We recently installed an IPS system internally and I had a question about the way MWG does DNS queries. From looking at packet captures it appears that MWG uses UDP and always uses the same source port for all DNS queries. Is this the default behavior, and is it possible to force it to randomize the source ports for DNS queries so that it will use a different source port for each request? The problem is that once the IPS sees a query for a name that fires an intrusion event, it effectively shuts down all return traffic to the MWG over that source port. Since it's UDP, the MWG doesn't know that it's been shut down and keeps sending DNS requests over the same port, which never get answered.
Go to Configuration -> File Editor -> "mwg".
Review this section:
# renew the port for dns lookups. Set to 0 for disable (default: 1000)
# export DNS_PORT_REUSAGE_LIMIT
This might help.
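As an added illustration (not code from the thread or from the MWG product), the script below runs over a constructed set of DNS flow records and surfaces the symptom the question describes: one client source port carrying nearly all queries, and a run of unanswered queries on that port after an earlier answered one. The record format, port numbers and names are all constructed for the example; a practitioner would feed it tuples parsed from a real capture taken before and after changing DNS_PORT_REUSAGE_LIMIT.

```python
from collections import Counter, defaultdict

# Constructed sample (not a real capture). Each tuple is
# (direction, client source port, query name); "q" = query sent, "r" = reply seen.
SAMPLE_FLOWS = [
    ("q", 40123, "example.com"), ("r", 40123, "example.com"),
    ("q", 40123, "cdn.example.net"), ("r", 40123, "cdn.example.net"),
    ("q", 40123, "suspicious.test"),       # hypothetical IPS hit: reply never arrives
    ("q", 40123, "mail.example.org"),      # later queries on the same port
    ("q", 40123, "update.example.org"),    # also go unanswered
    ("q", 51877, "other.example.com"), ("r", 51877, "other.example.com"),
]

def port_reuse_counts(flows):
    """Number of queries sent from each client source port."""
    return Counter(port for direction, port, _ in flows if direction == "q")

def dominant_port(flows):
    """(port, share of all queries) for the most-used source port.
    A share near 1.0 means the resolver is effectively using a fixed port."""
    counts = port_reuse_counts(flows)
    port, n = counts.most_common(1)[0]
    return port, n / sum(counts.values())

def stuck_ports(flows, min_unanswered=2):
    """Ports whose trailing queries all went unanswered after an earlier reply:
    the pattern produced when return traffic to a reused port is dropped.
    Returns {port: [unanswered query names]}."""
    outcome = defaultdict(list)            # port -> [[name, answered?], ...] in order
    for direction, port, name in flows:
        if direction == "q":
            outcome[port].append([name, False])
        else:                              # match the reply to the oldest open query
            for entry in outcome[port]:
                if entry[0] == name and not entry[1]:
                    entry[1] = True
                    break
    stuck = {}
    for port, entries in outcome.items():
        answered = [ok for _, ok in entries]
        tail = answered[-min_unanswered:]
        if len(tail) == min_unanswered and not any(tail) and any(answered):
            stuck[port] = [name for name, ok in entries if not ok]
    return stuck

if __name__ == "__main__":
    print("dominant port:", dominant_port(SAMPLE_FLOWS))
    print("stuck ports:", stuck_ports(SAMPLE_FLOWS))
```

After lowering DNS_PORT_REUSAGE_LIMIT, a fresh capture should show the dominant-port share dropping and no port staying stuck, since the resolver moves to a new port before the blocked one accumulates a long tail of unanswered queries.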