howtouselinux

Understanding DNS Port 53 with Examples

Table of Contents

DNS port is confusing for many people. In this article, we’ll describe how DNS works, and what DNS port numbers are used for DNS protocol.

What is DNS port?

DNS port is the port assigned to the domain name system. The most frequently used DNS Port is UDP 53. It is the default port for almost all DNS queries. UDP is lightweight and faster than TCP. This can reduce performance overhead on DNS servers.

DNS zone transfers rely on TCP port 53 because TCP is more reliable. TCP is slower and uses more bandwidth.DNS zone transfer usually happens on the DNS server side. DNS port is important because it allows computers to communicate with each other using domain names instead of IP addresses.

Query DNS record with Dig Command

Dig is a powerful Linux command to query DNS info. We can use this command to query A record for a domain name. By default, it will query the DNS server with UDP protocol. We will demonstrate more for this. Check this post to learn more about Best and Fastest DNS Server For PS4 PS5.

$ dig google.com +short
74.125.24.100
74.125.24.101
74.125.24.113
74.125.24.139
74.125.24.102
74.125.24.138

How does DNS Query work?

DNS communication occurs via two types of messages: queries and replies. Both DNS query format and reply format consist of the following sections:

  • The header section contains Identification; Flags; Number of questions; Number of answers; Number of authority resource records (RRs); and Number of additional resource records.
  • The flag field contains sections of one or four bits, indicating the type of message, whether the name server is authoritative; whether the query is recursive or not, whether the request was truncated, and status.
  • The question section contains the domain name and type of DNS record (A, AAAA, MX, TXT, etc.) being resolved. Each label in the domain name is prefixed by its length.
  • The answer section has the resource records of the queried name.

 

DNS Header (RFC1035)

MESSAGE FORMAT
+———————+
| Header |
+———————+
| Question | the question for the name server
+———————+
| Answer | RRs answering the question
+———————+
| Authority | RRs pointing toward an authority
+———————+
| Additional | RRs holding additional information
+———————+

Capture DNS Query on UDP Port 53 with Tcpdump command

Tcpdump is a very powerful Linux command to capture packets. We can use the following tcpdump command to capture DNS packets.

# tcpdump -i eth0 UDP port 53

We will see many packets like this. All of these packets are based on UDP protocol.

20:28:52.629628 IP 10.79.98.233.50109 > 64.104.76.247.53: 58821+ AAAA? time-macos.apple.com. (38)
20:28:52.749950 IP 64.104.76.247.53 > 10.79.98.233.50109: 58821 1/1/0 CNAME time-osx.g.aaplimg.com. (125)

This is the packet of DNS query we get with the above dig command.

20:11:00.466866 IP 10.79.98.233.54127 > 64.104.76.247.53: 60712+ [1au] A? google.com. (39)

This is the packet of the DNS query response we get from the DNS server.

20:11:00.560294 IP 64.104.76.247.53 > 10.79.98.233.54127: 60712 6/4/1 A 74.125.24.113, A 74.125.24.102, A 74.125.24.139, A 74.125.24.138, A 74.125.24.100, A 74.125.24.101 (207)

What is private DNS servers?

From the above example, we can see that all the DNS query data can be easily captured.  Your ISP record every DNS query that you make — and ISPs are often legally required to keep these records for years. The private DNS servers will safely handle all DNS requests, keeping everyone else out of the loop. Your ISP will only know that you’ve logged in to these servers.

The private DNS servers from NordVPN will encrypt all of your online traffic and shield your DNS requests from third parties. This means no one can spy on you or secretly redirect you to a malicious site. It also delivers lightning-quick DNS resolution times.

DNS zone transfer uses TCP port 53

Most organizations have numerous DNS servers. These servers will exchange information between each other in what is referred to as zone transfers. The main DNS server( master DNS server) is the one that replicates all the DNS information.

It is referred to as the primary zone and replicates to secondary zones. This main DNS server is also likely to be classed as the authoritative server for the domain. These zone transfers connect to port 53 and use TCP at the transport layer so as to guarantee delivery of the transfer.

This usually happens on the DNS server side. But we can also use this way to get all the DNS records for one domain. dig axfr zonetransfer.me @nsztm1.digi.ninja. From the output, we can see that there are 50 records in this DNS zone file. ;; XFR size: 50 records (messages 1, bytes 1994)

DNS query with encryption over TLS Port and HTTPS Port

Traditional DNS queries and responses are sent over UDP or TCP without encryption. This is vulnerable to eavesdropping and spoofing (including DNS-based Internet filtering). DNS over TLS and DNS over HTTPS are two standards developed for encrypting plaintext DNS traffic in order to prevent malicious parties, advertisers, ISPs, and others from being able to interpret the data.

DNS over TLS only uses port 853, while DNS over HTTPS uses port 443.

Related:

More:

David Cao
David Cao

Hey there! I am David, a Cloud & DevOps Enthusiast and 18 years of experience as a Linux engineer. I work with AWS, Git & GitHub, Linux, Python, Ansible, and Bash. I am a technical blogger and a Software Engineer, enjoy sharing my learning and contributing to open-source.