Port 53 — DNS
Every website visit, every app connection, every API call starts with a DNS query, and almost all of them go to port 53. Your device asks a resolver "what is the IP address for google.com?" by sending the question to port 53 on the resolver; the reply comes back to the ephemeral source port your device used, so only the server side of the exchange is pinned to 53. Without DNS you would have to memorize IP addresses to visit any website. Port 53 is one of the most heavily used ports on the internet, and you use it thousands of times a day without noticing.
UDP vs TCP on Port 53
DNS is unusual in that it uses both UDP and TCP on the same port, and a DNS server is required to support both (RFC 7766):
| Protocol | When Used |
|---|---|
| UDP 53 | Normal queries: one datagram out, one datagram back. The large majority of DNS traffic |
| TCP 53 | Answers too large for one datagram (the server sets the TC bit and the client retries over TCP), zone transfers (AXFR/IXFR) between DNS servers, and clients that choose a connection for reliability |
UDP is used for most queries because it is faster: there is no connection setup, and a typical query and its answer each fit in a single packet. The classic limit for a UDP answer was 512 bytes; with EDNS(0) the client advertises a larger buffer (1232 bytes is the common recommendation today), which is why most DNSSEC-signed answers still arrive over UDP. When an answer does not fit, the server sends a truncated reply with the TC flag set and the client repeats the query over TCP, where each message is prefixed with a two-byte length. TCP is also mandatory for zone transfers (copying an entire DNS zone between servers), which can run to megabytes. A firewall that opens only UDP 53 therefore breaks large answers, not just zone transfers.
Running Your Own DNS Server
There are practical reasons to run a local DNS server on port 53:
Pi-hole — Network-Wide Ad Blocking
Pi-hole is a DNS sinkhole that blocks ads and trackers for every device on your network. Instead of installing ad blockers on each device, you point your router's DNS to the Pi-hole, and it filters at the DNS level: known ad and tracker domains get a null answer, so the ads never even download.
```bash
# Install Pi-hole (Raspberry Pi or any Linux machine).
# This runs a downloaded script as root; save it with -o and read it first if
# you would rather not pipe the internet straight into bash.
curl -sSL https://install.pi-hole.net | bash

# Or run in Docker. Publish 53 on both protocols, and keep /etc/pihole on a
# volume so blocklists and settings survive container rebuilds.
docker run -d --name pihole \
  -p 53:53/tcp -p 53:53/udp \
  -p 80:80 \
  -e TZ='America/New_York' \
  -v "$(pwd)/etc-pihole:/etc/pihole" \
  --restart unless-stopped \
  pihole/pihole
```
After installation, open your router's admin panel (you need the router's IP) and change the DNS server it hands out over DHCP to the Pi-hole's IP address. Every device on your network then gets ad blocking automatically, with two exceptions to keep in mind: devices with a hard-coded DNS server, and browsers or apps that use DNS over HTTPS, will bypass it. Publish port 53 only on your LAN. An open resolver reachable from the internet gets found by scanners and abused for DNS amplification attacks, and your IP ends up on blocklists.
Local DNS for Development
For web development you can run a local DNS server so that custom names like myproject.test resolve to your machine instead of typing localhost and a port. Avoid the .local suffix: it is reserved for multicast DNS (RFC 6762), and macOS and many Linux systems send .local lookups to mDNS instead of your DNS server. The .test TLD is reserved for exactly this purpose (RFC 6761). dnsmasq is lightweight and easy to configure:
```bash
# Install dnsmasq
# Mac (Homebrew keeps its config under the Homebrew prefix,
# e.g. /opt/homebrew/etc/dnsmasq.conf)
brew install dnsmasq
# Linux
sudo apt install dnsmasq
```
Add the local domains to /etc/dnsmasq.conf (or a file in /etc/dnsmasq.d/). Each address= line also matches every subdomain, so app.myproject.test resolves too. Restrict the listener to loopback; by default dnsmasq answers on every interface, which turns a dev box into an open resolver on a shared network:
```conf
# Only answer queries from this machine
listen-address=127.0.0.1
address=/myproject.test/127.0.0.1
address=/api.test/127.0.0.1
```
Restart dnsmasq and check with dig @127.0.0.1 myproject.test. On macOS, also tell the system resolver to send .test queries to dnsmasq by creating /etc/resolver/test containing the single line nameserver 127.0.0.1; on Linux, point /etc/resolv.conf (or your NetworkManager/systemd-resolved settings) at 127.0.0.1.
DNS Security
Traditional DNS on port 53 is unencrypted and unauthenticated. Anyone on the path (your ISP, a public WiFi operator, an attacker on the same LAN) can read every domain you look up and, unless DNSSEC is validated, forge the answers. Encrypted transports fix the eavesdropping part; they do not make the resolver you send queries to any more trustworthy, they just move the trust from the network to that resolver:
| Protocol | Port | How It Works |
|---|---|---|
| DNS (traditional) | 53 | Plaintext UDP/TCP — anyone can see your queries |
| DoH (DNS over HTTPS) | 443 | DNS queries inside HTTPS — looks like normal web traffic |
| DoT (DNS over TLS) | 853 | DNS encrypted with TLS — dedicated port |
Browser behaviour varies. Firefox enables DoH by default in some regions (the US among them) and sends queries to Cloudflare unless you pick another provider. Chrome and Edge only "upgrade" to DoH when the resolver the operating system already uses is a known public resolver with a DoH endpoint; a Pi-hole address is not on that list, so they keep talking to it on port 53. The practical result is that a local resolver can be bypassed by Firefox, by apps that ship their own DoH client, and by any device with a hard-coded DNS server. Before turning DoH on, Firefox queries a canary domain, use-application-dns.net; if your local resolver answers it with NXDOMAIN (recent Pi-hole versions do this out of the box), Firefox stays on system DNS. Otherwise, disable DoH in the browser's settings if you want your local DNS server to see the queries.
Troubleshooting DNS on Port 53
Check whether a resolver answers on port 53, over both transports:
```bash
# Query a specific server instead of the system resolver (works on Windows too)
nslookup google.com 8.8.8.8
nslookup google.com your-dns-server-ip

# Mac/Linux: dig shows the flags, the answer size and the transport used.
dig @8.8.8.8 google.com
# Force TCP 53. A timeout here with UDP working (or the reverse) means a
# firewall is letting only one protocol through; both must be open.
dig @8.8.8.8 google.com +tcp
```
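The same check written against the wire protocol, as an added example (not code from the page, Pi-hole or dnsmasq). It shows the mechanism behind the UDP vs TCP section above: the client sends the query as one UDP datagram, looks at the TC bit in the reply, and only then repeats the query over TCP with the two-byte length prefix. Because the query builder and parser are hand-written, the functions also decode captured packets, which is how a sniffer on a plaintext network reads your lookups. Function names, the 0x1234 transaction ID, the EDNS buffer size and the `sample_response` bytes are all assumptions made here; the sample reply is constructed, not a real capture, and is the only input the offline checks need. The network functions talk to a real resolver when you run the script (8.8.8.8 and example.com by default, both taken from the page's own examples).

```python
# Hand-rolled DNS client: UDP 53 first, TCP 53 when the answer is truncated.
# Added example; the constants and sample bytes below are assumptions, not captures.
import socket
import struct
import sys

TC_FLAG = 0x0200          # "truncated" bit in the header flags word
EDNS_UDP_SIZE = 1232      # UDP payload size advertised via EDNS(0)

def build_query(name: str, qtype: int = 1, txid: int = 0x1234, udp_size: int = 0) -> bytes:
    """Wire-format query for `name` (qtype 1 = A). A non-zero udp_size appends an
    EDNS(0) OPT record so the server may answer with more than 512 bytes over UDP."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)                   # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0) if udp_size else b""
    return header + question + opt

def parse_name(msg: bytes, offset: int):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer into an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg: bytes) -> dict:
    """Decode header, question names and A-record answers from a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = parse_name(msg, offset)
        offset += 4                                     # skip qtype, qclass
        questions.append(name)
    for _ in range(ancount):
        name, offset = parse_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        answers.append(socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex())
    return {"id": txid, "truncated": bool(flags & TC_FLAG), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TCP connection mid-message")
        buf += chunk
    return buf

def query_udp(server: str, name: str, timeout: float = 3.0) -> dict:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, udp_size=EDNS_UDP_SIZE), (server, 53))
        data, _ = s.recvfrom(EDNS_UDP_SIZE)
    return parse_response(data)

def query_tcp(server: str, name: str, timeout: float = 3.0) -> dict:
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)        # RFC 1035 two-byte length prefix
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        data = recv_exact(s, length)
    return parse_response(data)

def resolve(server: str, name: str) -> dict:
    """What a stub resolver does: UDP first, retry over TCP when TC is set."""
    answer = query_udp(server, name)
    if answer["truncated"]:
        answer = query_tcp(server, name)
    return answer

def sample_response(truncated: bool = False) -> bytes:
    """Constructed reply to build_query("example.com"): one A record, TC optional."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)      # QR, RD, RA set; rcode 0
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer                   # 0xc00c points back to offset 12

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print(resolve(server, name))
```

Run it as `python3 dnsprobe.py your-dns-server-ip google.com`. A timeout from `query_udp` with a working `query_tcp` (or the reverse) points at a firewall that opened only one of the two protocols, which is the same diagnosis the dig +tcp command above gives. Note that a resolver answering only the UDP query with TC set and then refusing TCP leaves the client without an answer at all.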
"Port 53 already in use" when starting Pi-hole or dnsmasq means something else already holds the port. On Ubuntu that is usually systemd-resolved, which runs a stub listener on 127.0.0.53:53 by default. Rather than disabling systemd-resolved outright (which also removes the resolver configuration the system relies on), turn off just the stub listener and point /etc/resolv.conf at the real upstream file:
```bash
# See which process owns UDP 53
sudo ss -ulpn 'sport = :53'
# Free the port: keep systemd-resolved, drop only its stub listener
sudo sed -i 's/^#\?DNSStubListener=.*/DNSStubListener=no/' /etc/systemd/resolved.conf
sudo systemctl restart systemd-resolved
# /etc/resolv.conf normally points at the stub; switch it to the upstream list,
# then set your preferred DNS (e.g. the Pi-hole) in the network configuration
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
```
On macOS, mDNSResponder is the system resolver, but it only listens for multicast DNS on UDP 5353 and does not bind port 53, so conflicts are rare there.