Ultimate CKS exam 1 task 2 question

  1. Blocks ALL egress traffic to the following malicious CIDR ranges:
  • 192.168.100.0/24
  • 10.0.99.0/24
  2. Allows DNS traffic (UDP and TCP port 53) to ensure basic network functionality
  3. Allows all other egress traffic except the blocked malicious ranges

The answer in the checker is:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-malicious-egress
  namespace: threat-prevention
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except: ['192.168.100.0/24', '10.0.99.0/24']
  - ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP

But that still allows any connection to 192.168.100.0/24 on port 53, or is there some precedence happening? Or what if I didn’t specify the explicit rule for DNS ports: would this still allow any connectivity to any port in the ranges excluding the malicious ones?
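Added example, not part of the original question or of the exam checker: a small Python evaluator that applies the documented Kubernetes NetworkPolicy egress semantics (rules in the egress list are ORed; inside one rule, `to` and `ports` are ANDed, and an absent list means "all destinations" or "all ports") to the policy above, transcribed as plain dicts so it runs without a cluster. It models only ipBlock peers (podSelector/namespaceSelector peers are treated as non-matching, an assumption for this illustration) and also checks a tightened variant, constructed here, in which the DNS rule carries the same ipBlock exceptions.

```python
import ipaddress

# Constructed transcription of the NetworkPolicy in the post (assumption: only
# the egress list matters for the question; podSelector/policyTypes omitted).
POLICY_AS_POSTED = {
    "egress": [
        {"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                              "except": ["192.168.100.0/24", "10.0.99.0/24"]}}]},
        {"ports": [{"port": 53, "protocol": "UDP"},
                   {"port": 53, "protocol": "TCP"}]},
    ]
}

# Constructed variant: the DNS rule is restricted to the same non-malicious
# destinations, so no rule is left that allows port 53 to "anywhere".
POLICY_TIGHTENED = {
    "egress": [
        {"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                              "except": ["192.168.100.0/24", "10.0.99.0/24"]}}]},
        {"to": [{"ipBlock": {"cidr": "0.0.0.0/0",
                              "except": ["192.168.100.0/24", "10.0.99.0/24"]}}],
         "ports": [{"port": 53, "protocol": "UDP"},
                   {"port": 53, "protocol": "TCP"}]},
    ]
}

# Constructed variant answering the second question: no explicit DNS rule at all.
POLICY_WITHOUT_DNS_RULE = {"egress": [POLICY_AS_POSTED["egress"][0]]}


def _ipblock_matches(block, dst_ip):
    """ipBlock matches when the address is inside cidr and outside every except entry."""
    addr = ipaddress.ip_address(dst_ip)
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(ex, strict=False)
                   for ex in block.get("except", []))


def _peer_matches(peer, dst_ip):
    # Only ipBlock peers are modelled; selector-based peers need cluster state
    # and are treated as non-matching here (assumption of this example).
    if "ipBlock" in peer:
        return _ipblock_matches(peer["ipBlock"], dst_ip)
    return False


def _ports_match(ports, port, protocol):
    # Kubernetes defaults protocol to TCP when it is omitted.
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port
               for p in ports)


def rule_allows(rule, dst_ip, port, protocol):
    """Within one egress rule 'to' and 'ports' are ANDed; an absent or empty
    list means all destinations / all ports respectively."""
    to, ports = rule.get("to"), rule.get("ports")
    dest_ok = True if not to else any(_peer_matches(p, dst_ip) for p in to)
    port_ok = True if not ports else _ports_match(ports, port, protocol)
    return dest_ok and port_ok


def matching_rules(policy, dst_ip, port, protocol):
    """Indices of the egress rules that allow this connection (empty: denied)."""
    return [i for i, r in enumerate(policy.get("egress", []))
            if rule_allows(r, dst_ip, port, protocol)]


def egress_allowed(policy, dst_ip, port, protocol):
    """Egress rules are ORed: the connection is allowed if any single rule allows it."""
    return bool(matching_rules(policy, dst_ip, port, protocol))


if __name__ == "__main__":
    for name, pol in [("as posted", POLICY_AS_POSTED),
                      ("tightened", POLICY_TIGHTENED),
                      ("no DNS rule", POLICY_WITHOUT_DNS_RULE)]:
        for ip, port, proto in [("192.168.100.5", 53, "UDP"),
                                ("192.168.100.5", 443, "TCP"),
                                ("8.8.8.8", 53, "UDP")]:
            print(f"{name:12s} {ip}:{port}/{proto} -> "
                  f"rules {matching_rules(pol, ip, port, proto)}")
```

Running it shows that, as posted, port 53 to 192.168.100.5 is allowed by the second rule alone (its missing `to` means any destination), while port 443 to the same host is denied; without the explicit DNS rule, port 53 to a non-blocked resolver is still allowed by the first rule, because that rule has no `ports` list and therefore covers every port.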