Port 436: DNA-CML — A Fossil From the Protocol Wars

What This Port Does

Port 436 is officially assigned to DNA-CML (Digital Network Architecture - Configuration Management Listener) for both TCP and UDP protocols.¹ DNA-CML was part of DECnet, Digital Equipment Corporation's proprietary networking protocol suite.

In DECnet networks, DNA-CML served as the management listener application—the component that handled remote network configuration and control commands. When administrators needed to manage DECnet nodes remotely, they connected to the CML application running on port 436.²

You will almost certainly never encounter this protocol in use today.

The Digital Network Architecture

DECnet and its Digital Network Architecture (DNA) were developed by Digital Equipment Corporation (DEC) in the early 1970s, with the first release in 1975.³ At the time, DEC was one of the largest computer companies in the world, and DECnet connected their PDP-11 minicomputers in research labs, universities, and corporations.

The protocol evolved through several phases:

• Phase I (1974-1975): Point-to-point connections between two PDP-11s
• Phase IV (1982): Support for up to 255 nodes, Ethernet support, hierarchical routing
• Phase V (1987): Integration with OSI standards, attempting to bridge proprietary and open systems⁴

DNA was a complete layered network architecture, initially built with four layers and later evolved into a seven-layer OSI-compliant protocol.⁵ It had its own addressing scheme, routing protocols, and application layer—an entirely parallel universe to the TCP/IP stack we use today.

Why This Port Matters

Port 436 sits in the well-known ports range (0-1023), the block reserved for fundamental Internet services and assigned only through IETF review.⁶ The fact that DNA-CML has a well-known port reservation tells you something important: in the 1970s and 1980s, nobody knew which networking protocol would win.

TCP/IP, DECnet, IBM's SNA, Novell's IPX/SPX, AppleTalk—they all competed for dominance. IANA assigned well-known ports to all of them because the future was uncertain. The Internet could have been built on DECnet instead of TCP/IP.

TCP/IP won. DEC was acquired by Compaq in 1998, which was then acquired by HP. DECnet faded into history. But port 436 remains, a reserved number in the official IANA registry, a permanent reminder of a road not taken.

The Genuine Strangeness

Every time you look at the IANA port registry, you're looking at an archaeological record. Ports like 436 are fossils—evidence of extinct network protocols that once carried real traffic, real work, real connections between real computers.

Somewhere in the well-known ports range, there are reservations for protocols nobody has used in decades. They persist because removing them would serve no purpose, and because they do no harm. The Internet's addressing system has room for ghosts.

Port 436 specifically shows you something else: even configuration management—the boring, unglamorous work of administering networks—needed its own protocol, its own port, its own place in the architecture. Every successful network needs a way to manage itself. DECnet had DNA-CML on port 436. We have SNMP on port 161, SSH on port 22, HTTPS APIs on port 443.

The questions don't change. The protocols that answer them do.

Security Considerations

DNA-CML traffic should not exist on modern networks. If you observe traffic on port 436:

• It's likely misconfigured software using the port for unrelated purposes
• It could be port scanning or network reconnaissance
• Some historical sources mention trojan/malware activity on this port, though this reflects opportunistic use of an obscure port rather than any specific vulnerability in DNA-CML itself⁷

Use standard firewall rules to block port 436 unless you somehow have a legitimate DECnet deployment (you don't).

How to Check What's Listening

On Linux or macOS:

sudo lsof -i :436
sudo netstat -tulpn | grep :436

On Windows:

netstat -ano | findstr :436

If something is listening on port 436 on a modern system, investigate immediately. It's not DECnet.

Related Ports

Other ports assigned to legacy or historical protocols from the protocol wars:

• Port 102: ISO-TSAP (OSI networking)
• Port 213: IPX (Novell NetWare)
• Port 201-202: AppleTalk
• Port 497: Retrospect (backup protocol from the Mac classic era)

Each one a ghost, each one a reminder that the Internet's current form was never inevitable.