Nmap open port 53/tcp

I was playing with nmap on my local network and I was wondering why all of my other devices have port 53/tcp open (router, 2 raspberry pies and an android phone). Only my main machine (source of nmap scan) did not show any open ports.

As far as I can tell when I was poking in my RPi with ss I was not able to find anything that was using port 53.

Is this normal? Is there other way how to find out why is port 53 considered open?
The command was sudo nmap -sT ''

Nmap scan report for pio (*redacted_ip*)
Host is up (0.045s latency).
Not shown: 998 closed ports
22/tcp open  ssh
53/tcp open  domain
MAC Address: *redacted_mac* (Raspberry Pi Foundation)

Port 53 is usually DNS.

OK but I do not have any DNS server running as far as I can find. ss doesn’t show it and systemctl list-units | grep -i dns doesn’t show anything either.

I think it’s DNS anyway. Can you surf the net? Then you have a DNS.

I can’t see how is that connected. The port is open for incomming connection.
I get DNS from my ISP I do not need DNS active on my device to access net. My main machine does not have this port open and the net works just fine.

Besides only installed package with dns in it on the RPi is

pie:~ >>> aptitude search '~i dns'
i   libdns-export1104                 - Exported DNS Shared Library

Is this the culprit that keeps port open?

ss | grep 53

Will show you the processes running that are using port 53.

Run the command sudo netstat -lep on one of the machines with port 53 open. That should show you what is listening on that port.

Also, having local firewalls on those machines would stop the traffic even if something was listening.

According to this list, port 53 is DNS.


Trying on the device which should have port 53 open according to nmap.

This gives me nothing relevant
u_str   ESTAB    0         0                                          * 61531                                                  * 0     
Neither this
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 *               LISTEN      mysql      13175      620/mysqld
tcp        0      0   *               LISTEN      root       13124      546/sshd
tcp        0      0 localhost:smtp*               LISTEN      root       17776      993/exim4
tcp6       0      0 localhost:9665          [::]:*                  LISTEN      jdown      41944      14484/java
tcp6       0      0 localhost:9666          [::]:*                  LISTEN      jdown      44504      14484/java
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      root       13126      546/sshd
tcp6       0      0 [::]:42553              [::]:*                  LISTEN      jdown      44503      14484/java
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN      root       17777      993/exim4
udp        0      0*                           root       12861      521/dhcpcd
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7           root       12865      521/dhcpcd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     61530    19824/systemd        /run/user/1000/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     61535    19824/systemd        /run/user/1000/gnupg/S.dirmngr
unix  2      [ ACC ]     STREAM     LISTENING     61536    19824/systemd        /run/user/1000/gnupg/S.gpg-agent
unix  2      [ ACC ]     STREAM     LISTENING     61537    19824/systemd        /run/user/1000/gnupg/S.gpg-agent.browser
unix  2      [ ACC ]     STREAM     LISTENING     61538    19824/systemd        /run/user/1000/gnupg/S.gpg-agent.extra
unix  2      [ ACC ]     STREAM     LISTENING     61539    19824/systemd        /run/user/1000/gnupg/S.gpg-agent.ssh
unix  2      [ ACC ]     STREAM     LISTENING     9679     1/init               /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     9686     1/init               /run/systemd/fsck.progress
unix  2      [ ACC ]     SEQPACKET  LISTENING     9697     1/init               /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     9701     1/init               /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     13486    1/init               /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     12793    521/dhcpcd           /var/run/dhcpcd.sock
unix  2      [ ACC ]     STREAM     LISTENING     12794    521/dhcpcd           /var/run/dhcpcd.unpriv.sock
unix  2      [ ACC ]     STREAM     LISTENING     13146    532/python3          /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     13176    620/mysqld           /run/mysqld/mysqld.sock

Also ufw is up and running
Status: active
Logging: on (low)
Default: reject (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    *redacted_ip*/24            # ssh
42553/tcp                  ALLOW IN    *redacted_ip*/24            # MyJdownloader
5201                       ALLOW IN    *redacted_ip*/24            # iperf3 - network speed test
3306                       ALLOW IN    *redacted_ip*/24            # mariadb

This person reported erroneous nmap results on port 53 when they were connected to a vpn on the machine running the scan.

I am not sure I understand why that would matter but I thought it might be worth pointing out.

1 Like
I couldn't not...


Mystery solved. :smiley:
I totaly forgot that some years ago I was messing with my router NAT settings and it was redirecting all dns requests to correct dns server. So that machines on my network would not call dns like :nerd_face: For example a call to (which has no port opened) would end in which has port 53 opened.

Disabling this feature shows correct results from nmap.
Why am I doing things like this to myself? :sweat_smile: :rofl:

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.