Skip to main content
DNSnexus
Free Developer Tools
DNS
Email
Network
Webmaster
Security
IP
Guides
Live Tools
60+
Categories
6
Result URLs
Shareable
Availability
24/7
DNSnexus
Free Developer Tools
Free DNS, email, network, and security diagnostics with crawlable tool pages and shareable result URLs.
Run DNS CheckBrowse All Tools
Popular Tools
DNS Propagation CheckerDNS LookupWHOIS LookupSPF Record CheckerDMARC CheckerSSL Certificate CheckerPort Scanner
Quick Path
Fix Email Deliverability
Quick Path
Troubleshoot DNS Changes
Quick Path
Validate SSL & Open Ports
DNS Tools
A Record LookupAAAA Record LookupCERT LookupCNAME LookupDNS CheckDNS LookupDNS Propagation CheckerDNSKEY LookupDS LookupIPSECKEY LookupLOC LookupNS LookupNSEC LookupNSEC3PARAM LookupReverse DNS LookupRRSIG LookupSOA LookupSRV LookupTXT LookupWHOIS Lookup
Email Tools
BIMI LookupBlacklist CheckDKIM CheckerDMARC CheckerDMARC Report AnalyzerEmail Deliverability ReportEmail Header AnalyzerEmail Health ReportGoogle/Yahoo Compliance CheckerMicrosoft Compliance CheckerMTA-STS LookupMX Record LookupSMTP TestSPF Record Checker
Network Tools
HTTP LookupHTTPS LookupMAC Address GeneratorMAC Address LookupOnline TraceroutePingSubnet Calculator
Webmaster Tools
HTTP Headers CheckSearch Presence CheckWebsite Link AnalyzerWebsite Operating System CheckWebsite Redirect CheckerWhat is My User Agent?
Security Tools
DKIM Record GeneratorDMARC GeneratorDomain DNS Security CheckEmail Security CheckerPort ScannerSPF GeneratorSSL Certificate CheckerWebsite Vulnerability Scanner
IP Tools
ARIN LookupASN LookupIP Blacklist CheckIP Geolocation LookupWhat Is My IP
Company
All Tools DirectoryGuides & PlaybooksAbout DNSnexusContactAPI DocsPrivacy PolicyTerms & ConditionsCookie Policy
© 2026 DNSnexus — DNS, Email, Network & Security Tool Platform
All ToolsAboutContactPrivacyTerms
Home › Guides › Network Operations › Common Network Ports: Complete Reference Table
Network Operations•9 min•Published 2026-07-14

Common Network Ports: Complete Reference Table

Every TCP or UDP connection on the internet is addressed to an IP and a port number, and the vast majority of that traffic funnels through fewer than 30 common network ports. Knowing which port maps to which service — and which of those ports should never face the public internet — is baseline knowledge for troubleshooting connectivity, configuring firewalls, and reading a port scan without guessing.

Quick Answer
Common network ports include 20/21 (FTP), 22 (SSH), 25 (SMTP), 53 (DNS), 80 (HTTP), 143 (IMAP), 443 (HTTPS), 445 (SMB), 3306 (MySQL), 3389 (RDP), and 5432 (PostgreSQL). Ports 0–1023 are IANA-assigned "well-known" ports; 1024–49151 are registered ports; 49152–65535 are dynamic/ephemeral ports assigned per-connection.

What Are Network Ports?

A port is a 16-bit number (0–65535) that identifies a specific process or service on a device, sitting alongside the IP address to form a complete socket. The IP address gets a packet to the right machine; the port number gets it to the right application on that machine. A single server can run a web server on port 80, an SSH daemon on port 22, and a mail server on port 25 simultaneously — the port number is what keeps their traffic from colliding.

Port numbers are governed by RFC 6335, which defines the IANA Service Name and Transport Protocol Port Number Registry and splits the 65,536 possible ports into three ranges:

  • System / well-known ports (0–1023): Reserved by IANA for core internet services — HTTP, HTTPS, SSH, DNS, SMTP. On Unix-like systems, binding to a port in this range requires root or elevated privileges.
  • User / registered ports (1024–49151): IANA-registered but not privileged. This is where most application and database servers live — MySQL (3306), RDP (3389), PostgreSQL (5432).
  • Dynamic / ephemeral ports (49152–65535): Never assigned to a fixed service. The OS hands one of these out temporarily whenever a client opens an outbound connection, and it's released once the connection closes.

The full, authoritative list — updated continuously — lives in the IANA Service Name and Port Number Registry. Everything in the reference table below is drawn from that registry, cross-checked against current vendor documentation.

How Do Port Numbers Work?

Every TCP or UDP connection is uniquely identified by a 4-tuple: source IP, source port, destination IP, destination port. When your browser requests https://example.com, it opens a connection from an ephemeral source port (say, 51342) on your machine to destination port 443 on the server. The server's response comes back to that same ephemeral port, so your OS knows which browser tab it belongs to — not port 443 on your own machine.

TCP and UDP maintain separate port namespaces. Port 53/TCP (DNS zone transfers) and port 53/UDP (standard DNS queries) are two different sockets that happen to share a number — a service can bind to one without touching the other. That's why the reference table below lists a protocol column: the same number means different things on TCP versus UDP for services like DNS and DHCP.

A worked example — a client opening two connections to the same HTTPS server looks like this on the server side:

Code
Proto  Local Address        Foreign Address       State
tcp    203.0.113.10:443     198.51.100.22:51342   ESTABLISHED
tcp    203.0.113.10:443     198.51.100.22:52108   ESTABLISHED

Same destination port (443), two different foreign (client) ports — that's how one web server handles thousands of simultaneous connections on a single port number.

Common Network Ports Reference Table

PortProtocolServiceDescription
20/21TCPFTPFile Transfer Protocol — 20 is data, 21 is control. Unencrypted; superseded by SFTP/FTPS.
22TCPSSH / SFTPSecure Shell — encrypted remote login, command execution, and secure file transfer.
23TCPTelnetUnencrypted remote login. Legacy only — credentials pass in plaintext.
25TCPSMTPMail server-to-server relay. Most ISPs block outbound 25 to fight spam.
53TCP/UDPDNSUDP for standard queries (<512 bytes); TCP for zone transfers and large/DNSSEC responses.
67/68UDPDHCPServer (67) and client (68) — automatic IP address assignment.
69UDPTFTPTrivial File Transfer Protocol — no authentication, used for network boot/config.
80TCPHTTPUnencrypted web traffic.
88TCP/UDPKerberosNetwork authentication protocol used heavily in Active Directory.
110TCPPOP3Retrieves mail and typically deletes it from the server after download.
123UDPNTPNetwork Time Protocol — clock synchronization.
143TCPIMAPRetrieves mail while keeping it synced on the server across devices.
161/162UDPSNMPNetwork device monitoring (161 queries, 162 traps/alerts).
389TCP/UDPLDAPDirectory service queries — user/group lookups in AD and other directories.
443TCP/UDPHTTPSEncrypted web traffic (TLS). UDP/443 carries HTTP/3 over QUIC.
445TCPSMBWindows file and printer sharing. High-value attack target — see below.
465TCPSMTPSSMTP over implicit TLS, commonly used for authenticated mail submission.
514UDPSyslogUnencrypted log forwarding to a centralized log server.
587TCPSMTP SubmissionThe standard port for authenticated outbound mail from clients (per RFC 6409).
993TCPIMAPSIMAP over implicit TLS.
995TCPPOP3SPOP3 over implicit TLS.
1433TCPMSSQLMicrosoft SQL Server default listener port.
1521TCPOracle DBOracle database default listener port.
3306TCPMySQLMySQL / MariaDB default port.
3389TCP/UDPRDPWindows Remote Desktop Protocol. High-value attack target — see below.
5432TCPPostgreSQLPostgreSQL default port.
5900TCPVNCVirtual Network Computing remote desktop.
6379TCPRedisRedis default port — unauthenticated by default in older versions.
8080TCPHTTP-AltCommon alternate HTTP port for proxies, dev servers, and app servers.
8443TCPHTTPS-AltCommon alternate HTTPS port for admin panels and app servers.
27017TCPMongoDBMongoDB default port.

Ports 80, 443, 22, and 53 account for the large majority of general internet traffic; everything from 1024 up is either a registered application port or a temporary one your OS assigned for an outbound connection.

Which Ports Are High-Risk and Should Never Be Exposed?

Not every port on this list is safe to leave open to the internet. A handful carry a track record of remote-exploitation that makes internet-facing exposure a direct incident risk:

  • 445 (SMB): Windows file sharing. The MS17-010 vulnerability in SMBv1 was the entry point for the 2017 WannaCry and NotPetya outbreaks — Microsoft's own guidance is to block inbound/outbound SMB (ports 445, 139, 137, 138) at the network perimeter.
  • 3389 (RDP): Windows Remote Desktop. CVE-2019-0708 ("BlueKeep") is a wormable, pre-authentication remote code execution flaw in RDP; CISA's guidance is to never expose RDP directly to the internet — put it behind a VPN or an RD Gateway with MFA instead.
  • 23 (Telnet): Sends credentials in cleartext. There is no legitimate reason to expose this externally in 2026 — use SSH (22).
  • 3306 / 5432 / 1433 / 27017 / 6379 (database ports): MySQL, PostgreSQL, MSSQL, MongoDB, and Redis are designed to be reached by application servers on a private network, not the public internet. Exposing a database port directly is one of the most common causes of ransomware-driven data-wipe attacks against misconfigured cloud instances.
  • 69 (TFTP) and 514 (Syslog): Both are unauthenticated by design. They belong on isolated management VLANs, never on a public interface.

The rule of thumb: if a port carries authentication, file access, or a database protocol, it should sit behind a VPN, bastion host, or firewall allow-list — not a public IP. Run your own perimeter against this list with the Port Scanner to confirm nothing on this shortlist is reachable from outside your network.

How Do You Check Which Ports Are Open?

On Linux, list listening sockets with process names:

Code
ss -tulpn
# -t TCP  -u UDP  -l listening only  -p show process  -n numeric ports
Code
sudo netstat -tulpn

On macOS, netstat doesn't show process names by default — use lsof:

Code
sudo lsof -i -P -n | grep LISTEN

On Windows (PowerShell), list active TCP connections with owning process:

Code
Get-NetTCPConnection -State Listen | Select-Object LocalAddress,LocalPort,OwningProcess

Or the classic:

Code
netstat -ano

To check whether a specific remote port is reachable (not just locally listening), test the connection directly:

Code
nmap -p 22,80,443,3389 203.0.113.10
Code
Test-NetConnection -ComputerName 203.0.113.10 -Port 443

A port scan against a well-configured host should show filtered or closed for anything not intentionally exposed, and open only for the services you meant to publish. Run the same check from outside your network with the Port Scanner — a locally-run netstat only tells you what's listening, not what's actually reachable past your firewall or NAT.

Common Port Errors and What They Mean

"Connection refused" — A device answered at that IP, but nothing is listening on the port you targeted (or a firewall actively rejected the packet with an RST). Fix: confirm the service is running and bound to the expected interface, not just 127.0.0.1.

"Connection timed out" — No response at all; usually a firewall silently dropping the packet, an unreachable host, or a NAT/routing gap. Fix: check the firewall rule chain in both directions and confirm the route with a traceroute.

"Filtered" in a port scan — The scanner can't tell if the port is open or closed because something (a firewall, an IDS) is dropping probe packets without a response. This is the expected, correct state for any port you haven't deliberately opened.

Address already in use (bind failure) — Another process already holds that port on the local machine. Fix: find the owning process with ss -tulpn or lsof -i :PORT and stop or reconfigure it before the new service can bind.

Port open but the application still doesn't respond — The transport layer is fine; the failure is in the application itself (wrong vhost, expired TLS cert, application crash). Rule out the network layer first with a plain connection test, then check the app's own logs.

Key Takeaways

  • ✓ Ports 0–1023 are IANA well-known ports, 1024–49151 are registered, and 49152–65535 are dynamic/ephemeral, per RFC 6335.
  • ✓ TCP and UDP keep separate port namespaces — port 53/UDP and 53/TCP are distinct sockets that serve different DNS functions.
  • ✓ 445 (SMB) and 3389 (RDP) have documented wormable RCE histories (MS17-010, CVE-2019-0708) and should never face the public internet directly.
  • ✓ Database ports (3306, 5432, 1433, 27017, 6379) belong on a private network, reachable only by application servers — not the internet.
  • ✓ "Filtered" is the correct, expected result for a port scan against anything you haven't deliberately published.

Frequently Asked Questions

Q: What port does HTTPS use?

HTTPS uses TCP port 443 for standard TLS connections. As of 2026, browsers and servers supporting HTTP/3 also use UDP port 443 for QUIC-based connections, so 443 now carries both TCP and UDP traffic depending on protocol support.

Q: What is the difference between a well-known port and a registered port?

Well-known ports (0–1023) are IANA-reserved for core internet services like HTTP and SSH and require elevated privileges to bind on most operating systems. Registered ports (1024–49151) are documented with IANA but aren't privileged — this range covers most database and application servers.

Q: Why do some ports show as "filtered" instead of "open" or "closed"?

"Filtered" means a firewall or filtering device is dropping the scan probes without sending a response, so the scanner can't confirm the port's true state. This is normal and expected for any port you haven't intentionally exposed.

Q: Is it safe to leave port 22 (SSH) open to the internet?

SSH itself is encrypted and reasonably safe to expose, but it's a constant brute-force target. Reduce risk by disabling password authentication in favor of key-based auth, moving it off the default port as one layer of noise reduction, and rate-limiting or fail2ban-ing failed login attempts.

Q: What port does DNS use, and why does it matter that it's both TCP and UDP?

DNS uses UDP port 53 for standard queries under 512 bytes and TCP port 53 for zone transfers, DNSSEC responses, and any response too large for UDP. A firewall that blocks TCP/53 while allowing UDP/53 will cause intermittent DNS failures on large or DNSSEC-signed responses — check both with the DNS Lookup tool.

Q: Which ports should a home router never have open to the internet?

At minimum, block inbound 23 (Telnet), 445 (SMB), 3389 (RDP), and any database port (3306, 5432, 1433) at the router. Most consumer routers don't forward these by default — the risk is usually a manual port-forward rule added for remote access and never removed. See the Home Network Security Guide for a full router hardening checklist.

Q: What's the difference between port 20 and port 21 in FTP?

Port 21 is the FTP control channel — it handles authentication and commands. Port 20 is the data channel used in active-mode FTP to actually transfer file contents. Passive-mode FTP (the modern default) negotiates a different data port instead of using 20 directly.

Next Steps

Cross-reference this table against your own network before trusting it in production. Run an external scan with the Port Scanner to see which ports are actually reachable from outside your firewall — don't assume a rule you set months ago is still in effect. If you're mapping out subnet ranges or firewall rules, pair it with the Subnet Calculator, and use IP Lookup or What Is My IP to confirm which address you're actually testing from.

For the concepts behind the numbers, see CIDR & Subnetting Explained, How to Read a Traceroute, and What Is a Network Security Key? — and if a connection is timing out rather than refusing, walk the path with the Ping Test or Traceroute tools before assuming it's a port problem at all.

Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.

On this page
  • What Are Network Ports?
  • How Do Port Numbers Work?
  • Common Network Ports Reference Table
  • Which Ports Are High-Risk and Should Never Be Exposed?
  • How Do You Check Which Ports Are Open?
  • Common Port Errors and What They Mean
  • Key Takeaways
  • Frequently Asked Questions
  • Next Steps
Related links
Port ScannerSubnet CalculatorIp LookupOnline TraceroutePingWhat Is My Ip
Related Tools
MAC Address Lookup→MAC Address Generator→Subnet Calculator→HTTP Lookup→