Understanding DNS Port 53 with Examples


DNS ports confuse many people. In this article we describe how DNS works and which port numbers the DNS protocol uses.



DNS uses both TCP and UDP port 53

  • Most of the time, DNS runs over UDP port 53. UDP is lightweight and faster than TCP, which keeps the per-query overhead low on a DNS server that is likely to receive a large number of requests.

  • But DNS servers still need to be reachable on TCP. Zone transfers happen over TCP port 53; they take place between DNS servers and do not involve the end user. What is a zone transfer? We will discuss that further below.




Query DNS records with Dig Command

Dig is a powerful Linux command for querying DNS information. We can use it to look up the A record for a domain name. By default it sends the query to the DNS server over UDP; it can also use TCP as the underlying transport. Do not confuse the two: for ordinary lookups the system does not normally use TCP. We will demonstrate both below.


$ dig google.com +short
74.125.24.100
74.125.24.101
74.125.24.113
74.125.24.139
74.125.24.102
74.125.24.138

How does DNS Query work?

DNS communication occurs via two types of messages: queries and replies. The query and the reply share the same message format, which consists of the following sections:

  • The header section contains the identification (ID); flags; number of questions; number of answers; number of authority resource records (RRs); and number of additional RRs.

  • The flags field is made up of one-bit and four-bit subfields indicating the type of message (query or response), whether the name server is authoritative, whether recursion is desired and available, whether the message was truncated, and the response code (status).

  • The question section contains the domain name and type of DNS record (A, AAAA, MX, TXT, etc.) being resolved. Each label in the domain name is prefixed by its length.

  • The answer section has the resource records of the queried name.



DNS Message Format (RFC 1035)

 MESSAGE FORMAT
+---------------------+
|        Header       |
+---------------------+
|       Question      | the question for the name server
+---------------------+
|        Answer       | RRs answering the question
+---------------------+
|      Authority      | RRs pointing toward an authority
+---------------------+
|      Additional     | RRs holding additional information
+---------------------+
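To make the header and question layout above concrete, here is an added example (not code from the article) that builds a standard A query and parses a response back into the header fields, the flag bits and the length-prefixed labels described above. The response bytes are constructed inline for the google.com query (ID 60712, two A records whose owner name is a compression pointer back to the question); the answer addresses and TTL are sample values, not captured traffic.

```python
import struct

# Flag bit masks inside the 16-bit flags word (RFC 1035 section 4.1.1).
QR = 0x8000   # 0 = query, 1 = response
AA = 0x0400   # authoritative answer
TC = 0x0200   # truncated (answer did not fit in a UDP datagram)
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
RCODE_MASK = 0x000F


def encode_name(name):
    """Encode a domain name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Build a recursive standard query (QTYPE 1 = A, QCLASS 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appeared in place)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # two-byte pointer into the message
            if hops > 16:
                raise ValueError("compression pointer loop")
            hops += 1
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_message(msg):
    """Parse the header, question and answer sections of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:      # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {
        "id": txid,
        "is_response": bool(flags & QR),
        "authoritative": bool(flags & AA),
        "truncated": bool(flags & TC),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
        "questions": questions,
        "answers": answers,
    }


# Constructed sample response: ID 60712, QR+RD+RA, one question, two A records
# whose owner name is a pointer (0xC00C) back to offset 12, the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 60712, QR | RD | RA, 1, 2, 0, 0)
    + encode_name("google.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([74, 125, 24, 113])
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([74, 125, 24, 102])
)

if __name__ == "__main__":
    print(build_query(60712, "google.com").hex())
    print(parse_message(SAMPLE_RESPONSE))
```

The hop limit in decode_name matters in practice: a message whose pointer refers back to itself would otherwise spin a naive parser forever, so a resolver must bound pointer chasing.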

Capture DNS Query on UDP Port 53 with Tcpdump

Tcpdump is a very powerful Linux command for capturing packets. The following tcpdump command captures DNS traffic on UDP port 53 (the filter keywords are lowercase).

# tcpdump -i eth0 udp port 53

We will see many packets like these. All of them are carried over UDP.

20:28:52.629628 IP 10.79.98.233.50109 > 64.104.76.247.53: 58821+ AAAA? time-macos.apple.com. (38)
20:28:52.749950 IP 64.104.76.247.53 > 10.79.98.233.50109: 58821 1/1/0 CNAME time-osx.g.aaplimg.com. (125)

This is the query packet produced by the dig command above.

20:11:00.466866 IP 10.79.98.233.54127 > 64.104.76.247.53: 60712+ [1au] A? google.com. (39)


This is the response packet returned by the DNS server.

20:11:00.560294 IP 64.104.76.247.53 > 10.79.98.233.54127: 60712 6/4/1 A 74.125.24.113, A 74.125.24.102, A 74.125.24.139, A 74.125.24.138, A 74.125.24.100, A 74.125.24.101 (207)
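A defender rarely reads tcpdump's DNS summary lines by hand for long; the natural next step is to pair each query with its reply. The following is an added example (not from the article) that parses lines in the format above, matches replies to outstanding queries by client address, client port, server address and transaction ID, and reports replies that match no query and queries that never got a reply. The first four sample lines are the ones shown above; the last two are constructed (an unmatched reply and an unanswered query) and labelled as such.

```python
import re

# One tcpdump DNS summary line: timestamp, addresses, ID, tcpdump flag chars, rest.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{6}) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<tdflags>[+*|$-]*) (?P<rest>.*)$"
)
# Replies carry answer/authority/additional counts; queries carry "TYPE? name".
COUNTS_RE = re.compile(r"^(?:\[\w+\] )?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) ")
QUERY_RE = re.compile(r"^(?:\[\w+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")


def ts_seconds(ts):
    """Convert HH:MM:SS.ffffff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict describing the line, or None if it is not a DNS summary."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    c = COUNTS_RE.match(rest)
    if c:
        rec["kind"] = "response"
        rec["counts"] = tuple(int(c.group(k)) for k in ("an", "ns", "ar"))
    else:
        q = QUERY_RE.match(rest)
        if not q:
            return None
        rec["kind"] = "query"
        rec["qtype"], rec["qname"] = q.group("qtype"), q.group("qname")
    rec["txid"] = int(rec["txid"])
    rec["seconds"] = ts_seconds(rec["ts"])
    return rec


def pair_transactions(lines):
    """Match replies to queries. Returns (matched, unsolicited, unanswered).
    A reply whose (client, port, server, ID) matches no pending query is
    reported separately: that is what a spoofed or stray response looks like."""
    pending, matched, unsolicited = {}, [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            pending[(rec["src"], rec["sport"], rec["dst"], rec["txid"])] = rec
            continue
        key = (rec["dst"], rec["dport"], rec["src"], rec["txid"])
        query = pending.pop(key, None)
        if query is None:
            unsolicited.append(rec)
        else:
            matched.append({
                "qname": query["qname"],
                "qtype": query["qtype"],
                "txid": rec["txid"],
                "rtt_ms": round((rec["seconds"] - query["seconds"]) * 1000, 1),
                "counts": rec["counts"],
            })
    return matched, unsolicited, list(pending.values())


SAMPLE_LINES = [
    # Lines taken from the tcpdump output shown in the article.
    "20:28:52.629628 IP 10.79.98.233.50109 > 64.104.76.247.53: 58821+ AAAA? time-macos.apple.com. (38)",
    "20:28:52.749950 IP 64.104.76.247.53 > 10.79.98.233.50109: 58821 1/1/0 CNAME time-osx.g.aaplimg.com. (125)",
    "20:11:00.466866 IP 10.79.98.233.54127 > 64.104.76.247.53: 60712+ [1au] A? google.com. (39)",
    "20:11:00.560294 IP 64.104.76.247.53 > 10.79.98.233.54127: 60712 6/4/1 A 74.125.24.113, "
    "A 74.125.24.102, A 74.125.24.139, A 74.125.24.138, A 74.125.24.100, A 74.125.24.101 (207)",
    # Constructed: a reply whose ID matches no outstanding query on that port.
    "20:11:00.561000 IP 64.104.76.247.53 > 10.79.98.233.54127: 12345 1/0/0 A 203.0.113.9 (44)",
    # Constructed: a query that never receives a reply.
    "20:11:05.000000 IP 10.79.98.233.40000 > 64.104.76.247.53: 777+ A? example.com. (40)",
]

if __name__ == "__main__":
    for group in pair_transactions(SAMPLE_LINES):
        print(group)
```

Feed it `tcpdump -n -l -i eth0 udp port 53` through a pipe and the unsolicited list becomes a cheap indicator of replies arriving with IDs your stub resolver never sent.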

Capture DNS Packets on TCP Port 53 with tcpdump

The example above uses UDP. We can also query DNS records over TCP like this:


dig google.com +short +tcp

This is a typical TCP exchange: a three-way handshake, the data transfer and a four-way close. It is considerably more complex than the single UDP request and reply.


20:17:45.641154 IP 10.79.98.233.56272 > 64.104.76.247.53: Flags [S], seq 3824616929, win 65535, options [mss 1350,nop,wscale 6,nop,nop,TS val 1027646250 ecr 0,sackOK,eol], length 0
20:17:45.729487 IP 64.104.76.247.53 > 10.79.98.233.56272: Flags [S.], seq 2631059348, ack 3824616930, win 8190, options [mss 1220,nop,wscale 8,nop,nop,sackOK], length 0
20:17:45.729537 IP 10.79.98.233.56272 > 64.104.76.247.53: Flags [.], ack 1, win 4096, length 0
20:17:45.729643 IP 10.79.98.233.56272 > 64.104.76.247.53: Flags [P.], seq 1:42, ack 1, win 4096, length 41 45963+ [1au] A? google.com. (39)
20:17:45.838388 IP 64.104.76.247.53 > 10.79.98.233.56272: Flags [.], ack 42, win 512, length 0
20:17:45.887796 IP 64.104.76.247.53 > 10.79.98.233.56272: Flags [P.], seq 1:386, ack 42, win 512, length 385 45963 6/4/9 A 74.125.24.102, A 74.125.24.139, A 74.125.24.113, A 74.125.24.100, A 74.125.24.101, A 74.125.24.138 (383)
20:17:45.887833 IP 10.79.98.233.56272 > 64.104.76.247.53: Flags [.], ack 386, win 4089, length 0
20:17:45.888056 IP 10.79.98.233.56272 > 64.104.76.247.53: Flags [F.], seq 42, ack 386, win 4096, length 0
20:17:45.975094 IP 64.104.76.247.53 > 10.79.98.233.56272: Flags [F.], seq 386, ack 43, win 512, length 0
20:17:45.975153 IP 10.79.98.233.56272 > 64.104.76.247.53: Flags [.], ack 387, win 4096, length 0
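Inside the TCP segments above, the DNS message is not sent raw: RFC 1035 prefixes each message with a two-octet length so that messages can be delimited on a byte stream (which is why the PUSH segment carries 41 bytes for a 39-byte query). The following added example (not code from the article) shows that framing, a de-framer that copes with partial and coalesced reads, and the check a resolver applies to decide when to fall back from UDP to TCP: the TC bit in a UDP reply. The same two-octet framing is reused by DNS over TLS (RFC 7858). The sample headers and the byte stream are constructed inline.

```python
import struct

TC_FLAG = 0x0200  # truncation bit in the flags word (bytes 2-3 of the header)


def tcp_frame(message):
    """Prefix a DNS message with its 2-octet big-endian length (RFC 1035 4.2.2).
    DNS over TLS on port 853 uses exactly the same framing."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(message)) + message


def tcp_unframe(stream):
    """Split buffered bytes into complete DNS messages.
    Returns (messages, remainder); remainder is an incomplete trailing frame
    to be re-fed once more bytes arrive. The length prefix is never trusted
    beyond what is actually buffered, so a short read cannot over-slice."""
    messages, pos = [], 0
    while len(stream) - pos >= 2:
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if len(stream) - pos - 2 < length:
            break                              # wait for the rest of this frame
        messages.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return messages, stream[pos:]


def needs_tcp_retry(udp_reply):
    """True when a UDP reply has TC set: the answer did not fit in the datagram
    and the resolver should repeat the query over TCP port 53 (RFC 1035 4.2.1)."""
    if len(udp_reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    (flags,) = struct.unpack("!H", udp_reply[2:4])
    return bool(flags & TC_FLAG)


# Constructed samples: two 12-byte headers (ID 45963) with TC set and clear,
# and a stream carrying two framed messages plus one byte of a third.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 45963, 0x8200, 1, 0, 0, 0)   # QR|TC
COMPLETE_REPLY = struct.pack("!HHHHHH", 45963, 0x8180, 1, 6, 4, 1)    # QR|RD|RA
SAMPLE_STREAM = tcp_frame(b"first") + tcp_frame(b"second") + b"\x00"

if __name__ == "__main__":
    print(tcp_unframe(SAMPLE_STREAM))
    print(needs_tcp_retry(TRUNCATED_REPLY), needs_tcp_retry(COMPLETE_REPLY))
```

A truncated reply is one the resolver must not act on: its answer section is incomplete, and an implementation that uses the partial data instead of retrying over TCP will cache a wrong or missing answer.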


What is zone transfer?

Most organizations have numerous DNS servers. These servers exchange information with each other in what is referred to as a zone transfer. The main DNS server (the master DNS server) is the one that replicates all the DNS information.


It holds the primary zone and replicates it to secondary zones. This main DNS server is also likely to be the authoritative server for the domain. Zone transfers connect to port 53 and use TCP at the transport layer so as to guarantee delivery of the transfer.


This normally happens only between DNS servers. But the same mechanism can be used to fetch every record in a zone, provided the server permits the transfer. zonetransfer.me is a domain set up deliberately to allow this; a properly configured authoritative server restricts transfers to its own secondaries.


dig axfr zonetransfer.me @nsztm1.digi.ninja.

The summary line at the end of the output shows that there are 50 records in this zone:

;; XFR size: 50 records (messages 1, bytes 1994)

DNS over TLS Port and DNS over HTTPS Port

Traditional DNS queries and responses are sent over UDP or TCP without encryption, which leaves them open to eavesdropping and spoofing (including DNS-based Internet filtering).


DNS over TLS (DoT) and DNS over HTTPS (DoH) are two standards for encrypting plaintext DNS traffic so that malicious parties, advertisers, ISPs and others cannot read it.


DNS over TLS uses port 853 only, while DNS over HTTPS uses port 443.


