Didier Stevens

A friend asked me for more info on the QueryStatus field in sysmon‘s DNS events.

When a DNS query succeeds, e.g., when there’s a DNS reply with an answer, that status field is 0.

But what can cause it to be different from 0?

A bit of testing revealed that a query for an unknown domain gives a QueryStatus value of 9003. 9003 is a Windows System Error Code for DNS. And the rcode for NXDOMAIN is 3. So maybe the QueryStatus value is the rcode value plus 9000.

I added a feature to my dnsresolver.py script, that allows me to choose the rcode I want to receive. It works with this command-line:

dnsresolver.py “type=rcode,label=rcodetest”

And then I can just do DNS queries for a hostname like this:

4.rcodetest.example.com.

When my dnsresolver replies to such a query, it will send a reply without answer and with rcode equal to 4 (because the first label of the DNS query is 4). This allows me to quickly test different rcodes:

And this does indeed confirm that QueryStatus is equal to the rcode (greater than 0) plus 9000.

If the rcode is 0, the QueryStatus is 0, unless there is no answer in the DNS reply. Then the QueryStatus is 9501:

FYI: to test this, I configured a Windows VM with DNS server IP = 127.0.0.1, ran sysmon and dnsresolver.py inside that VM and did ping requests (I didn’t use nslookup, because that tool talks directly to the DNS server, it doesn’t use the Windows DNS client service).