Your browser doesn't know where anything is. It has to ask.
Before your device can connect to google.com, it needs to learn that google.com lives at 142.250.80.46. Before it can send email, check an API, or load a single image from a CDN, it needs to translate a name into a number. This translation—DNS resolution—happens on port 53, and it happens constantly. Every connection starts with a question.
Two Protocols, One Port
DNS uses both UDP and TCP on port 53, choosing between them based on what's needed.
UDP handles the common case. Your device sends a small packet asking "where is example.com?" and gets back a small packet with the answer. No handshake, no connection setup—just question and answer. Most DNS queries fit in a single UDP packet and complete in milliseconds.
TCP handles everything else. When responses are too large for UDP (common with DNSSEC signatures), the server signals truncation and the client retries over TCP. Zone transfers—where secondary nameservers synchronize records from primary servers—always use TCP because they involve megabytes of ordered data that can't be lost.
Block TCP on port 53 and you break DNSSEC validation and zone transfers. Both protocols matter.
Why DNS Gets Attacked
DNS is infrastructure. Every connection depends on it. Attack DNS and you attack everything that relies on it.
Cache poisoning injects false records into a resolver's memory. Ask for your-bank.com and get sent to an attacker's server instead. DNSSEC adds cryptographic signatures to prevent this—resolvers can verify answers haven't been tampered with—but adoption remains low. Only about 4-5% of .com domains are signed, though some country-code TLDs like .nl, .cz, and .se exceed 50%.
Amplification attacks turn DNS servers into weapons. An attacker sends a tiny query with your IP address forged as the source. The DNS server sends its response—sometimes 50 times larger—to you. Multiply this across thousands of servers and you have a flood.
DNS tunneling encodes stolen data inside DNS queries, smuggling information through what looks like innocent name lookups. Because DNS traffic flows freely through most firewalls, it makes an effective covert channel. Detection requires watching for strange patterns: excessive queries, unusually long domain names, requests to domains that look like random strings.
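As an added illustration of the detection heuristics just listed (not code from the original article), the Python below scores a constructed resolver query log for long names, long labels, high-entropy labels and per-client query volume. The thresholds, the client addresses and the sample names are assumptions, not measured values.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log (client_ip, queried_name); not real traffic.
# The long labels are one hand-built hex string and two permutations of it.
_CHUNK = "4e8a1f0c9b2d7e3a6f5c1b9d8e2a7f3c0b6d4e1a9f7c2b5d8e3a6f1c4b7d0e9a"
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "cdn.example.net"),
    ("10.0.0.5", "api.example.org"),
    ("10.0.0.9", "mail.example.com"),
] + [
    ("10.0.0.23", f"{chunk}.t.exfil-example.test")
    for chunk in (_CHUNK, _CHUNK[::-1], _CHUNK[32:] + _CHUNK[:32])
]

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def qname_indicators(qname, max_len=60, max_label=30, min_entropy=3.5):
    """List the tunneling indicators a single queried name trips."""
    reasons = []
    if len(qname) > max_len:
        reasons.append("long-name")
    labels = qname.rstrip(".").split(".")
    if any(len(lb) > max_label for lb in labels):
        reasons.append("long-label")
    # Entropy is only meaningful on longer labels; "www" can never look random.
    if any(len(lb) >= 20 and label_entropy(lb) >= min_entropy for lb in labels):
        reasons.append("high-entropy-label")
    return reasons

def find_tunneling_suspects(log, min_hits=3, max_queries=500):
    """Flag clients with repeated suspicious names or an excessive query count."""
    hits, totals = defaultdict(list), defaultdict(int)
    for client, qname in log:
        totals[client] += 1
        reasons = qname_indicators(qname)
        if reasons:
            hits[client].append((qname, reasons))
    suspects = {}
    for client, count in totals.items():
        flagged = list(hits[client])
        if count > max_queries:
            flagged.append(("*", ["excessive-queries"]))
        if count > max_queries or len(flagged) >= min_hits:
            suspects[client] = flagged
    return suspects
```

Tune the thresholds against your own baseline: CDNs and some anti-spam services legitimately use long, random-looking labels, so a single hit should raise the per-client count, not an alert.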
The Privacy Hole
Traditional DNS has no encryption. Every query travels in plain text.
You visit encrypted websites, but your DNS queries announce your destinations in plain text—like whispering into a phone while shouting the phone number. Your ISP sees every domain you visit. Network administrators see it. Anyone positioned to intercept your traffic sees it.
Two protocols fix this:
DNS over HTTPS (DoH) wraps DNS queries inside normal HTTPS traffic on port 443. From the network's perspective, it looks like any other web request. Firefox enabled DoH by default for US users in 2020; Chrome, Edge, and Safari followed. Strong privacy, but network administrators can no longer distinguish DNS traffic from everything else—breaking DNS-based filtering and monitoring.
DNS over TLS (DoT) encrypts DNS queries using TLS on port 853. The queries are encrypted, but the traffic is still recognizably DNS. Administrators can see that DNS is happening without seeing what's being queried.
Both protect your queries from eavesdroppers. Neither protects you from your resolver—whoever answers your queries sees everything you ask.
Firewall Rules
Outbound: Don't let every device query any DNS server it wants. Malware uses alternative DNS to bypass your security controls. Force traffic through designated resolvers you control.
Inbound: If you run authoritative nameservers, they need to accept queries from the Internet. If you run recursive resolvers, they should only answer internal clients. An open recursive resolver enables amplification attacks and serves the entire Internet for free.
Encrypted DNS: DoT on port 853 is easy to block if you need visibility. DoH on port 443 is nearly impossible to block without breaking the web. If your security model depends on seeing DNS queries, you'll need to provide approved encrypted resolvers internally.
What This Means
Port 53 carries the questions that make the Internet navigable. Before your device can connect anywhere, something has to translate the name into a number.
The protocol is shifting—encrypted DNS is becoming the default—but the fundamental role remains. And now you understand what's been happening invisibly, thousands of times a day, every time you've ever connected to anything.