HTTP, HTTPS, DNS, DHCP, SMTP, FTP, SSH, TCP, UDP. The actual rule-books devices use to talk to each other.
Protocols = agreed rules so devices from different vendors can talk. HTTP/HTTPS = web. DNS = nameβIP lookup. DHCP = auto-configures IPs on your network. SMTP/IMAP/POP3 = email (send/receive). FTP/SFTP = files. SSH = secure remote login. TCP = reliable but slower. UDP = fast but no guarantees. Every protocol sits at a layer from Chapter 4 and uses a port from Chapter 4's ports table.
6.1 What a Protocol Actually Is
A protocol is just a shared rule-book that lets two programs talk. Both sides agree on: how to start a conversation, what format messages take, what responses mean, how to end the conversation.
You follow protocols every day without thinking. When you ring someone, you don't just start shouting β you say "Hello?" and wait for them to say "Hello?" back. That opening handshake is a protocol. Network protocols are the same idea, just formalised into precise rules.
The internet has hundreds of protocols. You don't need to know all of them β just the eight or so that show up constantly in real networks and exam questions. We'll group them by what they do.
6.2 Web Protocols β HTTP & HTTPS
HTTP (HyperText Transfer Protocol) is the protocol your browser uses to talk to web servers. When you type a URL and hit enter, your browser builds an HTTP request: "GET /homepage". The server replies with HTML, CSS, images.
HTTPS (HTTP Secure) is HTTP running inside a TLS-encrypted tunnel. From the user's point of view it works identically to HTTP β the browser handles all the encryption invisibly. The difference is that an attacker sitting between you and the server sees only scrambled data instead of readable text.
HTTP
HTTPS
Port
80
443
Data on wire
Plain text (readable by anyone sniffing)
Encrypted with TLS
CIA pillars protected
None in transit
Confidentiality + Integrity (tampering detected)
Browser indicator
"Not Secure" warning
π padlock icon
Still used?
Increasingly rare; most browsers warn or block
Default for effectively the entire modern web
WHY HTTPS WON: Since the Snowden leaks in 2013 showed how widely governments were passively sniffing HTTP traffic, the whole industry moved to HTTPS-by-default. Free certificates via Let's Encrypt (2016) removed the cost barrier. Chrome flagging HTTP as "Not Secure" (2018) created social pressure. By 2026, running plain HTTP in production is considered negligent. Chapter 12 explains how TLS actually works.
TRAP: "HTTPS means the website is safe" β no. HTTPS means the connection is encrypted. A phishing site can absolutely use HTTPS (Let's Encrypt gives out certificates to anyone with a domain, including paypal-login.net). The padlock tells you nobody is intercepting your traffic; it does NOT tell you the site you're talking to is legitimate.
6.3 DNS β The Internet's Phonebook
DNS (Domain Name System) translates human-friendly names like instagram.com into machine-friendly IP addresses like 157.240.7.174. Without DNS, you'd have to memorise IP addresses for every site you visit.
DNS is so critical that it's worth understanding in depth β it's heavily examined, and DNS failures are a recurring real-world incident.
How a DNS lookup actually works
DNS is hierarchical: root β TLD β authoritative. Your resolver walks the chain on your behalf. Caching makes 99% of lookups instant.
Recursive vs iterative lookups
This distinction comes up in exams:
Recursive query β you ask one server "get me the answer" and it does all the work, asking other servers on your behalf. Your browser makes a recursive query to your local resolver.
Iterative query β each server answers only what it knows and points you to the next server. Your local resolver uses iterative queries when walking root β TLD β authoritative.
MEMORY HOOK:Recursive = the server Runs around for you. Iterative = the server just tells you the next Ingredient to go find yourself.
DNS caching β why DNS is usually instant
Doing the full recursive walk every time you visit a website would be painfully slow. Instead, DNS answers are cached at multiple levels:
Your browser caches recent lookups (seconds to minutes)
Your operating system caches (check with ipconfig /displaydns on Windows)
Your home router often caches
Your ISP's resolver caches aggressively
Each cache entry has a TTL (time-to-live) β how long it's allowed to be reused before checking again. TTLs range from seconds (for fast-changing records) to 24+ hours (for stable records).
The implication: when a website changes its IP (e.g., moving to a new server), the change isn't instantly visible to everyone. Old cached values keep being used until they expire. This is why DNS changes are usually scheduled days in advance.
DNS as a single point of failure
Because DNS is a prerequisite for almost everything else on the internet, DNS failures cascade. When DNS breaks, websites appear to be down even if the actual web servers are working fine β browsers can't resolve names to addresses.
Reminder β Dyn DNS attack, 2016: A DDoS attack on one DNS provider took down Twitter, Spotify, Reddit, Netflix, GitHub and dozens of others simultaneously. The websites themselves weren't attacked β just the DNS infrastructure that users needed to find them. Lesson: DNS is the weakest link in the "layered" design of the internet. That's why large sites use multiple DNS providers and why critical infrastructure treats DNS resilience as a top priority.
DNS attacks to know
Attack
What it does
CIA violated
DNS spoofing / cache poisoning
Attacker injects false records into a DNS cache. Users asking for google.com get sent to an attacker-controlled IP.
Integrity (the answer is false) + Confidentiality (if the user then logs in at the fake site)
DNS hijacking
Attacker compromises a DNS server or registrar and changes real records.
Integrity + Confidentiality
DNS DDoS
Flood DNS servers with requests, making legitimate lookups fail.
Availability
DNS tunneling
Attackers smuggle data out of a network by encoding it in DNS queries (since DNS is usually allowed through firewalls).
Confidentiality (used for data exfiltration)
THE DEFENCE:DNSSEC adds digital signatures to DNS responses so forgeries are detectable. DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries so your ISP (or an attacker) can't see or modify what you're looking up. Adoption is growing but still patchy.
# Do a full DNS lookup yourself and see the IPs: nslookup instagram.com
# See all the cached DNS on your machine: ipconfig /displaydns# Windows
# Flush the cache (useful if a site's IP has changed): ipconfig /flushdns# Windows
6.4 DHCP β Automatic IP Assignment
DHCP (Dynamic Host Configuration Protocol) is how your phone automatically gets an IP address when you join a Wi-Fi network. Without DHCP, you'd have to manually type in an IP, subnet mask, gateway, and DNS server every single time you connected to a new network.
The four-step handshake is sometimes called DORA:
Discover β new device broadcasts "is there a DHCP server here?"
Offer β DHCP server replies "I can give you 192.168.1.42"
Request β device says "yes please, I'll take it"
Acknowledge β server confirms and records the lease
The IP is leased for a set time (usually 24 hours on home networks, longer on offices). When the lease expires, the device renews it.
TRAP: If DHCP fails, Windows devices assign themselves an address in the 169.254.x.x range β called APIPA (Automatic Private IP Addressing) or link-local. Seeing a 169.254 address = DHCP is broken somewhere. This is an exam-favourite troubleshooting question.
Rogue DHCP servers β a real attack
If an attacker plugs a rogue DHCP server into a network, it may respond to DORA requests faster than the real one. The attacker can then hand out IPs that route through their own machine as the "gateway" β enabling a MITM attack. Defence: DHCP snooping on managed switches (only trusted ports are allowed to answer DHCP).
6.5 Email Protocols β SMTP, IMAP, POP3
Email uses different protocols for sending versus receiving.
Protocol
Port
Direction
What it does
SMTP
25 (or 587 with TLS)
Sending
Your email client pushes outgoing mail to your mail server. Servers also use SMTP to relay mail to other servers.
IMAP
143 (or 993 with TLS)
Receiving
Your client reads mail that stays on the server. Good for checking mail on multiple devices.
POP3
110 (or 995 with TLS)
Receiving
Your client downloads mail and typically deletes it from the server. One-device-only usage.
IMAP vs POP3: Almost everyone uses IMAP now because we check mail from phone + laptop + web simultaneously. POP3 made sense in the 1990s when you had one desktop that owned all your mail. Gmail, Outlook, and the built-in Mail app all use IMAP by default.
Email spoofing and the defences (SPF, DKIM, DMARC)
SMTP was designed in 1982 when the internet was a small, trust-based community. It has no built-in way to verify who actually sent a message. That's why email spoofing is trivial and why phishing works. Three protocols were bolted on later to help:
SPF (Sender Policy Framework) β domain owners publish a DNS record listing which IPs are allowed to send mail from that domain. Receiving servers check it.
DKIM (DomainKeys Identified Mail) β outgoing mail is cryptographically signed by the sending server. Receivers verify the signature matches.
DMARC β tells receivers what to do when SPF/DKIM fail (e.g., "reject it" or "send to spam"). Also gives domain owners reporting on spoofing attempts.
EXAM PATTERN: When a question asks "how can an organisation reduce phishing attacks impersonating their domain?", the answer is SPF + DKIM + DMARC properly configured. This is a real security control β the ACSC Essential Eight references it.
6.6 File Transfer Protocols β FTP, SFTP, FTPS
Protocol
Port
Encrypted?
Status
FTP
20 + 21
No (passwords sent in plaintext!)
Legacy β avoid
FTPS (FTP over SSL)
990
Yes (TLS wrapping)
OK but awkward
SFTP (SSH File Transfer)
22
Yes (runs inside SSH)
Current standard
TRAP: FTPS and SFTP are different things. FTPS = "FTP with TLS bolted on." SFTP = "a different protocol entirely that uses SSH." They're not interchangeable and require different servers. If an exam asks for "secure file transfer," SFTP is the usual correct answer.
Why plain FTP is dangerous: In 2008, a long-running scam tricked users into uploading documents to "partner FTP sites" that were really attackers' servers. Even without tricks, sniffing FTP passwords on unencrypted networks was a common attack β still is, on any legacy systems that haven't migrated. If you see port 21 open to the internet in a 2026 scenario, that's an audit finding.
6.7 SSH β Secure Remote Control
SSH (Secure Shell) lets you log into a computer over the network and control it as if you were sitting at the keyboard. Used by every system administrator on Earth for managing servers. Encrypted end-to-end.
Runs on port 22
Supports password auth or, better, key-based auth (public/private keypair) β you prove your identity by possessing the matching private key instead of typing a password
Also tunnels other protocols (SFTP, port forwarding, VPN-like usage)
SSH KEY AUTH = STRONG AUTHENTICATION: Password auth can be brute-forced; a 2048-bit key cannot (in any practical timeframe). Best practice: disable password login entirely on production servers, require keys. This is the difference between "someone's SSH server" getting compromised vs remaining secure for years.
6.8 TCP vs UDP β The Transport Layer Choice
Every application protocol above sits on top of either TCP or UDP. The choice matters because they have very different guarantees.
TCP
UDP
Reliable?
Yes β guarantees delivery and order
No β packets may be lost, reordered, or duplicated
Connection setup
3-way handshake (SYN, SYN-ACK, ACK)
None β just send
Acknowledgements
Yes β missing packets are retransmitted
No β sender doesn't know or care
Speed
Slower due to overhead
Faster β minimal overhead
Used for
Web (HTTP/S), email, FTP, SSH, anything where correctness matters more than speed
Live video/audio, gaming, DNS queries, VoIP β where speed matters more than perfection
Integrity check
Checksum + retransmission
Checksum only (weaker; no retransmission)
WHY STREAMING USES UDP: If your video call drops a packet, you want the app to just skip that 20ms of audio and move on β not pause the whole stream waiting for the missing chunk. UDP's "fire and forget" behaviour is the right trade-off. TCP would be worse for live media because the receiver would freeze while the sender retransmits.
TRAP: "TCP is better than UDP" β wrong, and a mark-killer. They're different tools. If a question asks "would you use TCP or UDP for X," the right answer depends on what X is. Reliability-critical = TCP. Latency-critical = UDP.
6.9 Quick Reference β The Ports Table, Expanded
Expanding the table from Chapter 4 with every protocol covered in this chapter:
Port
Protocol
Transport
Encrypted?
20, 21
FTP
TCP
No
22
SSH / SFTP
TCP
Yes
25
SMTP (server-to-server)
TCP
Often via STARTTLS
53
DNS
UDP (small queries) / TCP (large)
No (DoH/DoT encrypt)
67, 68
DHCP
UDP
No
80
HTTP
TCP
No
110
POP3
TCP
No (995 for POP3S)
143
IMAP
TCP
No (993 for IMAPS)
443
HTTPS
TCP
Yes (TLS)
587
SMTP (client submission)
TCP
Yes (TLS)
3389
RDP (Remote Desktop)
TCP
Yes but exploited often
EXAM PATTERN: If a firewall rule question asks "which ports would you block on internet-facing interfaces?", the obvious ones to block inbound are 23 (Telnet, legacy), 21 (FTP, legacy), 3389 (RDP brute-force target), 445 (SMB β WannaCry used this). Allowing only 80 (redirect to HTTPS) and 443 for a web server is a standard minimal setup.
6.10 Quiz Time
A user complains "the internet is down but Discord still works." What's most likely the problem?
DNS is failing. Discord maintains persistent connections to its servers (resolved and cached long ago), so it keeps working without needing new lookups. But the web browser needs fresh DNS lookups for every new site, and if DNS is down, nothing new resolves. Try ping 8.8.8.8 β if that works but ping google.com fails, DNS is confirmed as the culprit.
Why is HTTPS more expensive (computationally) than HTTP, and why is it worth it anyway?
HTTPS adds TLS encryption β the server must do cryptographic work for every connection (key exchange, encryption/decryption of each packet). On 1990s hardware this was significant; on modern hardware it's negligible (<1% overhead). The cost is worth it because HTTPS provides confidentiality (data not readable in transit) and integrity (tampering detected) β the two things HTTP completely lacks. The exam-grade answer: "The minor computational overhead is far outweighed by the security benefits of protecting data in transit from MITM and passive sniffing."
Why does a video call use UDP rather than TCP?
Video calls are latency-sensitive. If a single packet is lost, you'd rather the app skip forward and keep audio flowing than pause everything while TCP retransmits. Under TCP, lost packets mean delays that pile up, causing "underwater" audio. UDP fires packets without acknowledgement or retransmission, so a few lost packets just mean a tiny glitch that the brain smooths over. The trade-off is reliability for speed β the correct choice here.
An organisation wants to stop attackers from sending phishing emails that spoof their domain. What protocols help?
SPF + DKIM + DMARC, configured together in DNS. SPF lists which servers are allowed to send mail from the domain. DKIM cryptographically signs outgoing mail so forgeries are detectable. DMARC tells receiving servers what to do when SPF/DKIM fail (reject / quarantine / report).
These don't stop phishing in general (attackers can always register similar domains), but they stop this specific organisation's domain from being impersonated β a meaningful reduction in attack surface.