Port 3689: DAAP — The Port That Shared Your Music Library with the World

What Runs on Port 3689

Port 3689 carries DAAP — the Digital Audio Access Protocol. Apple created DAAP to power the music sharing feature in iTunes, where your library would appear in a neighbor's sidebar over the local network. When you clicked "Share my library," your machine started listening on TCP port 3689.

DAAP is essentially HTTP with a custom binary content type. The server sends a catalog of your music, and clients stream requested tracks. Discovery happens through Bonjour (Apple's implementation of Zeroconf mDNS) — your iTunes would announce itself, other iTunes instances would find it, and suddenly their sidebars had a new entry: "Kirk's Music."

The Six Weeks iTunes Was a Global Jukebox

Apple shipped iTunes 4.0 in April 2003. The sharing feature was intended for local networks only. But DAAP had no enforcement mechanism for this — it was just HTTP, and HTTP doesn't check whether you're on the same subnet.

Within days, people discovered you could connect to any DAAP server anywhere on the Internet if you knew its IP address. Directories of public iTunes libraries appeared online. Anyone could browse anyone's collection. Briefly, the entire installed base of iTunes was one enormous shared music library, with no authentication, no accounts, no friction.

Six weeks later, Apple shipped iTunes 4.0.1. The open sharing was gone. Beginning with iTunes 4.2, Apple added authentication that only permitted other iTunes clients to connect — no third-party software, no cross-Internet access.

The window closed. But people had seen what was possible.

The Reverse Engineering

Apple never published the DAAP specification. They didn't need to — they controlled the only clients and servers. But the open source community had watched those six weeks and wanted that back.

Within months, developers had reverse-engineered DAAP to a working degree. The first major open source server was mt-daapd (also called Firefly Media Server), which let a Linux box appear as an iTunes music share on the local network. Your router, your NAS, your headless server — any of them could be an iTunes library.

mt-daapd was eventually forked and rewritten as forked-daapd, which became OwnTone — still actively maintained today. OwnTone handles DAAP for iTunes/Music.app compatibility, MPD for command-line clients, AirPlay for wireless speakers, Spotify integration, and Chromecast. Port 3689 is still in the config file.¹

Why iTunes Dropped It (And Why Port 3689 Outlasted iTunes)

Apple discontinued iTunes in 2019, splitting its functions into Music, Podcasts, and TV on macOS Catalina. Music.app inherited some of the DAAP sharing behavior, though Apple's own enthusiasm for it had cooled as iCloud and Apple Music made local network sharing feel like a previous era.

But the port didn't retire. Self-hosted media server software kept the protocol alive because DAAP still works — it's simple, well-understood (if unofficially), and compatible with a lot of client software. If you run Plex, Jellyfin, or OwnTone on your home network today, some of your clients may be speaking DAAP on port 3689.

Security Considerations

DAAP is a local-network protocol running unauthenticated by default in most open source implementations. A few things worth knowing:

Don't expose port 3689 to the Internet. The protocol wasn't designed for it (despite the 2003 adventure). No TLS, minimal authentication. If you're running OwnTone or a similar server, your firewall should be blocking this port from external access.

The authentication Apple added was proprietary and locked. Third-party clients had to work around it. The open source ecosystem largely side-stepped Apple's auth entirely, which means most DAAP deployments in the wild have weaker access controls than Apple's own client/server pairs.

Checking What's on Port 3689

If you're curious whether something is running on this port locally:

# macOS/Linux — check if the port is open on your machine
lsof -i :3689

# Linux alternative
ss -tlnp | grep 3689

# Check if a specific host has it open
nmap -p 3689 192.168.1.1

# See if Bonjour is advertising a DAAP service
dns-sd -B _daap._tcp local

If you see something listening, it's almost certainly an iTunes-compatible media server — OwnTone, Plex (older versions), or a similar self-hosted music application.

The Registered Port Range

Port 3689 sits in the registered ports range (1024–49151). These ports are assigned by IANA for specific services but don't require root/administrator privileges to bind. Any software can use them, though IANA tracks the assignments to reduce conflicts.

DAAP's registration reflects the era: Apple was significant enough to claim a port number for a proprietary, undocumented protocol, and the ecosystem around it grew large enough that the port stuck around long after the original application faded.

Related Ports

• 5353 — mDNS/Bonjour, used to advertise and discover DAAP services on the local network
• 3390 — sometimes used by alternative media sharing protocols
• 8096 / 8920 — Jellyfin, a modern self-hosted media server that doesn't use DAAP