DNS Lookup Tool
Query A, MX, TXT, CNAME, and other DNS record types for any domain.
Open toolHome › Tools › Network & DNS › Port Checker
Check whether a TCP port is open, closed, or filtered on any hostname or IP address.
Enter a host and port, then run the check.
<p>Port Checker sends a TCP connection attempt from our server to a hostname or IP address on the port you specify, then reports one of three states: open, closed, or filtered. Each state means something distinct. Open means a service accepted the TCP handshake. Closed means the host responded with a TCP RST packet: the port is network-reachable but nothing is listening on it. Filtered means no response arrived before the timeout period ended: a firewall, cloud security group, or network ACL is silently dropping the packets before they reach the host.</p><p>The test originates from our server, not your browser, so the result shows public internet reachability from an external vantage point. It tells you what any user on the open internet would see when attempting to connect, which is different from what your local machine, corporate VPN, or internal network allows. Developers verify deployed services are reachable before pointing DNS at a new server. Sysadmins confirm a firewall rule change took effect. DevOps engineers isolate network faults: if Port Checker reports "filtered" and application logs show connection timeouts, the problem is a firewall rule, not the application.</p><h3>How to check a port</h3><ol><li>Enter the hostname (for example, <code>api.example.com</code>) or IPv4 address in the host field. Subdomains are supported; the tool resolves the hostname to an IP before testing.</li><li>Enter any port number from 1 to 65535, or click one of the common-port quick-select buttons: HTTP (80), HTTPS (443), SSH (22), FTP (21), MySQL (3306), SMTP (25 and 587), or HTTP-alt (8080).</li><li>Click <strong>Check port</strong>. The test runs from our server and returns a result in 2 to 10 seconds. Filtered ports take longer because the tool waits for the TCP timeout.</li><li>Read the result: <strong>Open</strong> (service is accepting connections), <strong>Closed</strong> (host reachable, nothing listening), or <strong>Filtered</strong> (firewall or ACL blocking the packet).</li></ol><h3>What open, closed, and filtered actually mean</h3><p>The three states map directly to what happens at the TCP layer:</p><ul><li><strong>Open:</strong> Our server sent a SYN packet. The remote host replied with SYN-ACK. A service is running and accepting connections on that port. The tool immediately sends RST to close the connection without completing a full session.</li><li><strong>Closed:</strong> Our server sent a SYN packet. The remote host replied with RST. The host is reachable at the network level, but no process is bound to that port. This is the expected state for ports your server is not using, and it is different from blocked: the host is responding, just rejecting the connection.</li><li><strong>Filtered:</strong> Our server sent a SYN packet. No response arrived before the timeout. A firewall, security group, or network ACL is dropping the packets silently rather than sending RST. Filtered ports take longer to test because there is no negative response to receive: the tool has to wait for the TCP connection to time out, typically 3 to 10 seconds.</li></ul><h3>Technical details</h3><p>The check runs from a fixed server IP address. This affects results in two cases: if the target applies source-IP allowlisting (permitting only specific IPs), our connection attempt will be blocked even if other IPs can connect freely; if the target applies geo-IP filtering, results may differ from what users in other regions see. The tool is an external public-internet connectivity check, not a test of local or VPN-internal reachability.</p><p>Private and loopback IP ranges are blocked from testing: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 127.0.0.0/8. Sending TCP probes from our server to RFC 1918 addresses would always time out and report "filtered," which gives no useful information and probes addresses in address space the requester may not own.</p>
Closed means the host replied with a TCP RST packet. The host is network-reachable and the port is accessible, but nothing is listening there. The response is immediate. Filtered means no response arrived at all within the timeout. A firewall, security group, or ACL is silently dropping packets before they reach the host. Filtered ports take 3 to 10 seconds to test because the tool has to wait for the connection attempt to time out.
Three causes cover most cases. First, the service may bind to 127.0.0.1 (localhost) instead of 0.0.0.0 (all interfaces): check the bind address in the service configuration. Second, a host-level firewall (iptables, ufw, Windows Firewall) may be blocking the port independently of the service. Third, a cloud security group or network ACL for the instance may not allow the port, even if the OS-level firewall does. All three produce "filtered" on an external check.
A closed port responds immediately with a TCP RST, so the result is instant. A filtered port sends no response, so the tool has to wait for the TCP connection attempt to time out before it can declare the result. TCP timeouts are typically 3 to 10 seconds depending on network conditions, and there is no faster way to distinguish a firewall drop from a slow response.
The TCP test runs from our server. Results show what the public internet sees from that server's IP address. If your target host uses source-IP allowlisting or geo-IP filtering, results may differ from what specific users on other IPs or in other countries would see. For testing local network visibility, use netcat or nmap from your own machine.
No. RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and loopback (127.0.0.0/8) are blocked. These addresses are not routable from our server, so a test would always time out and return "filtered," giving no useful result.
Functionally similar, but the vantage point is different. nmap and netcat run from your local machine and test what your network can reach. Port Checker runs from our server and tests public internet reachability. For verifying that a port is open to the world, use Port Checker. For diagnosing what you can reach from inside your own network or VPN, use command-line tools from your own machine.
Yes. No account required, no rate limit for normal diagnostic use, no charge for any number of lookups.
Open another DNS or network check in one click.
Query A, MX, TXT, CNAME, and other DNS record types for any domain.
Open toolCheck TLS certificate validity, expiry, issuer, and chain completeness.
Open toolCheck if a website is online or down from an external server.
Open toolView registrar, creation date, expiry, and nameservers for any domain.
Open tool