The answer is DNS is mostly UDP Port 53, but as time progresses, DNS will rely on TCP Port 53 more heavily. DNS has always been designed to use both UDP and TCP port 53 from the start1 , with UDP being the default, and fall back to using TCP when it is unable to communicate on UDP, typically when the packet size is too large to push through in a single UDP packet.
When Does DNS Switch to TCP?
The next natural question is: when will DNS messages exceed 512 bytes? Actually, this happens quite often in today’s environment. When DNS was first implemented, the only thing that would be so large that it exceeded the 512-byte limit was a zone transfer, in which one DNS server sends every single resource record in the zone to another machine, usually another DNS server.
In modern DNS systems though, we are increasingly seeing resource record sets (or RRsets) that have a larger combined size. For example, Figure FAQ-5 illustrates querying for www.example.com may yield results such as this (AAAA are IPv6 records):
Or the same query might return the following TXT records, each providing a specific function such as spam detection or site verification as demonstrated in Figure FAQ-6:
If a zone is signed by DNSSEC, it will routinely return large responses due to the cryptographic keys and signatures as shown in Figure FAQ-7:
As more and more people adopt newer features such as IPv6, spam avoidance, and DNSSEC, DNS is more likely to switch to TCP due to the larger response size.
What Happens If TCP Is Blocked?
Whatever the case, when the message size exceeds 512 bytes, it will trigger the ‘TC’ bit (Truncation) in DNS to be set, informing the client that the message length has exceeded the allowed size. In these situations, the client needs to re-transmit over TCP for which the size limit is 64000 bytes. If DNS servers and network environment cannot support large UDP packets, it will cause retransmission over TCP; if TCP is blocked, the large UDP response will either result in IP fragmentation or be dropped completely. The end symptom to the end client is usually slow DNS resolution, or inability to resolve certain domain names at all.
Size Matters: EDNS
You might be wondering where the size limit of 512 bytes come from. The 512-byte UDP payload size is a dependency on IPv4. The IPv4 standard2 specifies that every host must be able to reassemble packets of 576 bytes or less, take away header and other options, that leaves 512 bytes for payload data. This is the reason why there are precisely 13 DNS root servers3 originally: 13 domain names and 13 IPv4 addresses fit nicely into a single UDP packet.
This size limitation was recognized long ago as a problem. In 1999, Extension Mechanism for DNS (EDNS) was proposed, and it has been updated over the years, increasing the size all the way to 4096 bytes, or 4 kilobytes. So, if you are running a reasonably up to date DNS server, the chances of it switching to TCP should be slim(mer).
However, even though EDNS has been around a long time, its support has not been as universal as it should be4 . Some network equipment, such as firewalls, might still make assumptions about DNS packet size. A firewall may drop or reject a large DNS packet, thinking it is an attack. This behavior may not have caused visible problems in the past (or it did but no one understood why), but as DNS data continues to increase in size, it is important that all network equipment is configured correctly to support large DNS packet sizes. If the network environment does not fully support large DNS messages, it may lead to the DNS message being rejected by network gear, or partially dropped during fragmentation. What this looks like to the end user is that DNS queries are going unanswered, or take a very long time, giving the impression that “DNS/network is really slow.”
While EDNS is necessary for the operation of modern-day DNS, the ability to send larger messages contributed to volumetric attacks such as Amplification and Reflection.
1 RFC 1034, written in 1987, specified the use of TCP for DNS as a requirement.
2 RFC 791, which was published in 1981
3 While there are still only 13 IPv4 addresses for DNS root today, it is actually distributed across many nodes across the world using techniques such as anycast and load balancing.
4 Recognizing this problem, the DNS community held a “DNS Flag Day” event on February 1st, 2019, declaring it the day that EDNS must be fully support going forward.
FAQs
The answer is DNS is mostly UDP Port 53, but as time progresses, DNS will rely on TCP Port 53 more heavily.
What is DNS base port 53? ›
The DNS uses TCP Port 53 for zone transfers, for maintaining coherence between the DNS database and the server. The UDP protocol is used when a client sends a query to the DNS server. The TCP protocol should not be used for queries as it gives a lot of information, which is useful to attackers.
Why does HTTP use TCP and DNS use UDP? ›
Simplicity - UDP is a lot simpler than TCP. TCP is optimized for long data transfers and has a bunch of complex mechanisms such as flow control and congestion control for optimizing the rate of data flow. DNS doesn't need any of these mechanisms for simple queries since the typical amount of sent data is tiny.
What is port 43 and 53? ›
Port 43 is dedicated to the WHOIS system which can check who owns a domain. The domain name service (DNS) makes use of port 53. DHCP uses port 67 as the server port, and port 68 as the client port. HTTP, the hypertext transfer protocol, uses port 80 to deliver web pages.
What ports are required for DNS forwarding? ›
By default, DNS Forwarder uses TCP port 443. However, you can modify the DoT port in Security Connector to TCP port 853. If you modify the DoT port, make sure you allow port 853 in your firewall.
Is port 53 TCP or UDP? ›
The standard port for DNS is port 53. DNS client applications use the DNS protocol to query and request information from DNS servers, and the server returns the results to the client using the same port. Port 53 is used for both TCP and UDP communication.
Is DNS port TCP or UDP? ›
DNS has always been designed to use both UDP and TCP port 53 from the start 1 , with UDP being the default, and fall back to using TCP when it is unable to communicate on UDP, typically when the packet size is too large to push through in a single UDP packet.
Why is DNS sent with UDP? ›
DNS requests use UDP because the user will retry an operation if the DNS resolution fails. As another example, the Network File System (NFS), a remote file system application, performs recovery with application layer code, so UDP features are acceptable to NFS."....
Why would you use UDP instead of TCP? ›
The main difference between TCP (transmission control protocol) and UDP (user datagram protocol) is that TCP is a connection-based protocol and UDP is connectionless. While TCP is more reliable, it transfers data more slowly. UDP is less reliable but works more quickly.
Is DHCP a TCP or UDP port? ›
The DHCP employs a connectionless service model, using the User Datagram Protocol (UDP). It is implemented with two UDP port numbers for its operations which are the same as for the bootstrap protocol (BOOTP). The server listens on UDP port number 67, and the client listens on UDP port number 68.
Configuring Firewalls for Port 53
To allow access to port 53 on a device, you must configure your firewall to open the port. But you should only do this if the device provides DNS services.
Is port 53 vulnerable? ›
Security & Compliance
UDP port 53 is used by the DNS protocol to resolve domain names to IP addresses and vice versa. If it is left open and unrestricted, it can be exploited by attackers to redirect users to malicious websites, intercept sensitive information or launch DDoS attacks.
What is the best port for DNS? ›
Port 53 is the well-known port number for DNS.
What port does DNS normally use? ›
A DNS server uses well-known port 53 for all its UDP activities and as its server port for TCP. It uses a random port above 1023 for TCP requests. A DNS client uses a random port above 1023 for both UDP and TCP.
What ports does DNS connection use? ›
DNS uses port 53. DNS configuration is optional. You only need to configure DNS if destinations use host names (destination include SNMP, E-mail, Outbound SCI). You can add up to three DNS servers (see Launch the Configuration Wizard).
Is DNS port 53 Secure? ›
Security & Compliance
UDP port 53 is used by the DNS protocol to resolve domain names to IP addresses and vice versa. If it is left open and unrestricted, it can be exploited by attackers to redirect users to malicious websites, intercept sensitive information or launch DDoS attacks.
Is DNS port 53 source or destination? ›
A server-to-client response - source port is 53, destination port is above 1023. A server-to-server query or response - at least with UDP, where both source and destination port are 53; with TCP, the requesting server will use a port above 1023.
What is DNS tunneling port 53? ›
This enables various types of communication over the DNS protocol, including file transfer, C2 and web browsing. Why perform DNS tunneling? DNS normally uses UDP port 53, which is usually open on clients, systems, servers and firewalls to transmit DNS queries. DNS is a fundamental component of the internet.
Why is DNS called Route 53? ›
The name for our service (Route 53) comes from the fact that DNS servers respond to queries on port 53 and provide answers that route end users to your applications on the Internet.
