I added a rule called Block Google DNS, specified the Remote IP (18.104.22.168) and UDP port 53. I also move it to the top of my chain as shown below.
Once the rule is applied at the workstation, It shown at the top of the custom rules but below the McAfee default rules. The problem is there is a default rule called McAfee - Allow DNS Resolution which, when I browse to the Internet with DNS of 22.214.171.124, is allow through because that rule allows it and my rule is never used (see below).
I search the webs for answers to no avail. Does anybody know something I don't?
Lastly, I understand I can block the domain however, I am looking to block potential DNS tunneling using the port. I also understand that DNS traffic can be routed over different ports as well. I am trying to trigger as much as I can at the host level before it gets to the net. engineer's side.
Thanks in advance.
Blocking DNS traffic cannot be done with HIPS, as the default rule (McAfee - Allow DNS Resolution) will always allow all DNS traffic; this is not configurable.