Pub Quiz: The Wireshark filter udp.port==53
- Mike Pennacchi
- Jul 5, 2022
- 1 min read
Over half the people that answered this question got that correct answer. This filter will display any traffic to and from UDP port 53. The next highest response was Only DNS Traffic. It is true that DNS uses UDP port 53, but there is nothing specific in this filter to DNS.
If we only wanted DNS traffic, we would need to be more specific with the filter to only include UDP port 53 traffic that was also DNS. If you only want DNS traffic, it is best to use the 'dns' filter within Wireshark. This will ensure the structure of the data matches a DNS packet.
Be sure to also include tcp as many responses will be larger than the limited udp DNS max payload size
These days you can also find DNS on tcp port 853 commonly used for DNS over TLS (or DoT) and many browsers are enabling DNS over https (DoH) which is on tcp 443 its worth checking out if you want to stay current with DNS protocols