DNS Ports: A Little Tech Dive Into How the Internet Works (and Why It's Getting Better)
Hey everyone! So, I was doing a little digging into how the internet works behind the scenes, you know, the stuff we usually don't think about. I ended up down a bit of a rabbit hole with the Domain Name System (DNS), which is basically the internet's phone book. It turns out there's more to it than just typing in a web address, and a lot of it boils down to ports!
Let's talk about how DNS evolved, the ports it uses, and why privacy matters.
Port 53: The OG DNS and a UDP Story
DNS all started with port 53. For decades, if you needed to look up where a website was (to translate a human-readable name like example.com into a number computers can use), you'd be using this port. DNS was designed to send most queries over UDP, which is what's known as a "connectionless" protocol.
What that really means is that a UDP packet goes out with no guarantee that it will ever reach its destination. Unlike a phone call, where the two ends have to connect before anything is said, UDP just sends the data and hopes for the best. Think of it like dropping a letter in a mailbox: you don't know whether it was delivered. The sender only finds out if the application on top of UDP expects a reply, times out when none arrives, and tries again. That is exactly what DNS clients do: a resolver waits a couple of seconds for an answer, then retransmits the query, usually to a different server. DNS gets away with this because a query is tiny, so the occasional retry costs far less than a TCP handshake for every single lookup would.
As UDP doesn't guarantee delivery, there is a bit of a "wild west" feeling to it:
- I'd tell you a UDP joke, but you might not get it, and I don't care :)
Small, fire-and-forget messages were fine for most lookups, but not for everything, which is why TCP on port 53 has been part of the DNS specification (RFC 1035) from the beginning rather than a later add-on.
- TCP on Port 53: TCP is the reliable option. It is connection-oriented, setting up a full-duplex pathway before any data is sent, and it uses checksums, sequence numbers and acknowledgements to guarantee delivery, so it's a bit more work to use for DNS. DNS turns to it for zone transfers between servers and whenever an answer is too big for a single UDP datagram: the server sets the TC (truncated) bit in its UDP reply, and the client repeats the same query over TCP.
But despite the reliability offered by TCP, it still didn't address some important security concerns!
DNS Grows Up, So Do Security Concerns
For a while, everything was fine, but as the internet became a big part of our lives, a couple of issues with traditional DNS on port 53 became apparent:
- Everything's in Plaintext: All that DNS traffic on port 53, including the names of the domains you wanted to visit, was totally unencrypted. Anyone between you and your DNS server (your ISP, the coffee-shop Wi-Fi, any hop on the path) could read it, and because nothing in the message was protected, they could potentially manipulate it too.
- Man-in-the-Middle Shenanigans: Bad guys could not only see that traffic, they could answer it. A forged reply that arrives before the real one (it only needs to match the 16-bit ID and source port of your query) sends you to a totally different server than the one you asked for. Not good, not good at all.
So, what did we do? We needed something more private and secure!
DoH: Enter Port 443 and Encrypted Queries!
This is where DNS over HTTPS (DoH, standardised in RFC 8484) came into play. Basically, DoH says, "Hey, let's put these DNS requests inside secure HTTPS connections using port 443." Here's the cool part:
- Privacy First: The biggest win with DoH is privacy. Every query is encrypted with TLS and sent over port 443, like any secure connection to a web page. Someone on the path sees only an HTTPS connection to your resolver, not the names you looked up, so no more peeking from the "man in the middle" at your browsing history. The caveat is that the resolver itself still sees every query, so the privacy you gain is only as good as the resolver you choose. Even so, this is a much-needed upgrade for every single user.
- Trusted Connections: TLS also authenticates the resolver with its certificate and protects every byte in transit, so a bad actor on the path can no longer tamper with the DNS results or slip in forged replies. It does not vouch for the data itself (a compromised or dishonest resolver can still hand back a wrong answer), but it closes the on-path attacks that plain port 53 left wide open.
How does it all work?
- Instead of that unencrypted conversation on port 53, your browser or OS opens a standard HTTPS connection to the resolver's DoH endpoint (conventionally a path named /dns-query) on port 443.
- The actual DNS request is the same wire-format message that would have gone over port 53. It is sent either as an HTTP POST whose body has the content type application/dns-message, or as a GET with the message base64url-encoded in a dns= query parameter.
- The server processes the request and sends the DNS response back as the body of an ordinary HTTP response, again typed application/dns-message, inside the same encrypted connection.
- Your browser or OS unwraps the HTTP response and has the result of the DNS query, as normal!
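The exchange above, written out as an added example (this is not code from the post). It builds the wire-format DNS query that travels unchanged over UDP 53, TCP 53 or DoH, shows both DoH request forms (the GET parameter and the POST body), and parses the reply. To stay offline it decodes a constructed sample response for example.com pointing at 192.0.2.1 (a documentation address, not a real lookup); `doh_post` is a working POST client but takes an assumed resolver URL and is not called here. The `tc` flag it extracts is the one that, over UDP, tells a client to repeat the query over TCP.

```python
import base64
import http.client
import struct
from urllib.parse import urlparse

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS label sequence (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, qid: int = 0) -> bytes:
    """Wire-format query: 12-byte header + one question. The same bytes go over
    UDP/TCP 53 or inside DoH; RFC 8484 recommends ID 0 for DoH so identical
    queries produce identical (cacheable) HTTP requests."""
    flags = 0x0100  # RD (recursion desired) only
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """DoH GET form: base64url of the message with '=' padding removed."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={b64}"


def decode_dns_param(value: str) -> bytes:
    """What a DoH server does with the 'dns' parameter: re-pad and decode."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:                    # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question, collect the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    res = {"id": qid, "rcode": flags & 0xF,
           "tc": bool(flags & 0x0200),       # truncated: over UDP, retry via TCP
           "answers": []}
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        data = ".".join(map(str, rdata)) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        res["answers"].append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return res


def doh_post(endpoint: str, query: bytes, timeout: float = 5.0) -> bytes:
    """Send a query to a DoH resolver over HTTPS/443 (POST form). Needs network,
    so it is defined but not run here; `endpoint` is an assumed resolver URL."""
    u = urlparse(endpoint)
    conn = http.client.HTTPSConnection(u.hostname, u.port or 443, timeout=timeout)
    conn.request("POST", u.path or "/dns-query", body=query, headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    ctype = (resp.getheader("Content-Type") or "").split(";")[0].strip()
    if resp.status != 200 or ctype != "application/dns-message":
        raise RuntimeError(f"unexpected DoH reply: HTTP {resp.status} {ctype}")
    return body


# Constructed sample reply (not captured from a real resolver): ID 0, flags 0x8180
# (QR, RD, RA), one question, one answer: example.com A 192.0.2.1 (documentation
# address), TTL 300, with the answer name compressed to a pointer at offset 12.
SAMPLE_RESPONSE = (
    b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    + encode_name("example.com") + b"\x00\x01\x00\x01"
    + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    q = build_query("example.com")
    print("GET", doh_get_path(q))
    print(parse_response(SAMPLE_RESPONSE))
    # Live lookup against an assumed endpoint (uncomment with network access):
    # print(parse_response(doh_post("https://resolver.example/dns-query", q)))
```

Two details worth noticing: the GET form strips base64 padding because `=` is not URL-safe in a query string, so a server has to re-pad before decoding; and the pointer-hop limit in `read_name` is there because a reply is untrusted input, and a pointer that loops back on itself would otherwise spin the parser forever.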
Why Port 443 specifically?
- Everyone's Using It: We use HTTPS (and port 443) all the time for websites. Reusing it for DNS is just easier; everyone already knows how to implement HTTPS, and the same TLS libraries, certificates and caches apply.
- Simple Integration: Because browsers, websites and other servers all speak HTTPS, it was straightforward to make DoH servers behave like standard HTTPS web servers. A DoH resolver is just a web endpoint that happens to answer DNS questions.
- Firewall Friendly: Since everyone already uses HTTPS, it was also an easy move for network firewalls; port 443 is almost always allowed, so DoH requests don't get blocked the way a brand-new port might. The flip side for anyone running a network is that DoH is deliberately hard to tell apart from ordinary web traffic, so DNS filtering or monitoring that relied on watching port 53 no longer sees those queries and has to be done at the resolver instead.
Whatβs Next?
From fire-and-forget UDP to encrypted communication over port 443, we've made a lot of improvements in how the internet works, and in the way our devices retrieve the names and locations of servers from all around the world. By improving these protocols we also get better privacy and fewer opportunities for anyone on the path to eavesdrop on, or tamper with, our lookups. Pretty cool, huh?
So, yeah, that's my little dive into DNS ports: why we've moved away from an almost exclusively port 53 landscape, why we needed a port like 443, and why it matters. Hopefully, this makes the behind-the-scenes stuff of the internet a little clearer! What do you guys think? Let me know in the comments.