Port 53 (DNS)

Q: How do I check if port 53 is open?

Use 'nmap -sU -sT -p 53 hostname' to scan both TCP and UDP, 'dig @hostname example.com' to test DNS resolution, 'netstat -tlnp | grep :53' to check locally on Linux, or 'Test-NetConnection -ComputerName hostname -Port 53' in Windows PowerShell. For UDP specifically, use 'nmap -sU -p 53 hostname'.

Q: How do I configure BIND to listen on port 53?

In BIND's named.conf, set 'listen-on { 127.0.0.1; your-ip; };' in the options block to specify which interfaces to listen on. Use 'allow-recursion' to control who can make recursive queries, 'allow-transfer' to restrict zone transfers, and 'dnssec-validation auto;' to enable DNSSEC validation.

What is Port 53?

Port 53 is used by DNS (Domain Name System), the internet's directory service that translates human-readable domain names into IP addresses. DNS is one of the most critical internet infrastructure services, handling billions of queries daily. Without DNS, you would need to memorize IP addresses like 142.250.80.46 instead of typing google.com.

DNS operates on both TCP and UDP port 53. UDP is used for standard queries and responses (up to 512 bytes, or 4096 with EDNS0), while TCP handles zone transfers (AXFR/IXFR), large responses, DNSSEC-signed records, and serves as a fallback when UDP responses are truncated. Every time you visit a website, send an email, or use any internet service, your device queries DNS servers on port 53 to resolve the domain name.

The DNS hierarchy consists of root servers (.), TLD servers (.com, .org), authoritative nameservers, and recursive resolvers. Your ISP or configured resolver (like 8.8.8.8 or 1.1.1.1) handles the recursive lookup process, caching results according to TTL values to improve performance.

Modern DNS security includes DNSSEC for response validation, DNS over HTTPS (DoH) on port 443, and DNS over TLS (DoT) on port 853. These encrypted alternatives help prevent DNS spoofing and protect user privacy from surveillance and man-in-the-middle attacks.

Port 53: TCP vs UDP

Feature	UDP Port 53	TCP Port 53
Primary Use	Standard queries & responses	Zone transfers, large responses
Max Payload	512 bytes (4096 with EDNS0)	65,535 bytes
Connection	Connectionless (single packet)	Connection-oriented (3-way handshake)
Speed	Faster (no handshake overhead)	Slower (connection setup required)
Reliability	No guarantee of delivery	Guaranteed ordered delivery
Zone Transfers	Not used	Required (AXFR/IXFR)
DNSSEC	May be truncated, falls back to TCP	Handles large signed responses

Most DNS traffic uses UDP for performance reasons. However, RFC 7766 recommends that all DNS implementations support TCP, as DNSSEC adoption increases the size of DNS responses beyond UDP limits. Modern resolvers like Cloudflare (1.1.1.1) and Google (8.8.8.8) support both protocols.

Common Uses of Port 53

Recursive DNS Resolvers: Services like Google Public DNS (8.8.8.8), Cloudflare (1.1.1.1), and Quad9 (9.9.9.9) accept queries on port 53 and recursively resolve domain names on behalf of clients. Your ISP also runs recursive resolvers for its customers.

Authoritative DNS Servers: Nameservers like those run by domain registrars and hosting providers listen on port 53 to answer queries for the domains they are authoritative for. Examples include NS1, Route 53, and Cloudflare DNS.

Zone Transfers (AXFR/IXFR): Secondary DNS servers use TCP port 53 to pull zone data from primary servers. AXFR transfers the complete zone, while IXFR transfers only changes. These must be restricted to authorized secondary servers.

DNS over TLS (DoT): While DoT uses port 853 by default, it builds on the same DNS protocol. Some implementations can be configured to upgrade traditional port 53 connections to TLS.

Local DNS Services: Software like dnsmasq, Pi-hole, and systemd-resolved listen on port 53 locally (127.0.0.1) to provide DNS caching, ad blocking, and local name resolution for the host machine or LAN.

Port 53 Security

DNS Amplification Attacks: Open DNS resolvers on port 53 are frequently abused for DDoS amplification attacks. Attackers send small queries with a spoofed source IP, and the resolver sends much larger responses (amplification factor up to 70x) to the victim. Mitigation includes disabling open recursion, implementing BCP38/BCP84 source address validation, and enabling Response Rate Limiting (RRL).

DNS Cache Poisoning: Attackers attempt to inject forged DNS responses into a resolver's cache, redirecting users to malicious servers. DNSSEC (DNS Security Extensions) prevents this by cryptographically signing DNS records, allowing resolvers to verify response authenticity. Enable dnssec-validation auto; in BIND or val-permissive-mode: no in Unbound.

DNS Tunneling: Attackers can encode data within DNS queries and responses to exfiltrate data or establish covert command-and-control channels through port 53. Monitor for unusually long domain names, high query volumes to single domains, and TXT record abuse. Tools like iodine and dnscat2 exploit this technique.

DNS over TLS/HTTPS: Traditional DNS on port 53 sends queries in plaintext, allowing ISPs and network operators to monitor and modify DNS traffic. DNS over TLS (DoT, port 853) and DNS over HTTPS (DoH, port 443) encrypt queries to prevent eavesdropping and tampering. Configure clients to use DoH/DoT where privacy is required.

Firewall Best Practices: Restrict UDP and TCP port 53 access to only authorized DNS servers. Block outbound port 53 from all hosts except your designated resolvers to prevent DNS tunneling and data exfiltration. Use iptables, nftables, or cloud security groups to enforce these rules.

Configuring DNS on Port 53

BIND (named)

options {
    listen-on { 127.0.0.1; 192.168.1.1; };
    listen-on-v6 { ::1; };
    allow-recursion { 192.168.1.0/24; };
    allow-transfer { 10.0.0.2; };  // secondary NS
    dnssec-validation auto;
    rate-limit { responses-per-second 10; };
};

Unbound

server:
    interface: 0.0.0.0
    port: 53
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    hide-identity: yes
    hide-version: yes

dnsmasq

# /etc/dnsmasq.conf
listen-address=127.0.0.1,192.168.1.1
port=53
no-resolv
server=1.1.1.1
server=8.8.8.8
cache-size=1000
dnssec
dnssec-check-unsigned

Firewall Rules

iptables (UDP): iptables -A INPUT -p udp --dport 53 -s 192.168.1.0/24 -j ACCEPT
iptables (TCP): iptables -A INPUT -p tcp --dport 53 -s 10.0.0.2 -j ACCEPT
UFW: ufw allow from 192.168.1.0/24 to any port 53
firewalld: firewall-cmd --permanent --add-service=dns

How to Check Port 53

Remote Scanning

To check if port 53 is open on a remote host:

nmap (both): nmap -sU -sT -p 53 hostname — scan TCP and UDP
nmap (service): nmap -sV -p 53 hostname — detect DNS service version
dig: dig @hostname example.com — test DNS resolution directly
nslookup: nslookup example.com hostname — query a specific server
PowerShell: Test-NetConnection -ComputerName hostname -Port 53

Local Listening Check

To check if port 53 is listening on your local machine:

Linux: ss -tulnp | grep :53 or netstat -tulnp | grep :53
macOS: lsof -i :53
Windows: netstat -an | findstr :53

You can also use our Port Scanner tool to check port 53 on any host directly from your browser.

Troubleshooting Port 53

Port 53 already in use: On many Linux systems, systemd-resolved binds to port 53 on 127.0.0.53. To free the port for BIND or Unbound, disable it: sudo systemctl disable --now systemd-resolved and update /etc/resolv.conf manually.

DNS queries timing out: Check that your firewall allows both UDP and TCP on port 53. Some firewalls block TCP port 53, causing DNSSEC and large responses to fail. Verify with dig +tcp @server example.com.

SERVFAIL responses: Often caused by DNSSEC validation failures. Check if the domain's DNSSEC signatures are valid using dig +dnssec example.com. Temporarily test with dig +cd example.com (checking disabled) to confirm.

Zone transfer failures: Ensure TCP port 53 is open between primary and secondary servers. Verify allow-transfer in BIND or provide-xfr in NSD includes the secondary server's IP. Check with dig @primary AXFR example.com.

High query latency: Enable DNS caching on your resolver. For BIND, tune max-cache-size. For Unbound, increase msg-cache-size and rrset-cache-size. Consider prefetching popular records with prefetch: yes in Unbound.

Related Ports

Frequently Asked Questions

What is port 53 used for?

Port 53 is the default port for DNS (Domain Name System), the internet's directory service that translates domain names into IP addresses. It handles recursive queries from clients, authoritative responses from nameservers, zone transfers between DNS servers, and local DNS caching services like Pi-hole and dnsmasq.

Is port 53 TCP or UDP?

Port 53 uses both TCP and UDP. UDP is used for standard DNS queries and responses (up to 512 bytes, or 4096 with EDNS0). TCP is used for zone transfers (AXFR/IXFR), responses larger than 512 bytes, DNSSEC-signed responses that exceed UDP limits, and as a fallback when UDP responses are truncated (TC flag set).

What is a DNS amplification attack?

A DNS amplification attack is a DDoS technique where attackers send small DNS queries with a spoofed source IP to open resolvers on port 53. The resolvers send much larger responses (amplification factor up to 70x) to the victim's IP address. Mitigation includes disabling open recursion, implementing BCP38 source address validation, enabling Response Rate Limiting (RRL), and using allow-recursion ACLs.

Should port 53 be open?

Port 53 should only be open if you are running a DNS server (BIND, Unbound, dnsmasq, etc.). For authoritative servers, restrict TCP port 53 to trusted secondary nameservers for zone transfers. For recursive resolvers, limit access to your internal network. Close port 53 on all other systems to reduce attack surface.

What is the difference between DNS over TLS and DNS over HTTPS?

DNS over TLS (DoT) runs on port 853 and wraps DNS queries in TLS encryption, making it easy to identify and block at the network level. DNS over HTTPS (DoH) runs on port 443, encapsulating DNS in standard HTTPS traffic, making it indistinguishable from normal web browsing. DoH provides better privacy against network-level blocking, while DoT is easier for administrators to monitor and manage.

How do I check if port 53 is open?

Use nmap -sU -sT -p 53 hostname to scan both TCP and UDP, dig @hostname example.com to test DNS resolution directly, ss -tulnp | grep :53 to check locally on Linux, or Test-NetConnection -ComputerName hostname -Port 53 in Windows PowerShell. For UDP specifically, use nmap -sU -p 53 hostname.

How do I configure BIND to listen on port 53?

In BIND's named.conf, set listen-on { 127.0.0.1; your-ip; }; in the options block to specify which interfaces to listen on. Use allow-recursion to control who can make recursive queries, allow-transfer to restrict zone transfers, and dnssec-validation auto; to enable DNSSEC validation. Restart BIND with systemctl restart named.

🔍 Check Your IP Address

While you're here, find out your public IP address, location, and ISP details instantly.

Check My IP →