====== DNS Ports ======

DNS communication happens over both of the Internet's main transport protocols: [[wp>User Datagram Protocol|UDP]] and [[wp>Transmission Control Protocol|TCP]]. DNS communication over both TCP and UDP uses port ''53''.

UDP is used for normal DNS operation (as outlined in the [[DNS overview]]): clients sending queries to caching DNS servers, and caching DNS servers sending queries to authoritative DNS servers. UDP messages have a size limit of 512 bytes, so when a message doesn't fit in a UDP message, it is sent over TCP instead: the server marks its reply as truncated and the client repeats the query over TCP.

TCP is also used for control messages between DNS servers, as outlined in [[Authoritative DNS]]: both zone transfers and DNS update messages are commonly sent over TCP because it is more reliable. There is a separate document with details about the different kinds of [[DNS messages]].

In practice, this means both authoritative and caching DNS servers should listen on both TCP and UDP. Since a normal DNS message being too large to fit in a single UDP packet is a pretty rare event, you can probably get away with listening on UDP only if you run a caching DNS server, or if your DNS server doesn't use zone transfers or DNS update to communicate with other servers. It is always important, though, that if you run a DNS server behind a firewall, you forward both UDP and TCP port 53 to the DNS server.
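The UDP-first, TCP-on-truncation behaviour described above, as an added example that is not part of this page: a minimal resolver client in Python that builds a query, sends it to port 53 over UDP, checks the truncated (TC) flag in the reply, and only then repeats the query over TCP with the two-byte length prefix that DNS over TCP requires. The sample reply headers at the bottom are constructed for illustration; ''query()'' needs a reachable DNS server whose address you supply.

```python
import socket
import struct

DNS_PORT = 53
UDP_MAX = 512     # classic UDP payload limit the page refers to
TC_FLAG = 0x0200  # "truncated" bit in the DNS header flags word

def build_query(name, qtype=1, qid=0x1234):
    """Minimal DNS query (RD set) for `name`; qtype 1 = A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def is_truncated(msg):
    """True if the server set TC: the answer did not fit in UDP, retry over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & TC_FLAG)

def frame_tcp(msg):
    """DNS over TCP prefixes each message with its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def unframe_tcp(data):
    (n,) = struct.unpack("!H", data[:2])
    return data[2:2 + n]

def query(server, name, timeout=3.0):
    """Send over UDP first; fall back to TCP on TC. Returns (reply, transport)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, DNS_PORT))
        reply, _ = s.recvfrom(UDP_MAX)
    if not is_truncated(reply):
        return reply, "udp"
    with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
        s.sendall(frame_tcp(q))
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("TCP reply cut short")
            buf += chunk
    return unframe_tcp(buf), "tcp"

# Constructed sample headers (no real server involved): QR|RD|RA with and without TC.
SAMPLE_TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)
SAMPLE_NORMAL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
```

Against a server listening on UDP only, the TCP fallback in ''query()'' fails with a connection error on large answers, which is exactly the failure mode a UDP-only firewall rule produces.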