
DNS port 53?

Featured Replies

Happened to notice Unraid is using port 53 for DNS instead of secure DNS like on port 853, etc.

7.1.4

Is there a way to change this?

Screenshot is from me changing to the local pfSense router.

Screenshot 2025-06-25 at 10.47.42.png

  • Community Expert

From my testing, Unraid DNS was never encrypted unless you set up Dockers and other systems...

As port 53 is the default DNS port, yes...

If you have and use DNS encryption, then it will use the other ports...
*Would require other 3rd-party DNS servers running... (Unraid is not networking equipment)

Standard Linux network setup and internal routing will still go over UDP port 53 per /etc/resolv.conf.

Unraid doesn't run or use encrypted DoT/DoH DNS systems...

Per some examples from AdGuard Home for IANA / IEEE port standards:

Here's a breakdown of the key ports:

  • 53/UDP: Standard DNS port used by clients to query the AdGuard Home DNS server and any Linux server that handles DNS.

  • 853/TCP: Used for DNS-over-TLS (DoT) connections. 

  • 443/TCP: Used for DNS-over-HTTPS (DoH) connections. 

  • 784/UDP: Used for DNS-over-QUIC. 

  • 67/68: Used for DHCP if AdGuard Home is also acting as a DHCP server, or any DHCP service.

This is often why others run Pi-hole / AdGuard on Unraid.

These would be the ports I'd look for as listening addresses on the system if it has and is using DNS encryption.

Edited by bmartino1

  • Community Expert

I'm so used to having a Debian client to test some of these; most Linux commands may not be compatible with Slackware Unraid without a 3rd-party install...

netstat -tunlp | grep :53

  • netstat: A utility for displaying network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

  • -t: Displays TCP connections.

  • -u: Displays UDP connections.

  • -n: Displays numerical addresses and port numbers instead of trying to determine hostnames and service names (speeds up the output).

  • -l: Lists only listening sockets.

  • -p: Displays the Process ID (PID) and the name of the program that owns the socket.

  • |: Pipes the output of netstat to the next command.

  • grep :53: Filters the output to show only lines containing ":53" (the DNS port number). 

Should work on Unraid. See if the other ports (853, 784) exist and have a listening address.
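As an added example (not from the thread), here is a small POSIX shell helper that takes `netstat -tunlp`-style output and labels any listener on the DNS ports listed above, so a quick run shows whether a box only has plain port-53 DNS or also DoT/DoH/DoQ listeners. The sample output it runs on is constructed; the program names and PIDs are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: classify listening sockets from
# `netstat -tunlp`-style input (stdin) by the DNS ports discussed above.
dns_listeners() {
  awk '
    # netstat -tunlp columns: Proto Recv-Q Send-Q Local-Address Foreign-Address [State] PID/Program
    $1 ~ /^(tcp|udp)6?$/ {
      proto = $1; local = $4
      n = split(local, parts, ":"); port = parts[n]   # last field after ":" is the port
      prog = $NF
      label = ""
      if (port == "53")  label = "plain DNS (unencrypted)"
      if (port == "853") label = "DNS-over-TLS (DoT)"
      if (port == "443") label = "HTTPS / possible DNS-over-HTTPS (DoH)"
      if (port == "784") label = "DNS-over-QUIC"
      if (label != "") printf "%s %s %s %s\n", proto, local, label, prog
    }'
}

# Returns success (0) when at least one unencrypted port-53 listener is present.
has_plain_dns() { dns_listeners | grep -q 'plain DNS'; }

# Constructed sample shaped like `netstat -tunlp` output; addresses, PIDs and
# program names are invented for the demonstration.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
udp        0      0 192.168.22.1:53         0.0.0.0:*                           2345/dnsmasq
tcp        0      0 0.0.0.0:853             0.0.0.0:*               LISTEN      3456/AdGuardHome
tcp6       0      0 :::443                  :::*                    LISTEN      3456/AdGuardHome'

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE" | dns_listeners
if printf '%s\n' "$SAMPLE" | has_plain_dns; then
  echo "WARNING: unencrypted DNS listener on port 53 present"
fi
```

On a live system, pipe the real output in instead: `netstat -tunlp | dns_listeners` (or the equivalent `ss -tunlp` output if netstat is missing, since the column layout differs only slightly).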

  • Community Expert

You will most likely have to heavily edit things on both devices, as this is local PRT as it is in a "trusted" LAN, and thus pfSense has 0 need to run encrypted traffic to the local LAN network.

pfSense setups:

Secure DNS:
https://www.youtube.com/watch?v=8VRk38h33TY&pp=ygUHI3BzZW5zZQ%3D%3D

DNSSEC - TLS

https://www.youtube.com/watch?v=Z3-E90VEIbY

https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html

Here's how to configure DNS over TLS on pfSense:

1. Disable DNS Forwarder and Enable DNS Resolver:

  • Navigate to Services > DNS Forwarder and disable the DNS Forwarder service. Only one DNS service can listen on port 53 at a time, according to pfSense documentation.

  • Navigate to Services > DNS Resolver and enable the DNS Resolver service. 

2. Configure DNS Resolver Settings:

3. Configure DNS Servers:

  • Go to System > General Setup.

  • In the DNS Server Settings section, you can choose to use the DNS Resolver or Forwarder on the firewall, or specify external DNS servers. 

  • If you are using a specific DNS provider (like Cloudflare or Google), enter their IP addresses (e.g., 1.1.1.1 and 1.0.0.1 for Cloudflare). 

  • Uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN to prevent external devices from changing the DNS settings. 

  • Uncheck Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall if you want the firewall to resolve its own hostnames internally. 

4. Apply Changes:

  • Click Save on the DNS Resolver configuration page.

  • Click Apply Changes on the General Setup page. 

5. Test your configuration:

  • Use Diagnostics > DNS Lookup to test if DNS resolution is working correctly.

  • Use Diagnostics > Packet Capture to verify that DNS queries are being sent over port 853 (for TLS).

  • You can also check for states using port 853 in Status > System Logs > Firewall.

Then you can edit LAN systems to use TLS-encrypted DNS...

As you're observing, Unraid is using port 53 (unencrypted DNS) instead of secure DNS over TLS (port 853) or DNS over HTTPS (DoH). This behavior is expected unless you explicitly configure your network (specifically your pfSense router) to force DNS encryption.

Many ways to go about it honestly, and it is more dictated by what you're using for upstream DNS servers.

? Cloudflare 1.1.1.1
? unbound/stubby

As we can also block and/or redirect unencrypted DNS port 53 on the LAN...

2. Block Unencrypted DNS (Port 53) on LAN

To prevent any device from using port 53 DNS, create firewall rules:

Steps:

  1. Go to Firewall > Rules > LAN

  2. Add a new rule at the top:

    • Action: Block

    • Protocol: TCP/UDP

    • Destination Port: 53

    • Destination: Any

    • Description: Block Port 53 DNS

  3. Apply Changes

This forces clients to only use pfSense for DNS and breaks all manual DNS attempts over port 53 (unless they're encrypted).


3. Redirect Port 53 to 127.0.0.1:853 (optional)

You can optionally redirect port 53 traffic to pfSense (to catch devices that hardcode 8.8.8.8 etc.):

  1. Go to Firewall > NAT > Port Forward

  2. Add a new rule:

    • Interface: LAN

    • Protocol: TCP/UDP

    • Destination: ! LAN net

    • Destination Port: 53

    • Redirect target IP: 127.0.0.1

    • Redirect target Port: 853

    • Description: Redirect DNS to pfSense DoT

It's been a while since I messed with pfSense...
Left due to issues with FreeBSD. It's not a secure OS and I don't want an insecure OS being the head of my network... Attack vector risk is too high for me... Similar with OPNsense...

Better asked on the pfSense forum, as this is more on how to edit pfSense settings to enforce encrypted DNS.

  • Author

Cheers.

It's probably all going over the DNS forwarder anyway, but I will add that catch-all rule.

Somewhat bizarre it's saying it's using an IP that doesn't exist, 192.168.122.1:53; it should be 192.168.22.1.

Out of interest what do you use for your Router/Firewall these days?


Screenshot 2025-06-25 at 17.33.52.png

  • Community Expert

I'm on CGNAT fiber these days, using a fiber media converter to Ethernet for a modem that connects to Ubiquiti hardware. Paying for a static IPv4.

I then use UniFi, currently a UCG: https://store.ui.com/us/en/products/ucg-ultra

As it's essentially a Debian Linux box running networking software in the guise of networking equipment.

With SSH terminal access I can run scripts and patch / run other stuff (even though Ubiquiti frowns on it)...
The main CVE is usually with MongoDB and the thing that UniFi doesn't update their UniFi software stack as often as they should.
Debian unattended updates application for security only, and some side stuff on the UniFi forum...

At one time I did run pfSense, IPFire, OpenWrt, OPNsense, even a machine with bare-OS Ubuntu/Debian with networking commands.
Some name brands I have run in the past have been Firewalla, Netgear, Linksys, Asus, Intel mini PC...

All of them have pros/cons, but all of them failed. UniFi, while it has some problems, hasn't broken or been an attack vector for me for some time.

Also, due to my ISP work, this is what we ran and set up, so I'm more comfortable with ARM hardware from UniFi.

But I'm more into enterprise equipment.

FreeBSD has some of the best networking tools and dev on the platform, but the OS itself refused to accept and handle base CVEs at the OS level.
Even running mitigation and check software, it fails, making them an attack vector, and since FreeBSD (pfSense), once in, has all my router and networking info...

Don't get me wrong, UniFi has some backdoors and problems too; I just haven't been hit and have been protected with UniFi equipment more than I have with other platforms.

The only other great Linux box router I used and trusted was IPFire, which is based off FreeBSD and IPCop... IPCop is long dead and IPFire is compiled and written from scratch Linux.

But some settings I do like for DHCP options and other things, IPFire has killed in the latest OS updates under the guise of security.

Depends on your risk factor, what you want it to do and how you want to interact with it.
pfSense isn't bad, I just don't trust the underlying OS.

I would have you look at
https://www.ipfire.org/
