how to restrict svchost.exe to dns, dhcp and ntp only.

Hi all.
I have win 7 and cis 10.
i have seen that svchost.exe and system process connect to outside ip addresses. i want to block it.

I have come to know that svchost must connect to dns, dhcp and ntp servers for the PC to work.

steps that i have taken till now are:-
i have made the network zone name “allowed zone” with dns addresses.
now i have gone to svchost and allowed all the connections to home detected and blocked all the addresses except dns.

I know my dns server address but not dhcp and ntp. how to find dhcp and ntp to allow them only and block the rest?
and should i do the same for system process as well?

pls tell me an efficient way to do this.

Thanks in advance. 8)

Few months ago I found these two posts on the forum:

https://forums.comodo.com/firewall-help-cis/windows-operating-system-trying-to-connect-to-the-internet-is-it-safe-t103656.0.html;msg763144#msg763144

https://forums.comodo.com/firewall-help-cis/rules-to-protect-the-system-from-udp-attacks-t104904.0.html;msg763569#msg763569

I made those rules (it took a while), but I have never seen a blocked request for svchost or system… so, when I installed CFW 10 from scratch, I didn’t bother to change the default firewall rules (I just created two custom rules to block Cortana and Edge, plus I set Chrome to follow the pre-defined browser ruleset)

Desktop (static ip for router and/or permanent leased designated IP for computer) or roaming laptop?
Use command:

ipconfig /all

to detemine assigned IP (could change if not locked in the router) and the IP of the gateway or router.

DHCP UDP port ranges for IPv4 and IPv6 respectively are 67-68, and 546-547.
DNS UDP port for IPv4 and IPv6 respectively are 53 and 953.
LLMNR UDP port is 5355. You may need this?
NTP UDP port is remote 123. Use nslookup for the address(es) in the command or set the rule to ask and log. I use different time servers from the default install (hacked the registry to use Canadian NRC and Canadian NTP servers) so not much help. In the command:

nslookup time.windows.com

I think that is the correct domain.

I allow the ICMPs for the svchost and system files (really no harm or foul as a non business set-up). Others will say the opposite.

Other ranges to be included that are maybe needed are broadcast and unicast, and depending in your situation perhaps multicast .