Endpoint Protection

  • 1.  Firewall Rules to capture DNS queries

    Posted Apr 18, 2012 11:41 AM

    Is there a way to create a firewall rule or policy that will capture all DNS lookup requests an endpoint makes?  I have tried a few things as far as source/destination and local/remote port 53, UDP, svchost etc.  But nothing seems to accurately capture the packets I want to show the various lookups that an endpoint makes.




  • 2.  RE: Firewall Rules to capture DNS queries

    Posted Apr 18, 2012 12:05 PM

    I believe you are choosing to log.

    Right click on Logging > Write to packet log.


    Choose both UDP & TCP.



  • 3.  RE: Firewall Rules to capture DNS queries

    Posted Apr 18, 2012 01:33 PM

    What about destination/source and port information?  Should that be specified?  I do not want all data, just the DNS lookups.



  • 4.  RE: Firewall Rules to capture DNS queries

    Broadcom Employee
    Posted Apr 18, 2012 01:44 PM


  • 5.  RE: Firewall Rules to capture DNS queries

    Posted Apr 18, 2012 01:47 PM

    It depends what you want to do.  Do you want to capture DNS queries inbound or outbound or both?

    By default, DNS queries are simple UDP packets. There are some TCP generated packets, but if all you want to capture are the DNS queries, then UDP should suffice.  As stated above, you could choose to capture both (TCP & UDP).

    Obviously, DNS is using port 53.  So you will need to specify the Port number in your rule. 

    * * * * * *

    Allow connections to Any Host from Any Host -> Specify the port number DNS (53) and choose to log the events that match.
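    As an added illustration (not from this thread or the product), a small Python script showing what a port-53 rule that logs both UDP and TCP actually yields: it pulls the queried names out of port-53 payloads, handling the 2-byte length prefix that TCP DNS adds. The sample bytes and the (transport, port, payload) record tuples are constructed here and do not follow any product's log format.

```python
import struct

def parse_dns_question(payload: bytes):
    """Return (transaction_id, qname, qtype) from the first question of a DNS message."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; not valid in a question name
            raise ValueError("compressed label in question")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    (qtype,) = struct.unpack("!H", payload[pos:pos + 2])
    return txid, ".".join(labels), qtype

def dns_messages(transport: str, data: bytes):
    """Yield DNS messages from a port-53 payload. UDP carries one message per
    datagram; TCP carries a stream of 2-byte length-prefixed messages (RFC 1035 4.2.2)."""
    if transport == "udp":
        yield data
        return
    pos = 0
    while pos + 2 <= len(data):
        (mlen,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        yield data[pos:pos + mlen]
        pos += mlen

def lookups(records):
    """records: iterable of (transport, dst_port, payload). Returns queried names
    for port-53 traffic over either transport; other ports are ignored."""
    names = []
    for transport, port, payload in records:
        if port != 53:
            continue
        for msg in dns_messages(transport, payload):
            names.append(parse_dns_question(msg)[1])
    return names

# Constructed samples: a UDP A query for www.example.com, an unrelated port-443
# record, and a TCP-framed AAAA query for mail.example.org (length prefix 0x0022).
SAMPLE_UDP = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              b"\x03www\x07example\x03com\x00" b"\x00\x01\x00\x01")
SAMPLE_TCP = (b"\x00\x22" b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
              b"\x04mail\x07example\x03org\x00" b"\x00\x1c\x00\x01")
SAMPLE_RECORDS = [("udp", 53, SAMPLE_UDP), ("tcp", 443, b"\x16\x03\x01"), ("tcp", 53, SAMPLE_TCP)]
```

Dropping the TCP record type from the rule would silently lose the second lookup, which is the point of logging both protocols.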




  • 6.  RE: Firewall Rules to capture DNS queries

    Posted Apr 18, 2012 08:57 PM

    Be aware that the "Smart DNS" feature allows DNS lookup, which has higher priority than the FW rules you created and doesn't log.

    Therefore, disable the Smart DNS feature if you want to create a FW rule that captures the DNS queries.




  • 7.  RE: Firewall Rules to capture DNS queries

    Posted Apr 19, 2012 10:09 AM

    Create a rule as per the screenshot below.

    Hope this helps.



  • 8.  RE: Firewall Rules to capture DNS queries

    Posted Apr 19, 2012 04:59 PM

    OK, so SmartDNS must be unchecked in order to collect usable data?



  • 9.  RE: Firewall Rules to capture DNS queries

    Posted Apr 19, 2012 05:35 PM

    Correct, Smart DNS needs to be unchecked.