Forum Discussion
N1sBackup
1 hour ago
Bronze I
Help with Snort Rules: Fake Tech Support Popup
I'm stuck on parts 7-9
Part 7 wants me to create a Snort rule to detect the domain 'site.topwebsite4.xyz', then submit the token.
alert udp any any -> any 53 (msg:"site.topwebsite4.xyz"; sid:1000001; rev:1;)
is the only Snort rule giving me anything, but it gives me 4 results, which is too many. I also tried adding the ports from said results to part 8, but none of those ports are the correct ports for the question. What do I do?