Glossary · 3 min read

DNS Ports Explained

Understand which network ports DNS uses, including port 53 for standard queries, port 443 for DNS over HTTPS, and port 853 for DNS over TLS.

DNS Ports Explained

DNS traffic uses specific network ports depending on the protocol and transport method. Understanding these ports is essential for firewall configuration, network troubleshooting, and implementing encrypted DNS.

Port 53: Standard DNS

Port 53 is the default port for DNS queries and responses, used for both UDP and TCP transport.

  • UDP/53 handles the vast majority of DNS queries. Standard DNS queries and responses fit within a single UDP datagram (originally limited to 512 bytes, extended to 4096 bytes with EDNS0 per RFC 6891).
  • TCP/53 is used when responses exceed the UDP payload limit, when the resolver retries after a truncated UDP response (the TC flag), and for zone transfers (AXFR and IXFR) between authoritative servers.

If your firewall blocks port 53, DNS resolution fails entirely. This is the first port to check when troubleshooting DNS connectivity. Use our DNS lookup tool to verify that your domain's records resolve correctly from external resolvers.

Port 443: DNS over HTTPS (DoH)

DNS over HTTPS (DoH), defined in RFC 8484, encapsulates DNS queries inside standard HTTPS traffic on port 443.

  • Queries are sent as HTTP POST or GET requests to a resolver's DoH endpoint (e.g., https://1.1.1.1/dns-query).
  • Because it uses the same port as regular HTTPS, DoH traffic is indistinguishable from normal web browsing to network observers.
  • Browser support: Firefox, Chrome, Edge, and Safari all support DoH. Firefox uses Cloudflare's resolver by default in the U.S.
  • Trade-off: DoH provides privacy from on-path observers but makes network-level DNS filtering (used by corporate firewalls and parental controls) difficult to enforce.

Port 853: DNS over TLS (DoT)

DNS over TLS (DoT), defined in RFC 7858, wraps DNS queries in a TLS connection on a dedicated port.

  • Unlike DoH, DoT uses its own port (853), making it identifiable and filterable by network administrators.
  • DoT provides the same encryption and privacy benefits as DoH but is easier to manage in enterprise environments because firewalls can specifically allow or block port 853.
  • OS support: Android 9+ supports DoT natively ("Private DNS" setting). Linux resolvers like systemd-resolved also support it.

Zone Transfers: TCP/53

DNS zone transfers (AXFR for full transfers, IXFR for incremental) use TCP on port 53. Zone transfers replicate the entire contents of a DNS zone from a primary server to secondary servers.

Because zone transfers expose all records in a zone, they should be restricted by IP address using access control lists (ACLs) on the authoritative server. Unrestricted zone transfers are a well-known security misconfiguration.

Port Summary

Port Protocol Purpose
53 UDP Standard DNS queries
53 TCP Large responses, zone transfers
443 TCP (HTTPS) DNS over HTTPS (DoH)
853 TCP (TLS) DNS over TLS (DoT)

Firewall Recommendations

For a standard DNS server, allow inbound and outbound UDP/53 and TCP/53. If you run a recursive resolver that supports encrypted DNS, also open 443 (DoH) or 853 (DoT) as appropriate. Always restrict zone transfer access on TCP/53 to known secondary server IPs.

Verify that your domain's DNS is reachable and returning correct records using our DNS lookup tool.

Stay on top of your email infrastructure. Sign up for the InboxTooling newsletter for deliverability tips, tool updates, and best practices.

More glossary terms

DNS Record Types: A Complete Reference Guide

A technical reference for all major DNS record types including A, AAAA, MX, CNAME, TXT, NS, SOA, PTR, SRV, and CAA. Includes example values and use cases.

How Do IP Addresses Work?

Understand how IP addresses work, including IPv4 vs IPv6 formats, public vs private addresses, static vs dynamic assignment, NAT, and CIDR notation.

SMTP Ports Explained: 25, 465, 587, and 2525

Understand the four SMTP ports, when to use each one, the difference between STARTTLS and implicit TLS, and why ISPs block port 25.

What Is DKIM (DomainKeys Identified Mail)?

Learn how DKIM uses cryptographic signatures to authenticate email, including selector records, public/private key pairs, and the verification process per RFC 6376.

What Is DMARC?

Understand DMARC, how it builds on SPF and DKIM with alignment checks, policy options (none, quarantine, reject), and aggregate vs forensic reporting per RFC 7489.

What Is DNS (Domain Name System)?

Learn how the Domain Name System works, including recursive and iterative queries, root servers, caching, and TTL values. A technical overview referencing RFC 1035.

What Is Secure DNS (DoH and DoT)?

Learn about secure DNS protocols including DNS over HTTPS, DNS over TLS, and DNSSEC. Understand why standard DNS is insecure and how to protect your queries.

What Is a Domain Name?

Learn what a domain name is, how domains map to IP addresses via DNS, the difference between TLD types, and how subdomains, URLs, and hostnames relate.

What Is a Gateway IP Address?

Learn what a gateway IP address is, how default gateways route traffic between networks, and how to find your gateway address on any operating system.

What Is a Reverse Lookup?

Understand reverse lookups including reverse DNS (PTR records), reverse IP lookups, and reverse email lookups. Learn how each works, common use cases, and limitations.

What Is a Reverse Proxy?

Learn how reverse proxies work, the difference between forward and reverse proxies, and common use cases including load balancing, SSL termination, and caching.

What Is an Email Bounce?

Understand email bounces, the difference between hard and soft bounces, common SMTP error codes, and how bounces affect sender reputation.

What Is an Email Domain Name?

Learn what an email domain is, how the @domain.com part of email addresses works with MX records to route messages, and the difference between free and custom email domains.

What Is an SMTP Server?

Learn how SMTP servers work, the difference between MTA, MSA, and MDA, and how email is delivered hop by hop using the SMTP protocol defined in RFC 5321.

What Is an SPF Record?

Understand SPF records, how they authorize email senders, the TXT record format, and how receivers evaluate SPF results including pass, fail, and softfail.

What Is an SSL Certificate?

Learn how SSL/TLS certificates encrypt internet traffic, how the chain of trust works, the difference between DV, OV, and EV certificates, and why TLS replaced SSL.