Port reference
Port 53 (TCP/UDP) – DNS
Domain Name System — resolves hostnames to IP addresses and serves zone data.
Quick facts
- Transport: tcp, udp
- Category: Well-known
- Risk level: High
Frequently targeted — restrict exposure and harden it.
Default state
Open on every recursive resolver and authoritative nameserver. Often unintentionally exposed as an open resolver on the internet.
Common attacks
- DNS amplification / reflection DDoS via open resolvers
- Unauthorized zone transfer (AXFR) leaking internal records
- Cache poisoning and spoofing of recursive answers
- DNS tunneling for covert exfiltration and C2
Hardening
- Disable open recursion — answer recursive queries only for trusted clients
- Restrict zone transfers (AXFR) to authorized secondaries by IP and TSIG
- Enable DNSSEC validation so forged answers for signed zones are rejected; unsigned zones still depend on the resolver's source-port and transaction-ID randomization
- Rate-limit responses (RRL) to blunt amplification abuse
- Keep BIND/Unbound/Knot patched; separate authoritative and recursive roles
nmap snippet
nmap -sSU -p 53 --script dns-recursion,dns-zone-transfer,dns-cache-snoop <target>
Replace <target> with the host or range you're authorized to scan. Both scan types are needed: dns-recursion and dns-cache-snoop run against UDP 53, while dns-zone-transfer runs against TCP 53 and usually needs the zone name, passed as --script-args dns-zone-transfer.domain=<zone>.
How to check if this port is open
ss -tulpn | grep :53
lsof -i :53
nmap -sSU -p 53 <target>
netstat -ano | findstr :53
Test-NetConnection <host> -Port 53
Note that nmap without -sU and Test-NetConnection only test TCP; a resolver that answers only over UDP will look closed to them.
How to block this port
sudo ufw deny 53/tcp
sudo firewall-cmd --permanent --remove-port=53/tcp
sudo firewall-cmd --reload
sudo iptables -A INPUT -p tcp --dport 53 -j DROP
New-NetFirewallRule -DisplayName "Block 53" -Direction Inbound -Protocol TCP -LocalPort 53 -Action Block
These rules cover TCP only. Most DNS traffic is UDP, so repeat each rule for udp (53/udp, -p udp, -Protocol UDP) or the server will keep answering queries. Block port 53 only on hosts that are not meant to serve DNS; on a resolver or authoritative server it breaks name resolution for every client.
What runs on port 53?
Port 53 carries the Domain Name System (DNS), which translates human-readable hostnames into IP addresses and serves other record types (MX, TXT, SRV). It is used by both recursive resolvers that look up answers on behalf of clients and authoritative nameservers that publish a zone's records. UDP 53 handles the bulk of queries; TCP 53 is used for large responses and for zone transfers.
Why it matters for security
DNS is foundational — if resolution is poisoned or unavailable, almost everything downstream breaks. Because a tiny UDP query can trigger a large response, open resolvers are abused as amplifiers in reflection DDoS that swamp third-party victims. Authoritative servers that allow unrestricted zone transfers leak a full map of internal hosts, and resolvers without DNSSEC can be tricked into caching forged answers that redirect users to attacker infrastructure.
How it's attacked
Attackers enumerate open resolvers and reflect spoofed-source queries off them for amplification DDoS. Against authoritative servers they attempt AXFR zone transfers to harvest internal records. Recursive resolvers are targeted with cache-poisoning and spoofing to hijack name resolution, while compromised hosts use DNS tunneling to smuggle data out past firewalls that trust port 53.
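The two exposures described above, open recursion with its amplification gain and an unauthenticated AXFR, as an added example that is not from this page or from any DNS project. It builds the DNS messages by hand in RFC 1035 wire format so the flags that decide the outcome (RD, RA, TC, RCODE) are visible. build_sample_response() is a constructed, synthetic response used for the offline demonstration; probe_udp() and check_axfr() send real traffic and should only be pointed at servers you are authorized to test. Hostnames, zone names and sizes are illustrative assumptions.

```python
"""Probe a DNS server for open recursion, measure amplification, and test AXFR.

Added example: hand-built RFC 1035 messages, no DNS library.  The sample
response is constructed for offline use; the socket functions talk to a server.
"""
import os
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "TXT": 16, "AXFR": 252, "ANY": 255}
RCODE_REFUSED = 5


def encode_name(name):
    # "example.com" -> 07 "example" 03 "com" 00 (length-prefixed labels)
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype="A", rd=True, txid=None):
    """12-byte header + question section.  RD=1 asks the server to recurse."""
    txid = os.urandom(2) if txid is None else struct.pack("!H", txid)
    flags = 0x0100 if rd else 0x0000              # QR=0, OPCODE=QUERY, RD bit
    header = txid + struct.pack("!HHHHH", flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg):
    """Header fields needed to classify a response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid,
            "qr": bool(flags & 0x8000),
            "tc": bool(flags & 0x0200),           # truncated: client retries over TCP 53
            "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080),           # recursion available
            "rcode": flags & 0x000F,              # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
            "answers": an}


def classify(query, response):
    """Open resolver = it recursed on our behalf: RA set, NOERROR, answers returned."""
    h = parse_header(response)
    if not h["qr"] or h["id"] != struct.unpack("!H", query[:2])[0]:
        return "invalid"
    if h["rcode"] == RCODE_REFUSED:
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["answers"] > 0:
        return "open-recursion"
    return "recursion-unavailable"


def amplification(query, response):
    """Response bytes per query byte: the gain from reflecting spoofed queries off this server."""
    return len(response) / len(query)


def build_sample_response(query, rr_count, rdata_len, ra=True, rcode=0):
    """Constructed response (not real server output): echoes the question and
    appends rr_count TXT records whose owner name is a compression pointer
    (0xC00C) to the question name.  RDATA is filler chosen for size only."""
    flags = 0x8100 | (0x0080 if ra else 0) | rcode   # QR=1, RD=1, RA?, RCODE
    header = query[:2] + struct.pack("!HHHHH", flags, 1, rr_count, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE["TXT"], 1, 3600, rdata_len) + b"A" * rdata_len
    return header + query[12:] + rr * rr_count


def probe_udp(server, name="example.com", qtype="A", timeout=3.0):
    """Send one recursive query over UDP/53; returns (query, response)."""
    q = build_query(name, qtype, rd=True)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    return q, resp


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def check_axfr(server, zone, timeout=5.0):
    """Request a zone transfer over TCP/53 (each message carries a 2-byte length
    prefix) and classify the first reply: NOERROR with records means the server
    hands out the zone; REFUSED or NOTAUTH means transfers are restricted."""
    q = build_query(zone, "AXFR", rd=False)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (n,) = struct.unpack("!H", _recv_exact(s, 2))
        msg = _recv_exact(s, n)
    h = parse_header(msg)
    return "axfr-allowed" if h["rcode"] == 0 and h["answers"] > 0 else "axfr-restricted"


if __name__ == "__main__":
    import sys
    server = sys.argv[1]
    zone = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    q, r = probe_udp(server)
    print(classify(q, r), "amplification x%.1f" % amplification(q, r))
    print(check_axfr(server, zone))
```

Run it as `python3 dnsprobe.py <server> <zone>` against a host you own. A 29-byte A query answered with ten 200-byte records comes back at over 70 times the request size, which is the ratio an attacker spoofs a victim's source address to exploit; a server that returns REFUSED to a recursive query, and REFUSED or NOTAUTH to the AXFR, is what the hardening section below aims for.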
Hardening checklist
Turn off open recursion and serve recursive queries only to known clients. Restrict AXFR to authorized secondaries using IP allowlists and TSIG keys. Deploy DNSSEC validation so forged answers for signed zones are rejected, and enable response rate limiting to curb amplification. Split authoritative and recursive roles, and keep your DNS software patched. Use the nmap snippet above to check for recursion and zone-transfer exposure on servers you are authorized to test.
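The hardening list and checklist above, expressed as BIND 9 named.conf fragments, as an added example that is not from this page or from the BIND project. The weak configuration is shown first, then the two hardened roles kept on separate servers. The zone name, ACL ranges, secondary address and key name are assumptions; generate the TSIG secret with tsig-keygen rather than copying the placeholder.

```conf
// WEAK: one server that recurses for anyone and hands its zones to anyone.
options {
    recursion yes;
    allow-recursion { any; };     // open resolver: amplification reflector
    allow-transfer { any; };      // AXFR from any source leaks the whole zone
};

// HARDENED, server 1: authoritative only (no recursion at all).
key "xfer-key" {                  // assumed key name; secret from: tsig-keygen xfer-key
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";
};
options {
    recursion no;                 // authoritative role never recurses
    allow-transfer { none; };     // global default: deny AXFR, allow per zone below
    minimal-responses yes;        // smaller replies, less amplification value
    rate-limit {                  // RRL: cap identical responses per client prefix
        responses-per-second 10;
        window 5;
    };
};
zone "example.com" {              // assumed zone
    type primary;
    file "example.com.zone";
    // Require BOTH the secondary's address AND a valid TSIG signature:
    // the inner negated list rejects any source other than 192.0.2.53,
    // then only requests signed with xfer-key are accepted.
    allow-transfer { !{ !192.0.2.53; any; }; key xfer-key; };
    also-notify { 192.0.2.53; };
};

// HARDENED, server 2: recursive resolver for the internal network only.
acl internal { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.1; ::1; };  // assumed ranges
options {
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };   // refuse recursion from everyone else
    allow-transfer { none; };        // a resolver has no zones to transfer
    dnssec-validation auto;          // validate signed zones with the built-in trust anchor
    rate-limit { responses-per-second 10; };
};
```

After reloading, confirm the change from outside the allowlist: a recursive query to server 1 or from an external address to server 2 should return REFUSED rather than an answer with the RA flag, and an AXFR request without the key should return REFUSED or NOTAUTH.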
Frequently asked questions
- Does DNS use TCP or UDP?
- Both. DNS uses UDP 53 for most queries and switches to TCP 53 when a response is too large for UDP (the server sets the TC bit and the client retries over TCP) and for zone transfers (AXFR).
- Why is an open DNS resolver dangerous?
- Open resolvers answer recursive queries from anyone, letting attackers spoof a victim's IP and use the small-query/large-response gap for amplification DDoS.