Network Traffic Analysis (NTA) relies heavily on understanding the context and payload of network communications, not just the ports they use. If you simply create a standard Layer 4 firewall rule allowing TCP/UDP port 53 (Option B), the firewall will let the traffic pass without deep inspection.
To detect advanced DNS anomalies (like DNS tunneling, where attackers hide data inside DNS queries, or domain generation algorithm (DGA) activity), the NTA engine must be able to read the actual DNS query strings. By configuring a Layer 7 APPID rule specifically for DNS (Option C), you force the vDefend architecture to send that traffic through the Deep Packet Inspection (DPI) engine. This DPI visibility is an absolute prerequisite for the NTA detectors to successfully analyze the DNS payload for malicious patterns.
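To see why payload visibility matters, the following added example (not vDefend code and not from the original page) parses the query name out of a raw DNS message and applies two simple heuristics, label length and character entropy. The function names, thresholds and sample queries are assumptions made for illustration; real NTA detectors are more sophisticated.

```python
import math
import struct
from collections import Counter

def build_query(name, txid=0x1234):
    """Build a minimal DNS query for a name (used only to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_qname(payload):
    """Extract the first question name from a raw DNS message (the Layer 7 view)."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("not a DNS message with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + 1 + length > len(payload):
            raise ValueError("invalid label length")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

def entropy(text):
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def score_query(payload, max_label=40, max_entropy=3.8):
    """Return (qname, reasons); thresholds are illustrative assumptions."""
    name = parse_qname(payload)
    labels = name.split(".")
    sub = "".join(labels[:-2])  # simplification: last two labels = registered domain
    reasons = []
    if any(len(l) > max_label for l in labels):
        reasons.append("long_label")
    if len(sub) >= 16 and entropy(sub) > max_entropy:
        reasons.append("high_entropy")
    return name, reasons

# Constructed samples: both would be UDP/53 to the same resolver, identical at Layer 4.
BENIGN = build_query("www.example.com")
ODD = build_query("abcdefghijklmnopqrstuvwxyz0123456789abcdefgh.t.example.com")
```

A Layer 4 rule sees only the 5-tuple for both samples; only the parsed query name separates them, which is the visibility the DPI path provides.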