
NextRolloverAction UnicodeString | |
LastRolloverTime FILETIME | |
NextRolloverTime FILETIME | |
CurrentRolloverStatus UnicodeString | |
ActiveKey UnicodeString | |
StandbyKey UnicodeString | |
NextKey UnicodeString |
Event ID 571: A KeyOrZone signing key (KskOrZsk) descriptor GUID has been removed from the zone Zone.
#Event ID 572: The state of the KeyOrZone signing key (KskOrZsk) GUID has been modified on zone Zone.
#Description
The state of the KeyOrZone signing key (KskOrZsk) GUID has been modified on zone Zone. The new active key is ActiveKey, standby key is StandbyKey and next key is NextKey.
Message #
Fields #
| Name | Description |
|---|---|
KeyOrZone UnicodeString | |
KskOrZsk UnicodeString | |
GUID UnicodeString | |
Zone UnicodeString | |
ActiveKey UnicodeString | |
StandbyKey UnicodeString | |
NextKey UnicodeString |
Event ID 573: A delegation for ChildZone in the scope Scope of zone Zone with the name server NameServer has been added.
#Description
A delegation for ChildZone in the scope Scope of zone Zone with the name server NameServer has been added. [virtualization instance: VirtualizationID].
Message #
Fields #
| Name | Description |
|---|---|
ChildZone AnsiString | |
Scope UnicodeString | |
Zone UnicodeString | |
NameServer AnsiString | |
VirtualizationID UnicodeString |
Event ID 574: The client subnet with name ClientSubnetRecord, and value ClientSubnetList has been added to the DNS server.
#Description
The client subnet with name ClientSubnetRecord, and value ClientSubnetList has been added to the DNS server.
Message #
Fields #
| Name | Description |
|---|---|
ClientSubnetRecord UnicodeString | |
ClientSubnetList AnsiString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 574,
"version": 0,
"level": 4,
"task": 13,
"opcode": 0,
"keywords": 4611688217450643456,
"time_created": "2026-05-30T01:44:01.5740414+00:00",
"event_record_id": 302,
"correlation": {
"ActivityID": "{57540301-0F4B-4D0C-9193-97EFA7EA3929}"
},
"execution": {
"process_id": 3196,
"thread_id": 12400
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"ClientSubnetRecord": "labsubnet",
"ClientSubnetList": "203.0.113.0/24"
},
"message": "The client subnet with name labsubnet, and value 203.0.113.0/24 has been added to the DNS server."
}
Event ID 575: The client subnet with name ClientSubnetRecord has been deleted from the DNS server.
#Description
The client subnet with name ClientSubnetRecord has been deleted from the DNS server.
Message #
Fields #
| Name | Description |
|---|---|
ClientSubnetRecord UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 575,
"version": 0,
"level": 4,
"task": 13,
"opcode": 0,
"keywords": 4611688217450643456,
"time_created": "2026-05-30T01:44:01.6692404+00:00",
"event_record_id": 306,
"correlation": {
"ActivityID": "{E81A7F0E-43A9-49DF-92EC-D2E454B3E8B2}"
},
"execution": {
"process_id": 3196,
"thread_id": 12400
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"ClientSubnetRecord": "labsubnet"
},
"message": "The client subnet with name labsubnet has been deleted from the DNS server."
}
Event ID 576: The client subnet with name ClientSubnetRecord has been updated on the DNS server.
#Description
The client subnet with name ClientSubnetRecord has been updated on the DNS server. The new IP subnets that it refers to are ClientSubnetList.
Message #
Fields #
| Name | Description |
|---|---|
ClientSubnetRecord UnicodeString | |
ClientSubnetList AnsiString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 576,
"version": 0,
"level": 4,
"task": 13,
"opcode": 0,
"keywords": 4611688217450643456,
"time_created": "2026-05-30T01:44:01.5889889+00:00",
"event_record_id": 303,
"correlation": {
"ActivityID": "{B03E37E2-F9A5-4710-94EB-65FBFF348D5C}"
},
"execution": {
"process_id": 3196,
"thread_id": 12400
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"ClientSubnetRecord": "labsubnet",
"ClientSubnetList": "198.51.100.0/24"
},
"message": "The client subnet with name labsubnet has been updated on the DNS server. The new IP subnets that it refers to are 198.51.100.0/24."
}
Event ID 577: A server level policy Policy for Type has been created on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Condition:Condition;...
#Description
A server level policy Policy for Type has been created on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Condition:Condition; IsEnabled:IsEnabled.
Message #
Fields #
| Name | Description |
|---|---|
Type UnicodeString | |
ServerName AnsiString | |
ProcessingOrder UInt32 | |
Criteria UnicodeString | |
Action UnicodeString | |
Policy UnicodeString | |
Condition UnicodeString | |
IsEnabled UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 577,
"version": 0,
"level": 4,
"task": 13,
"opcode": 0,
"keywords": 4611688217450643456,
"time_created": "2026-05-30T01:44:01.6353516+00:00",
"event_record_id": 304,
"correlation": {
"ActivityID": "{2566A2CE-4041-45DC-9238-F6B16BCA5CB7}"
},
"execution": {
"process_id": 3196,
"thread_id": 12400
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Type": "Query processing",
"ServerName": "JD-DC01-2022.ludus.domain",
"ProcessingOrder": "1",
"Criteria": "ClientSubnet=EQ,labsubnet",
"Action": "Deny",
"Policy": "labpolicy",
"Condition": "And",
"IsEnabled": "True"
},
"message": "A server level policy labpolicy for Query processing has been created on server JD-DC01-2022.ludus.domain with following properties: Processing order:1; Criteria:ClientSubnet=EQ,labsubnet; Action:Deny; Condition:And; IsEnabled:True."
}
Event ID 578: A zone level policy Policy for Type has been created on zone ZoneName on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Scop...
#Description
A zone level policy Policy for Type has been created on zone ZoneName on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Scopes:Scopes; Condition:Condition; IsEnabled:IsEnabled.
Message #
Fields #
| Name | Description |
|---|---|
Type UnicodeString | |
ServerName AnsiString | |
ProcessingOrder UInt32 | |
Criteria UnicodeString | |
Action UnicodeString | |
ZoneName UnicodeString | |
Scopes UnicodeString | |
Policy UnicodeString | |
Condition UnicodeString | |
IsEnabled UnicodeString |
Event ID 579: A policy Policy to control recursion settings has been created on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Sco...
#Description
A policy Policy to control recursion settings has been created on server ServerName with following properties: Processing order:ProcessingOrder; Criteria:Criteria; Action:Action; Scope:RecursionScope; Condition:Condition; IsEnabled:IsEnabled.
Message #
Fields #
| Name | Description |
|---|---|
RecursionScope UnicodeString | |
ServerName AnsiString | |
ProcessingOrder UInt32 | |
Criteria UnicodeString | |
Action UnicodeString | |
Policy UnicodeString | |
Condition UnicodeString | |
IsEnabled UnicodeString |
Event ID 580: The server level policy Policy has been deleted from server ServerName.
#Description
The server level policy Policy has been deleted from server ServerName.
Message #
Fields #
| Name | Description |
|---|---|
Policy UnicodeString | |
ServerName AnsiString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 580,
"version": 0,
"level": 4,
"task": 13,
"opcode": 0,
"keywords": 4611688217450643456,
"time_created": "2026-05-30T01:44:01.6509631+00:00",
"event_record_id": 305,
"correlation": {
"ActivityID": "{C796662E-87B9-4F44-BC71-B0F14B2C4488}"
},
"execution": {
"process_id": 3196,
"thread_id": 12400
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Policy": "labpolicy",
"ServerName": "JD-DC01-2022.ludus.domain"
},
"message": "The server level policy labpolicy has been deleted from server JD-DC01-2022.ludus.domain."
}
Event ID 581: The zone level policy Policy has been deleted from zone Zone on server ServerName.
#Event ID 582: The policy Policy to control recursion settings has been deleted from server ServerName.
#Event ID 583: The server level policy Policy has been updated on server ServerName.
#Event ID 584: The zone level policy Policy has been updated on zone Zone of server ServerName.
#Description
The zone level policy Policy has been updated on zone Zone of server ServerName. The properties OldPropertyValues have been updated to NewPropertyValues.
Message #
Fields #
| Name | Description |
|---|---|
Policy UnicodeString | |
ServerName AnsiString | |
Zone UnicodeString | |
OldPropertyValues UnicodeString | |
NewPropertyValues UnicodeString |
Event ID 585: The server level policy Policy for recursion has been updated on server ServerName.
#Description
The server level policy Policy for recursion has been updated on server ServerName. The properties OldPropertyValues have been updated to NewPropertyValues.
Message #
Fields #
| Name | Description |
|---|---|
Policy UnicodeString | |
ServerName AnsiString | |
OldPropertyValues UnicodeString | |
NewPropertyValues UnicodeString |
Event ID 586: The zone level policy Policy has been updated on zone Zone of server ServerName.
#Event ID 587: The zone level policy Policy has been updated on zone Zone of server ServerName.
#Event ID 588: The zone level policy Policy has been updated on zone Zone of server ServerName.
#Description
The zone level policy Policy has been updated on zone Zone of server ServerName. The weight assigned to scope Scope has been updated from ScopeWeightOld to ScopeWeightNew.
Message #
Fields #
| Name | Description |
|---|---|
Policy UnicodeString | |
ServerName AnsiString | |
Scope UnicodeString | |
ScopeWeightNew UInt32 | |
ScopeWeightOld UInt32 | |
Zone UnicodeString |
Event ID 589: The server level policy Policy for recursion has been updated on server ServerName.
#Event ID 590: The Response Rate Limiting is configured on the DNS server ServerName.
#Description
The Response Rate Limiting is configured on the DNS server ServerName. The RRL settings are ResponsesPerSecond: ResponsePerSecond, ErrorsPerSecond: ErrorsPerSecond, LeakRate: LeakRate, TCRate: TCRate, Window: WindowSize, MaximumResponsesInWindow: TotalResponsesInWindow, IPv4PrefixLength: IPv4PrefixLength, IPv6PrefixLength: IPv6PrefixLength, Mode: Mode.
Message #
Fields #
| Name | Description |
|---|---|
ServerName AnsiString | |
ResponsePerSecond UInt32 | |
ErrorsPerSecond UInt32 | |
LeakRate UInt32 | |
TCRate UInt32 | |
WindowSize UInt32 | |
TotalResponsesInWindow UInt32 | |
IPv4PrefixLength UInt32 | |
IPv6PrefixLength UInt32 | |
Mode AnsiString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DNSServer",
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"event_source_name": "",
"event_id": 590,
"version": 0,
"level": 4,
"task": 15,
"opcode": 0,
"keywords": 4611721202799476736,
"time_created": "2026-05-30T01:44:06.7185486+00:00",
"event_record_id": 308,
"correlation": {},
"execution": {
"process_id": 12412,
"thread_id": 11636
},
"channel": "Microsoft-Windows-DNSServer/Audit",
"computer": "JD-DC01-2022.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"ServerName": "JD-DC01-2022.ludus.domain",
"ResponsePerSecond": "5",
"ErrorsPerSecond": "5",
"LeakRate": "3",
"TCRate": "2",
"WindowSize": "5",
"TotalResponsesInWindow": "1024",
"IPv4PrefixLength": "24",
"IPv6PrefixLength": "56",
"Mode": "LogOnly"
},
"message": "The Response Rate Limiting is configured on the DNS server JD-DC01-2022.ludus.domain. The RRL settings are ResponsesPerSecond: 5, ErrorsPerSecond: 5, LeakRate: 3, TCRate: 2, Window: 5, MaximumResponsesInWindow: 1024, IPv4PrefixLength: 24, IPv6PrefixLength: 56, Mode: LogOnly."
}
Event ID 591: A exceptionlist RRLExceptionlist against response rate limiting has been added on the DNS server ServerName with following settings: Criteria; Condition:Condition.
#Description
A exceptionlist RRLExceptionlist against response rate limiting has been added on the DNS server ServerName with following settings: Criteria; Condition:Condition. The queries that fall under this exceptionlist shall be exempt from response rate limiting.
Message #
Fields #
| Name | Description |
|---|---|
RRLExceptionlist UnicodeString | |
ServerName AnsiString | |
Criteria UnicodeString | |
Condition UnicodeString |
Event ID 592: A exceptionlist RRLExceptionlist against response rate limiting has been deleted from server ServerName.
#Event ID 593: A exceptionlist RRLExceptionlist against response rate limiting has been updated on server ServerName.
#Description
A exceptionlist RRLExceptionlist against response rate limiting has been updated on server ServerName. The properties OldPropertyValues have been updated to NewPropertyValues.
Message #
Fields #
| Name | Description |
|---|---|
RRLExceptionlist UnicodeString | |
ServerName AnsiString | |
OldPropertyValues UnicodeString | |
NewPropertyValues UnicodeString |
Event ID 594: The virtualization instance VirtualizationID with friendly name FriendlyName was created.
#Event ID 595: The virtualization instance VirtualizationID was removed.
#Event ID 596: The virtualization instance VirtualizationID was updated.
#Event ID 597: QUERY_RECEIVED: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; RD=RD; QNAME=QNAME; QTYPE=QTYPE; XID=XID; Port=Port; Flags=Flags; PacketData=PacketData; AdditionalInfo = ...
#Description
QUERY_RECEIVED: Channel=; ; InterfaceIP=; Source=; RD=; QNAME=; QTYPE=; XID=; Port=; Flags=; PacketData=; AdditionalInfo = VirtualizationInstanceOptionValue: ; GUID=.
Message #
Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Source AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString | |
EdnsInfo UnicodeString |
Event ID 597
#Description
QUERY_RECEIVED: Channel=; ; InterfaceIP=; Source=; RD=; QNAME=; QTYPE=; XID=; Port=; Flags=; PacketData=; AdditionalInfo = VirtualizationInstanceOptionValue: ; GUID=.
Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Source AnsiString | |
RD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
GUID UnicodeString | |
EdnsInfo UnicodeString |
Event ID 598: RESPONSE_SUCCESS: Channel=.
#Message #
Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Destination AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
DNSSEC UInt8 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Scope UnicodeString | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
DataTag UInt64 | |
ElapsedTime UInt32 | |
GUID UnicodeString | |
EdnsInfo UnicodeString | |
StaleRecordsPresent UnicodeString |
Event ID 598
#Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Destination AnsiString | |
AA UInt8 | |
AD UInt8 | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
DNSSEC UInt8 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Scope UnicodeString | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
DataTag UInt64 | |
ElapsedTime UInt32 | |
GUID UnicodeString | |
EdnsInfo UnicodeString | |
StaleRecordsPresent UnicodeString |
Event ID 599: RESPONSE_FAILURE: Channel=.
#Message #
Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Reason UnicodeString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
ElapsedTime UInt32 | |
GUID UnicodeString | |
EdnsInfo UnicodeString |
Event ID 599
#Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Reason UnicodeString | |
Destination AnsiString | |
QNAME AnsiString | |
QTYPE UInt32 | Known values
|
XID UInt32 | |
RCODE UInt32 | Known values
|
Port UInt32 | |
Flags UInt32 | |
Zone UnicodeString | |
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary | |
AdditionalInfo UnicodeString | |
ElapsedTime UInt32 | |
GUID UnicodeString | |
EdnsInfo UnicodeString |
Event ID 600: IGNORED_QUERY: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason.
#Event ID 600
#Description
IGNORED_QUERY: Channel=; ; InterfaceIP=; Source=; Reason=.
Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Source AnsiString | |
Reason UnicodeString |
Event ID 601: IGNORED_QUERY: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; Reason=Reason.
#Event ID 601
#Description
IGNORED_QUERY: Channel=; ; InterfaceIP=; Source=; Reason=.
Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Source AnsiString | |
Reason UnicodeString |
Event ID 602: DYN_UPDATE_RECV: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; Port=Port; Flags=Flags; SECURE=Secure; PacketData=PacketData.
#Description
DYN_UPDATE_RECV: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Source=Source; QNAME=QNAME; XID=XID; Port=Port; Flags=Flags; SECURE=Secure; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Source AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
Secure UInt8 | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 602
#Description
DYN_UPDATE_RECV: Channel=; ; InterfaceIP=; Source=; QNAME=; XID=; Port=; Flags=; SECURE=; PacketData=.
Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Source AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
Port UInt32 | |
Flags UInt32 | |
Secure UInt8 | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 603: DYN_UPDATE_RESPONSE: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PolicyName=PolicyName; Packet...
#Description
DYN_UPDATE_RESPONSE: Channel=Channel; ChannelInfo; InterfaceIP=InterfaceIP; Destination=Destination; QNAME=QNAME; XID=XID; ZoneScope=ZoneScope; Zone=Zone; RCODE=RCODE; PolicyName=PolicyName; PacketData=PacketData.
Message #
Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Event ID 603
#Description
DYN_UPDATE_RESPONSE: Channel=; ; InterfaceIP=; Destination=; QNAME=; XID=; ZoneScope=; Zone=; RCODE=; PolicyName=; PacketData=.
Fields #
| Name | Description |
|---|---|
Channel UnicodeString | |
ChannelInfo UnicodeString | |
InterfaceIP AnsiString | |
Destination AnsiString | |
QNAME AnsiString | |
XID UInt32 | |
ZoneScope UnicodeString | |
Zone UnicodeString | |
RCODE UInt32 | Known values
|
PolicyName UnicodeString | |
BufferSize UInt32 | |
PacketData Binary |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {EB79061A-A566-4698-9119-3ED2807060E7}
Defined in dns.exe, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.2849, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02