DNP3 Port Number Explained: TCP/UDP 20000, Secure Port 19999, and Firewall Configuration

By | November 7, 2025

DNP3 runs over IP networks using TCP or UDP port 20000. This port number is the standard for communication between SCADA masters and field devices (RTUs, IEDs) in electric utilities, water systems, and oil and gas pipelines.

IANA also registered port 19999 for DNP3 Secure (DNP3 over TLS), though it is rarely used in practice — most deployments apply DNP3 Secure Authentication (DNP3-SA v5/v6) on top of the standard port 20000.

This guide covers everything about DNP3 port numbers — from the IANA registration to practical firewall rules you can copy and paste.

1. TCP/UDP Port 20000 — The Standard DNP3 Port

TCP/UDP port 20000 is the default and official port for DNP3 over IP networks. It is defined in IEEE 1815-2012 (the DNP3 standard) and registered with IANA.

Every DNP3 outstation — whether it is an RTU at a substation, an IED in a protection relay, or a remote pump controller — listens on TCP port 20000 by default. The SCADA master (typically at the control center) initiates the TCP connection to this port.

On port 20000, DNP3 traffic is unencrypted by default. The raw DNP3 frames travel in plain text, making them readable by anyone with network access and a packet capture tool like Wireshark.

2. IANA Registration Details

Field | Value
Service Name | dnp
Port Number | 20000
Transport Protocol | TCP and UDP
Description | DNP — Distributed Network Protocol
Reference | IEEE 1815-2012
Assignment | IANA registered

IANA also registered:

Service Name | Port | Transport | Description
dnp | 20000 | TCP, UDP | DNP3 standard
dnp-sec | 19999 | TCP, UDP | DNP3 Secure (TLS)

3. TCP vs UDP for DNP3

DNP3 can use either TCP or UDP on port 20000. Each has different use cases:

Feature | TCP (port 20000) | UDP (port 20000)
Reliability | Guaranteed delivery, ordered | No delivery guarantee
Connection | Session-based (3-way handshake) | Connectionless
Overhead | Higher (headers, ACKs) | Lower
Use case | Point-to-point master-outstation | Broadcast, multicast, one-way networks
Deployment share | 95%+ of real-world DNP3 installations | Rare — mainly specialized applications
Packet loss handling | TCP retransmits | DNP3 application layer detects missing data

TCP is the default choice for nearly all modern DNP3 deployments. UDP is used occasionally for broadcasting a master’s messages to multiple outstations simultaneously, or in specific one-way telemetry applications.

4. How DNP3 Uses Port 20000

DNP3 over IP follows a client-server architecture:

Role | TCP Behavior | Port
Outstation (RTU, IED) | TCP Server — listens on port 20000 | 20000
Master (SCADA control center) | TCP Client — connects to the outstation’s port 20000 | Ephemeral source port (e.g., 49152–65535)

The outstation always listens. The master always initiates the connection. This is the opposite of many engineers’ intuition — the control center (master) is the one making outgoing connections, not accepting them.

This design has a practical benefit: outstations can sit behind firewalls that block all inbound traffic except from the master’s IP. It is easier to secure a network where field devices only accept connections from known control centers.

5. DNP3 Connection Sequence

For DNP3 over TCP on port 20000:

Step | Direction | What Happens
1 | Master → Outstation | TCP SYN to port 20000
2 | Outstation → Master | TCP SYN-ACK
3 | Master → Outstation | TCP ACK — TCP connection established
4 | Master → Outstation | Link Layer Reset (optional)
5 | Master → Outstation | Integrity Poll: Read function for Class 0, 1, 2, 3 data
6 | Outstation → Master | Response — all static data + buffered events
7 | Master → Outstation | Periodic class polls (usually Class 1, 2, 3 for events)
8 | Outstation → Master | Unsolicited Responses — spontaneous events (if enabled)
9 | Master → Outstation | Confirm — acknowledge unsolicited responses
10 | Both | Keep-alive, time sync, control commands

The key DNP3 function codes on port 20000:

Function Code | Name | Purpose
0x01 | Read | Request static or event data
0x02 | Write | Write to outstation
0x03 | Select | Select a control point (step 1 of SBO)
0x04 | Operate | Operate a selected control point (step 2 of SBO)
0x05 | Direct Operate | Operate without select
0x0D | Cold Restart | Restart the outstation
0x14 | Enable Unsolicited | Enable unsolicited responses
0x17 | Delay Measurement | Measure round-trip delay
0x18 | Record Current Time | Time synchronization
0x81 | Response | Outstation’s response to a master request
0x82 | Unsolicited Response | Outstation-initiated event report
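The function codes above sit inside the application layer, which is carried in DNP3 link-layer frames on port 20000. The following Python builder/parser is an added example (not code from the article or from any DNP3 library): it assembles and checks the link header (start bytes 0x05 0x64, length, control byte, destination and source addresses) and the per-block CRC-16/DNP, which is what a capture tool decodes and what the dnp3.src / dnp3.dst display filters key on. The Link Reset frame is the well-known reset-link-states frame from master address 1024 to outstation address 1; the integrity-poll payload is constructed for the example.

```python
"""DNP3 link-layer frame builder and parser with CRC-16/DNP verification.

Added example, not code from the original article. Standard library only.
"""
import struct

START_BYTES = b"\x05\x64"   # every DNP3 link frame begins with 0x05 0x64
MAX_USER_DATA = 250         # the link layer carries at most 250 bytes of user data

# CRC-16/DNP: polynomial 0x3D65 bit-reflected (0xA6BC), init 0, final XOR 0xFFFF,
# sent low byte first. Reference check value: crc16_dnp(b"123456789") == 0xEA82.
_CRC_TABLE = []
for _b in range(256):
    _c = _b
    for _ in range(8):
        _c = (_c >> 1) ^ 0xA6BC if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def crc16_dnp(data: bytes) -> int:
    crc = 0
    for byte in data:
        crc = (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]
    return crc ^ 0xFFFF


def build_frame(control: int, dest: int, src: int, payload: bytes = b"") -> bytes:
    """Header (start, length, control, dest, src, CRC) + 16-byte data blocks, each with its own CRC."""
    if len(payload) > MAX_USER_DATA:
        raise ValueError("link layer user data is limited to 250 bytes")
    # The length field counts control + dest + src (5 bytes) + user data, not the CRCs.
    header = START_BYTES + struct.pack("<BBHH", 5 + len(payload), control, dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(payload), 16):
        block = payload[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame


def parse_frame(frame: bytes) -> dict:
    """Check the start bytes and every CRC, then decode the control byte and addresses."""
    if len(frame) < 10 or frame[:2] != START_BYTES:
        raise ValueError("missing DNP3 start bytes 0x05 0x64")
    length, control, dest, src = struct.unpack("<BBHH", frame[2:8])
    if length < 5:
        raise ValueError("length field must be at least 5")
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    remaining, payload, pos = length - 5, b"", 10
    while remaining:
        n = min(16, remaining)
        block, crc_bytes = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) < n or len(crc_bytes) < 2:
            raise ValueError("truncated frame")
        if struct.unpack("<H", crc_bytes)[0] != crc16_dnp(block):
            raise ValueError(f"data block CRC mismatch at offset {pos}")
        payload += block
        pos += n + 2
        remaining -= n
    if pos != len(frame):
        raise ValueError("trailing bytes after frame")
    return {
        "dir_from_master": bool(control & 0x80),  # DIR bit: 1 = sent by the master
        "primary": bool(control & 0x40),          # PRM bit: 1 = primary-to-secondary message
        "function": control & 0x0F,               # link function (0 = reset link, 4 = user data)
        "dest": dest, "src": src,                 # the fields dnp3.dst / dnp3.src filter on
        "payload": payload,                       # transport + application layers, still plaintext
    }


# Well-known Link Reset frame: 05 64 05 C0 01 00 00 04 E9 21 (master 1024 -> outstation 1)
LINK_RESET = bytes.fromhex("056405c001000004e921")
# Constructed integrity poll: transport header C0, app control C0, READ (0x01),
# then object headers for Class 1, 2, 3 and 0 (group 60 variations 2, 3, 4, 1).
INTEGRITY_POLL = bytes.fromhex("c0c0013c02063c03063c04063c0106")

if __name__ == "__main__":
    print(parse_frame(LINK_RESET))
    frame = build_frame(0xC4, dest=10, src=1, payload=INTEGRITY_POLL)
    print(frame.hex(" "))
    print(parse_frame(frame)["payload"] == INTEGRITY_POLL)
```

The CRC only catches transmission errors: a frame that was deliberately modified and re-checksummed parses cleanly, which is exactly why DNP3-SA or TLS is needed on top of the link layer for anything that matters.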

6. Multiple Masters and Multiple Outstations

DNP3 over TCP supports multiple simultaneous connections on port 20000:

Scenario | Port 20000 Behavior
One master, one outstation | Single TCP connection on port 20000
Dual redundant masters | Both connect to the outstation on port 20000 — outstation supports both
One master, many outstations | Master opens separate TCP connections to each outstation’s port 20000
Multi-drop on one outstation | Rare — some outstations accept 4–8 concurrent master connections

Most modern RTUs support 4 to 8 concurrent master connections on port 20000. This is important for redundancy (primary + backup control center) and for engineering access during commissioning.

7. DNP3 Secure Port 19999

IANA registered port 19999 (dnp-sec) for DNP3 Secure over TLS. This was intended as the secure equivalent of port 20000, similar to how IEC 104 has port 2404 (unsecured) and 19998 (TLS).

The Reality

Port 19999 is rarely used in production. Most DNP3 security deployments take one of two approaches:

  1. DNP3 Secure Authentication (DNP3-SA) — application-layer security on port 20000, not a separate port
  2. VPN tunneling — encrypting all DNP3 traffic through IPsec or OpenVPN, preserving port 20000

DNP3 over TLS on port 19999 is defined but has limited vendor support. IEEE 1815-2012 and the newer IEC 62351-3 provide the framework, but adoption is low compared to DNP3-SA.

8. DNP3 Secure Authentication (DNP3-SA)

DNP3-SA adds cryptographic authentication to DNP3 without requiring a different port. It runs on top of the standard port 20000.

Feature | How It Works
Transport | Same port 20000 (TCP or serial)
Authentication | Challenge-response using HMAC-SHA256
Key management | Pre-shared keys (v5) or certificate-based (v6)
Scope | Per-message authentication for critical operations (controls, config changes)
Overhead | Adds authentication tags to DNP3 frames

DNP3-SA does not encrypt — it only authenticates. Data is still readable in Wireshark. For confidentiality, combine DNP3-SA with VPN or use DNP3 over TLS (port 19999).
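To make the challenge-response mechanism in the table concrete, here is a simplified model of it as an added example (not the article’s code and not the exact IEEE 1815 DNP3-SA object layout: there is no challenge sequence number, key-status or update-key handling). The outstation challenges a critical command with a random value, the master answers with an HMAC-SHA256 tag over the challenge and the command, and the command bytes themselves stay readable on the wire. The session key, the Direct Operate ASDU and the 16-byte tag truncation are assumptions made for the example.

```python
"""Simplified DNP3-SA style challenge-response for a critical command.

Added example, not from the original article; standard library only.
"""
import hashlib
import hmac
import os

TAG_LEN = 16   # assumption: HMAC-SHA256 truncated to 16 bytes, one of the DNP3-SA options


class Outstation:
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.pending = None   # at most one outstanding challenge

    def challenge(self, nonce: bytes = None) -> bytes:
        """Issue a fresh challenge when a critical ASDU (Select/Operate, Write, ...) arrives."""
        self.pending = os.urandom(4) if nonce is None else nonce   # nonce param only for testing
        return self.pending

    def verify(self, critical_asdu: bytes, tag: bytes) -> bool:
        """Accept the command only if the tag matches this challenge; a challenge is single-use."""
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending + critical_asdu, hashlib.sha256).digest()[:TAG_LEN]
        self.pending = None          # consumed: replaying the same tag later fails
        return hmac.compare_digest(expected, tag)


def master_tag(session_key: bytes, challenge: bytes, critical_asdu: bytes) -> bytes:
    """Master side: HMAC over challenge || ASDU, truncated to TAG_LEN."""
    return hmac.new(session_key, challenge + critical_asdu, hashlib.sha256).digest()[:TAG_LEN]


def on_the_wire(critical_asdu: bytes, tag: bytes) -> bytes:
    """What a capture on port 20000 sees: the ASDU in clear, followed by the tag."""
    return critical_asdu + tag


# Constructed values: a pre-shared session key and a Direct Operate (0x05) ASDU
# carrying one CROB (group 12 var 1) with control code 0x03 on point 0.
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
DIRECT_OPERATE = bytes.fromhex("c0050c0128010000000301e803000000000000")

if __name__ == "__main__":
    ost = Outstation(SESSION_KEY)
    c = ost.challenge()
    tag = master_tag(SESSION_KEY, c, DIRECT_OPERATE)
    print("wire bytes:", on_the_wire(DIRECT_OPERATE, tag).hex(" "))
    print("genuine command accepted:", ost.verify(DIRECT_OPERATE, tag))
    print("replayed tag accepted:", ost.verify(DIRECT_OPERATE, tag))
```

Note the two properties the table implies: a tag computed over a modified ASDU, or with a different key, is rejected, while the ASDU in `on_the_wire` is plaintext, which is why confidentiality needs TLS or a VPN on top.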

For full details, see: DNP3 Secure Authentication (DNP3-SA)

9. Firewall Rules for DNP3 Port 20000

Linux iptables

bash

# Allow DNP3 from SCADA master (10.1.1.10) to outstation (10.2.1.100).
# Rule order matters: the ACCEPT for the master must come before the DROP below.
iptables -A INPUT -p tcp -s 10.1.1.10 --dport 20000 -j ACCEPT

# Block all other DNP3 traffic
iptables -A INPUT -p tcp --dport 20000 -j DROP

# Also allow UDP if needed
iptables -A INPUT -p udp -s 10.1.1.10 --dport 20000 -j ACCEPT

Ubuntu UFW

bash

# Allow DNP3 TCP from any source (only acceptable on an isolated SCADA network)
sudo ufw allow 20000/tcp

# Preferred: allow DNP3 only from the master subnet. Use this instead of the
# rule above, not in addition to it: UFW applies the first matching rule, so
# the open rule would admit every source.
sudo ufw allow from 10.1.1.0/24 to any port 20000 proto tcp

Windows Firewall (PowerShell)

powershell

# Allow inbound DNP3 from the SCADA master only
New-NetFirewallRule -DisplayName "DNP3" -Direction Inbound -Protocol TCP -LocalPort 20000 -RemoteAddress 10.1.1.10 -Action Allow

# Do not add a separate "block all TCP 20000" rule: in Windows Firewall an explicit
# Block rule overrides Allow rules, so it would cut off the master as well.
# Other sources are dropped by the profile's default inbound action; make sure it is Block.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

Cisco IOS ACL

access-list 101 permit tcp host 10.1.1.10 host 10.2.1.100 eq 20000
access-list 101 permit udp host 10.1.1.10 host 10.2.1.100 eq 20000
access-list 101 deny tcp any host 10.2.1.100 eq 20000

Key Rules

  • Never expose port 20000 to the internet without VPN or strict IP restrictions
  • Restrict access to known SCADA master IP addresses only
  • Log all connection attempts for security monitoring
  • For cellular/public-network DNP3, always use VPN or DNP3-SA
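Logging connection attempts is only useful if something reads the log. The script below is an added example (not from the article) of the detection side: it assumes a netfilter LOG rule placed just before the iptables DROP rule above, for example `iptables -A INPUT -p tcp --dport 20000 -j LOG --log-prefix "DNP3-DROP: "`, and parses the resulting kernel log lines. The allowlist, the log prefix and the sample lines are constructed for the example.

```python
"""Flag DNP3 port 20000 connection attempts recorded by the firewall.

Added example, not from the original article. Assumes a LOG rule with the
prefix "DNP3-DROP: " in front of the DROP rule; the log lines below are
constructed in the standard netfilter LOG format.
"""
import re
from collections import Counter

ALLOWED_MASTERS = {"10.1.1.10"}   # constructed: the SCADA master the firewall rules allow

# netfilter LOG lines carry SRC=, DST=, PROTO=, SPT=, DPT= in this order
LOG_RE = re.compile(
    r"DNP3-DROP:.*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

SAMPLE_LOG = """\
Nov  7 10:15:02 rtu01 kernel: DNP3-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.2.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=20000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  7 10:15:02 rtu01 kernel: DNP3-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.2.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=20000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  7 10:15:03 rtu01 kernel: DNP3-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.2.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51236 DPT=20000 WINDOW=65535 RES=0x00 SYN URGP=0
Nov  7 10:20:41 rtu01 kernel: DNP3-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=10.2.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=40022 DPT=20000 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 10:21:05 rtu01 kernel: DNP3-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.1.10 DST=10.2.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=49200 DPT=20000 WINDOW=29200 RES=0x00 SYN URGP=0
Nov  7 10:21:09 rtu01 kernel: SSH-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.2.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""


def parse_drop_line(line: str):
    """Return the fields of one DNP3-DROP log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    rec["syn"] = re.search(r"\bSYN\b", line) is not None   # a new connection attempt
    return rec


def analyze(lines, allowed=ALLOWED_MASTERS, scan_threshold=3):
    """Classify dropped attempts: unauthorized sources, probable scans, and an
    allowlisted master being dropped (the ACCEPT rule is missing or misordered)."""
    attempts = Counter()
    alerts = []
    for line in lines:
        rec = parse_drop_line(line)
        if rec is None or rec["dpt"] != 20000 or not rec["syn"]:
            continue
        attempts[rec["src"]] += 1
        if rec["src"] in allowed:
            alerts.append(("allowlisted-master-dropped", rec["src"], rec["dst"]))
    for src, count in attempts.items():
        if src in allowed:
            continue
        kind = "probable-scan" if count >= scan_threshold else "unauthorized-attempt"
        alerts.append((kind, src, count))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

Feed it `journalctl -k` or /var/log/kern.log output on the outstation host; the "allowlisted-master-dropped" case is the one to act on first, since it means the master itself is being cut off.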

10. Wireshark Capture and Display Filters

Capture Filter (before starting capture)

tcp port 20000 or udp port 20000

For DNP3 over TLS:

tcp port 19999

Display Filters

Filter | What It Shows
dnp3 | All DNP3 traffic
tcp.port == 20000 | All traffic on port 20000 (including TCP handshake)
tcp.srcport == 20000 | Traffic coming from the outstation
tcp.dstport == 20000 | Traffic going to the outstation
dnp3.al.func == 0x01 | Read requests
dnp3.al.func == 0x82 | Unsolicited Responses
dnp3.al.func == 0x04 | Operate commands (control)
dnp3.src == 1 | Traffic from DNP3 address 1
dnp3.dst == 10 | Traffic to DNP3 address 10

Decoding DNP3 on a Non-Standard Port

If your system uses a custom port (e.g., 20001 or 20002), Wireshark will not decode DNP3 automatically. Fix:

  1. Edit → Preferences → Protocols → DNP 3.0 → change the TCP/UDP port
  2. Or right-click a packet → Decode As → TCP port → DNP 3.0

11. Testing DNP3 Port Connectivity

Before configuring DNP3 communication, verify that port 20000 is reachable.

From the SCADA Master

bash

# Test if outstation port 20000 is open
nc -zv 10.2.1.100 20000

# Or using telnet
telnet 10.2.1.100 20000

# Or using PowerShell
Test-NetConnection -ComputerName 10.2.1.100 -Port 20000

On the Outstation

bash

# Linux — verify DNP3 is listening
ss -tlnp | grep 20000

# Expected output:
# LISTEN  0  128  0.0.0.0:20000  0.0.0.0:*  users:(("dnp3_outstation",pid=1234,fd=3))

# Windows
netstat -an | findstr :20000

Common Results

Result | Meaning | Fix
Connection succeeded | Port is open and DNP3 outstation is running | OK
Connection refused | Port is not open — outstation service not running | Start the DNP3 service on the RTU
Connection timed out | Firewall is blocking the port | Check firewall rules on the outstation and network devices
Host unreachable | Network path is broken | Check IP addresses, routing, and physical connectivity
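On hosts where nc or telnet are not installed, the same check can be done with a few lines of Python. This is an added example, not from the article: it performs a TCP connect only (no DNP3 data is sent) and maps the socket outcome onto the result table above. The loopback listener is a stand-in for an outstation so the check can be exercised offline; the 10.2.1.100 address is the article's example outstation.

```python
"""Port 20000 reachability check that maps socket errors to the result table.

Added example, not from the original article; standard library only.
"""
import errno
import socket

RESULTS = {   # result -> (meaning, fix), taken from the table above
    "open": ("Port is open and DNP3 outstation is running", "OK"),
    "refused": ("Port is not open; outstation service not running",
                "Start the DNP3 service on the RTU"),
    "timeout": ("Firewall is blocking the port",
                "Check firewall rules on the outstation and network devices"),
    "unreachable": ("Network path is broken",
                    "Check IP addresses, routing, and physical connectivity"),
}


def check_dnp3_port(host: str, port: int = 20000, timeout: float = 3.0) -> str:
    """Attempt a TCP connect and classify the outcome as one of the RESULTS keys."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:           # SYN never answered: typical of a DROP rule in the path
        return "timeout"
    except ConnectionRefusedError:   # RST came back: host is up, nothing listens on the port
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return f"error:{exc.errno}"


def loopback_listener():
    """Throwaway listener on 127.0.0.1 (stand-in for an outstation); returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def explain(result: str) -> str:
    meaning, fix = RESULTS.get(result, ("Unexpected socket error", "Inspect the errno"))
    return f"{result}: {meaning}. Fix: {fix}"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "10.2.1.100"   # the article's example outstation
    print(explain(check_dnp3_port(host)))
```

Run it as `python3 check_dnp3.py 10.2.1.100` from the master; a "timeout" result is the signal to look at the firewall rules in section 9 before touching the DNP3 configuration.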

12. DNP3 Port vs Other SCADA Protocol Ports

Protocol | Default Port | Transport | Secure Port | Application
DNP3 | 20000 | TCP/UDP | 19999 (TLS) | Utility SCADA (North America, Australia)
Modbus TCP | 502 | TCP | 802 (Modbus Security) | Industrial automation
IEC 60870-5-104 | 2404 | TCP | 19998 (TLS) | Power SCADA (Europe, Asia)
IEC 61850 MMS | 102 | TCP | 3782 (TLS) | Substation automation
OPC UA | 4840 | TCP | Same port (app-layer TLS) | IIoT, data integration
EtherNet/IP (CIP) | 44818 | TCP | 2221 (TLS) | Industrial control
EtherNet/IP I/O | 2222 | UDP | | Real-time I/O
BACnet/IP | 47808 | UDP | 47808 (same, with BACnet/SC) | Building automation

DNP3’s port 20000 is in the User Ports range (1024–49151), unlike Modbus (502) which is in the System Ports range (0–1023). This means DNP3 services can be started by any user on Linux/Unix without root privileges.

13. Troubleshooting DNP3 Port 20000 Problems

Problem | Symptom | Fix
Wrong port configured | TCP connection refused | Verify both master and outstation use port 20000 (some devices default to 20001)
Firewall blocking port 20000 | Connection timeout | Add firewall rule to allow TCP 20000 from the master IP
Outstation not listening | Connection refused | Restart the DNP3 service. Check RTU configuration.
Master connecting to wrong IP | No response | Verify the outstation IP address in the master configuration
Wrong DNP3 address | TCP connects, but no data | Verify DNP3 master address and outstation address match on both sides
Multiple masters not supported | Second master cannot connect | Check outstation max concurrent connections setting (often 1 by default)
TCP keep-alive missing | Master does not detect broken link | Enable TCP keep-alive on the master. Without it, a dropped connection may not be detected until the next poll timeout.
Port 20000 exposed to internet | Unauthorized scan attempts in logs | Block external access. Use VPN or DNP3-SA. Restrict to control center IP.
NAT breaking DNP3 | Intermittent connection drops | Avoid NAT for DNP3. Use direct routing or VPN.
Wireshark shows TCP but not DNP3 | Non-standard port | Configure Wireshark Preferences → Protocols → DNP 3.0 → set port

14. Security Best Practices for DNP3 Port 20000

Do

  • Use DNP3-SA (Secure Authentication) for critical controls and configuration changes
  • Restrict port 20000 access by source IP address (master station IP only)
  • Place DNP3 devices on a dedicated SCADA VLAN isolated from IT networks
  • Log all connection attempts — both successful and failed
  • Use VPN for DNP3 over public networks (cellular, internet)
  • Enable TCP keep-alive on the master to detect broken connections
  • Use IDS/IPS with DNP3 protocol awareness (Claroty, Nozomi, Dragos)
  • For remote outstations on cellular, add SIM-based access restrictions (private APN)

Do Not

  • Expose port 20000 to the internet — ever
  • Use DNP3 without DNP3-SA or VPN on untrusted networks
  • Rely on “security by obscurity” (changing to a non-standard port does not add security)
  • Allow DNP3 traffic to pass through corporate IT networks without segmentation
  • Trust default DNP3 addresses — configure unique addresses per outstation

For Utility Environments

  • Follow NERC CIP requirements for port 20000 access control (CIP-005, CIP-007)
  • Implement Electronic Security Perimeter (ESP) boundaries around DNP3 networks
  • Use jump servers in a DMZ for engineering access to outstations
  • Document all port 20000 paths in the BES Cyber System inventory

Summary

DNP3 uses TCP or UDP port 20000 by default. This is the IANA-registered port for communication between SCADA masters and outstations (RTUs, IEDs) in electric utilities, water systems, and pipelines.

The key things to remember:

  • Port 20000 is IANA registered as dnp (TCP and UDP)
  • The outstation is always the TCP server (listens on port 20000). The master is always the TCP client (connects to port 20000).
  • TCP is used in 95%+ of deployments. UDP is rare, mainly for broadcast applications.
  • Port 19999 is registered for DNP3 over TLS (dnp-sec) but rarely used — DNP3-SA on port 20000 is more common
  • Multiple masters can connect to one outstation on port 20000 (typically 4–8 concurrent)
  • Never expose port 20000 to the internet — use VPN or DNP3-SA
  • Use tcp port 20000 as a Wireshark capture filter. Use dnp3 as a display filter.
  • Test connectivity with nc -zv or Test-NetConnection before configuring DNP3 parameters

For DNP3 protocol fundamentals, see: DNP3 Protocol Guide

For DNP3 security details, see: DNP3 Secure Authentication (DNP3-SA)

For Wireshark analysis, see: Wireshark for DNP3: How to Capture, Filter, and Troubleshoot

For frame-level analysis, use the free: Online DNP3 Frame Decoder

Author: Zakaria El Intissar

I'm an automation and industrial computing engineer with 12 years of experience in power system automation, SCADA communication protocols, and electrical protection. I build tools and write guides for Modbus, DNP3, IEC 101/103/104, and IEC 61850 on ScadaProtocols.com to help engineers decode, analyze, and troubleshoot real industrial communication systems.

One thought on “DNP3 Port Number Explained: TCP/UDP 20000, Secure Port 19999, and Firewall Configuration”

  1. Bouchtaoui

    Mr. Zakaria,
    This is really very interesting. Many thanks for your effort in building this site, which is so rich in information about communication protocols. Good luck for the future.....
