
Port 90 is assigned to DNSIX, the DoD Network Security for Information Exchange protocol. Its job: attach security classification labels to data packets so that networks carrying traffic at different clearance levels can enforce mandatory access controls automatically.

If you have never heard of DNSIX, that is by design. It was built for a world most people never see.

What DNSIX Does

DNSIX stands for Department of Defense Intelligence Information System Network Security for Information Exchange [1]. The protocol generates security attribute tokens, small metadata tags that encode a packet's classification level, the originating user's clearance, and the compartments the data belongs to. These tokens travel alongside the data. Every system that touches the packet reads the token and decides whether to pass it forward, restrict it, or log it.

Port 90 specifically handles the Security Attribute Token Map, the mechanism that translates between security labels used by different systems on the network. When a packet moves from one classified enclave to another, the token map ensures the labels are understood on both sides.

The protocol operates on both TCP and UDP. Related DNSIX services occupy nearby ports: port 195 handles network-level audit logging, and port 196 handles session management audit redirection [2].

The History

DNSIX was developed by the U.S. Defense Intelligence Agency (DIA) as part of the broader effort to build multi-level secure (MLS) networks during the Cold War [3]. The problem it solved was concrete and urgent: the Department of Defense operated networks at different classification levels (Unclassified, Secret, Top Secret, and various compartmented levels above that). Data needed to flow between systems, but it could never flow up in classification without explicit authorization.

Unlike most protocols assigned to well-known ports, DNSIX was not defined through the IETF's RFC process. Its specifications were published as DoD standards (such as SDN.801), which means the full technical details live in military documentation rather than the open Internet standards archive.

Cisco routers supported DNSIX through the dnsix-nat command family, allowing network administrators to configure audit trails and security attribute processing on commercial routing hardware [4]. This was how the protocol reached practical deployment: embedded in the networking equipment that connected classified enclaves.

A notable detail in the IANA registry: the service is listed as "DNSIX Securit Attribute Token Map," with "Security" misspelled. That typo has persisted in the official record for decades [5].

The Ghost of PointCast

Port 90 has an unlikely second life. In the mid-1990s, PointCast used this port for its push-technology screensaver service [6].

PointCast launched in February 1996 and was, briefly, the future of the Internet. The application turned your idle computer screen into a live news feed, pulling headlines from CNN, the New York Times, and the Los Angeles Times directly to your desktop [7]. CNet named its founder, Christopher Hassett, newsmaker of the year. Over 1.7 million people downloaded the software. News Corporation offered $450 million to acquire the company [8].

Then it all fell apart. PointCast's constant polling for fresh content consumed enormous bandwidth on corporate networks. IT departments started banning it. Nine out of ten users eventually turned it off. Hassett rejected News Corp's offer. By 1999, the company sold for roughly $7 million, and the PointCast network shut down in March 2000 [9].

The irony of port 90 carrying both classified military security tokens and a news-ticker screensaver is not lost on anyone who looks closely enough.

How to Check What Is Listening on Port 90

On most modern systems, nothing should be listening on port 90. If something is, you want to know about it.

macOS / Linux:

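# Check for anything using port 90, TCP or UDP
# (-n and -P keep addresses and port numbers numeric)
sudo lsof -nP -i :90

# Or using ss (Linux): TCP and UDP listeners bound to exactly port 90
# (a plain grep for :90 would also match ports such as 900 or 9000)
sudo ss -tulnp 'sport = :90'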

Windows:

netstat -ano | findstr /C:":90 "

If you find an unexpected service on port 90, investigate. This port has no common modern use, so any listener warrants attention.
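
On a Linux host where lsof and ss are not installed (a minimal container, for example), the same check can be made by reading the kernel's socket tables directly. This is an added example, not part of the original page; the function names are hypothetical, the sample table is constructed, and it assumes the Linux /proc/net/tcp and /proc/net/udp layout.

```shell
#!/bin/sh
# Port 90 as the 4-digit uppercase hex used in /proc/net/{tcp,udp}* (005A).
PORT_HEX=$(printf '%04X' 90)

# listeners_in STATE: read a /proc/net table on stdin and print
# "local_address uid inode" for every socket whose LOCAL port is 90 and
# whose state field equals STATE (0A = TCP LISTEN, 07 = unconnected UDP).
listeners_in() {
    awk -v port="$PORT_HEX" -v st="$1" '
        NR > 1 {                        # skip the header row
            n = split($2, a, ":")       # port is the last ":"-separated part
            if (toupper(a[n]) == port && toupper($4) == st)
                print $2, $8, $10
        }'
}

# scan_port_90 [DIR]: check the IPv4/IPv6 TCP and UDP tables in DIR
# (default /proc/net) and prefix each hit with the table name.
scan_port_90() {
    dir=${1:-/proc/net}
    for proto in tcp tcp6 udp udp6; do
        [ -r "$dir/$proto" ] || continue
        case $proto in tcp*) st=0A ;; *) st=07 ;; esac
        listeners_in "$st" < "$dir/$proto" | sed "s/^/$proto /"
    done
}

# Constructed sample in /proc/net/tcp layout: a listener on port 90, a
# listener on port 9000 (2328), and an outbound connection TO port 90.
sample_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:005A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   1: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23457 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:005A 01 00000000:00000000 00:00000000 00000000  1000        0 23458 1 0000000000000000 20 4 30 10 -1
EOF
}

scan_port_90    # live check; prints nothing when no socket is bound to port 90
```

The inode in each hit can be matched against the socket:[inode] links under /proc/PID/fd to identify the owning process.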

Why This Port Matters

Port 90 sits in the well-known port range (0 through 1023), the most restricted tier of the port system. These numbers are assigned by IANA and historically required root or administrator privileges to bind to. Getting a well-known port assigned to your protocol meant your protocol mattered to the infrastructure of the Internet, or in this case, to the infrastructure of national security.

DNSIX is a protocol most engineers will never encounter. It belongs to an era when the Internet's most critical security challenge was not phishing or ransomware but the physical and logical separation of classified information. The protocol's approach, tagging every packet with its classification and trusting the network to enforce the rules, was elegant in its directness.

Port 90 is quiet now. The classified networks that still need multi-level security have moved to newer systems. PointCast is a cautionary tale in business school case studies. But the port number remains assigned, a small monument to the idea that data should carry its own permissions with it wherever it goes.
