Blocking DNS Tunneling at the Host

There was a time when malware, at an alarming rate, would use some unique port that no other service used, usually an ephemeral port. These days, however, malware is increasingly seen using ports that are commonly open outbound on a system, such as 22, 25, 53, 80, and 443. The one we will focus on is 53, which is registered for DNS, and how to block its abuse by an attack commonly known as DNS tunneling.

It is best to start by thinking through which systems need to be contacted for DNS service. Once you have that list in mind, we can begin blocking any other DNS traffic, which might be malicious. We will do this with the Windows Firewall.

Instructions for configuring a rule that blocks port 53 traffic to a specific IP address, and one that blocks it to every IP address except for one, can be found HERE.
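As an added example (not from the original post), the following PowerShell script applies the "every IP except the approved resolvers" configuration with the built-in NetSecurity cmdlets. The two resolver addresses are constructed placeholders, and it assumes the firewall accepts "start-end" IPv4 ranges in -RemoteAddress; run it from an elevated prompt.

```powershell
# Added example: restrict outbound port 53 to approved resolvers only.
# Windows Firewall evaluates Block rules ahead of Allow rules, so a plain
# "block 53 to any" would also defeat the Allow rule. The Block rule below
# therefore lists every IPv4 range EXCEPT the approved resolvers.
$Approved = @('10.0.0.53', '10.0.0.54')   # constructed placeholders; replace

function ConvertTo-UInt32 ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                      # network order -> little-endian
    return [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-UInt32 ([uint32]$N) {
    $b = [BitConverter]::GetBytes($N); [Array]::Reverse($b)
    return ([System.Net.IPAddress]::new($b)).ToString()
}
# Complement of the approved set, as "start-end" ranges the firewall accepts.
function Get-ComplementRanges ([string[]]$Allowed) {
    $ranges = @(); $next = [uint32]0
    $sorted = $Allowed | ForEach-Object { ConvertTo-UInt32 $_ } | Sort-Object -Unique
    foreach ($n in $sorted) {
        if ($n -gt $next) {
            $ranges += "$(ConvertFrom-UInt32 $next)-$(ConvertFrom-UInt32 ($n - 1))"
        }
        $next = $n + 1                        # widened to Int64, no overflow
    }
    if ($next -le [uint32]::MaxValue) {
        $ranges += "$(ConvertFrom-UInt32 $next)-255.255.255.255"
    }
    return $ranges
}

$Complement = Get-ComplementRanges $Approved
foreach ($proto in 'UDP', 'TCP') {            # DNS uses both; cover each
    # Allow rule documents intent and still works if DefaultOutboundAction
    # is later set to Block for the profile.
    New-NetFirewallRule -DisplayName "Allow DNS ($proto) to approved resolvers" `
        -Direction Outbound -Action Allow -Protocol $proto -RemotePort 53 `
        -RemoteAddress $Approved -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "Block DNS ($proto) to all other hosts" `
        -Direction Outbound -Action Block -Protocol $proto -RemotePort 53 `
        -RemoteAddress $Complement -Profile Any | Out-Null
}
# Verify the installed address filters, and compare the approved list with
# the resolvers the DNS client is actually configured to use.
Get-NetFirewallRule -DisplayName '*DNS*' | Get-NetFirewallAddressFilter
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
```

IPv6 is not covered here; the same pair of rules is needed for the IPv6 resolvers if the host uses them.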

Understand that DNS traffic can be routed through another port. Unfortunately, a port-based Windows Firewall rule won't be able to help with detecting that.