
Port 195 lives in the well-known port range, officially assigned by IANA, reserved for a protocol most people have never heard of: DNSIX Network Level Module Audit (service name: dn6-nlm-aud).1

It's a fossil from the Cold War era of networking, when the Department of Defense was building its own infrastructure for handling classified information.

What DNSIX Was

DNSIX stands for Department of Defense Intelligence Information System Network Security for Information Exchange.2 It was a framework designed by the Defense Intelligence Agency to embed security attributes directly into network packets — think classification levels (TOP SECRET, SECRET, etc.) baked into the data itself.3

The idea was elegant: tag every packet with who could see it and what level of clearance it required. The network would enforce security policy at the packet level. Multi-level security for a multi-domain world.

Port 195 specifically handled Network Level Module Audit functions — monitoring and logging security events at the network layer.4 It operated on both TCP and UDP, sending audit messages to designated hosts for analysis.5

The Reality

DNSIX never became widespread. The Department of Defense had its own networking requirements, its own security models, its own vision of how information should flow. But the commercial Internet went a different direction. SSL/TLS won. VPNs won. Application-layer security won.

DNSIX remains relevant in specialized government infrastructure — legacy systems, highly regulated environments, places where attribute-based security policies still matter.6 But for the vast majority of the Internet, port 195 sits empty.

The Well-Known Port Range

Port 195 falls in the System Ports range (0-1023), also called well-known ports.7 These ports require formal IETF review for assignment. They were meant for fundamental protocols — the ones everyone would use.

Some of those assignments turned out to be correct. Port 80 for HTTP. Port 443 for HTTPS. Port 22 for SSH. These are the ports the Internet runs on.

Others, like port 195, represent roads not taken. Protocols that solved real problems but only for specific communities. Experiments that worked but didn't scale. Ideas that made sense in 1990 but were obsolete by 2000.

DNSIX claimed several ports in the well-known range:

  • Port 90: DNSIX Security Attribute Token Map
  • Port 195: DNSIX Network Level Module Audit (this port)
  • Port 196: DNSIX Session Management Module Audit Redirect8

All of them officially assigned. All of them rarely encountered.

Checking Port 195

If you want to see if anything is listening on port 195:

Linux/Mac:

sudo lsof -i :195
sudo netstat -an | grep -E '[.:]195[[:space:]]'

Windows:

netstat -an | findstr /C:":195 "

Unless you're on a DoD network or running legacy government systems, you'll probably find nothing. That's normal. Most well-known ports aren't actually in use on most machines.
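The same check can be widened to all three DNSIX ports listed above and made exact, since a plain substring match on 195 also hits ports such as 1195 and addresses that contain 195. The function below is an added example, not part of the original page; the name dnsix_listeners is hypothetical, and it assumes the usual `netstat -an` column layouts on Linux, macOS/BSD and Windows.

```sh
#!/bin/sh
# Added example: report sockets bound to the DNSIX ports named on this page.
# Reads `netstat -an` text on stdin (Linux, macOS/BSD or Windows layout).
# Usage: netstat -an | dnsix_listeners

dnsix_listeners() {
    awk '
    BEGIN {
        # Port descriptions as given on this page.
        name[90]  = "DNSIX Security Attribute Token Map"
        name[195] = "DNSIX Network Level Module Audit"
        name[196] = "DNSIX Session Management Module Audit Redirect"
    }
    {
        proto = tolower($1)
        if (proto !~ /^(tcp|udp)/) next      # skip headers and unix sockets
        # Local address is column 4 on Linux/macOS, column 2 on Windows.
        local = ($2 ~ /^[0-9]+$/) ? $4 : $2
        port = local
        sub(/^.*[.:]/, "", port)             # keep text after the last . or :
        if (!(port in name)) next            # exact port match, not substring
        # TCP must be listening; UDP has no state column, so bound is enough.
        if (proto ~ /^tcp/ && toupper($0) !~ /LISTEN/) next
        printf "%s %s %s\n", substr(proto, 1, 3), port, name[port]
    }' | sort -u
}
```

Empty output means nothing is bound to ports 90, 195 or 196 on the host whose netstat output was supplied.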

Why This Matters

Port 195 is a reminder that the IANA registry is a record of ambition, not just deployment. Every assignment represents someone who thought they were building something important enough to claim a well-known port.

Some of those bets paid off. Some didn't.

But the ports remain, officially assigned, reserved in the registry, waiting. Because you never know when a protocol might come back. And because the Internet has room for experiments that don't pan out.

Port 195 is a ghost port. But it's an honest ghost — officially assigned, clearly documented, and still there if anyone needs it.
