Module 3 · Network Protocols Deep Dive 🔒

Manish Garg Associate CISSP · RingSafe
April 19, 2026
8 min read

You can send packets. You can capture them. But if you want to understand a breach, design a secure protocol, or debug a production incident that spans machines — you need to know how the core internet protocols actually work. Not at the “TCP is reliable” level, but at the “how does the three-way handshake fail under packet loss?” level. That is what this module gives you.

We will go deeper into the five protocols that carry most security-relevant traffic on the modern internet: DNS, TLS, HTTP (and HTTP/2), SMB, and SSH. Each one has exploitable quirks a practitioner should understand.

DNS — more than name lookups

DNS resolves names to IPs. That single-line description is the beginner view. The practitioner view is that DNS is a distributed, cacheable, hierarchical, UDP-first, TCP-fallback protocol with multiple record types, and attackers use every one of those properties.

Record types you need to know:

  • A — maps hostname → IPv4 address
  • AAAA — maps hostname → IPv6 address
  • CNAME — alias pointing to another name
  • MX — mail server for a domain
  • TXT — arbitrary text; used for SPF/DKIM/DMARC, domain verification, and attacker exfil
  • NS — authoritative nameservers for a zone
  • PTR — reverse lookup, IP → hostname
  • CAA — which CAs may issue certs for this domain
  • SOA — zone metadata (primary NS, contact, serial)

The resolution path — when a user types example.com into a browser:

  1. Browser checks local cache
  2. OS checks its cache (via stub resolver)
  3. Query goes to configured recursive resolver (ISP, 8.8.8.8, 1.1.1.1)
  4. Recursive resolver asks root servers (. → .com → example.com authoritative NS)
  5. Authoritative NS returns the A record
  6. Answer cached at every layer for the TTL

Security-relevant quirks of DNS:

  • Cleartext by default — vanilla DNS (UDP port 53) is unencrypted. Anyone on-path sees every domain you look up
  • Caching — a compromised cache (cache poisoning) corrupts every downstream user until TTL expires
  • Subdomain takeover — dangling CNAME pointing at a deprovisioned S3 bucket or Heroku app lets an attacker claim that subdomain
  • DNS tunnelling — attackers encode data into subdomain labels to smuggle it past firewalls
  • Fast flux — malware C2 domains with very short TTLs, rotating IPs to evade blocking
  • Punycode attacks — look-alike domains (аpple.com with Cyrillic ‘а’)

Modern privacy layers — DNS over HTTPS (DoH, port 443) and DNS over TLS (DoT, port 853) encrypt the query-response traffic. Great for user privacy, annoying for network defenders (they can no longer see which domains users are visiting). A live battleground.
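Three of the quirks above (punycode look-alikes, tunnelling-style labels, fast-flux TTLs) can be spotted from resolver logs if you still have that visibility. Here is an added triage script, not part of this module or of RingSafe's material, run over a constructed log; the log format, the hypothetical domains and the thresholds are assumptions.

```python
import math
import unicodedata
from collections import Counter

# Constructed sample resolver log, one query per line: "<time> <client> <qname> <qtype> <answer_ttl>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A 3600
10:00:02 10.0.0.5 xn--pple-43d.com A 300
10:00:03 10.0.0.7 k3vq9mzp7cxl2bnf4wdg6ryh5tjs8uae.t.example.net TXT 0
10:00:04 10.0.0.9 cdn.example.org A 30
"""

def shannon_entropy(s):
    """Bits per character of a label; random-looking data scores high (max 4.0 for hex, 5.0 for base32)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def scripts_in(label):
    """Unicode scripts of the letters in a label, e.g. {'LATIN', 'CYRILLIC'}, read off the character names."""
    return {unicodedata.name(ch, 'UNKNOWN').split()[0] for ch in label if ch.isalpha()}

def flag_query(qname, ttl):
    """Return the list of quirk indicators a single query matches (assumed thresholds)."""
    flags = []
    labels = qname.rstrip('.').split('.')
    # Punycode look-alike: decode xn-- labels and flag any label that mixes scripts (the Cyrillic 'а' case).
    if any(label.startswith('xn--') for label in labels):
        try:
            decoded = qname.encode('ascii').decode('idna')
        except UnicodeError:
            decoded = qname
        if any(len(scripts_in(label)) > 1 for label in decoded.split('.')):
            flags.append('mixed-script-idn')
    # Tunnelling: smuggled data makes the leftmost label long and high-entropy.
    if len(labels[0]) >= 20 and shannon_entropy(labels[0]) >= 4.0:
        flags.append('tunnelling-like')
    # Fast flux: very short TTLs let C2 rotate IPs; CDNs do this too, so alone it is only a weak signal.
    if ttl <= 60:
        flags.append('short-ttl')
    return flags

def triage(log_text):
    """Map each queried name in the log to its indicator list."""
    results = {}
    for line in log_text.splitlines():
        _, _, qname, _, ttl = line.split()
        results[qname] = flag_query(qname, int(ttl))
    return results

if __name__ == '__main__':
    for name, flags in triage(SAMPLE_LOG).items():
        print(f"{name:55} {', '.join(flags) or 'ok'}")
```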

TLS — what’s really happening

TLS 1.2 and TLS 1.3 are the modern standards. TLS 1.0 and 1.1 are deprecated. Everything below TLS 1.2 should be off in 2026. Here’s the essential handshake flow for TLS 1.3:

Client                                        Server
  |                                              |
  | ClientHello                                  |
  |   + supported ciphers, TLS versions,         |
  |   + key share (ephemeral public key),        |
  |   + SNI (server name indication)             |
  | ------------------------------------------>  |
  |                                              |
  |                              ServerHello     |
  |                              + chosen cipher |
  |                              + key share     |
  |                              + certificate   |
  |                              + "Finished"    |
  |  <-----------------------------------------  |
  |                                              |
  |  "Finished" (encrypted)                      |
  | ------------------------------------------>  |
  |                                              |
  |  === encrypted application data ===          |
  |  <------------------------------------------>|

Note that in TLS 1.3 both sides derive the handshake keys from the two key shares as soon as ServerHello is sent, so the server's certificate and "Finished" are already encrypted; only ClientHello and ServerHello (including the SNI) cross the wire in the clear.

Key security-relevant points:
