When the Firewall component of the Symantec Endpoint Protection (SEP) for Mac client uses rules that reference domains (entered manually or via Host Groups), DNS lookups are seen after policy updates and after a reboot or client daemon restart.
macOS
SEP 14.2+
This behavior is by design.
As soon as the SEP for Mac client receives a new firewall policy that contains hostnames defined in its rules, the client performs a DNS lookup for each hostname to obtain its IP address. The request is sent to the DNS server configured for the host. The DNS response contains the IP address of the queried host, which the client uses to create or update the Firewall rule specific to that host's IPs. This allows the Firewall to block or allow those IPs as defined in the applicable rule(s).
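
One way to triage these lookups from the DNS side, as an added example that is not Symantec's code: it labels queries for rule hostnames that arrive shortly after a policy update or daemon restart as expected, and lists rule hostnames that were not looked up after a trigger. The hostnames, log layout, event times and 60-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data; hostnames, log layout and the 60 s window are assumptions.
RULE_HOSTNAMES = {"updates.example.com", "intranet.example.com"}
TRIGGERS = [("policy_update", "2024-01-10T09:00:00"),
            ("daemon_restart", "2024-01-10T13:30:00")]
DNS_LOG = """\
2024-01-10T09:00:02 mac-01 updates.example.com
2024-01-10T09:00:03 mac-01 intranet.example.com
2024-01-10T10:15:40 mac-01 updates.example.com
2024-01-10T13:30:05 mac-01 Intranet.Example.com.
2024-01-10T13:30:06 mac-01 unrelated.example.net
"""
WINDOW = timedelta(seconds=60)

def parse_log(text):
    """Yield (timestamp, client, normalized qname) per non-empty log line."""
    for line in filter(str.strip, text.splitlines()):
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.rstrip(".").lower()

def classify(text, rule_hostnames, triggers, window=WINDOW):
    """Label each query: expected rule resolution, off-window, or unrelated."""
    events = [(kind, datetime.fromisoformat(ts)) for kind, ts in triggers]
    out = []
    for ts, client, name in parse_log(text):
        hit = next((k for k, t in events if timedelta(0) <= ts - t <= window), None)
        if name not in rule_hostnames:
            label = "not-a-rule-hostname"
        elif hit:
            label = "expected:" + hit
        else:
            label = "rule-hostname-outside-window"
        out.append((ts.isoformat(), client, name, label))
    return out

def missing_after_trigger(text, rule_hostnames, triggers, window=WINDOW):
    """Per trigger, rule hostnames with no lookup seen inside the window."""
    queries = list(parse_log(text))
    missing = {}
    for kind, raw in triggers:
        t = datetime.fromisoformat(raw)
        seen = {n for ts, _, n in queries if timedelta(0) <= ts - t <= window}
        missing[kind] = sorted(rule_hostnames - seen)
    return missing

if __name__ == "__main__":
    print(*classify(DNS_LOG, RULE_HOSTNAMES, TRIGGERS), sep="\n")
    print(missing_after_trigger(DNS_LOG, RULE_HOSTNAMES, TRIGGERS))
```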