
Exploring DNS Port with Examples

The DNS port is confusing for many people. In this article, we describe how DNS works and which port numbers are used by the DNS protocol.

Port Usage
TCP port 53: Large DNS responses (TCP is used when the DNS response exceeds the maximum size that fits in a single UDP packet) and DNS zone transfers (TCP is used for zone transfers, which copy an entire DNS zone between servers).
UDP port 53: Most DNS queries and responses (UDP is the default transport for DNS queries and responses; it is lightweight and faster than TCP).
TCP port 443: DNS over HTTPS (DoH) (DNS queries are encrypted and carried inside HTTPS for improved security and privacy).
TCP port 853: DNS over TLS (DoT) (DNS queries are encrypted with TLS, offering improved security and privacy).

What is the DNS port?

Port 53 is the well-known default port for DNS communication. DNS queries and responses can be transmitted over both UDP (User Datagram Protocol) and TCP (Transmission Control Protocol) on Port 53.

DNS queries are typically sent using UDP on Port 53. UDP is a connectionless protocol that offers fast and lightweight communication. It is suitable for most DNS queries, which are small and do not require guaranteed delivery or ordered transmission.

While UDP is the preferred protocol for most DNS communication, TCP is used in certain scenarios. For example, if a DNS response exceeds the maximum size supported by UDP, the server returns a truncated response (with the TC flag set), and the client reissues the same query over TCP to obtain the complete response.

Additionally, TCP is utilized for zone transfers and other larger DNS transactions that require reliable and ordered transmission.
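The UDP-then-TCP behaviour described above, as an added example that is not part of the original article: it builds a DNS query in wire format, decodes the header to read the TC (truncated) bit, and shows the 2-byte length prefix that DNS over TCP adds. No packets are sent; the truncated reply is a constructed sample.

```python
import struct

UDP_MAX = 512  # classic RFC 1035 limit for DNS over UDP without EDNS(0)

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query: 12-byte header plus one question (RFC 1035)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def parse_header(msg):
    """Decode the DNS header; TC (bit 9 of the flags word) means the answer was cut short."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def frame_for_tcp(msg):
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def needs_tcp_retry(udp_response, expected_id):
    """True when a UDP reply to our query has TC set: re-send the same query over TCP port 53."""
    h = parse_header(udp_response)
    return h["qr"] and h["id"] == expected_id and h["tc"]

# Constructed sample: a reply to ID 0x1234 with QR, TC, RD and RA set (flags word 0x8380).
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
```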

How does DNS Query work?

DNS communication occurs via two types of messages: queries and replies.

DNS queries are messages sent by DNS clients (such as web browsers or other applications) to DNS servers, requesting information about a specific domain name or resource. When a user enters a domain name (e.g., example.com) in a web browser, the browser initiates a DNS query to obtain the corresponding IP address.

DNS replies, also known as DNS responses, are messages sent by DNS servers in response to DNS queries. When a DNS server receives a query, it processes the request and generates a reply containing the requested information or an error message if the requested information is not available.

Query a DNS record with the dig command

The dig command is a popular command-line tool used for querying DNS (Domain Name System) records. It provides detailed information about DNS responses, including IP addresses, nameservers, TTL (Time to Live) values, and more. Here’s an example of how to use the dig command to query a DNS record:

Syntax: dig <domain> <record_type>

By default, dig sends the query to the DNS server over UDP; we will look at the packets it generates below.

$ dig google.com +short
74.125.24.100
74.125.24.101
74.125.24.113
74.125.24.139
74.125.24.102
74.125.24.138

Capture DNS queries on UDP port 53 with the tcpdump command

tcpdump is a very powerful Linux command for capturing packets. The following tcpdump command captures DNS packets (the filter keywords are lowercase):

# tcpdump -i eth0 udp port 53

We will see many packets like the ones below. All of them are carried over UDP.

20:28:52.629628 IP 10.79.98.233.50109 > 64.104.76.247.53: 58821+ AAAA? time-macos.apple.com. (38)
20:28:52.749950 IP 64.104.76.247.53 > 10.79.98.233.50109: 58821 1/1/0 CNAME time-osx.g.aaplimg.com. (125)

Let’s break down the information.

20:28:52.629628 IP 10.79.98.233.50109 > 64.104.76.247.53: 58821+ AAAA? time-macos.apple.com. (38)

Timestamp: 20:28:52.629628
IP Address and Port: The source IP address is 10.79.98.233, and the source port is 50109. The destination IP address is 64.104.76.247, and the destination port is 53 (the standard DNS port).
DNS Query: The query being sent is an AAAA query, which requests the IPv6 address of the domain “time-macos.apple.com”.
Query Identifier: The query identifier is 58821.
Domain Name: The domain name being queried is “time-macos.apple.com”.
Packet Length: The length of the packet is 38 bytes.

20:28:52.749950 IP 64.104.76.247.53 > 10.79.98.233.50109: 58821 1/1/0 CNAME time-osx.g.aaplimg.com. (125)

Timestamp: 20:28:52.749950
IP Address and Port: The source IP address is 64.104.76.247, and the source port is 53. The destination IP address is 10.79.98.233, and the destination port is 50109.
DNS Response: The response being sent contains the answer to the previous query.
Query Identifier: The query identifier is 58821, matching the previous query.
Response Details: The response includes 1 answer, 1 authoritative name server, and 0 additional records.
CNAME Record: The answer in the response is a CNAME record. It states that “time-macos.apple.com” is an alias (CNAME) for “time-osx.g.aaplimg.com”.
Packet Length: The length of the packet is 125 bytes.

This is the DNS query packet generated by the dig command shown above.

20:11:00.466866 IP 10.79.98.233.54127 > 64.104.76.247.53: 60712+ [1au] A? google.com. (39)

This is the DNS response packet we get back from the DNS server.

20:11:00.560294 IP 64.104.76.247.53 > 10.79.98.233.54127: 60712 6/4/1 A 74.125.24.113, A 74.125.24.102, A 74.125.24.139, A 74.125.24.138, A 74.125.24.100, A 74.125.24.101 (207)
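The field breakdown above can be automated. The following parser, an added example that is not part of the original article, splits tcpdump's DNS summary lines into their fields and pairs each response with the query carrying the same ID and client IP/port; responses that match no outstanding query are reported separately, since that is what a forged reply to a client would look like. The first four sample lines are the captures shown on this page; the fifth is a constructed unsolicited response.

```python
import re

# tcpdump DNS summary line: "<ts> IP <src>.<sport> > <dst>.<dport>: <id>[+] [[1au]] <body> (<len>)"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<rd>\+?)(?: \[\d+au\])? (?P<body>.*) \((?P<length>\d+)\)$"
)

# First four lines: the captures shown above. Last line: constructed, a response
# carrying an ID and client port that no query on this host ever used.
SAMPLE = """
20:28:52.629628 IP 10.79.98.233.50109 > 64.104.76.247.53: 58821+ AAAA? time-macos.apple.com. (38)
20:28:52.749950 IP 64.104.76.247.53 > 10.79.98.233.50109: 58821 1/1/0 CNAME time-osx.g.aaplimg.com. (125)
20:11:00.466866 IP 10.79.98.233.54127 > 64.104.76.247.53: 60712+ [1au] A? google.com. (39)
20:11:00.560294 IP 64.104.76.247.53 > 10.79.98.233.54127: 60712 6/4/1 A 74.125.24.113, A 74.125.24.102, A 74.125.24.139, A 74.125.24.138, A 74.125.24.100, A 74.125.24.101 (207)
20:28:53.000000 IP 64.104.76.247.53 > 10.79.98.233.50109: 11111 1/0/0 A 192.0.2.1 (60)
""".strip().splitlines()

def parse_line(line):
    """Split one tcpdump DNS line into its fields; None if the line is not a DNS summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["txid"], rec["length"] = int(rec["txid"]), int(rec["length"])
    counts = re.match(r"(\d+)/(\d+)/(\d+) ", rec["body"])  # "1/1/0 " = answer/authority/additional
    if counts:
        rec["kind"] = "response"
        rec["ancount"], rec["nscount"], rec["arcount"] = map(int, counts.groups())
    else:
        rec["kind"] = "query"
        qtype, _, qname = rec["body"].partition("? ")  # "AAAA? time-macos.apple.com."
        rec["qtype"], rec["qname"] = qtype, qname.rstrip(".")
    return rec

def pair_queries(lines):
    """Match each response to the query with the same ID and client IP/port.
    Returns (pairs, unmatched); unmatched responses were never requested by this client."""
    pending, pairs, unmatched = {}, [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            pending[(rec["txid"], rec["src"], rec["sport"])] = rec
            continue
        query = pending.pop((rec["txid"], rec["dst"], rec["dport"]), None)
        if query:
            pairs.append((query, rec))
        else:
            unmatched.append(rec)
    return pairs, unmatched
```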

What are private DNS servers?

From the example above, we can see that all DNS query data can be easily captured. Your ISP records every DNS query that you make, and ISPs are often legally required to keep these records for years.

Private DNS servers handle all of your DNS requests over an encrypted channel, keeping everyone else out of the loop. Your ISP will only see that you have connected to these servers, not which names you looked up.

DNS zone transfer uses TCP port 53

Most organizations have numerous DNS servers. These servers exchange information with each other in what is referred to as a zone transfer. The main DNS server (the master, or primary, DNS server) is the one that holds the DNS information and replicates it to the others.

Its copy of the zone is referred to as the primary zone, and it replicates to secondary zones. This main DNS server is also likely to be the authoritative server for the domain. Zone transfers connect to port 53 and use TCP at the transport layer to guarantee delivery of the transfer.

This usually happens between DNS servers. But a client can also request a zone transfer to obtain all the DNS records for a domain, if the server allows it. Here is one example, using a domain that is deliberately set up to permit zone transfers:

dig axfr zonetransfer.me @nsztm1.digi.ninja.

;; XFR size: 50 records (messages 1, bytes 1994)

From the output, we can see that there are 50 records in this DNS zone file.

DNS query with encryption over TLS Port and HTTPS Port

Traditional DNS queries and responses are sent over UDP or TCP without encryption. This is vulnerable to eavesdropping and spoofing (including DNS-based Internet filtering). DNS over TLS and DNS over HTTPS are two standards developed for encrypting plaintext DNS traffic in order to prevent malicious parties, advertisers, ISPs, and others from being able to interpret the data.

DNS over TLS only uses port 853, while DNS over HTTPS uses port 443.

Here we will use dns.google as an example of DNS over HTTPS.

Google Public DNS provides an RFC 8484 DoH endpoint at “https://dns.google/dns-query” and a JSON API at “https://dns.google/resolve”. To query a domain using the JSON API, you can use the curl command:

$ curl -X GET "https://dns.google/resolve?name=howtouselinux.com&type=A"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"howtouselinux.com.","type":1}],"Answer":[{"name":"howtouselinux.com.","type":1,"TTL":3600,"data":"164.92.86.53"}],
"Comment":"Response from 216.239.36.101."}

This command sends an HTTPS GET request to the Google Public DNS DoH endpoint with the query parameters name=howtouselinux.com and type=A, requesting the IPv4 address (A record) for the domain “howtouselinux.com”. The response will be in JSON format.
