SprintTZ Knowledge Share — Session 02: Sockets, NAT, DNS & The Sovereign Handshake

outletPart 1 — The Foundation

Sockets & Services — The Door and the Room

In Session 01, we mastered IP addressing and MAC tables. Now we move up the OSI stack: from the address to the service living at that address. This is where networking becomes practical — where engineers troubleshoot why a web server is unreachable or why SSH is hanging.

The Three-Part Analogy

businessThe Office Building

IP Address: The street address of the office building (e.g., 192.168.5.41). It identifies which machine. Port: The office number inside the building. It identifies which service on that machine. Socket: The physical person (the process) sitting at the desk in that office, actively listening and responding to visitors (packets).

In networking terms:

IP Address:      192.168.5.41  (Building street address)
Port:            22            (Office 22 — SSH)
Socket:          Process PID 4521 (Person sitting at desk)

When you connect to 192.168.5.41:22, you're calling:
"Building 192.168.5.41, Office 22. Answer the phone."

The office accepts or rejects your call.
If no one is home (port closed) → Connection refused.
If someone answers → You have a socket connection.

Port Numbers: The Global Convention

Ports are 16-bit numbers: 0 to 65,535. The first 1,024 (0–1023) are privileged and managed by IANA. The rest are ephemeral and first-come, first-serve.

Port Range	Name	Control	Allocation
0–1023	Well-Known Ports	IANA	Assigned by standard (HTTP, SSH, DNS)
1024–49151	Registered Ports	IANA	Named but not enforced (databases, custom apps)
49152–65535	Ephemeral/Dynamic	OS	Assigned temporarily to client connections

The Critical "Doors"

Port 20/21   FTP         → File Transfer (legacy, insecure)
Port 22      SSH         → Secure Shell (remote login, encrypted)
Port 23      Telnet      → Remote login (insecure, NEVER use)
Port 25      SMTP        → Send email (mail servers)
Port 53      DNS         → Domain name queries (recursive/auth)
Port 80      HTTP        → Web (unencrypted)
Port 110     POP3        → Receive email
Port 143     IMAP        → Receive email (better than POP3)
Port 443     HTTPS       → Web (encrypted with TLS)
Port 3306    MySQL       → Database (localhost only, usually)
Port 5060    SIP         → VoIP signalling (call control)
Port 5061    SIP-TLS     → VoIP encrypted
Port 8080    HTTP-Alt    → Web proxy/alt HTTP (not privileged)
Port 8443    HTTPS-Alt   → Alt HTTPS

Listening: The Server Side

A service listens on a port. On Linux/Windows, use these commands to see what's listening:

Linux:
  netstat -tuln          # Show listening TCP/UDP ports
  ss -tlnp               # More modern, shows process names
  lsof -i -P -n | grep LISTEN

Windows:
  netstat -ano           # Show all connections with PID
  netstat -ano | findstr LISTENING
  Get-NetTCPConnection -State Listen  # PowerShell

Example output:
Proto Local Address      State      PID    Program
TCP   0.0.0.0:22         LISTEN     1250   /usr/sbin/sshd
TCP   0.0.0.0:80         LISTEN     2891   /usr/sbin/nginx
TCP   0.0.0.0:443        LISTEN     2891   /usr/sbin/nginx
UDP   0.0.0.0:53         LISTEN     1045   /usr/sbin/named

Connection States: The Handshake

TCP (Transmission Control Protocol) is connection-oriented. It uses a three-way handshake before data flows. UDP skips this; it just sends.

TCP Three-Way Handshake:

Client                     Server
  |                          |
  |-----SYN (seq=1000)-----→ |
  |                     [listening on :80]
  |
  | ← SYN-ACK (seq=5000, ack=1001) ←
  |
  | -----ACK (seq=1001, ack=5001)---→
  |
  | ←→ [Connection Established] ←→
  |
  Data flows: GET / HTTP/1.1
  
TCP STATE progression on server:
  LISTEN → SYN_RECV → ESTABLISHED → FIN_WAIT → CLOSED

UDP: Fire-and-Forget

No handshake, no reliability, just speed. Used for DNS, VoIP, video streaming.

Client              Server
  |                  |
  | --UDP packet-→   |  [No handshake, just recv]
  |                  | [No ACK sent]
  | (hope it arrived)|

The Real-World Test: SSH into Your MX80

$ ssh -v admin@192.168.1.1
OpenSSH_8.2p1 Ubuntu 4ubuntu0.5...

# Verbose output shows:
# - DNS lookup of "admin"
# - TCP handshake to port 22
# - SSH banner exchange
# - Public key negotiation
# - Authentication
# - Session open

If port 22 is closed:
  ssh: connect to host 192.168.1.1 port 22: Connection refused

If timeout:
  ssh: connect to host 192.168.1.1 port 22: Operation timed out

The difference:
  - "Refused" = host up, port closed, explicit rejection
  - "Timeout" = host unreachable or firewall silently drops

The Socket Truth: A socket is the agreement between two applications to exchange data. It's not just a port number — it's the state machine, the buffers, the acknowledgements. When a web server accepts your connection, it creates a NEW socket for you. The port is reused for the next client.

shieldPart 2 — The Translation

NAT & The Private Illusion — The Extension Analogy

Public IP addresses are expensive. A single class C (/24) costs money and administrative overhead. NAT (Network Address Translation) solves this by hiding 254 internal devices behind one public IP. This is the cornerstone of every private network, every home router, every corporate firewall.

The Phone Extension Analogy (Revisited and Deepened)

phoneThe Corporation

Public IP (The Pilot Number): Sprint UG's main switchboard number: +256 701 123 456. It appears on business cards. The world calls this number. Private IPs (The Extensions): Internal extensions: 101 (David), 102 (Irene), 103 (Ibrahim), 104 (Msabi). Your laptop inside the network talks to servers using extension numbers, but nobody outside knows they exist. NAT Gateway (The Receptionist / PBX): The system that translates incoming calls: "Call +256 701 123 456" becomes "Route to extension 101." Outgoing calls: "Call from extension 102" becomes "Call from +256 701 123 456." The caller sees only the public number.

The DNS Resolution + Routing Problem

Before NAT existed, networking was simpler but wasteful: every device needed a globally-routable IP. NAT solved this, but it created a paradox:

Inside network (Private):
168.1.100  (laptop)
168.1.1    (gateway/firewall)

Outside world (Public):
248.25.100 (Sprint UG Public IP)

When Dennis (192.168.1.100) requests www.google.com:
His laptop sends: SRC 192.168.1.100:54321 → DST 8.8.8.8:80
Gateway intercepts this
Gateway rewrites: SRC 197.248.25.100:54321 → DST 8.8.8.8:80
Google sees the request from 197.248.25.100
Google replies: SRC 8.8.8.8:80 → DST 197.248.25.100:54321
Gateway intercepts the reply
Gateway rewrites: DST 192.168.1.100:54321
Dennis receives his response

Dennis is invisible to Google. Perfect.

NAT Makes Inbound Connections Tricky

This is the asymmetry:

OUTBOUND (Dennis initiates):
  ✓ Works transparently. NAT learns the mapping.

INBOUND (Someone tries to reach Dennis):
  ✗ Gateway has no idea which extension to route to.
  
  Inbound visitor: "I want to reach 197.248.25.100:8888"
  Gateway: "OK, but nobody inside asked for this. Drop it."

Solution: Port Forwarding.
  Gateway rules: "Incoming port 8888 → forward to 192.168.1.100:8888"

The NAT Table (This is What MikroTik Shows)

On MikroTik RouterOS, you can see the NAT translations in real-time:

[admin@MikroTik] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 #   CHAIN      SRC-ADDRESS     DST-ADDRESS  PROTOCOL ORIG.DST.PORT ORIG.SRC.PORT ACTION
 0 D srcnat    192.168.1.100    0.0.0.0/0    tcp      0              54321        masquerade
 1 D srcnat    192.168.1.101    0.0.0.0/0    tcp      0              54322        masquerade
 2   dstnat    0.0.0.0/0        197.248.25.100 tcp     8888           0            to-addresses=192.168.1.100

Rule 0: "If traffic comes from 192.168.1.100, change its source to 197.248.25.100"
Rule 1: "If traffic comes from 192.168.1.101, change its source to 197.248.25.100"
Rule 2: "If traffic arrives at 197.248.25.100:8888, forward it to 192.168.1.100:8888"

Each active connection creates a dynamic entry (marked D).

Types of NAT

Type	Also Called	Behavior	Real-World Use
Source NAT	SNAT, Masquerade	Rewrite src IP on outbound traffic	Home routers, corporate outbound
Destination NAT	DNAT, Port Forwarding	Rewrite dst IP/port on inbound traffic	Expose internal server to internet
Bidirectional NAT	NAT64, NPTv6	Rewrite both directions (IPv4↔IPv6)	IPv6 migration, dual-stack networks
Static NAT	1:1 NAT	Fixed private:public IP mapping	Dedicated servers, fixed hosts

Private IP Ranges (Reserved by RFC 1918)

0.0.0/8         10.0.0.0 — 10.255.255.255   (16.7 million hosts)
16.0.0/12      172.16.0.0 — 172.31.255.255 (1.0 million hosts)
168.0.0/16     192.168.0.0 — 192.168.255.255 (65,536 hosts)

Additionally (loopback and link-local):
0.0.0/8        127.0.0.1 (localhost)
254.0.0/16     Link-local (APIPA, fallback)
0.0.0/4        Multicast (224.0.0.0 — 239.255.255.255)
0.0.0/4        Reserved for future use

How NAT Works Inside the Machine: The Extension Operator

Now we descend into the actual mechanics. NAT doesn't happen magically. The gateway (whether a MikroTik router, Linux box with iptables, or a Juniper device) is a packet interceptor and rewriter. It's the switchboard operator who knows the extension mapping.

The Internal State Machine

When Dennis (192.168.1.100) initiates a request to Google, the gateway does NOT just rewrite the packet and forget it. It creates a connection state entry that holds the mapping. This is critical:

Dennis initiates: 192.168.1.100:54321 → 8.8.8.8:53 (DNS query)

Gateway kernel intercepts (Netfilter in Linux, FastPath in MikroTik):
  1. Packet arrives on internal interface (ge-0/0/0.1)
  2. Check: Is this packet from an internal network? YES
  3. Check: Do we have a NAT rule for this? YES → masquerade
  4. Action: Rewrite packet
     BEFORE: SRC 192.168.1.100:54321 / DST 8.8.8.8:53
     AFTER:  SRC 197.248.25.100:54321 / DST 8.8.8.8:53
  5. Record the mapping: CREATE STATE ENTRY
     Private: 192.168.1.100:54321 ↔ Public: 197.248.25.100:54321
     Destination: 8.8.8.8:53
     State: NEW (connection just started)
     Timeout: 30 seconds (UDP timeout, then auto-delete)
  6. Forward packet to external interface (ge-0/0/0.0)
  7. Send to 8.8.8.8

Google's DNS server replies: 8.8.8.8:53 → 197.248.25.100:54321

Gateway kernel intercepts return traffic:
  1. Packet arrives on external interface (ge-0/0/0.0)
  2. Check: Is this destined for our public IP? YES
  3. Check: Do we have a state entry for 197.248.25.100:54321? YES
  4. Lookup mapping: 197.248.25.100:54321 maps to 192.168.1.100:54321
  5. Action: Reverse-rewrite packet
     BEFORE: SRC 8.8.8.8:53 / DST 197.248.25.100:54321
     AFTER:  SRC 8.8.8.8:53 / DST 192.168.1.100:54321
  6. Forward packet to internal interface (ge-0/0/0.1)
  7. Deliver to Dennis

Dennis receives DNS response. Perfect.

The Connection Tracking Table: The Receptionist's Ledger

The gateway maintains a table of ALL active NAT translations. This is the heart of the system. On MikroTik, you see it here:

[admin@MikroTik] > /ip firewall connection tracking print
Flags: E - expected, S - seen reply, A - assured 
 #    PROTOCOL  SRC-ADDRESS             SRC.PORT  DST-ADDRESS         DST.PORT  TIMEOUT
 0 SA  tcp      192.168.1.100           54321     8.8.8.8             80        1h5m
 1 SA  tcp      192.168.1.101           43210     142.251.41.14       443       55m10s
 2 SA  udp      192.168.1.50            5060      203.0.113.10        5060      9s
 3  A  tcp      192.168.1.100           27015     103.21.244.0        27015     25m
 4      tcp      192.168.1.102           51234     1.1.1.1             53        3m40s

Flags explained:
  S = Server has seen a reply (bidirectional, established)
  A = Assured (both sides active, likely to continue)
  E = Expected (helper rule for protocols like FTP that need data channels)

Each line is ONE open connection.
The gateway will NOT delete this entry until TIMEOUT expires or the connection explicitly closes (FIN packet).

Real-time example: 4 concurrent TCP connections from extension 192.168.1.100:
  54321 → Google (web)
  8822 → AWS (SSH)
  12001 → internal DB
  Each has its own state entry. Each is independent.

The Port Mapping: How Ephemeral Ports Work

Dennis's laptop asks the OS for a port to use for outbound DNS. The OS hands it port 54321 (ephemeral, chosen from the available range). But once it goes through NAT, it remains 54321 on the public side (in this case). This is called hairpin NAT or port preservation.

Outbound: Dennis picks ephemeral port

192.168.1.100 (Dennis's laptop) picks port 54321 (OS chooses first available)
  OUTBOUND PACKET: [SRC 192.168.1.100:54321] [DST 8.8.8.8:53]
  NAT Rule: masquerade (one-to-one port preservation)
  AFTER NAT: [SRC 197.248.25.100:54321] [DST 8.8.8.8:53]

Google replies to 197.248.25.100:54321
  Gateway sees this, reverse-NATed to 192.168.1.100:54321
  Route back to Dennis

═══════════════════════════════════════════════════════

BUT: What if TWO devices try to use port 54321?

192.168.1.100 (Dennis): [SRC 192.168.1.100:54321] → 8.8.8.8:53
192.168.1.101 (Irene):  [SRC 192.168.1.101:54321] → 8.8.8.8:53

FIRST PACKET (Dennis):
  NAT Rule: masquerade
  AFTER:    [SRC 197.248.25.100:54321] → 8.8.8.8:53
  STATE ENTRY: 192.168.1.100:54321 ↔ 197.248.25.100:54321

SECOND PACKET (Irene):
  NAT Rule: masquerade
  TRY:      [SRC 197.248.25.100:54321] → 8.8.8.8:53
  PROBLEM: Port 54321 already taken! State collision.
  SOLUTION: NAT port multiplexing
  ACTUAL:   [SRC 197.248.25.100:54322] → 8.8.8.8:53
  STATE ENTRY: 192.168.1.101:54321 ↔ 197.248.25.100:54322

Gateway allocated an ALTERNATE port on the public side. Irene's reply comes back to 54322, which the gateway maps back to 192.168.1.101:54321.

This is why you can have thousands of internal devices all being translated by one public IP.
Each unique combination of (internal_ip, internal_port, destination_ip, destination_port) gets a unique public port.

Inbound (Port Forwarding): The Rules That Break Symmetry

Outbound works by accident (because the internal device initiates, creating a state entry). Inbound requires explicit rules. This is the asymmetry that trips up engineers.

Scenario: You want to expose a web server inside (192.168.1.50:80) to the internet.

Rule required: Destination NAT (DNAT)
  [admin@MikroTik] > /ip firewall nat add \
    chain=dstnat \
    dst-address=197.248.25.100 \
    dst-port=80 \
    protocol=tcp \
    action=dst-nat \
    to-addresses=192.168.1.50 \
    to-ports=80

What this means:
  "All packets coming TO 197.248.25.100:80 (TCP) → rewrite dest to 192.168.1.50:80"

When external client connects:

EXTERNAL CLIENT: [SRC 203.0.113.5:45321] → [DST 197.248.25.100:80]
  Arrives at gateway WAN interface

Gateway kernel checks:
  1. Is this inbound? YES
  2. Check DSTNAT rules: Does dst 197.248.25.100:80 match? YES
  3. Rewrite: [SRC 203.0.113.5:45321] → [DST 192.168.1.50:80]
  4. Create state entry:
     External: 203.0.113.5:45321 (untranslated)
     Internal: 192.168.1.50:80
     Direction: Inbound
     Timeout: 10 minutes (TCP timeout)
  5. Forward to internal interface
  6. Deliver to 192.168.1.50 (the real server)

Internal server replies: [SRC 192.168.1.50:80] → [SRC 203.0.113.5:45321]
  Gateway intercepts return:
  Checks state entry: found
  Reverse-rewrites: [SRC 197.248.25.100:80] → [SRC 203.0.113.5:45321]
  Forward to external client

External client receives reply from 197.248.25.100:80 (correct).
They never see 192.168.1.50. Perfect.

The Cost: Connection State Explosion

Every active connection consumes memory in the gateway. This is a real bottleneck on high-traffic networks.

[admin@MikroTik] > /ip firewall connection tracking print stats

Connection tracking enabled: yes
Connection count: 12847 (out of 262144 max)
  ↑ Currently tracking 12,847 live connections
  Can handle up to 262,144 before saturation

Connection table size: 262144 entries
Timeout check interval: 10 seconds
TCP established timeout: 1d (1 day, tunable)
TCP transient timeout: 10m
UDP timeout: 10s
GRE timeout: 10m

On a gateway handling 50,000 clients:
  1 connection per client = 50,000 entries
  10 connections per client (browser tabs, email, VoIP) = 500,000 entries
  → OVERFLOW warnings, dropped packets

Solution: Increase connection limits, tune timeouts, or scale to HA (High Availability) setup.

The Real-World Analogy: The PBX Switchboard

A telephone switchboard in 1970 is the perfect model for NAT:

Sprint UG office: +256 701 123 456 (public number)

Receptionist (Gateway/PBX):
  Extension 101 (David, 192.168.1.100)
  Extension 102 (Irene, 192.168.1.101)
  Extension 103 (Ibrahim, 192.168.1.103)

David calls external: "I'm David, extension 101"
  Receptionist: "I'll route this as coming from +256 701 123 456"
  External party: "I'm calling +256 701 123 456, who is this?"
  Receptionist: "Don't know—I'll just route replies back to extension 101"
  State entry created: 101 ↔ 123456 (David's call)

Irene calls the same external number:
  Receptionist: "I'll route this as coming from +256 701 123 456"
  PROBLEM: Two calls "from" the same number!
  Receptionist: "I'll add a 'caller ID marker' (ephemeral port 54322)"
  External party: "I'm calling +256 701 123 456 extension 2—is that right?"
  Receptionist: "Yes, that's Irene (102). Route replies to her."
  State entry created: 102 ↔ 123456-ext2 (Irene's call)

Someone calls in: "I want extension 101 (David)"
  Receptionist: "Nobody called me asking for someone. I don't know which extension."
  Caller: "But I saw +256 701 123 456 in the directory!"
  Receptionist: "That's the switchboard, not David directly. You need to ask me first."
  Solution: "System administrator set up a rule: calls for 'David line' → extension 101"
  "This rule is permanent (port forwarding), not temporary like outbound calls."

Every state entry is temporary (except port-forwarding rules).
When a call ends, the receptionist forgets the mapping.
This is brilliant design—zero configuration for outbound, manual configuration for inbound.

NAT is Stateful Firewalling: The gateway is not just translating addresses; it's maintaining a full state machine for every connection. This is why NAT can be a security feature (it hides internal IPs) AND a scaling challenge (state table limits). Modern gateways can track millions of connections, but at 10 Gbps, a single large connection can become the bottleneck.

Why NAT Breaks Some Technologies

NAT was designed for client-server: clients initiate, servers listen outside. But some protocols expect bidirectional openness:

Broken by NAT:
  - P2P file sharing (BitTorrent, Syncthing)
  - VoIP without ALG (Application Layer Gateway)
  - Online gaming (unless port-forwarded)
  - Certain IoT protocols
  - IPv6 (which doesn't need NAT, but...)

Solution: UPnP (Universal Plug and Play)
  Devices ask the gateway: "Please forward port X to me."
  Gateway: "OK, done."
  
  Or: Manual port forwarding (more secure)
  Or: VPN tunnel (remote access without port forwarding)

The NAT Principle: One public IP, many private IPs. Gateway is the translator. Outbound works seamlessly; inbound needs explicit rules. This is why a computer at 192.168.1.100 can browse the internet, but a remote server cannot initiate a connection to it without port forwarding.

directoryPart 3 — The Resolver

Recursive DNS — The Phonebook Director

DNS is the second pillar of the internet. It translates names (google.com) to addresses (142.251.41.14). Without DNS, you must memorize IP addresses — humans can't scale that. DNS makes the internet usable.

The Confused Roles (and Why Engineering Fails Here)

Most junior engineers confuse "DNS" with "Router." They are completely different:

Role	Device/Service	Port	Question It Answers
Router	MX80, CCR2116, EdgeRouter	varies	"Where do I send packets destined for 192.168.3.0/24?"
Firewall	pfSense, MikroTik filter	varies	"Is this packet allowed by policy?"
DNS Server	Bind9, Unbound, DJBDNS	53 (TCP/UDP)	"What IP address is google.com?"
DHCP Server	ISC-DHCP, Mikrotik DHCP	67/68 (UDP)	"What IP can I assign to this new laptop?"

The Two Types of DNS Servers

contactsThe Phonebook Analogy

Authoritative DNS: You own sprint-tech.codeandcore.dev. You published this domain at a registrar (GoDaddy, Route53). YOU are the authoritative server — you are the one who says "sprint-tech.codeandcore.dev = 197.248.25.100." Recursive DNS: Your laptop uses 8.8.8.8 (Google's public DNS). When you type google.com, your laptop asks 8.8.8.8: "What is google.com?" Google's server doesn't own google.com; they are just researchers. They go ask the authoritative servers for you, cache the answer, and give it back. They are the librarian; you are the customer asking, "Where is the book on dogs?"

The Query Path (Full Recursion)

Engineer types: google.com
Laptop → Recursive resolver (8.8.8.8)
  "Who is google.com?" (Recursive query)

Recursive resolver → Root nameserver
  "Who is google.com?" (Delegated query)
  Root: "Ask the .com TLD server (b.gtld-servers.net)"

Recursive resolver → .com TLD server
  "Who is google.com?" (Authoritative for .com)
  TLD: "Ask ns1.google.com"

Recursive resolver → ns1.google.com (Authoritative)
  "Who is google.com?"
  Authoritative: "That's 142.251.41.14"

Recursive resolver → Laptop
  "google.com is 142.251.41.14"

Laptop → google.com (142.251.41.14)
  GET / HTTP/1.1

The Root Servers (The Foundation)

Thirteen root servers (a–m) are operated globally. They are the apex of trust. When you ask a recursive resolver, it uses at least one root server to bootstrap the query.

Root nameservers (13 globally distributed locations):
a.root-servers.net  (operator: VeriSign)
b.root-servers.net  (operator: USC-ISI)
c.root-servers.net  (operator: Cogent)
... (d through m)

Each root has anycast replicas in multiple countries (200+ replicas globally).
When your resolver asks a.root-servers.net, it gets the geographically closest one.

Caching: The Performance Layer

Without caching, DNS would be catastrophically slow. Every query would require a full recursion. Instead, results are cached at multiple levels:

TTL (Time-To-Live): How long a result is cached (in seconds)

Level 1: Authoritative servers cache
  TTL=3600  → Cached for 1 hour

Level 2: Recursive resolver cache (ISP, 8.8.8.8)
  TTL=3600  → Cached for 1 hour
  Usually longer to reduce root server load

Level 3: Operating system resolver cache
  Windows: ipconfig /displaydns
  Linux:   systemd-resolve --statistics

Level 4: Browser cache
  Chrome keeps its own DNS cache

The journey (with caching):
  1st query: laptop → recursive → root → TLD → auth = 150ms
  2nd query (same minute): laptop → cached = <5ms

MikroTik DNS Cache

On MikroTik, you can see (and manage) the DNS cache:

[admin@MikroTik] > /ip dns cache print
 #  ADDRESS                 RRTYPE  TTL  EXP-TTL
 0  google.com              A       3600 3427
 1  google.com              AAAA    (?)  ---
 2  ns1.google.com          A       86400 82156
 3  github.com              A       300  87
 ...

Address         = The query (domain)
RRTYPE          = Record type (A=IPv4, AAAA=IPv6, MX=mail, NS=nameserver)
TTL             = Original TTL from authoritative server
EXP-TTL         = Seconds remaining

Flush specific entry:
  /ip dns cache flush [find address=google.com]

Flush all:
  /ip dns cache flush all

DNS Record Types (The Essential Five)

Type	Purpose	Example	Held By
A	IPv4 address	google.com → 142.251.41.14	Authoritative
AAAA	IPv6 address	google.com → 2607:f8b0:4004:80c::200e	Authoritative
CNAME	Canonical name (alias)	www.google.com → google.com	Authoritative
MX	Mail server	google.com → aspmx.l.google.com	Authoritative
NS	Nameserver authority	google.com → ns1.google.com	Parent zone (.com)

DNS Failure = Blindness

A critical diagnostic lesson:

Scenario: "I can ping 8.8.8.8 but I cannot reach google.com"

What works:
  PING 8.8.8.8         ✓ (IP routing, L3, L4 ICMP)

What fails:
  PING google.com      ✗ (DNS resolution fails)
  NSLOOKUP google.com  → "Unknown host"

Diagnosis:
  - Is DNS configured? (ipconfig /all, cat /etc/resolv.conf)
  - Can you reach the DNS server? (ping 8.8.8.8 — should be yes)
  - Is the DNS server working? (can it reach roots?)
  - Is the domain published? (nslookup -type=A google.com @ns1.google.com)

The internet is alive, but your humans are blind.

DNS as a System: It's not one server; it's a distributed, hierarchical, cached system. Authoritative servers are edited rarely. Recursive servers query often. TTLs balance freshness and caching. One DNS failure can break everything above it.

handshakePart 4 — Integration

The Sovereign Handshake — Putting It Together

Sockets. NAT. DNS. These aren't separate—they work in concert on every request. This is where theory becomes craft. You see the MX80 and MikroTik CCR2116 in front of you. Now you understand what they actually do.

The Complete Journey: Dennis Opens google.com

Environment: Dennis sits at 192.168.1.100 (private). Gateway 192.168.1.1 translates. Public IP: 197.248.25.100. Default DNS: 8.8.8.8. Let's trace one HTTP request end-to-end.

━━ LAYER 7: APPLICATION ━━
Dennis types: google.com
Browser: "I need to fetch this."

Browser checks: Do I have google.com cached?
  No. → Ask the OS resolver.

━━ LAYER 5: SESSION ━━
OS Resolver: "Do I have google.com cached?"
  No (or TTL expired). → Go recursive.

OS sends: DNS query (UDP 53)
  SRC: 192.168.1.100:50001
  DST: 8.8.8.8:53
  QUERY: "What is the IPv4 (A) record for google.com?"

━━ LAYER 3: NETWORK ━━
Router (192.168.1.1) sees the packet.
  SRC 192.168.1.100 is internal. → Check NAT rules.
  Rule: "Outbound traffic from internal → Masquerade as 197.248.25.100"
  Gateway rewrites:
    SRC: 192.168.1.100:50001  →  SRC: 197.248.25.100:50001
    DST: 8.8.8.8:53  →  DST: 8.8.8.8:53
  
  Gateway forwards to 8.8.8.8.

8.8.8.8 DNS receives:
  SRC: 197.248.25.100:50001
  QUERY: "google.com A record"
  
  (Google's DNS queries roots, TLD servers, gets answer)
  
8.8.8.8 replies:
  SRC: 8.8.8.8:53
  DST: 197.248.25.100:50001
  ANSWER: "google.com = 142.251.41.14"

Gateway (192.168.1.1) receives reply.
  Checks NAT table: "Who asked 8.8.8.8:53?"
    Found: 192.168.1.100:50001 asked for 197.248.25.100:50001
  Gateway rewrites:
    DST: 197.248.25.100:50001  →  DST: 192.168.1.100:50001
  
  Gateway forwards to 192.168.1.100.

Dennis's OS receives:
  "google.com = 142.251.41.14"

Browser caches this. TTL: 300 seconds.

━━ NOW: LAYER 4 + 7: TCP + HTTP ━━
Browser: "Now I connect to 142.251.41.14:443 (HTTPS)"

TCP handshake:
  Dennis sends: SYN (seq=1000)
    SRC: 192.168.1.100:54321
    DST: 142.251.41.14:443

Gateway NAT:
    Rewrites:
    SRC: 192.168.1.100:54321  →  SRC: 197.248.25.100:54321
    DST: 142.251.41.14:443  →  DST: 142.251.41.14:443
  
  Gateway forwards to internet.

Google (142.251.41.14) receives:
  SRC: 197.248.25.100:54321
  Google sees Dennis as 197.248.25.100, a public IP.
  Google: "I'll respond to this."

Google sends: SYN-ACK
  SRC: 142.251.41.14:443
  DST: 197.248.25.100:54321
  [ACK flag, seq=5000, ack=1001]

Gateway receives:
  Checks NAT table: "Who initiated 142.251.41.14:443?"
    Found: 192.168.1.100:54321 initiated as 197.248.25.100:54321
  Gateway rewrites:
    DST: 197.248.25.100:54321  →  DST: 192.168.1.100:54321
  
  Gateway forwards to Dennis.

Dennis receives:
  SYN-ACK from 142.251.41.14:443
  Connection is established (3-way handshake complete).

Dennis sends: HTTP GET request:
  POST DATA (encrypted with TLS):
  "GET / HTTP/1.1\r\nHost: google.com\r\n..."

TLS/SSL encrypts this. Google's server responds.

Response travels backward through the same chain:
  Google → Gateway (rewrites dst) → Dennis

Browser receives: HTML of google.com
Renders. User sees: "Google homepage"

═════════════════════════════════════════
Total time: ~100ms for first request.
Sessions cached 300s.
Next request to google.com (within 300s): <20ms

The MikroTik View: Real Commands

Standing in front of a MikroTik CCR2116, here's what you'd see:

[admin@MikroTik] > /ip firewall nat print # CHAIN SRC-ADDRESS DST-ADDRESS PROTO ORIG.DST.PORT ACTION 0 D srcnat 192.168.1.0/24 0.0.0.0/0 masquerade (All outbound from 192.168.1.x masquerades as public IP) [admin@MikroTik] > /ip dns cache print # ADDRESS RRTYPE TTL 0 google.com A 271 (expires in 271s) 1 142.251.41.14.in-addr.arpa PTR --- 2 googleapis.com A 600 ... [admin@MikroTik] > /ip firewall connection print # PROTOCOL SRC-ADDRESS:SRC-PORT DST-ADDRESS:DST-PORT 0 tcp 192.168.1.100:54321 142.251.41.14:443 [ESTABLISHED] 1 udp 192.168.1.100:50001 8.8.8.8:53 [ESTABLISHED] 2 tcp 192.168.1.105:80 192.168.1.100:38291 [ESTABLISHED] ... [admin@MikroTik] > /ip firewall connection tracking print stats Connection tracking enabled: yes Connection count: 247 (out of 8192 max) Connection timeout: 30d UDP timeout: 10s GRE timeout: 30m

The Diagnostic Question (The Real Test)

An engineer comes to you and says:

"I can ping 8.8.8.8 but I cannot open google.com."

This statement reveals:
  ✓ L1 (physical) is up: cable connected
  ✓ L2 (MAC) is up: device is on the network
  ✓ L3 (routing) is up: packets reach 8.8.8.8
  ✓ L4 (ICMP echo) works: Google responds to ping
  ✗ L5-7 is broken: DNS or application layer

Next questions:
  1. nslookup google.com  → Does DNS work?
  2. nslookup google.com 8.8.8.8  → Is the recursive resolver reachable?
  3. tracert 8.8.8.8  → Is the path clear?
  4. netstat -ano | grep 53  → Is a DNS process listening?
  5. /ip dns print  → Is MikroTik DNS configured?
  6. /ip dns cache print | grep google.com  → Is it cached?

The answer is almost always:
  - DNS is not configured (missing /ip dns server setting)
  - DNS server is down (process crashed)
  - DNS is blocked by firewall rule
  - DNS cache is poisoned (wrong answer cached)

Putting It in Practice: The MX80 Configuration

On a Juniper MX80, you'd configure DNS for the control plane like this:

admin@MX80# show system name-server
name-server 8.8.8.8;
name-server 8.8.4.4;

admin@MX80# show security nat source
rule admin-to-internet {
    match {
        source-address 192.168.1.0/24;
        destination-address 0.0.0.0/0;
    }
    then {
        source-nat {
            interface;
        }
    }
}

admin@MX80# show security nat destination
rule external-http {
    match {
        destination-address 197.248.25.100;
        destination-port 80;
    }
    then {
        destination-nat {
            to {
                address 192.168.1.50;
                port 80;
            }
        }
    }
}

admin@MX80# show interfaces lo0
unit 0 {
    family inet {
        address 127.0.0.1/32;
    }
}

When configured, the MX80:
1. Resolves names using 8.8.8.8 and 8.8.4.4
2. Masquerades internal traffic outbound
3. Forwards external traffic on port 80 to 192.168.1.50
4. All routing decisions are logged and traceable

The Sovereign Principle: Full Stack Awareness

A world-class network engineer understands the entire stack, not just IP routing. You now know:

L1: Physical cable, SFP modules, light/voltage
L2: MAC addresses, switches, VLAN tagging, STP
L3: IP addresses, subnets, routing (BGP, OSPF)
L4: TCP/UDP, ports, state machines, NAT
L5: Session management, auth, tunnel setup
L6: TLS encryption, compression
L7: HTTP, DNS, SSH, SMTP — the applications

And you know:
  - Sockets live in L4 and are implemented in L5+
  - NAT operates at L3-L4, rewriting addresses and ports
  - DNS is L7 but depends on L3-L4 routing
  - A failure at any layer cascades upward

When Dennis cannot reach google.com, you know:
  Start L1 (cable plugged?), work L2 (MAC reachable?), 
  check L3 (route exists?), verify L4 (port open?), 
  test L5-L7 (DNS working? TLS valid?)

This is the difference between a technician (who restarts services) 
and an engineer (who understands why).

The Checksum: One public IP hides 254 extensions. One DNS query traverses 13 root servers. One socket connection requires 5 layers of handshakes. Every part must work. This is the Sovereign Handshake — the orchestration that makes the internet real.