Lab: DNS Filtering in Windows Firewall

By /

Listen to this Post

Featured Image

Objectives:

  1. Locate and access the Microsoft Windows Firewall interface.
  2. Create a new outbound rule in Windows Firewall to block DNS traffic.
  3. Verify the existence and effectiveness of the new outbound rule.

You Should Know:

Step 1: Accessing Windows Firewall

  1. Press Win + R, type wf.msc, and hit Enter to open Windows Defender Firewall with Advanced Security.

2. Alternatively, navigate via:

  • Control Panel > System and Security > Windows Defender Firewall > Advanced Settings.

Step 2: Creating an Outbound Rule to Block DNS
DNS uses UDP port 53 (and sometimes TCP port 53 for larger queries).

Block DNS via Command Line (Admin PowerShell):

New-NetFirewallRule -DisplayName "Block Outbound DNS" -Direction Outbound -Protocol UDP -RemotePort 53 -Action Block -Enabled True

Verify the rule:

Get-NetFirewallRule -DisplayName "Block Outbound DNS" | Select-Object Name, Enabled, Action, Direction

GUI Method:

  1. In Windows Firewall with Advanced Security, select Outbound Rules > New Rule.
  2. Choose Custom > All programs > Protocol Type: UDP > Remote Port: 53.
  3. Select Block the connection > Apply to Domain, Private, Public.
  4. Name the rule (e.g., “Block DNS”) and finish.

Step 3: Testing the Rule

  1. Open Command Prompt and try querying a domain: 
    nslookup example.com

– If blocked, you’ll see a timeout or failure.
2. Check firewall logs (Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender Firewall with Advanced Security).

Step 4: Allow DNS for Specific Servers (Optional)

To permit internal DNS (e.g., `192.168.1.1`):

New-NetFirewallRule -DisplayName "Allow Internal DNS" -Direction Outbound -Protocol UDP -RemotePort 53 -RemoteAddress 192.168.1.1 -Action Allow -Enabled True

What Undercode Say

DNS filtering is critical for security—blocking malicious domains or restricting external DNS queries forces traffic through controlled servers. Combine this with:
– Linux DNS Blocking (iptables): 

sudo iptables -A OUTPUT -p udp --dport 53 -j DROP

– Logging Blocked Queries: 

sudo iptables -A OUTPUT -p udp --dport 53 -j LOG --log-prefix "DNS BLOCKED: "

– Windows DNS Cache Inspection: 

ipconfig /displaydns

– Flush DNS Cache (Post-Rule Testing): 

ipconfig /flushdns

For advanced users, tools like dnscrypt-proxy or Pi-hole add granular control. Always test rules in a lab before production deployment.

Expected Output:

  • Successful DNS blocking confirmed via `nslookup` timeout.
  • Firewall logs showing blocked UDP/53 packets.
  • Optional allow-rules functioning for permitted DNS servers.

Prediction

As cyber threats evolve, DNS-layer security will become standard in enterprise environments, with increased adoption of encrypted DNS (DoH/DoT) bypassing traditional filters—requiring deeper protocol inspection.

References:

Reported By: Shamseer Siddiqui – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram

Related Posts: