Need a second set of eyes on a DNS drop rule

Question

I think I have this configured correctly to drop any DNS query out to the open internet: 
 
 Last match wins, correct? 
 John

DouglasFoster · Answer

This is all DNS traffic to Google's DNS servers. I do not know why you would want to block it, nor that you can block it with firewall rules. 
 The firewall rules are only activated if traffic bypasses all of the proxies. (Read the articles in the Wiki section.) In this case, I think the DNS subsystem acts like a proxy so the firewall rules are not evaluated. 
 The firewall live log has less data than the full log. If logging is enabled for a rule, a log entry is created for each packet, and the rule number is in the log entry. Judicious use of Allow Rule logging can help hunt down unexpected firewall behavior, as long as the packet is actually handled by the firewall rules.