Port 53 (tcp/udp) (2024)

DNS (Domain Name Service) is used for domain name resolution. There are some attacks that target vulnerabilities within DNS servers.

Cisco Webex Teams services use these ports:
443, 444, 5004 TCP
53, 123, 5004, 33434-33598 UDP (SIP calls)

Xbox 360 (Live) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP
Xbox One (Live) ports: 3074 TCP/UDP, 53 TCP/UDP, 80 TCP, 88 UDP, 500 UDP, 3544 UDP, 4500 UDP

Apple MacDNS, FaceTime also use this port.

Some trojans also use this port: ADM worm, Bonk (DoS) trojan, li0n, MscanWorm, MuSka52, Trojan.Esteems.C [Symantec-2005-051212-1727-99] (2005.05.12), W32.Spybot.ABDO [Symantec-2005-121014-3510-99] (2005.12.10).

W32.Dasher.B [Symantec-2005-121610-5037-99] (2005.12.16) - a worm that exploits the MS Distributed Transaction Coordinator Remote exploit (MS Security Bulletin [MS05-051]).
Listens for remote commands on port 53/tcp. Connects to an FTP server on port 21211/tcp. Scans for systems vulnerable to the [MS05-051] exploit on port 1025/tcp.

Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept incoming packets from DNS (UDP port 53), which allows remote attackers to bypass the firewall filters via packets with a source port of 53.
References: [CVE-2003-1491] [BID-7436]
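
The rule class described in the Kerio entry above, contrasted with reply tracking, as an added Python example (not Kerio's code and not from the original page). The addresses, ports and names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"

HOST = "192.0.2.10"  # constructed address of the protected host

def stateless_allow(pkt: Packet) -> bool:
    """Weak rule: accept any inbound UDP packet whose source port is 53."""
    return pkt.proto == "udp" and pkt.dst_ip == HOST and pkt.src_port == 53

class StatefulFilter:
    """Accept an inbound packet only as the reply to a query this host sent."""
    def __init__(self, resolvers):
        self.resolvers = set(resolvers)   # resolvers the host may query
        self.pending = set()              # (resolver_ip, local_port) awaiting a reply

    def outbound(self, pkt: Packet) -> bool:
        ok = (pkt.proto == "udp" and pkt.src_ip == HOST
              and pkt.dst_port == 53 and pkt.dst_ip in self.resolvers)
        if ok:
            self.pending.add((pkt.dst_ip, pkt.src_port))
        return ok

    def inbound(self, pkt: Packet) -> bool:
        key = (pkt.src_ip, pkt.dst_port)
        if pkt.proto == "udp" and pkt.src_port == 53 and key in self.pending:
            self.pending.discard(key)     # one reply per outstanding query
            return True
        return False

def demo():
    """Run constructed packets through both filters and return the verdicts."""
    fw = StatefulFilter(resolvers={"198.51.100.53"})
    query = Packet(HOST, 40000, "198.51.100.53", 53)
    reply = Packet("198.51.100.53", 53, HOST, 40000)
    unsolicited = Packet("203.0.113.7", 53, HOST, 8080)  # source port 53, no query sent
    fw.outbound(query)
    return {
        "stateless_reply": stateless_allow(reply),
        "stateless_unsolicited": stateless_allow(unsolicited),
        "stateful_reply": fw.inbound(reply),
        "stateful_unsolicited": fw.inbound(unsolicited),
        "stateful_replay": fw.inbound(reply),
    }
```

The stateless rule cannot tell a resolver's reply from any other packet that claims source port 53; the stateful filter accepts only the packet that matches an outstanding query.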

Stack-based buffer overflow in the dns_decode_reverse_name function in dns_decode.c in dproxy-nexgen allows remote attackers to execute arbitrary code by sending a crafted packet to port 53/udp, a different issue than [CVE-2007-1465].
References: [CVE-2007-1866] [SECUNIA-24688]

Siemens Gigaset SE461 WiMAX router 1.5-BL024.9.6401, and possibly other versions, allows remote attackers to cause a denial of service (device restart and loss of configuration) by connecting to TCP port 53, then closing the connection.
References: [CVE-2009-1152] [BID-34220]

Cisco IOS is vulnerable to a denial of service, caused by an error in NAT of DNS. By sending specially-crafted DNS packets to TCP port 53, a remote attacker could exploit this vulnerability to cause the device to reload.
References: [CVE-2013-5479], [XFDB-87455]

haneWIN DNS Server is vulnerable to a denial of service attack. A remote attacker could send a large amount of data to port 53 and cause the server to crash.
References: [XFDB-90583], [BID-65024], [EDB-31014]

named in ISC BIND 9.x (before 9.9.7-P2 and 9.10.x before 9.10.2-P3) allows remote attackers to cause a denial of service (DoS) via TKEY queries. A constructed packet can use this vulnerability to trigger a REQUIRE assertion failure, causing the BIND daemon to exit. Both recursive and authoritative servers are vulnerable. The exploit occurs early in the packet handling, before checks enforcing ACLs or configuration options that limit/deny service.
See: [CVE-2015-5477]

Tftpd32 is vulnerable to a denial of service, caused by an error when processing requests. If the DNS server is enabled, a remote attacker could send a specially-crafted request to UDP port 53 to cause the server to crash.
References: [XFDB-75884] [BID-53704] [SECUNIA-49301]

TP-Link TL-WR886N 7.0 1.1.0 devices allow remote attackers to cause a denial of service (Tlb Load Exception) via crafted DNS packets to port 53/udp.
References: [CVE-2018-19528]

MikroTik RouterBOARD v6.39.2 and v6.40.5 allows an unauthenticated remote attacker to cause a denial of service by connecting to TCP port 53 and sending data that begins with many '\0' characters, possibly related to DNS.
References: [CVE-2017-17537], [EDB-43200]

FAQs

Is port 53 TCP or UDP?

DNS mostly uses UDP port 53, but as time progresses, DNS will rely on TCP port 53 more heavily.

Is it okay to have port 53 open?

UDP port 53 is used by the DNS protocol to resolve domain names to IP addresses and vice versa. If it is left open and unrestricted, it can be exploited by attackers to redirect users to malicious websites, intercept sensitive information or launch DDoS attacks.

Why would port 53 be unreachable?

One of the biggest issues related to using port 53 is when the port is unreachable on a given device. To resolve this, you must ensure the port has been properly opened on your firewall.

What is the vulnerability of port 53?

Port 53 Vulnerabilities

This port is particularly vulnerable to Distributed Denial of Service (DDoS) attacks, where attackers overwhelm the DNS server with a flood of requests, potentially disrupting service.

How do I know if my port is TCP or UDP?

netstat -a: displays all connections and listening ports.
netstat -t: displays only TCP connections.
netstat -u: displays only UDP connections.
netstat -n: shows numerical addresses instead of trying to determine symbolic host, port or user names.

What ports are UDP?

UDP gets to use the whole range of ports TCP does, 1 to 65535, and even shares a few with similar services in the TCP world. UDP is an IP protocol, not a port. (Don't get the idea that all IP protocols have the same port range, or ports at all, either.)

Should I disable port 53?

Normally a firewall should have an explicit deny all policy, then multiple allow policies for what IS allowed (i.e. exception to the deny all). If it's set up that way, you don't need to disable port 53, it will be covered by the deny all. Port 53 is usually NOT web traffic, so a web filtering policy would not work.

How to check if port 53 is open?

Easy Ways to Identify Open Ports
  1. On Windows devices, enable Telnet. Open a command prompt and type “ipconfig.” Use the IP address and port number to locate an open port.
  2. For Mac devices, open a Terminal window. Type “netstat -nr | grep default” into the program. Then, type “nc -vs” + your IP + port number to locate.

Is port 53 unencrypted?

Is Port 53 secure? No, plain DNS traffic over port 53 is unencrypted and insecure. It is susceptible to attacks like snooping, spoofing, and interception. To secure port 53, it is recommended that DNS queries be encrypted using VPNs, DNSCrypt, DoH, etc.

Does DNS use TCP or UDP?

DNS uses both TCP and UDP, for valid reasons described below. UDP messages aren't larger than 512 bytes and are truncated when greater than this size. DNS uses TCP for zone transfers and UDP for name queries, either regular (primary) or reverse.
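
How a client recognises a truncated UDP answer and moves to TCP, as an added example that is not from the original page: it reads the TC flag in the 12-byte DNS header and, for the TCP retry, adds the two-byte length prefix. The function names and sample messages are constructed.

```python
import struct

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080  # DNS header flag bits

def build_query(qname, txid, qtype=1):
    """Encode a minimal query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the fixed 12-byte header that starts every DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "tc": bool(flags & TC),
            "rcode": flags & 0x000F, "ancount": an}

def next_step(query, response):
    """Decide what to do with a UDP response to our query."""
    q, r = parse_header(query), parse_header(response)
    if not r["qr"] or r["id"] != q["id"]:
        return "drop"          # not a response, or not to our query
    if r["tc"]:
        return "retry-tcp"     # answer did not fit in the UDP message
    return "accept"

def tcp_frame(msg):
    """DNS over TCP prefixes each message with its length (2 bytes)."""
    return struct.pack("!H", len(msg)) + msg

def sample_response(txid, truncated):
    """Constructed response header only, enough to exercise the flags."""
    flags = QR | RD | RA | (TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0 if truncated else 1, 0, 0)
```

A firewall that permits only UDP port 53 breaks the "retry-tcp" path, so clients behind it fail on any answer that comes back truncated.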

Which ports to disable?

Common High-Risk Ports

| Port | Protocol | Recommended Action |
| --- | --- | --- |
| 25 | TCP | Disable always. Use SMTPS instead. |
| 110 | TCP | Disable always. Use POP3S instead. |
| 143 | TCP | Disable always. Use IMAPS instead. |
| 80, 8000, 8080, and 8888 | TCP | Disable recommended. Use HTTPS instead. |

What is error message UDP port 53 unreachable?

The UDP protocol reveals that the DNS server is down or unreachable. As evident from the results of the network analysis, the ICMP echo reply returned the error message “udp port 53 unreachable.” Port 53 is commonly used for DNS protocol traffic. It is highly likely that the DNS server is not responding.

What is port 53 UDP used for?

The standard port for DNS is port 53. DNS client applications use the DNS protocol to query and request information from DNS servers, and the server returns the results to the client using the same port. Port 53 is used for both TCP and UDP communication.

What are the three most common ports that get hacked?

Ports 80, 443, 8080 and 8443 (HTTP and HTTPS)

As the most popular internet protocols, HTTP and HTTPS tend to be targeted by malicious actors. Their actions often involve SQL injections, cross-site scripting, DDoS attacks, and request forgery.

What listens on port 53?

DNS servers listen on port 53 for queries from DNS clients. Incoming UDP packets carry queries which expect a short reply, and TCP connections carry queries requiring longer and more complete replies.

What is the TCP IP 53 port?

Port 53 is the standard port for DNS traffic and allows computers to translate domain names into IP addresses through DNS queries. It uses both TCP and UDP for communications. UDP is more common for standard DNS queries, while TCP is used for zone transfers between DNS servers.

Is DHCP TCP or UDP?

DHCP employs a connectionless service model, using the User Datagram Protocol (UDP). It is implemented with two UDP port numbers for its operations, which are the same as for the bootstrap protocol (BOOTP). The server listens on UDP port number 67, and the client listens on UDP port number 68.

What is IP protocol 53?

A swIPe packet is an IP packet of protocol type 53. A swIPe packet starts with a header, which contains identifying data and authentication information; the header is followed by the original IP datagram, which in turn is followed by any padding required by the security processing.

Is port 49 TCP or UDP?

Well-known ports

| Port | TCP |
| --- | --- |
| 49 | Yes |
| 50 | Assigned |
| 51 | Reserved |
| 52 | Assigned |

Article information

Author: Manual Maggio
