Port reference
Port 853 (TCP) – DNS over TLS (DoT)
DNS over TLS — wraps DNS queries in a TLS tunnel so resolution cannot be read or tampered with in transit.
Default state
Open on resolvers that offer encrypted DNS. Distinct, easily blocked port, unlike DoH which hides inside HTTPS on 443.
Common attacks
- Downgrade to plaintext DNS on port 53 when DoT is blocked
- Port-853 blocking for censorship or to force cleartext resolution
- Certificate spoofing / MITM against clients that skip validation
- Malware abusing DoT to hide DNS-based C2 from inspection
Hardening
- Pin or strictly validate the resolver's certificate and SPKI
- Use Strict mode so failures do not silently fall back to port 53
- Block outbound plaintext DNS to force encrypted resolution
- Choose trusted resolvers and keep the DoT server (e.g. Unbound) patched
- Log and monitor DoT endpoints for anomalous query volume
nmap snippet
nmap -p853 --script ssl-cert,ssl-enum-ciphers <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 853?
Port 853 carries DNS over TLS (DoT), which wraps ordinary DNS queries in a TLS tunnel so that they cannot be read or altered in transit. It addresses the core weakness of plain DNS on port 53, where queries travel in cleartext and can be sniffed or spoofed. DoT uses a dedicated port, which makes it easy to identify — in contrast to DoH on port 443, which blends DNS into normal HTTPS traffic.
Why it matters for security
DoT protects the confidentiality and integrity of resolution: an on-path attacker can no longer see which domains a user visits or inject forged answers. That privacy gain matters, but DoT does not hide queries from the resolver itself, and its distinct port makes it a clean target for blocking. Adversaries who cannot read the traffic instead try to force a downgrade to plaintext DNS, where their usual interception and poisoning techniques work again.
How it's attacked
Network operators and attackers block port 853 to force clients back to cleartext port 53, then sniff or poison those queries — a downgrade attack. Clients that fail to validate the resolver's certificate can be MITM'd with a spoofed cert. Conversely, malware abuses DoT to encrypt its DNS-based C2, hiding tunnelled commands from network inspection.
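The two failure modes described above (clients quietly dropping back to cleartext port 53, and malware tunnelling its lookups through DoT) and the checklist item "log and monitor DoT endpoints for anomalous query volume" can all be checked from ordinary flow logs. The script below is an added example written for this page, not code from the page or from any resolver project: the log-line format, the addresses, the approved-resolver list and the thresholds are all constructed, and the sample log is embedded so it runs offline.

```python
"""Detection sketch over flow logs: unsanctioned DoT, plaintext-DNS downgrade, DoT volume spikes.
Added example, not from the page; the log format, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_RESOLVERS = {"10.0.0.53"}   # constructed: the only resolver clients are allowed to use
MAX_DOT_CONNS = 20                   # constructed per-source thresholds; tune to your own baseline
MAX_DOT_BYTES = 200_000
WINDOW = timedelta(minutes=5)

# Constructed flow-log line format: "<iso-ts> src=<ip> dst=<ip> dport=<port> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one flow-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"], "dst": m["dst"],
        "dport": int(m["dport"]), "bytes": int(m["bytes"]),
    }


def analyse(lines):
    """Return (severity, src, reason) findings for the three DoT-related rules."""
    findings, seen = [], set()
    dot_flows = defaultdict(list)    # src -> [(ts, bytes)] for flows to port 853
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        if rec["dport"] == 853:
            dot_flows[rec["src"]].append((rec["ts"], rec["bytes"]))
            # Rule 1: encrypted DNS to a resolver nobody approved can hide C2 lookups.
            if rec["dst"] not in APPROVED_RESOLVERS and key not in seen:
                seen.add(key)
                findings.append(("high", rec["src"], "DoT to unapproved resolver " + rec["dst"]))
        elif rec["dport"] == 53 and rec["dst"] not in APPROVED_RESOLVERS and key not in seen:
            # Rule 2: cleartext DNS leaving the network suggests port 853 was blocked and the
            # client downgraded, or that it silently fell back (opportunistic mode).
            seen.add(key)
            findings.append(("medium", rec["src"],
                             "plaintext DNS to " + rec["dst"] + " (possible downgrade/fallback)"))
    # Rule 3: sliding window per source. A DoT session carrying C2 or exfil shows up as far
    # more connections or bytes than ordinary name resolution needs.
    for src, flows in dot_flows.items():
        flows.sort()
        start, total = 0, 0
        for end, (ts, nbytes) in enumerate(flows):
            total += nbytes
            while ts - flows[start][0] > WINDOW:   # drop flows that left the window
                total -= flows[start][1]
                start += 1
            count = end - start + 1
            if count > MAX_DOT_CONNS or total > MAX_DOT_BYTES:
                findings.append(("medium", src,
                                 "%d DoT connections / %d bytes within %s" % (count, total, WINDOW)))
                break                              # one volume finding per source is enough
    return findings


# Constructed sample: one normal client, one chatty client on an unapproved resolver,
# one host that fell back to cleartext port 53 towards an external address, one bad line.
SAMPLE_LOG = (
    "2024-05-01T10:00:00Z src=10.0.0.5 dst=10.0.0.53 dport=853 bytes=410\n"
    "2024-05-01T10:00:02Z src=10.0.0.5 dst=10.0.0.53 dport=853 bytes=398\n"
    "2024-05-01T10:00:05Z src=10.0.0.7 dst=198.51.100.9 dport=853 bytes=3100\n"
    "2024-05-01T10:00:30Z src=10.0.0.9 dst=203.0.113.1 dport=53 bytes=80\n"
    "this line is malformed and is skipped\n"
    + "".join("2024-05-01T10:01:%02dZ src=10.0.0.7 dst=198.51.100.9 dport=853 bytes=9000\n" % i
              for i in range(25))
)

if __name__ == "__main__":
    for sev, src, reason in analyse(SAMPLE_LOG.splitlines()):
        print(sev, src, reason)
```

Rule 1 is the high-confidence signal: once outbound DoT is restricted to approved resolvers, any 853 flow elsewhere is either a misconfiguration or something trying to hide its lookups. Rule 3 needs a baseline; a handful of long-lived DoT sessions per host is normal because clients reuse connections, so tune the thresholds on your own traffic before alerting on them.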
Hardening checklist
Validate or pin the resolver certificate and its SPKI so MITM fails. Configure clients in Strict mode so a blocked or broken DoT connection does not silently fall back to port 53, and block outbound plaintext DNS to enforce encrypted resolution. Choose trusted resolvers and keep your DoT server (such as Unbound) patched. The nmap scripts above inspect the TLS certificate and ciphers on hosts you are authorised to test.
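What the first two checklist items look like in a client, as an added example that is not code from the page or from any DoT implementation: RFC 7858 carries each DNS message with the same 2-byte length prefix as DNS over TCP, the TLS context verifies the chain and hostname, the resolver's SubjectPublicKeyInfo is hashed and compared with a pin obtained out of band, and in Strict mode any failure raises instead of retrying over cleartext port 53. The minimal DER walker, the resolver name and the pin are assumptions made here; only the Python standard library is used.

```python
"""DNS-over-TLS client sketch: RFC 7858 length framing, strict mode and SPKI pinning.
Added example, not the page's own code. The DER walker and resolver details are assumptions."""
import base64
import hashlib
import secrets
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build one DNS query (default type A, class IN) with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    """DoT, like DNS over TCP, prefixes every message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def read_framed(sock):
    """Read exactly one length-prefixed DNS message from anything with a recv() method."""
    def read_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("resolver closed the connection")
            buf += chunk
        return buf
    return read_exact(struct.unpack("!H", read_exact(2))[0])

def _skip_name(msg, off):
    """Return the offset just past a domain name, handling compression pointers."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:                  # 2-byte pointer terminates the name
            return off + 2
        off += 1 + n

def parse_a_records(msg, expected_txid):
    """Return IPv4 answers; rejects a wrong transaction ID or a non-zero RCODE."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or flags & 0x000F:
        raise ValueError("transaction ID mismatch or RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def _der_tlv(der, off):
    """Minimal DER reader (assumption: well-formed input): (tag, value_start, value_end)."""
    tag, length, off = der[off], der[off + 1], off + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(der[off:off + n], "big"), off + n
    return tag, off, off + length

def spki_pin_sha256(der_cert):
    """base64(SHA-256(SubjectPublicKeyInfo DER)), the usual public-key pin format."""
    _, off, _ = _der_tlv(der_cert, 0)         # Certificate SEQUENCE
    _, off, _ = _der_tlv(der_cert, off)       # tbsCertificate SEQUENCE
    tag, _, end = _der_tlv(der_cert, off)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        off = end
    for _ in range(5):                        # serial, signature, issuer, validity, subject
        _, _, off = _der_tlv(der_cert, off)
    _, _, spki_end = _der_tlv(der_cert, off)  # subjectPublicKeyInfo SEQUENCE (whole TLV)
    return base64.b64encode(hashlib.sha256(der_cert[off:spki_end]).digest()).decode()

def resolve_dot(name, server, server_name, expected_pin="", strict=True, port=853):
    """Resolve over DoT. strict=True: any TLS, pin or transport failure raises; there is
    deliberately no branch that retries the query over cleartext port 53."""
    ctx = ssl.create_default_context()        # chain and hostname verification on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = secrets.randbelow(1 << 16)
    try:
        with socket.create_connection((server, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            if expected_pin:
                got = spki_pin_sha256(tls.getpeercert(binary_form=True))
                if got != expected_pin:
                    raise ssl.SSLError("SPKI pin mismatch, got " + got)
            tls.sendall(frame(build_query(name, txid=txid)))
            return parse_a_records(read_framed(tls), txid)
    except OSError as exc:                    # ssl.SSLError is an OSError subclass
        if strict:
            raise RuntimeError("DoT to %s:%d failed; strict mode, no port-53 fallback"
                               % (server, port)) from exc
        return []                             # opportunistic mode would fall back here
```

A call such as `resolve_dot("example.com", "9.9.9.9", "dns.quad9.net")` (Quad9's public DoT endpoint, assumed here, not taken from the page) performs a verified lookup; pass `expected_pin=` the base64 SPKI hash you fetched out of band to pin it. The pin covers only the SubjectPublicKeyInfo, so a resolver that renews its certificate with the same key keeps matching, while a certificate issued to an attacker (valid chain or not) does not. Note that `strict=False` returns an empty answer rather than silently resolving over port 53; if you do implement opportunistic fallback, do it knowingly and log it.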
Frequently asked questions
- What is the difference between port 853 (DoT) and port 443 (DoH)?
- DoT on 853 is a dedicated TLS port carrying only DNS, so it is easy to identify and block. DoH on 443 hides DNS inside ordinary HTTPS traffic, making it harder to distinguish.
- Does DNS over TLS make me anonymous?
- No. DoT encrypts queries from eavesdroppers on the path, but the resolver itself still sees every domain you look up. It is privacy from the network, not anonymity.