DNS-Client/Operational.evtx
C:\Windows\System32\winevt\Logs\Microsoft-Windows-DNS-Client%4Operational.evtx
Almost every malicious implant - regardless of how sophisticated - eventually needs Windows to resolve a domain name into an IP address. The DNS Client Operational log records every query the OS executes, making it a devastating forensic source against attackers who rely on domain-based C2 infrastructure and didn't bother implementing their own DNS resolver.
Microsoft-Windows-DNS-Client/Operational - written by the Windows DNS Client service (Dnscache)
Enable with: wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true
General
The DNS Client Operational log captures every DNS resolution request made by the Windows DNS Client service (Dnscache). Because the DNS cache is the single chokepoint through which nearly all hostname-to-IP resolutions pass, enabling this log provides endpoint-level DNS visibility without needing network infrastructure like DNS server logs or packet captures. When enabled, each query event records the queried hostname, the requesting process ID and the query result - information that is typically only visible at the network level. This makes it especially powerful in cloud environments, heavily encrypted networks or cases where no network capture was available during the incident.
Traces
The most forensically significant Event IDs in the DNS-Client Operational log are:
| Event ID | Description |
|---|---|
| 3006 | DNS query initiated. Records the queried FQDN, query type (A, AAAA, MX etc.) and the process ID that initiated the lookup. The primary source for C2 domain identification. |
| 3008 | DNS query response received. Contains the resolved IP address(es) alongside the original query - allows correlation of a domain to its resolved IP at a specific point in time. |
| 3020 | DNS query completed with result. Combines the queried name and final resolution outcome, including cache hits and NXDOMAIN responses that indicate failed C2 beaconing. |
Forensic Value
- Identify C2 beaconing without packet captures: High-frequency resolution of the same unknown domain (often at regular intervals) in Event 3006 is a direct signature of C2 beaconing activity - observable from the endpoint alone without any network infrastructure.
- Attribute DNS queries to specific processes: The Process ID field in Event 3006 allows direct correlation between a suspicious DNS query and the process responsible via Security Event 4688 (process creation), enabling precise process-to-C2-domain attribution.
- Detect DGA activity: A burst of NXDOMAIN responses (Event 3020 with failed resolution) against algorithmically generated domain names is a strong indicator of a Domain Generation Algorithm (DGA) implant attempting to locate its active C2 server.
- Reconstruct network activity from offline systems: In cases where no network logs survive - seized devices, air-gapped networks or destroyed infrastructure - DNS Client events provide the only available record of which external domains the endpoint attempted to contact.
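The beaconing and DGA indicators above, turned into detection logic as an added example (not part of the original page): the records are constructed sample data shaped like the fields the page describes, and the field names (`event_id`, `ts`, `name`, `pid`, `status`) are assumptions rather than the evtx schema.

```python
# Added example: beaconing and NXDOMAIN-burst detection over DNS-Client Operational
# records. Field names and the sample values below are constructed assumptions.
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_EVENTS = (
    # Implant-like process 4712 resolving the same name about once a minute (Event 3006).
    [{"event_id": 3006, "ts": t, "name": "cdn-sync.example.net", "pid": 4712, "status": None}
     for t in (0, 61, 120, 181, 240)]
    # The same process burning through DGA-style names that never resolve (Event 3020).
    + [{"event_id": 3020, "ts": 300 + i * 3, "name": f"{n}.example.org", "pid": 4712,
        "status": "NXDOMAIN"} for i, n in enumerate(["qzxkf", "mplwe", "trzvb", "hqkdn", "wsyuo", "cbndz"])]
    # Ordinary browsing by process 1234: few queries, irregular timing, all resolved.
    + [{"event_id": 3006, "ts": t, "name": "www.example.com", "pid": 1234, "status": None}
       for t in (5, 330, 910)]
    + [{"event_id": 3020, "ts": t + 1, "name": "www.example.com", "pid": 1234, "status": "NOERROR"}
       for t in (5, 330, 910)]
)

def beacon_candidates(events, min_queries=4, max_jitter=0.2):
    """Names a single PID queried repeatedly at near-regular intervals (Event 3006)."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 3006:
            by_key[(e["pid"], e["name"])].append(e["ts"])
    hits = {}
    for (pid, name), times in by_key.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low coefficient of variation in the inter-query gaps = timer-driven lookups.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[name] = {"pid": pid, "count": len(times), "interval_s": round(avg)}
    return hits

def nxdomain_bursts(events, window_s=60, threshold=5):
    """PIDs whose NXDOMAIN results (Event 3020) cluster inside a window_s-second window."""
    by_pid = defaultdict(list)
    for e in events:
        if e["event_id"] == 3020 and e["status"] == "NXDOMAIN":
            by_pid[e["pid"]].append(e["ts"])
    bursts = {}
    for pid, times in by_pid.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - s <= window_s) for i, s in enumerate(times))
        if best >= threshold:
            bursts[pid] = best  # largest number of failures seen in any single window
    return bursts
```

The PID in each hit is what you then join against Security Event 4688 to name the responsible binary.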