DNS (Domain Name System) on port 53 is the internet's phonebook — translating human-readable domain names to IP addresses. Every web request, email send, software update, and most application network calls begin with a DNS lookup. DNS uses both UDP and TCP on port 53; UDP for typical small queries, TCP for larger responses (zone transfers, DNSSEC) and increasingly for fallback when UDP responses are unreliable.
DNS attacks come in several distinct categories: DNS hijacking (attacker controls the DNS resolver and returns malicious IPs), DNS cache poisoning (injecting false records into a resolver's cache), DNS amplification DDoS (sending small spoofed queries that produce large responses to victim IPs), DNS tunnelling (using DNS queries as a covert channel for command-and-control or data exfiltration), and DNS-based reconnaissance (zone transfers, subdomain enumeration to map target infrastructure).
For defenders, modern DNS hygiene includes: DNSSEC for cryptographic record signing (prevents poisoning), DNS over HTTPS or DNS over TLS for encrypted resolver queries (prevents on-path observation/manipulation), response rate limiting (mitigates amplification abuse), restricted zone transfers (prevents reconnaissance), and monitoring for unusual DNS patterns (long subdomain names suggesting tunnelling, queries to known malicious domains).
Standard pentest reconnaissance: enumerate subdomains of the target organisation. Tools: amass, subfinder, assetfinder, dnsdumpster. Subdomains often expose less-protected services (staging, internal admin tools, abandoned marketing pages with vulnerabilities). Comprehensive subdomain enumeration is one of the highest-ROI recon activities for both attackers and defenders.
Incident response — DNS logs for malware family attribution
When investigating malware infections, DNS query patterns help identify the malware family: specific C2 domain patterns, DGA patterns, and infrastructure overlap with known threat actors. DNS logs are often the only evidence remaining after memory-resident malware is cleared from a system, because the queries persist in resolver caches and SIEM logs long after the process is gone.
Threat hunting — proactive hunting for compromise indicators
DNS query analysis is the highest-value source for proactive threat hunting. Patterns to hunt for: queries to recently-registered domains (less than 90 days old), high-entropy subdomains suggesting DGA, unusual subdomain length distribution suggesting tunnelling, queries to known malicious infrastructure, unusual TXT or NULL record queries.
Monitor for newly-registered domains similar to your organisation's name (typosquatting, character substitution, subdomain confusion). Tools like dnstwist and Phishstats CT log monitoring identify these proactively. Block them at your DNS resolver before phishing campaigns activate.
Compliance — DNSSEC deployment for organisational domains
Many compliance frameworks now expect DNSSEC for authoritative DNS. Deployment requires KSK and ZSK key generation, DS records at the parent domain, and ongoing key rollover management. Modern DNS providers (Cloudflare, Route 53, Google Cloud DNS) automate most of this. Verify deployment with dig +dnssec target.example.com.
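What dig +dnssec actually reports is a set of header flags: "ad" means the resolver validated the signatures, "tc" (from the earlier point about UDP versus TCP) means the answer was truncated and must be re-fetched over TCP, and a SERVFAIL rcode is what a validating resolver returns when signatures are expired or broken. The following is an added example, not code from the original page; the DNS messages are constructed inline and no resolver is queried.

```python
import struct

# Constructed DNS messages (header + one question for example.com/A), as a
# validating resolver might return them; no real resolver was queried.
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)

def build(flags):
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + QUESTION

SAMPLE_VALIDATED = build(0x81A0)  # QR RD RA AD, NOERROR: DNSSEC-validated answer
SAMPLE_TRUNCATED = build(0x83A0)  # same, plus TC: response did not fit in UDP
SAMPLE_SERVFAIL = build(0x8182)   # QR RD RA, RCODE=2: what a bogus signature yields

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg):
    """Decode the 12-byte DNS header (RFC 1035 4.1.1; AD/CD bits from RFC 2535)."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000), "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "counts": (qd, an, ns, ar),
    }

def question_name(msg):
    """Read the uncompressed QNAME that follows the header."""
    labels, pos = [], 12
    while True:
        n = msg[pos]
        if n == 0:
            return ".".join(labels)
        if n >= 0xC0:
            raise ValueError("compression pointer not expected in question")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n

def dnssec_validated(msg):
    """True when the resolver asserted authenticity (AD) on a successful answer."""
    h = parse_header(msg)
    return h["qr"] and h["ad"] and h["rcode"] == "NOERROR"

def needs_tcp_retry(msg):
    """TC set means the UDP answer was cut short: re-ask over TCP port 53."""
    return parse_header(msg)["tc"]
```

The AD bit only proves that the recursive resolver validated; it says nothing about the path between the client and that resolver, which is what DoT/DoH protects.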
Common mistakes & edge cases
Allowing zone transfers (AXFR) to anyone
Zone transfers were intended for secondary DNS server synchronisation — modern DNS uses NOTIFY+IXFR with TSIG authentication. Open AXFR allows anyone to download your entire DNS zone, exposing all subdomains and infrastructure. Test with dig @ns1.target.com target.com AXFR — should fail. Restrict via allow-transfer in BIND config or equivalent.
Using ISP-default DNS resolvers without considering privacy/security
ISP DNS resolvers see every query — full record of browsing activity. Many ISPs sell or analyze this data. Switch to privacy-respecting resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9 with malware filtering, Mullvad DNS) — usually faster too. For organisations: deploy internal DNS resolvers, log queries for security, forward externally to a privacy-respecting upstream.
No monitoring of DNS queries
DNS query logs catch most attack indicators earlier than other telemetry. Most organisations do not centrally log DNS. Deploy a logging DNS resolver (Pi-hole for small networks, Splunk DNS app for enterprise, AWS Route 53 Resolver query logs in cloud environments).
Not monitoring for typosquatting domains targeting your brand
Attackers register lookalike domains for phishing campaigns. Without monitoring, you find out when employees report receiving phishing from "your domain". Tools like dnstwist and CT log monitors find new registrations proactively.
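The lookalike monitoring described here and under threat hunting above, as an added example that is not part of the original page: generate typosquat candidates for a brand domain (omission, repetition, transposition, homoglyph, hyphenation, TLD swap) and compare them against a feed of new registrations. The confusables table is deliberately small and the registration feed is constructed; dnstwist is assumed not to be installed.

```python
# Constructed example of the lookalike-domain monitoring the text describes.
# HOMOGLYPHS is a deliberately small confusables table; dnstwist ships far
# more permutation engines and is assumed not to be available here.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
TLDS = ("com", "net", "org", "co", "io")

def lookalikes(domain):
    """Return typosquat candidates for a brand domain such as 'example.com'."""
    label, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i, ch in enumerate(label):
        variants = [
            label[:i] + label[i + 1:],                            # omission:   exmple
            label[:i] + ch + label[i:],                           # repetition: exaample
            label[:i] + HOMOGLYPHS.get(ch, ch) + label[i + 1:],   # homoglyph:  examp1e
        ]
        if i + 1 < len(label):                                    # transposition: exmaple
            variants.append(label[:i] + label[i + 1] + ch + label[i + 2:])
        if i > 0:                                                 # hyphenation: exam-ple
            variants.append(label[:i] + "-" + label[i:])
        out.update(v + "." + tld for v in variants if v)
    out.update(label + "." + t for t in TLDS if t != tld)        # TLD swap
    out.discard(domain.lower())
    return out

# Constructed feed of newly registered domains (e.g. from CT logs or a zone-file diff).
NEW_REGISTRATIONS = ["examp1e.com", "exmaple.com", "example-login.com",
                     "unrelated.net", "example.io", "exampleshop.com"]

def find_suspicious(domain, registrations):
    """Map each suspicious registration to the reason it was flagged."""
    brand = domain.lower().rsplit(".", 1)[0]
    candidates = lookalikes(domain)
    hits = {}
    for reg in registrations:
        reg = reg.lower().strip().rstrip(".")
        if reg == domain.lower():
            continue
        if reg in candidates:
            hits[reg] = "lookalike"
        elif brand in reg.rsplit(".", 1)[0]:
            hits[reg] = "brand embedded"
    return hits
```

Feed the flagged names to your resolver's block list and to the mail gateway, and review "brand embedded" hits by hand since they include legitimate partners and resellers.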
Deploying DNSSEC without the operational capacity to maintain it
DNSSEC requires careful key management: expired or misconfigured signatures cause complete domain unavailability for DNSSEC-validating resolvers, which return SERVFAIL rather than an unsigned answer. High-profile outages have happened to government and corporate domains. Use managed DNS providers that handle DNSSEC complexity unless you have specific operational expertise.
Hardcoded DNS settings preventing centralised management
Some applications, IoT devices, and legacy systems hardcode external DNS resolvers (often Google's 8.8.8.8), bypassing your internal DNS infrastructure. This breaks centralised logging, threat intel filtering, and policy enforcement. Audit network traffic for outbound port 53 to anything other than your internal resolvers, and block direct outbound DNS at the firewall so that devices cannot bypass the internal infrastructure.
Frequently Asked Questions about port 53
Domain Name System — translates human-readable domain names (example.com) to IP addresses (192.0.2.1). Every internet request begins with a DNS lookup. Uses port 53 UDP for typical queries, TCP for larger responses. Hierarchical system with root servers, TLD servers, and authoritative servers for individual domains.
Authoritative DNS servers hold the actual records for specific domains and respond with definitive answers. Recursive resolvers (like ISP DNS, 1.1.1.1, 8.8.8.8) act as intermediaries — they receive queries from clients, look up the answer by recursively querying authoritative servers, cache results, and return answers to clients.
Encrypts DNS queries inside HTTPS — port 443 instead of port 53. Prevents network-path observers from seeing what domains you query and from manipulating responses. Supported by all major browsers and modern operating systems.
Similar to DoH but uses port 853 instead of HTTPS. Easier for network operators to identify and either allow or block (whereas DoH blends with regular HTTPS traffic). Less common in browsers; more common in operating system DNS stacks.
DNS Security Extensions — cryptographic signatures on DNS records preventing cache poisoning attacks. The record returned to your resolver is signed by the authoritative server's key; the resolver validates the signature against keys verified up to the root. DNSSEC does not encrypt queries (DoH/DoT does that); it ensures the responses are authentic and unmodified.
Attacker sends small DNS queries with the source IP spoofed to the victim. The DNS server responds with a much larger response sent to the (spoofed) victim IP. Multiplies attack traffic. Mitigated by response rate limiting, source IP validation (BCP 38), and not running open recursive resolvers on internet-facing servers.
Encoding data in DNS query/response patterns to use DNS as a covert channel for command-and-control or data exfiltration. Works because DNS is usually allowed through firewalls without deep inspection. Tools like dnscat2 and iodine implement this explicitly; many malware families use it for C2.
Linux/Mac: dig example.com for verbose output, nslookup example.com for simpler output. Windows: nslookup example.com. For specific record types: dig MX example.com for mail records, dig TXT example.com for text records (often contains SPF/DKIM/DMARC).
A and/or AAAA (IPv4/IPv6 addresses), MX (mail servers if you receive mail), TXT (often for SPF/DKIM/DMARC email auth), CAA (which CAs can issue certs for the domain), and NS (authoritative nameservers).
Forward DNS resolver query logs to a SIEM. Alert on: queries to recently-registered domains, queries to known malicious domains (subscribe to threat intel feeds), high-entropy subdomain queries (DGA detection), unusual query type patterns (lots of TXT or NULL queries), and queries from unusual internal hosts.
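The hunting rules listed here and under threat hunting above, run over a few constructed resolver log lines as an added example (not code from the original page): Shannon entropy of the first label for DGA detection, label length for tunnelling, a constructed threat-intel entry for known-bad domains, and a per-client count of TXT/NULL queries. The log format, thresholds and the known-bad domain are all assumptions.

```python
import math
from collections import Counter

# Constructed resolver log lines: timestamp, client IP, query type, query name.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 AAAA mail.example.com
2024-05-01T10:00:03Z 10.0.0.9 A xk3j9qw2lzp8vb.example.net
2024-05-01T10:00:04Z 10.0.0.9 A mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpjqwgzlmnfrhk4tlnvxx.example.org
2024-05-01T10:00:05Z 10.0.0.7 TXT example.com
2024-05-01T10:00:06Z 10.0.0.7 NULL a1.example.net
2024-05-01T10:00:07Z 10.0.0.7 NULL a2.example.net
2024-05-01T10:00:08Z 10.0.0.7 NULL a3.example.net
2024-05-01T10:00:09Z 10.0.0.3 A malware-sample.example.org
"""
KNOWN_BAD = {"malware-sample.example.org"}  # constructed threat-intel entry
ENTROPY_MIN = 3.5        # bits per character; dictionary words sit well below this
DGA_MIN_LEN = 12         # only score labels long enough for entropy to mean something
TUNNEL_LABEL_LEN = 40    # data-carrying labels approach the 63-byte label limit
RARE_TYPE_MAX = 2        # TXT/NULL queries per client before it is worth a look

def shannon_entropy(s):
    """Bits of entropy per character of s (0 for a single repeated character)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def hunt(log_text):
    """Return (client, qname, reasons) findings for suspicious queries."""
    findings, rare_types = [], Counter()
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        qname = qname.rstrip(".").lower()
        labels = qname.split(".")
        reasons = []
        if qname in KNOWN_BAD:
            reasons.append("known malicious domain")
        if any(len(label) > TUNNEL_LABEL_LEN for label in labels):
            reasons.append("possible tunnelling")
        elif len(labels[0]) >= DGA_MIN_LEN and shannon_entropy(labels[0]) >= ENTROPY_MIN:
            reasons.append("possible DGA")
        if qtype in ("TXT", "NULL"):
            rare_types[client] += 1
        if reasons:
            findings.append((client, qname, reasons))
    for client, n in rare_types.items():
        if n > RARE_TYPE_MAX:
            findings.append((client, "*", [f"{n} TXT/NULL queries"]))
    return findings
```

The thresholds are starting points: baseline them against your own traffic and allowlist legitimate TXT consumers (SPF, DKIM and DMARC checks from mail servers) before turning the rules into alerts.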