The Domain Name System (DNS) is a key part of the internet’s infrastructure. It provides a mapping between domain names and IP addresses, enabling users to access websites and other internet services using human-friendly names like example.com instead of hard-to-remember IP addresses. Understanding how DNS works, including what port it uses, is important for configuring networks and servers properly.
Overview of DNS
DNS is a hierarchical and decentralized naming system for devices connected to the internet or other IP networks. It translates domain names that people find easy to remember into the numerical IP addresses that computers use to communicate with each other.
Some key facts about DNS:
- DNS associates various information with domain names, including IP addresses of the domain’s servers. This allows routing traffic appropriately.
- The process of translating a domain name to an IP address is called name resolution.
- DNS uses a client-server model. DNS clients request information, and DNS servers (like your ISP’s) provide answers.
- DNS servers do not interact directly with each other. Instead, they form a hierarchy and communicate from the top down.
How DNS name resolution works
When you type a web address like example.com into your browser, here is what happens behind the scenes:
- Your device checks its local DNS cache for the IP address of example.com. If found, it will use that.
- If not cached locally, your DNS client (operating system or app) sends a query to your configured DNS Recursive Resolver. This is typically your ISP or local network’s DNS server.
- The Recursive Resolver checks its cache. If no match, it queries Root Name Servers to find the name server authoritative for .com.
- The Recursive Resolver queries the .com Top Level Domain (TLD) Name Server, which returns the IP of the example.com Authoritative Name Server.
- Finally, the Recursive Resolver queries the Authoritative server and gets the IP for example.com, which it returns to the DNS client.
This process is cached at each step, speeding up future lookups. DNS name resolution typically occurs over UDP port 53.
What port does DNS use?
DNS primarily uses UDP port 53 for DNS queries and responses. Some requests that exceed 512 bytes may use TCP port 53.
Here are a few key points about the standard DNS port:
- Port 53 is reserved for DNS traffic by IANA.
- This port is used for communication between DNS clients and servers, and between different types of DNS servers.
- Firewalls, routers, and other network devices must allow UDP/TCP 53 traffic so DNS can function.
- Using a non-standard port deviates from the standard and requires extra configuration. It should only be done in special cases.
- Some DNS server software allows configuring a custom port, but both sides must use the same port.
So in summary, the standard DNS port is UDP 53, with TCP 53 as a fallback. Client software will attempt to use this port by default when making DNS queries. For typical home or office setups, the main requirement is keeping port 53 open on local networks and firewalls.
Why port 53 is reserved for DNS
There are a few key reasons why UDP and TCP port 53 are designated for DNS:
- Standardization – Having a defined port for DNS makes interoperability easy. Client and server software know which port to use without extra configuration.
- Compatibility – Port 53 is almost universally accessible across networks. Firewalls tend to allow it. Using non-standard ports breaks connectivity.
- Distinction from web traffic – DNS uses distinct ports from web traffic (HTTP port 80, HTTPS port 443). This allows splitting DNS and web servers, or redirecting traffic as needed.
- Security best practices – Keeping DNS on port 53 allows it to be handled appropriately in security policies. Non-standard ports bypass defenses tuned for port 53.
Adhering to the standard ports enables the seamless integration of DNS across the diverse servers, networks, and applications that rely on it. For individual users, this simply means keeping port 53 open. For larger networks, administrators must carefully manage traffic on these ports.
How clients connect to DNS servers
DNS clients need to be configured with the address of at least one DNS server to query for name resolutions. Here are some common ways this happens:
- DHCP – On local networks, DHCP automatically assigns client machines a local DNS server IP address along with an IP address, subnet mask, default gateway, etc. This allows easy central management at the router.
- ISP-provided – Internet Service Providers often push DNS server addresses to modems/routers via DHCP or PPPoE. This directs clients to the ISP’s DNS by default.
- Manual IP settings – In static IP configurations, users must manually enter a DNS server IP address. This is common on servers and headless devices.
- Overrides – Even with DHCP or ISP-provided servers, client systems usually allow manually overriding DNS settings. This allows using alternative resolvers like Google (8.8.8.8).
- Conditional forwarding – DNS servers can be configured to forward certain queries to different servers based on domain. This allows internal DNS resolution.
As long as the client has the IP address of any valid DNS recursor it can reach, it will be able to resolve DNS names by first querying that server over UDP port 53.
Common DNS servers
There are several common DNS servers that client systems may be configured to use:
- ISP DNS servers – All ISPs provide their own DNS servers for customers. This often provides benefits like filtering, caching, and IP-location tracking.
- Public DNS servers – Public resolvers like Google (8.8.8.8), Cloudflare (1.1.1.1), and OpenDNS (208.67.222.222) often have better performance than ISP servers.
- Local network DNS – Organizations often run their own DNS recursor to handle internal host resolutions and caching.
- Operating system defaults – Linux distributions, routers, and other systems have a built-in DNS client that needs to be configured with a working server.
- Manually specified – In some cases, users or administrators will explicitly configure alternative resolvers for performance, filtering, or other reasons.
Google public DNS
Google Public DNS is a popular alternative resolver at 8.8.8.8 and 8.8.4.4. Benefits include:
- Fast performance and low latency worldwide.
- Generally less prone to hijacking than ISP resolvers.
- Support for the latest protocols like DNS over TLS (DoT) and DNS over HTTPS (DoH).
- Filtering of known malicious domains.
Switching to Google DNS or any public resolver is a client-side change that simply requires setting those server IPs in the client network configuration.
Configuring DNS servers
The specific steps to configure DNS resolver IP addresses depend on the operating system and environment:
Windows:
- Open the Ethernet/Wi-Fi Network Properties.
- Select TCP/IPv4 or TCP/IPv6.
- Click Properties and enter preferred DNS server IPs.
Linux:
- Edit the /etc/resolv.conf file.
- Enter nameserver entries pointing to DNS IP addresses.
macOS:
- Go to System Preferences > Network.
- Select DNS and click Add for each server.
Router (network-wide):
- Access the router admin console.
- Find DHCP Name Server settings.
- Enter upstream DNS IPs.
For home use, an easy option is using a public DNS provider like Google. For servers, using the local DNS recursor is best. Network-wide changes are done at the router level.
DNS traffic must be allowed on port 53
For DNS to work properly, port 53 traffic must be allowed:
- Client firewalls – Local firewall software should permit UDP and TCP port 53 (in and out).
- Network firewalls – Corporate/office firewalls must allow DNS traffic from internal clients to external resolvers.
- Home routers – Consumer routers need port 53 open for DNS queries to pass through.
- Server daemons – Software firewalls on Linux servers should permit port 53 (for example, ufw allow 53).
- Cloud networks – Cloud virtual networks need security groups enabling DNS access (port 53) to and from instances.
- Container platforms – Kubernetes, Docker, etc. must allow pods/containers to access the configured DNS resolver.
Validating that port 53 traffic can flow between clients and your DNS server is key for troubleshooting name resolution issues. DNS security filtering should still be applied where possible.
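The article notes that port 53 must be allowed, that non-standard ports bypass defenses tuned for port 53, and that filtering should still apply. As an added example (not code from the original article), here is a small review of firewall connection records that turns those points into three findings: port-53 traffic to a resolver that is not on the sanctioned list, dropped port-53 traffic that explains a client's "DNS not working", and traffic to a sanctioned resolver IP on a port other than 53. The approved-resolver set, the log format and the log lines are all constructed for this example.

```python
import re

# Assumptions for this added example: the organization's only sanctioned
# recursive resolvers, and a firewall log with key=value fields (both constructed).
APPROVED_RESOLVERS = {"10.0.0.53", "8.8.8.8"}

# Constructed sample records. The dport=443 line is deliberately unremarkable:
# DoH cannot be told apart from ordinary HTTPS by port alone.
SAMPLE_LOG = """\
ts=2024-05-01T10:00:01Z action=allow proto=udp src=10.0.1.25 dst=10.0.0.53 dport=53
ts=2024-05-01T10:00:02Z action=allow proto=tcp src=10.0.1.25 dst=10.0.0.53 dport=53
ts=2024-05-01T10:00:05Z action=allow proto=udp src=10.0.1.40 dst=203.0.113.9 dport=53
ts=2024-05-01T10:00:07Z action=drop proto=udp src=10.0.1.77 dst=8.8.8.8 dport=53
ts=2024-05-01T10:00:09Z action=allow proto=tcp src=10.0.1.40 dst=203.0.113.9 dport=443
ts=2024-05-01T10:00:11Z action=allow proto=udp src=10.0.1.52 dst=8.8.8.8 dport=5353
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD.findall(line))


def classify(rec):
    """Return a finding label for one record, or None when it is unremarkable."""
    port = int(rec["dport"])
    if port == 53 and rec["dst"] not in APPROVED_RESOLVERS:
        return "dns-to-unapproved-resolver"   # resolver policy bypassed
    if port == 53 and rec["action"] == "drop":
        return "dns-blocked"                   # explains name resolution failures for src
    if port != 53 and rec["dst"] in APPROVED_RESOLVERS:
        return "resolver-on-nonstandard-port"  # outside the rules tuned for port 53
    return None


def analyze(log_text):
    """Map each finding label to the set of source hosts that triggered it."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings.setdefault(label, set()).add(rec["src"])
    return findings


if __name__ == "__main__":
    for label, hosts in analyze(SAMPLE_LOG).items():
        print(f"{label}: {sorted(hosts)}")
```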
How DNS over HTTPS uses port 443
DNS over HTTPS (DoH) is an emerging protocol that encrypts and authenticates DNS traffic by tunneling it over HTTPS connections. This uses standard HTTPS port 443 instead of port 53:
- A DNS client establishes a TLS-secured HTTPS connection to the DoH server.
- The client embeds DNS queries and responses within the HTTP request and response bodies.
- The connection is authenticated and encrypted end-to-end, protecting against surveillance and manipulation.
- DoH prevents DNS query details from being visible to local networks.
- Web browsers and operating systems are starting to adopt DoH support.
DoH trades off some enterprise security controls for end-user privacy and integrity. Running on port 443, it bypasses typical port 53 inspection but allows leveraging HTTPS infrastructure.
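As an added example (not code from the original article), here is how one DNS wire message is carried over each transport the article covers: sent as-is to UDP port 53, re-sent with a 2-byte length prefix to TCP port 53 when the UDP reply comes back truncated or too large, or embedded in an HTTPS request to port 443 as DoH specifies in RFC 8484 (GET with the message base64url-encoded in the dns parameter, or POST with the message as an application/dns-message body). The resolver hostname dns.example, the transaction id and the truncated reply are constructed assumptions.

```python
import base64
import struct


def build_query(name, qtype=1, txid=0x1234):
    """Serialize a standard recursive query (RD=1) for `name`, class IN, type A by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def needs_tcp_fallback(udp_response, udp_max=512):
    """True when the UDP reply set the TC bit or exceeds the classic 512-byte UDP limit."""
    flags = struct.unpack("!H", udp_response[2:4])[0]
    return bool(flags & 0x0200) or len(udp_response) > udp_max


def tcp_frame(msg):
    """DNS over TCP port 53 prefixes each message with its big-endian 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(host, msg, path="/dns-query"):
    """RFC 8484 GET form: unpadded base64url of the wire message in the `dns` query parameter."""
    enc = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"https://{host}{path}?dns={enc}"


def doh_post_request(host, msg, path="/dns-query"):
    """RFC 8484 POST form: the wire message is the HTTPS body, typed application/dns-message."""
    headers = {
        "Host": host,
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
        "Content-Length": str(len(msg)),
    }
    return path, headers, msg


# Constructed sample UDP reply: same id, flags QR=1 TC=1 RD=1 RA=1, no answer records carried.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    print(len(q), "byte query; retry over TCP:", needs_tcp_fallback(TRUNCATED_REPLY))
    print(doh_get_url("dns.example", q))
```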
Specialized DNS server ports
Though most DNS transactions use port 53, there are some specialized server ports to be aware of:
- 953 – Used for secure recursive-to-authoritative server transfers.
- 5353 – Multicast DNS (mDNS), which allows local network device discovery. Common on home routers.
- 9153 – P2P distributed DNS used by OpenNIC resolvers. Enables collective public DNS.
- 5355 – LLMNR, for local network name resolution when no DNS server is available.
These alternative ports support specific use cases like local service discovery and resilience. But the vast majority of regular DNS queries use standard port 53.
- DNS uses UDP and TCP port 53 for standard name queries and responses.
- Port 53 is registered with IANA for this purpose and supported universally.
- Firewalls and networks must permit access to port 53 for DNS to function.
- For end clients, using ISP or public DNS servers over port 53 is most common.
- DNS over HTTPS uses port 443 instead to tunnel over HTTPS connections.
- Special uses like local discovery use ports 5353, 5355 and others. But most DNS uses port 53.
Keeping DNS port 53 open, configuring clients properly, and avoiding non-standard ports allows this essential internet service to work reliably.
DNS is a fundamental networking service that maps domain names to IP addresses using a hierarchical distributed database. For DNS to operate, its clients need to be configured with the IP addresses of DNS servers to query. These queries use the standard ports of UDP 53 and TCP 53, which must be permitted by firewalls and networks. This port is reserved with IANA expressly for this purpose. While alternative ports exist for specific use cases, the vast majority of DNS transactions use UDP port 53 for performance and interoperability. Understanding the standard DNS port and protocols allows properly configuring the DNS clients, servers and network infrastructure that make domain name resolution possible.
Frequently Asked Questions (FAQ)
- Why is port 53 used for DNS queries?
Port 53 is the IANA registered standard port for DNS, allowing easy interoperability between DNS clients and servers worldwide.
- What types of packets does DNS use?
DNS primarily uses UDP datagrams for standard queries and responses. Larger requests may fall back to TCP.
- Can DNS use other ports?
Technically yes, but port 53 should always be used by default for interoperability. Using non-standard ports will break most DNS access.
- Is port 53 TCP or UDP?
Mainly UDP, with TCP acting as a fallback for large requests. UDP is preferred for performance.
- Can I change the DNS port on my PC?
Yes, client settings can override the standard port, but this is not recommended in most cases. The server must also use the same non-standard port.
- How do I make sure port 53 is open?
Verify firewall policies allow outbound UDP 53 traffic, and inbound responses. Test with tools like nslookup to confirm.
- Why is my DNS not working?
Firewalls blocking UDP 53 is a common cause. Also check client DNS settings match your resolver, and that the resolver is accessible from that client.
- What is DNS over HTTPS?
DNS over HTTPS (DoH) tunnels DNS traffic over HTTPS connections on port 443 for security and privacy reasons.
- Does DoH replace normal DNS?
Not yet. DoH will complement rather than replace legacy DNS in the near future.
- What is a local DNS server?
A DNS server (recursor) provided by your ISP or private network authority to handle queries from local clients.
- What is a public DNS server?
Public DNS resolvers like Google (8.8.8.8) or Cloudflare (1.1.1.1) that anyone can use as an alternative to ISP-provided servers.
- When should I use a local vs public DNS?
Use ISP/local DNS on company networks. Use public DNS for home networks and public Wi-Fi for more reliability.
- Can multiple DNS servers be configured?
Yes, client systems often allow entering multiple DNS server IPs for failover purposes. The first reachable server will handle queries.
- How does DNS over TLS work?
DNS over TLS (DoT) uses TLS encryption versus plain TCP for secure transport. It still uses port 53.
- Is DNS name resolution secure?
No, basic DNS uses no encryption. DNSSEC validates responses cryptographically but traffic is still visible. Use DoT/DoH for secure DNS.
- Does VPN protect DNS traffic?
Yes, using a VPN tunnels all your traffic including DNS queries, preventing snooping and manipulation locally.
- What are the most popular DNS servers?
Google Public DNS (8.8.8.8) and Cloudflare (1.1.1.1) are among the top public resolvers. ISP-provided servers also have significant use.
- How does CDN use DNS?
CDNs use DNS geolocation to route users to nearby cache nodes. This is done by resolving CDN hostnames from local DNS resolvers.
- What is common DNS server software?
BIND and Unbound are common open source DNS servers. Microsoft DNS Server, PowerDNS, and BlueCat are also popular solutions.
- How can I test DNS connectivity?
Use dig, nslookup or host commands to check name resolution. Web based DNS lookup tools can test from remote locations.
DNS is a fundamental networking service relying on the standard port 53 to provide name resolutions that power the internet. Understanding that port 53 must be open and accessible between DNS clients and servers helps troubleshoot connectivity issues. While encryption, authentication and alternative transports like DNS over HTTPS are growing in adoption, legacy unencrypted UDP-based DNS still dominates and depends on port 53 universally being permitted and properly configured at endpoints and on networks.