When you type www.google.com in your browser, a cascade of network services springs into action before the first byte of web content reaches your screen. Your computer queries DNS servers to translate the name to an IP address. Earlier, DHCP assigned your computer its IP address, subnet mask, and default gateway. NTP synchronizes your system clock to ensure security certificates validate correctly.

These network services form the invisible infrastructure that makes user-facing applications possible. They're so reliable that we rarely think about them—until they fail, at which point everything else fails too. This page explores these foundational services, their protocols, architectures, and the engineering that keeps them running at global scale.

The Domain Name System (DNS) is arguably the most critical network service. It translates human-readable domain names (www.example.com) into IP addresses (93.184.216.34) that networks use for routing. Without DNS, you'd need to memorize IP addresses for every service you use.

DNS as a Distributed Database:

DNS is not a single server—it's a globally distributed, hierarchical database containing billions of records. This distribution serves multiple purposes:

• Scalability: No single server could handle the billions of queries per day
• Reliability: Failure of any server doesn't break the system
• Performance: Servers close to users provide faster responses
• Administration: Each organization manages its own portion of the namespace

DNS Record Types:

DNS stores various types of records, each serving different purposes:

A / AAAA: Address records mapping names to IPv4/IPv6 addresses CNAME: Canonical name, an alias to another name MX: Mail exchanger, where to deliver email for a domain TXT: Text records, used for SPF, DKIM, domain verification NS: Nameserver records, delegating authority to DNS servers SOA: Start of Authority, zone administration information SRV: Service location records for specific protocols PTR: Reverse DNS, mapping IP addresses to names

DNS Query Resolution:

A typical DNS query follows this path:

1. Application calls getaddrinfo() or similar
2. Stub resolver (in OS) checks local cache, /etc/hosts
3. Recursive resolver (usually ISP or 8.8.8.8) receives query
4. If not cached, recursive resolver queries root servers
5. Root refers to appropriate TLD server (.com, .org, etc.)
6. TLD refers to domain's authoritative nameserver
7. Authoritative server returns the answer
8. Each server caches the response based on TTL

DNS was designed in 1983 without security in mind. Anyone could forge responses, redirect traffic, or eavesdrop on queries. Modern extensions address these vulnerabilities.

DNS Attack Vectors:

Cache Poisoning: Attacker makes recursive resolver cache false records DNS Spoofing: Attacker responds to queries before legitimate server DNS Hijacking: Attacker compromises authoritative server or registrar DNS Tunneling: Encoding arbitrary data in DNS queries/responses DDoS Amplification: Using DNS to amplify attack traffic

Security Extensions:

DNSSEC Deep Dive:

DNSSEC adds cryptographic assurance that DNS responses haven't been modified. It works through a chain of trust:

1. Root zone is signed with root key (maintained by ICANN)
2. TLD zones (.com, .org) are signed, with parent-signed DS records
3. Authoritative zones sign their records, parent has DS record
4. Resolver validates signatures up the chain to root

If any signature is invalid, the resolver knows the data was tampered with.

Challenges:

• Key management complexity
• Larger response sizes (breaks some firewalls)
• Clock synchronization requirements
• Doesn't encrypt queries (just authenticates)

DoH vs DoT:

Both encrypt DNS queries, but differ in approach:

• DoT: Dedicated port (853), easy to identify and block
• DoH: Uses HTTPS port 443, indistinguishable from web traffic

Privacy advocates prefer DoH (harder to block); network administrators often prefer DoT (can be monitored for policy).

The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses and network configuration to devices when they connect to a network. Without DHCP, every device would need manual configuration—impractical in any modern network.

What DHCP Provides:

• IP Address: Unique address for the device
• Subnet Mask: Defines network/host portions
• Default Gateway: Router for external communication
• DNS Servers: For name resolution
• Lease Time: How long the configuration is valid
• Optional: Domain name, NTP servers, WINS servers, custom options

The DORA Process:

DHCP uses a four-step process (DORA):

DHCP Lease Management:

DHCP leases are temporary—devices must periodically renew:

• T1 (Renewal Timer): At 50% of lease, client requests renewal
• T2 (Rebinding Timer): At 87.5%, client broadcasts for any server
• Lease Expiry: If no response, client loses configuration

This ensures addresses are reclaimed when devices leave the network.

DHCP Server Architecture:

Pool Management:

• Define address ranges (pools) per subnet
• Track allocated vs. available addresses
• Handle reservations (fixed IP for MAC address)

Relay Agents:

• DHCP uses broadcast; routers don't forward broadcasts
• DHCP relay agents forward requests across subnets
• Central DHCP server can serve multiple VLANs

Failover:

• Primary/secondary server pairs
• Split or shared pool configurations
• Prevent address conflicts during failover

Network Time Protocol (NTP) synchronizes clocks across networks. This might seem mundane until you realize how many things break with incorrect time:

• TLS/SSL certificates: Expire based on time
• Kerberos authentication: Tickets have time limits (5-minute window)
• Logging: Forensics require correlated timestamps
• Distributed systems: Consensus algorithms need bounded clock skew
• Financial systems: Regulations require precise timestamps
• Databases: Conflict resolution often relies on timestamps

NTP Architecture:

NTP uses a hierarchical stratum model:

• Stratum 0: Reference clocks (GPS, atomic clocks)
• Stratum 1: Servers directly connected to stratum 0
• Stratum 2: Synchronized to stratum 1
• Stratum 3-15: Each level synchronized to level above
• Stratum 16: Unsynchronized (should never be used)

Lower stratum = more accurate.

NTP Algorithm:

NTP calculates time offset using round-trip measurements:

1. Client sends request with timestamp t1
2. Server receives at timestamp t2
3. Server sends response at timestamp t3
4. Client receives at timestamp t4

Clock Offset: θ = ((t2 - t1) + (t3 - t4)) / 2 Round-trip Delay: δ = (t4 - t1) - (t3 - t2)

NTP averages multiple samples and uses sophisticated algorithms to reject spurious measurements. Best-case accuracy is ~1ms on LANs, ~10ms on Internet.

NTP vs. Alternatives:

SNTP (Simple NTP): Simplified protocol for less demanding clients PTP (Precision Time Protocol): Sub-microsecond accuracy for specialized hardware Chrony: Modern NTP implementation favored by many Linux distributions

Enterprise networks depend on centralized authentication and directory services to manage users, computers, and access policies across thousands of devices.

LDAP (Lightweight Directory Access Protocol):

LDAP provides hierarchical directory services—essentially a specialized database optimized for reading and searching identity information:

• Distinguished Names (DN): Unique identifier like cn=John Doe,ou=Users,dc=example,dc=com
• Entries: Collections of attributes about an object
• Schema: Defines allowed attributes and object classes
• Referrals: Linking directories across organizations

LDAP is the foundation for Active Directory, OpenLDAP, and many identity systems.

Kerberos Deep Dive:

Kerberos is the dominant authentication protocol in enterprise environments:

Components:

• KDC (Key Distribution Center): Authentication server holding all keys
• TGS (Ticket Granting Service): Issues service tickets
• Tickets: Cryptographic proof of identity, time-limited

Authentication Flow:

1. Client requests TGT (Ticket Granting Ticket) from KDC
2. KDC verifies credentials, issues encrypted TGT
3. Client presents TGT to TGS for service ticket
4. Client presents service ticket to target server
5. Server validates ticket (no contact with KDC needed)

Benefits:

• Password never sent over network after initial auth
• Tickets enable Single Sign-On (SSO)
• Mutual authentication (server proves identity too)

Requirements:

• Synchronized clocks (±5 minutes default)
• Reliable network to KDC
• Secure initial key distribution

In dynamic environments—cloud, microservices, containers—static configuration of service locations is impractical. Service discovery mechanisms allow services to register their presence and clients to find available instances.

Service Discovery Patterns:

Client-Side Discovery:

• Client queries service registry directly
• Client chooses instance (load balancing in client)
• Examples: Netflix Eureka, Consul with client libraries

Server-Side Discovery:

• Client queries load balancer/proxy
• Proxy routes to available instance
• Examples: Kubernetes Services, AWS ELB with Target Groups

DNS-Based Discovery:

• Services registered as DNS records
• SRV records specify port and priority
• Works with existing infrastructure
• Examples: Consul DNS, Kubernetes CoreDNS

Kubernetes Service Discovery:

Kubernetes provides built-in service discovery:

Services: Stable IP/name for pod group

• Pods register automatically via label selection
• ClusterIP Services: internal load balancing
• NodePort/LoadBalancer: external access

CoreDNS: Cluster DNS server

• <service>.<namespace>.svc.cluster.local
• Automatic registration
• Pods can be discovered too with pod DNS

Endpoints/EndpointSlices: Backend tracking

• List of pod IPs behind a Service
• Updated as pods come and go

Health Checking:

Service discovery requires knowing which instances are healthy:

• Liveness: Is the process alive?
• Readiness: Is it ready to receive traffic?
• Health endpoints: Application-specific checks

Unhealthy instances are removed from discovery results.

Modern applications require dynamic configuration—settings that can change without redeployment. Configuration management services provide centralized, versioned, and secure configuration distribution.

Why Centralized Configuration:

• Consistency: All instances see the same configuration
• Dynamic Updates: Change settings without restarting services
• Audit Trail: Track who changed what, when
• Environment Separation: Different configs for dev/staging/prod
• Secrets Management: Securely store and distribute credentials

Configuration Service Types:

Secrets Management with Vault:

HashiCorp Vault exemplifies enterprise secrets management:

Secret Engines:

• KV: Static key-value secrets
• Database: Dynamic, time-limited database credentials
• PKI: Generate TLS certificates on demand
• AWS/GCP/Azure: Dynamic cloud credentials

Authentication Methods:

• AppRole for applications
• Kubernetes service account
• LDAP, OIDC, GitHub
• Cloud IAM integration

Policies:

• Fine-grained ACLs on secret paths
• Enforce separation of duties

Audit:

• Detailed audit log of all access
• Required for compliance

Dynamic Configuration Patterns:

• Poll-based: Application periodically checks for changes
• Push-based: Config service notifies on changes (watches)
• Sidecar pattern: Separate process manages config updates
• Hot-reload: Application reloads without restart

We've explored the foundational network services that infrastructure depends on—services that must work correctly for everything else to function.

What's Next:

With network services covered, the final page of this module explores Middleware—the software layer that sits between applications and the operating system, providing higher-level network abstractions like message queues, RPC frameworks, and API gateways. Middleware simplifies application development by handling common networking patterns.