What ports does DNS use? 53, DoT, mDNS & LLMNR
DNS uses port 53 over both UDP and TCP, with DNS-over-TLS on 853, mDNS on 5353 and LLMNR on 5355. Learn why, plus DNS attacks and how to encrypt lookups.
DNS is the phone book of the internet, translating names like example.com into IP addresses. Most people know it lives on port 53 — but the full picture involves two transport protocols on that one port, an encrypted variant, and a couple of local-network discovery cousins. This guide walks through every DNS port and the security issues that come with them. Every port links to its full ProtocolPorts entry, or you can browse all ports.
DNS ports at a glance
| Port | Protocol / Service | Encrypted? | Role |
|---|---|---|---|
| 53 | DNS (UDP) | No | Standard name lookups |
| 53 | DNS (TCP) | No | Zone transfers, large responses |
| 853 | DNS-over-TLS (DoT) | TLS | Encrypted lookups |
| 443 | DNS-over-HTTPS (DoH) | TLS | Encrypted lookups inside HTTPS |
| 5353 | mDNS | No | Local zero-config discovery |
| 5355 | LLMNR | No | Local name resolution (Windows) |
Why port 53 uses both UDP and TCP
The unusual thing about DNS is that port 53 is registered for both UDP and TCP, and a healthy server uses both.
UDP is the default for normal queries. A lookup is a tiny request and a tiny response, so the connectionless, low-overhead nature of UDP is perfect — no handshake, just ask and answer. The vast majority of DNS traffic is UDP on port 53.
TCP kicks in for two situations:
- Zone transfers. When a secondary DNS server copies an entire zone from a primary, the data is far too large and too important to risk over UDP, so the transfer uses TCP.
- Large responses. UDP responses were historically capped, and any answer that does not fit — common with DNSSEC signatures or records with many entries — falls back to TCP. The server sets a "truncated" flag and the client retries over TCP.
So if you firewall DNS, remember to allow port 53 on both transports, or large and signed responses will silently fail.
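To make the truncation fallback concrete, here is an added example (not code from the ProtocolPorts page) that encodes a DNS query in wire format, reads the header flags of a reply, decides from the TC bit whether to retry over TCP, and applies the 2-byte length prefix that DNS over TCP uses (DNS-over-TLS on 853 reuses the same framing inside the TLS session). The transaction ID, the `example.com` query and the two sample responses are constructed for illustration; `udp_send` and `tcp_send` are caller-supplied transport callbacks, so nothing here touches the network.

```python
import struct

# Added example, not part of the ProtocolPorts page: a minimal DNS wire-format
# encoder/decoder showing the TC-flag fallback from UDP to TCP on port 53 and the
# 2-byte length framing used by DNS over TCP (and by DoT on port 853).
# The transaction ID and the sample responses below are constructed.

DNS_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount

FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # truncated: the answer did not fit the UDP payload
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txn_id: int = 0x1234) -> bytes:
    """A standard recursive query (QR=0, RD=1); qtype 1 = A, qclass 1 = IN."""
    return DNS_HEADER.pack(txn_id, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into the flag bits, the 4-bit RCODE and the section counts."""
    if len(msg) < DNS_HEADER.size:
        raise ValueError("message shorter than a DNS header")
    txn_id, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(msg)
    return {"id": txn_id, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rd": bool(flags & FLAG_RD), "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_response: bytes, expected_id: int) -> bool:
    """True when the server set TC=1: the UDP answer was cut short and must be refetched over TCP.
    A reply whose transaction ID does not match is rejected outright rather than retried."""
    hdr = parse_header(udp_response)
    if hdr["id"] != expected_id or not hdr["qr"]:
        raise ValueError("not a response to our query")
    return hdr["tc"]


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP and DNS-over-TLS prefix every message with a 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> list:
    """Split a TCP byte stream into complete DNS messages; a trailing partial message is left out."""
    msgs, i = [], 0
    while i + 2 <= len(stream):
        n = struct.unpack_from("!H", stream, i)[0]
        if i + 2 + n > len(stream):
            break
        msgs.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return msgs


def query_with_fallback(name: str, udp_send, tcp_send):
    """Client logic: ask over UDP first; if the reply is truncated, resend the same query framed for TCP.
    `udp_send(msg)` and `tcp_send(framed_msg)` are caller-supplied transports returning the raw reply."""
    q = build_query(name)
    reply = udp_send(q)
    if needs_tcp_retry(reply, 0x1234):
        return tcp_send(frame_for_tcp(q)), "tcp"
    return reply, "udp"


# Constructed sample replies to the query above: one truncated, one complete (no answer records).
QUESTION = build_query("example.com")[DNS_HEADER.size:]
TRUNCATED_RESPONSE = DNS_HEADER.pack(0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0) + QUESTION
COMPLETE_RESPONSE = DNS_HEADER.pack(0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 0, 0, 0) + QUESTION

if __name__ == "__main__":
    reply, transport = query_with_fallback("example.com",
                                           udp_send=lambda q: TRUNCATED_RESPONSE,
                                           tcp_send=lambda framed: COMPLETE_RESPONSE)
    print("answered over", transport, "with header", parse_header(reply))
```

The point for firewall rules is visible in `query_with_fallback`: a resolver that receives TC=1 immediately reopens the same question on TCP port 53, so a rule that admits only UDP/53 turns every large or DNSSEC-signed answer into a timeout on the TCP retry.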
Encrypted DNS: DoT and DoH
Classic DNS on port 53 is unencrypted. Every lookup you make is visible to your network, your ISP, and anyone in between, and it can be tampered with. Two standards fix this:
- DNS-over-TLS (DoT) wraps DNS in a TLS session on its own dedicated port 853. Because it has a distinct port, network operators can see that you are using encrypted DNS, even though they cannot read the contents.
- DNS-over-HTTPS (DoH) sends DNS queries inside ordinary HTTPS on port 443. Since it looks like any other web traffic, it is much harder to block or even detect — a feature for privacy, and a headache for network administrators who want visibility.
Both protect the confidentiality and integrity of your lookups. Choose DoT when you want encryption plus network manageability, and DoH when you want lookups to blend into web traffic.
Local-network name resolution: mDNS and LLMNR
Two protocols handle name resolution on a local network without a central DNS server:
- Multicast DNS (mDNS) on port 5353 powers zero-configuration discovery — finding printers, speakers, and .local hostnames on the LAN. It is what Bonjour and Avahi use.
- Link-Local Multicast Name Resolution (LLMNR) on port 5355 is a Microsoft protocol that resolves local names when DNS is unavailable.
Both are convenient but carry a security caveat: because any device on the segment can answer a multicast name query, LLMNR (and its NetBIOS sibling) is a well-known target for spoofing and credential-relay attacks on Windows networks. Many security teams disable LLMNR on port 5355 entirely.
DNS-based attacks to know
DNS's openness makes it a frequent target and tool for attackers:
- Amplification / reflection. Because a small spoofed UDP query to port 53 can trigger a large response, attackers abuse open resolvers to flood a victim with traffic. Do not run open recursive resolvers, and apply response-rate limiting.
- Cache poisoning. An attacker injects forged records into a resolver's cache so victims are sent to malicious IPs. DNSSEC, which signs responses, is the primary defense — and one reason TCP fallback on port 53 matters, since signed answers are larger.
- Unauthorized zone transfers. If a server allows zone transfers over TCP port 53 to anyone, attackers can download your entire internal DNS map for reconnaissance. Restrict transfers to known secondaries.
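The LLMNR spoofing caveat above and the three attack patterns in this list all leave traces that a resolver log or segment capture can surface. The following is an added detection example, not code from the ProtocolPorts page: it parses a small, constructed log (all addresses are documentation ranges, the line format is invented for this example) and flags a host answering LLMNR for names that are not its own, AXFR requests on port 53 from anything other than the known secondaries, and bursts of ANY queries that characterize amplification traffic.

```python
from collections import Counter, defaultdict, namedtuple

# Added detection example, not from the ProtocolPorts page. The log format and every
# address below are constructed for illustration; a real deployment would feed in
# resolver query logs or a packet capture decoded to the same fields.
# Fields: timestamp src dst dport proto qtype kind qname
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 192.0.2.10 224.0.0.252 5355 LLMNR A query FILESRV01
2024-05-01T10:00:00Z 192.0.2.66 192.0.2.10 51000 LLMNR A response FILESRV01
2024-05-01T10:00:01Z 192.0.2.11 224.0.0.252 5355 LLMNR A query PRINTER
2024-05-01T10:00:01Z 192.0.2.66 192.0.2.11 51001 LLMNR A response PRINTER
2024-05-01T10:00:02Z 192.0.2.12 224.0.0.252 5355 LLMNR A query WS20
2024-05-01T10:00:02Z 192.0.2.20 192.0.2.12 51002 LLMNR A response WS20
2024-05-01T10:00:03Z 198.51.100.7 203.0.113.53 53 DNS AXFR query corp.example
2024-05-01T10:00:04Z 203.0.113.9 203.0.113.53 53 DNS AXFR query corp.example
2024-05-01T10:00:05Z 198.51.100.20 203.0.113.53 53 DNS ANY query example.com
2024-05-01T10:00:05Z 198.51.100.20 203.0.113.53 53 DNS ANY query example.com
2024-05-01T10:00:06Z 198.51.100.20 203.0.113.53 53 DNS ANY query example.com
2024-05-01T10:00:06Z 198.51.100.20 203.0.113.53 53 DNS ANY query example.com
2024-05-01T10:00:07Z 198.51.100.20 203.0.113.53 53 DNS ANY query example.com
2024-05-01T10:00:07Z 198.51.100.20 203.0.113.53 53 DNS ANY query example.com
2024-05-01T10:00:08Z 192.0.2.30 203.0.113.53 53 DNS A query www.example.com
"""

Event = namedtuple("Event", "ts src dst dport proto qtype kind qname")


def parse_log(text: str) -> list:
    """Turn the whitespace-separated log into Event tuples; names are lower-cased for comparison."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, qtype, kind, qname = line.split()
        events.append(Event(ts, src, dst, int(dport), proto, qtype, kind, qname.lower()))
    return events


def rogue_llmnr_responders(events, max_names: int = 1) -> dict:
    """A legitimate host answers LLMNR only for its own name. A host answering for more distinct
    names than `max_names` is behaving like a spoofing responder and should be investigated."""
    names = defaultdict(set)
    for e in events:
        if e.proto == "LLMNR" and e.kind == "response":
            names[e.src].add(e.qname)
    return {host: sorted(n) for host, n in names.items() if len(n) > max_names}


def unauthorized_axfr(events, allowed_secondaries) -> list:
    """AXFR (zone transfer) requests on port 53 from any source that is not a known secondary."""
    hits = {(e.src, e.qname) for e in events
            if e.proto == "DNS" and e.qtype == "AXFR" and e.src not in allowed_secondaries}
    return sorted(hits)


def any_query_floods(events, threshold: int = 5) -> dict:
    """Bursts of ANY queries from one source are the classic amplification signature. The source
    address is usually the spoofed victim, so the fitting response is rate limiting, not a block list."""
    counts = Counter(e.src for e in events
                     if e.proto == "DNS" and e.qtype == "ANY" and e.kind == "query")
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rogue LLMNR responders:", rogue_llmnr_responders(evs))
    print("unauthorized AXFR:", unauthorized_axfr(evs, allowed_secondaries={"203.0.113.9"}))
    print("ANY query floods:", any_query_floods(evs))
```

On the constructed log, `192.0.2.66` is flagged because it answered for both FILESRV01 and PRINTER while `192.0.2.20` answered only for its own name, the transfer request from `198.51.100.7` is reported because only `203.0.113.9` is an authorized secondary, and `198.51.100.20` crosses the ANY-query threshold. The thresholds are starting points to tune against your own baseline, and the AXFR check is a detection complement to, not a replacement for, restricting transfers on the server itself.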
Conclusion
DNS lives on port 53 over both UDP and TCP — UDP for speed, TCP for zone transfers and large responses. Encrypt your lookups with DoT on port 853 or DoH on port 443, be wary of local resolvers on port 5353 and port 5355, and harden against amplification, poisoning, and zone-transfer leaks. Look up any unfamiliar port on ProtocolPorts.