
Port Scanner

Scan open TCP and UDP ports on any IP address or domain. Audit cloud infrastructure, find exposed services, check IoT devices, map your attack surface, or verify game server connectivity — all from outside your network.


If it's open, it's exposed. If it's exposed, it's a target. Know your ports.

Written by Ishan Karunaratne · Last reviewed:

What Is an Open Port Scanner?

An open port scanner (also called a port checker or port forwarding tester) probes specific TCP or UDP ports on a remote host to determine whether services are reachable from the internet. Every network service binds to a port number — web servers listen on 80 and 443, SSH on 22, databases on ports like 3306 or 5432. Knowing which ports are exposed is the first step in both network troubleshooting and security hardening.

This tool scans from our external infrastructure, so results show how your target appears to the public internet — accounting for firewalls, NAT, cloud security groups, and ISP-level filtering. Use it to verify port forwarding on your router, check that your firewall rules are working, or test whether a service is accessible after deployment. Unlike netstat or ss, which show local listening sockets, this tool tests actual reachability from outside your network.

Choose from purpose-built scan presets for common scenarios — web stack verification, cloud infrastructure auditing, attack surface assessment, IoT device scanning, DevOps exposure checks, database exposure, mail server validation, and game server connectivity — or enter custom port numbers. Both TCP and UDP protocols are supported.

What Is the Difference Between TCP and UDP Scanning?

This tool supports both TCP and UDP scanning, which work fundamentally differently due to the nature of each protocol:

TCP Scan (Default)

Attempts a full three-way handshake (SYN → SYN-ACK → ACK) with each port. Produces definitive results:

  • Open — Handshake completed, service listening
  • Closed — Host sent RST, no service
  • Filtered — No response, firewall dropping packets

UDP Scan

Sends a datagram and waits for a response. UDP is connectionless, so results are less definitive:

  • Open — Service replied with data
  • Closed — ICMP port-unreachable received
  • Open|Filtered — No response — ambiguous

Use TCP for most diagnostics — it's faster and more reliable. Switch to UDP when testing services that use it: DNS (53), NTP (123), SNMP (161), game servers (many use UDP), WireGuard (51820), or SIP (5060).

How Can You Audit Cloud Infrastructure Ports?

After provisioning a server on AWS, GCP, or Azure, the first thing to verify is which ports are actually reachable from outside. Cloud providers use security groups, network ACLs, and firewall rules that are restrictive by default, but misconfigurations are the leading cause of cloud data breaches.

The Cloud Infra Audit preset checks the ports most commonly misconfigured in cloud deployments:

  • SSH (22) — Restrict to your IP only
  • MySQL (3306) — Should be in a private subnet
  • Redis (6379) — No auth by default, RCE risk
  • Elasticsearch (9200) — Exposes all indexed data
  • MongoDB (27017) — Mass ransom attacks on open DBs
  • K8s API (6443) — Cluster takeover if exposed
  • Kubelet (10250) — Node compromise via API
  • HTTP Alt (8080) — Admin panels, debug endpoints
  • Prometheus (9090) — Metrics data leak

If any of these show as open on your cloud instance, review your security group rules immediately. Databases and caches should never be publicly accessible — use private subnets, VPC peering, or SSH tunnels instead.
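As an added example that is not part of this page or its scanner, the following Python audit walks a security group in the IpPermissions shape returned by `aws ec2 describe-security-groups` and flags any rule that opens one of the Cloud Infra Audit ports above to the whole internet, including rules whose port range or "all traffic" protocol quietly covers one of them. The group, its id and its rules are a constructed sample.

```python
import ipaddress

# The Cloud Infra Audit preset's ports, with the page's own risk notes
CLOUD_AUDIT_PORTS = {
    22: "SSH: restrict to your IP only",
    3306: "MySQL: should be in a private subnet",
    6379: "Redis: no auth by default, RCE risk",
    9200: "Elasticsearch: exposes all indexed data",
    27017: "MongoDB: mass ransom attacks on open DBs",
    6443: "K8s API: cluster takeover if exposed",
    10250: "Kubelet: node compromise via API",
    8080: "HTTP Alt: admin panels, debug endpoints",
    9090: "Prometheus: metrics data leak",
}

def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the public internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_security_group(group: dict) -> list:
    """(group_id, port, note) for each audited port a rule opens to 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not any(is_world_open(s) for s in sources):
            continue                      # scoped to specific sources: not public
        if perm.get("IpProtocol") == "-1":
            lo, hi = 1, 65535             # "-1" is all traffic: every port at once
        elif perm.get("IpProtocol") in ("tcp", "udp"):
            lo, hi = perm["FromPort"], perm["ToPort"]
        else:
            continue                      # e.g. icmp: FromPort/ToPort are not ports
        for port in sorted(CLOUD_AUDIT_PORTS):
            if lo <= port <= hi:          # catches ranges that include a port
                findings.append((group.get("GroupId"), port, CLOUD_AUDIT_PORTS[port]))
    return findings

SAMPLE_GROUP = {  # constructed sample, not a real account
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 6000, "ToPort": 7000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
```

Feed it the `SecurityGroups` entries from your own account's JSON output; the sample's 6000-7000 rule is the kind that passes a glance but exposes Redis and the Kubernetes API.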

What Is an Attack Surface Assessment?

The Attack Surface preset targets the ports most commonly exploited in real-world attacks. These are the same ports that automated scanners, botnets, and penetration testers probe first:

  • SMB (445) — The protocol behind EternalBlue, WannaCry, and NotPetya. Should never be exposed to the internet. If open, it indicates a severe misconfiguration.
  • RDP (3389) — A top target for brute-force and credential stuffing attacks. BlueKeep (CVE-2019-0708) allowed remote code execution without authentication. Always use a VPN or jump host.
  • Telnet (23) — Transmits credentials in plaintext. Still found on IoT devices, industrial systems, and legacy network equipment. The Mirai botnet spread primarily via default Telnet credentials.
  • Memcached (11211) — Used in the largest DDoS amplification attacks ever recorded (1.3 Tbps against GitHub in 2018). Should never face the public internet.

Run the Attack Surface scan against your own infrastructure regularly, and use the website reputation checker to verify your domain is not flagged by security vendors. If any of these ports appear as open unexpectedly, treat it as a security incident and investigate immediately.

What Ports Do IoT and Embedded Devices Use?

IoT devices — cameras, routers, smart home hubs, industrial controllers — are among the most targeted endpoints on the internet. The Mirai botnet and its variants have compromised millions of devices by scanning for default credentials on exposed management ports.

The IoT & Embedded preset checks the ports most commonly left open on these devices:

  • Telnet (23) — Still the default remote access method on many IP cameras, routers, and embedded Linux devices. Credentials are transmitted in plaintext and factory defaults are widely known.
  • MQTT (1883) — The standard IoT messaging protocol. Many brokers run without authentication, allowing anyone to subscribe to sensor data or publish commands to connected devices.
  • RTSP (554) — IP cameras stream video over RTSP. Exposed cameras with default or no credentials are indexed by search engines like Shodan and Censys.
  • UPnP (1900) & Modbus (502) — UPnP can automatically punch holes in your firewall. Modbus, used in industrial control systems, has zero built-in authentication — any internet exposure is critical.

If you manage IoT devices or have smart home equipment, find your public IP address and scan it with this preset. Any open port is a potential entry point — these devices rarely receive security patches.

What DevOps and CI/CD Ports Are Commonly Exposed?

Container orchestration platforms, CI/CD pipelines, and monitoring tools are powerful — and catastrophic when accidentally exposed to the internet. The DevOps Exposed preset targets the management ports that should only be reachable from internal networks.

  • Docker API (2375) — Unauthenticated Docker API gives full container control — mount host filesystem, execute arbitrary commands, deploy cryptominers. The single most dangerous port to expose.
  • Jenkins (8080) — Jenkins with anonymous access enabled allows arbitrary code execution via Groovy script console. Often found with default credentials or no auth.
  • etcd (2379) — Kubernetes stores all cluster secrets (including TLS certs and service account tokens) in etcd. Public exposure means full cluster compromise.
  • Kubelet (10250) — The Kubelet API allows executing commands inside pods. If exposed without authentication, attackers can access any running container on the node.

These ports should never appear as open on a public scan. If any do, your CI/CD pipeline or container platform is directly accessible from the internet — restrict access with firewall rules or private networking immediately.

What Ports Does Windows Active Directory Use?

Active Directory is the backbone of enterprise Windows networks — and the primary target in most corporate breaches. The Windows Domain preset checks the ports that AD domain controllers and member servers expose:

  • Kerberos (88) — AD authentication protocol. Exposed Kerberos enables Kerberoasting attacks where attackers request service tickets and crack them offline to obtain service account passwords.
  • LDAP (389) & LDAPS (636) — Directory queries can enumerate every user, group, and computer in the domain. Exposed LDAP is a goldmine for credential harvesting and reconnaissance.
  • SMB (445) & MS-RPC (135) — Used for file sharing, group policy, and remote management. Attackers use these for NTLM relay attacks, lateral movement, and ransomware deployment (WannaCry, NotPetya).
  • WinRM (5985) — PowerShell remoting over HTTP. With valid credentials, attackers can execute arbitrary commands on any domain machine. A key tool in lateral movement and living-off-the-land attacks.

AD ports should never be reachable from the public internet. If you're running a domain controller, these ports should only be accessible within your corporate network or via VPN. Any external exposure is a critical finding.

Which Database Ports Are Commonly Exposed?

Publicly exposed databases are one of the most common causes of data breaches. The Database Exposure preset scans the default ports for every major database engine to ensure none are directly reachable from the internet.

  • MySQL (3306) — Brute-force and SQL injection pivot
  • PostgreSQL (5432) — pg_hba.conf misconfiguration is common
  • MSSQL (1433) — xp_cmdshell enables OS command execution
  • Redis (6379) — No auth by default; write cron for RCE
  • MongoDB (27017) — Ransom attacks on unauthenticated instances
  • Elasticsearch (9200) — Full index data readable without auth

Databases belong in private subnets with no public IP. Access should go through SSH tunnels, bastion hosts, or VPN connections. Even password-protected databases are vulnerable to brute-force attacks and protocol-level exploits when exposed directly.

What Are Common Remote Access Ports?

The Remote Access preset checks protocols used for remote server management and VPN connectivity. Some of these are expected to be open (SSH, VPN endpoints), while others should be locked down or replaced with secure alternatives.

  • SSH (22) — The standard for secure remote access. Expected to be open on servers, but should use key-based authentication and be restricted by source IP where possible.
  • RDP (3389) & VNC (5900) — Graphical remote desktop protocols. Both are frequent brute-force targets and should be behind a VPN or zero-trust access proxy rather than directly exposed.
  • OpenVPN (1194) & WireGuard (51820) — VPN tunnel endpoints. These are expected to be open if you run a VPN server. WireGuard uses UDP and won't respond to probes unless the client presents a valid public key, so it may show as filtered even when running.

What Ports Do Mail Servers Use?

Running your own mail server requires specific ports to be open for delivery and client access. The Mail Server preset verifies the full set:

  • SMTP (25) — Server-to-server delivery. Must be open to receive email from the internet.
  • Submission (587) — Client sends mail via STARTTLS. Your email app connects here.
  • SMTPS (465) — SMTP over implicit TLS. Used by some clients as an alternative to 587.
  • IMAPS (993) — IMAP over TLS. Clients sync and manage mailboxes here.
  • POP3S (995) — POP3 over TLS. Download-and-delete mail access.
  • IMAP (143) — Unencrypted IMAP. Should redirect to IMAPS (993).

Port 25 must be open for your server to receive email, but many cloud providers block outbound port 25 by default to prevent spam. If you can't send email, check that your provider hasn't restricted it. Use the DNS Inspector to verify your MX, SPF, DKIM, and DMARC records are correctly configured alongside your mail server ports.

What Ports Does the Web Stack Use?

The Web Stack preset covers the ports used by web servers, reverse proxies, and application frameworks. On a production server, you typically want only ports 80 and 443 open — everything else should be internal.

  • HTTP (80) & HTTPS (443) — Your public-facing web ports. Port 80 should redirect to 443. If neither is open, your website isn't reachable.
  • 8080 & 8443 — Common alternate ports for reverse proxies, Tomcat, API gateways, and admin panels. If these are open in production, verify they're intentional and not leaking internal services.
  • Dev ports (3000, 5173, 8000) — Development server ports for Node.js, Vite, and Django. These should never be open in production. If they appear as open, a dev server may be running on a public machine.

How Do Port Forwarding and Firewalls Work?

For a port to appear as open from the internet, every layer between the scanner and the service must allow the traffic. Understanding these layers helps diagnose why a port might show as filtered even when your service is running:

  • ISP-Level Blocking — Many residential ISPs block incoming connections on common server ports (25, 80, 443) to prevent customers from running servers. This cannot be bypassed without changing to a business-class connection or using non-standard ports.
  • Router NAT / Port Forwarding — If your server is behind a NAT router, you must configure port forwarding to map the external port to your internal server IP and port. Without this, incoming connections stop at the router.
  • Cloud Security Groups / ACLs — Cloud providers (AWS, GCP, Azure) require explicit inbound rules in security groups or network ACLs. Even if your server's firewall allows the port, the cloud-level rules must also permit it.
  • Host Firewall — Software firewalls on the server itself (iptables, nftables, ufw, Windows Firewall) are the final gate. The service must be running and the firewall must allow inbound connections on the target port.

This tool tests the entire chain from outside. If a port shows as filtered, work through each layer from the outermost (ISP) inward to find where packets are being dropped.

What Ports Do Game Servers Use?

Hosting a game server requires the correct ports to be open and forwarded. Each game uses specific port numbers that players connect to. Some games use TCP, others use UDP, and many use both — switch between protocols using the dropdown to verify each:

  • Minecraft Java (25565) — Default Java Edition server port (TCP). The most popular game server port on the internet.
  • Minecraft Bedrock (19132) — Bedrock Edition uses UDP. Switch to UDP scanning to verify this port.
  • Source Engine (27015) — Counter-Strike 2, TF2, Garry's Mod. Uses both TCP and UDP — test both protocols.
  • FiveM (30120) — FiveM multiplayer framework for GTA V roleplay servers (TCP + UDP).

When setting up a game server, configure port forwarding on your router, open the port in your firewall, then use this tool to verify it's accessible. If the port shows as open, players on the internet can connect to your server.

What Do Different Port States Mean?

Every port scan result falls into one of these categories. Understanding the difference is essential for interpreting results correctly:

Open

A service is actively listening and accepting connections. For TCP, the handshake completed. For UDP, the service responded with data. This is expected for services you intentionally expose.

Closed

The host is reachable but no service is listening. TCP sends a RST. For UDP, the host returned an ICMP port-unreachable. The firewall allows traffic but nothing is bound to the port.

Filtered

No response received (TCP). A firewall or network device is silently dropping packets. The actual state cannot be determined from outside. This is the preferred state for unused ports, since it reveals nothing to attackers.

Open|Filtered

UDP-specific. No response received, which could mean the port is open (service didn't reply) or filtered (firewall dropped it). UDP is inherently ambiguous without application-layer probes.

A well-secured server should show only intentionally exposed ports as open, with everything else filtered. Use the IP Location tool to check the security profile of IPs connecting to your services, and the Propagation Checker to verify your DNS points to the correct server before running port scans. To investigate other domains hosted on the same server, use the find domains on an IP tool.
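As an added example that is not part of this page or its tool, the Python below applies the state classification from the TCP/UDP scanning section and the port states above: a full connect() handshake for TCP, a single datagram for UDP, with the kernel's ICMP port-unreachable report distinguishing closed from open|filtered. It also parses the comma-separated port field (1-65535, max 20) the tool uses. The 2-second timeout is an assumption; tune it for WAN latency.

```python
import socket

TIMEOUT = 2.0  # seconds per probe; assumption, tune for WAN latency

def parse_ports(spec: str, limit: int = 20) -> list:
    """Parse the tool's comma-separated port field (1-65535, max 20 per scan)."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port: {item!r}")
        ports.append(int(item))
    if len(ports) > limit:
        raise ValueError(f"max {limit} ports per scan")
    return ports

def tcp_port_state(host: str, port: int, timeout: float = TIMEOUT) -> str:
    """Full connect() handshake: open (accepted), closed (RST), filtered (silence)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        raise                          # name did not resolve: not a port state
    except ConnectionRefusedError:
        return "closed"                # host answered with RST, nothing bound
    except OSError:
        return "filtered"              # timeout or ICMP unreachable: packets dropped

def udp_port_state(host: str, port: int, payload: bytes = b"\x00", timeout: float = TIMEOUT) -> str:
    """Send one datagram: open (data back), closed (ICMP unreachable), else open|filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))    # connected socket so the kernel reports ICMP errors
            s.send(payload)
            s.recv(4096)
            return "open"
        except socket.gaierror:
            raise
        except ConnectionRefusedError:
            return "closed"            # ICMP port-unreachable surfaced as ECONNREFUSED
        except OSError:
            return "open|filtered"     # silence: dropped, or a service ignoring a blank probe

def scan(host: str, spec: str, proto: str = "tcp") -> dict:
    """Scan the ports in `spec` and map each to its state, like the tool's result table."""
    probe = tcp_port_state if proto == "tcp" else udp_port_state
    return {port: probe(host, port) for port in parse_ports(spec)}
```

A blank payload is enough for the closed/open|filtered split, but a UDP service that only answers well-formed requests (DNS, NTP, SNMP) will read as open|filtered until you send a protocol-specific probe.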

Need this in code?

Every check this tool runs is also available via the port scan API with examples in cURL, JavaScript, Python, PHP, Ruby, and Java.


Frequently Asked Questions