In the case of port 53, on an AlgoVPN systemd-resolved (by default) and dnscrypt-proxy (as configured by Jack) listen on private addresses, not on the primary network interface. However I can't think of another port likely to be used on a server where only private addresses would be used, and that a user would also want to use for WireGuard.

May 28, 2019 (no subject) - comp.protocols.dns.bind.narkive.com Hi all, I had a bind 9.16.4 as recursive name server. I want to forward all queries to a specific dns server out of my net such as 8.8.8.8. While I have a new How To Open A Port In CentOS / RHEL 7 – The Geek Diary A TCP/IP network connection may be either blocked, dropped, open, or filtered. These actions are generally controlled by the IPtables firewall the system uses and is independent of any process or program that may be listening on a network port. This post will outline the steps to open a port required by a application. For this post example, we will be opening Application Specific (Apache) Port

The DNS Server service should listen on DNS port 53, but

0.0.0.0:53 means listening on all interfaces. To prove this, switch off any firewalls on the server and use telnet to establish a connection to the port: telnet 53 If you get a connection (i.e.: it doesn't just close immediately) something is listening on port 53.

Even if configuring the DNS to use a single IP (dnsmgmt.msc->server properties->Interfaces-tab), it will when checking netdiag bind port 53 to all IPs including 127.0.0.1 The amount of reserved ports when starting DNS service looks like "as design" to handle performance. The benchmark described at the link below had 1300 dynamic updates/second.

dnscrypt making init/1 - systemd listen on port 53 tcp/udp Aug 23, 2017