Networking & Protocols Cheat Sheet

Networking questions in interviews almost always come back to a few fundamentals - the difference between TCP and UDP, what actually happens during a handshake, how a URL turns into bytes on a wire, and where things sit in the layer model. Learn the moving parts below well enough to draw the handshake and the DNS path on a whiteboard, and you will handle most follow-ups.

TCP

Connection-oriented, reliable, ordered. Uses a 3-way handshake, sequence numbers, acknowledgements, retransmission, and flow + congestion control. Higher overhead and latency. Used by HTTP/1.1 and HTTP/2, SSH, SMTP, and most request-response traffic.

UDP

Connectionless, unreliable, unordered. No handshake, no retransmit, no congestion control by default. Minimal overhead and lower latency. Used by DNS, DHCP, real-time video and voice, gaming, and QUIC (which builds reliability on top in user space).

Pick TCP when

You need every byte delivered in order - file transfer, APIs, databases.

Pick UDP when

Timeliness beats completeness - live media, telemetry, or you build your own reliability layer.

Connection setup is three segments. The client sends SYN with an initial sequence number. The server replies SYN-ACK, acknowledging the client's sequence and sending its own. The client sends ACK and the connection is established. Teardown is the 4-way 'FIN' handshake - each side independently sends a FIN and waits for an ACK, because TCP connections are full-duplex and each direction is closed separately. The side that closes first enters TIME_WAIT (roughly twice the maximum segment lifetime) so late-arriving packets do not corrupt a new connection on the same port pair.

TLS 1.3 cut the handshake to a single round trip. The client sends ClientHello with its supported cipher suites plus a key share (an ephemeral Diffie-Hellman public key) - it guesses the group the server will pick. The server replies with ServerHello, its own key share, the certificate, and a Finished message, all encrypted after the key exchange. Both sides now derive the shared session keys. TLS 1.3 dropped RSA key exchange and static keys in favor of forward-secret ephemeral Diffie-Hellman, and it supports 0-RTT resumption where a returning client can send data in its first flight. Remember - TLS sits above TCP, so the TCP handshake completes first, then TLS negotiates on top.

HTTP/1.1

Text protocol over TCP. One request in flight per connection (pipelining was never reliable), so browsers open many parallel connections. Suffers from head-of-line blocking at the HTTP layer. Keep-alive connections by default.

HTTP/2

Binary framing over a single TCP connection. Multiplexes many streams concurrently, adds header compression (HPACK) and server push. Fixes HTTP-layer head-of-line blocking but is still vulnerable to TCP-layer head-of-line blocking - one lost packet stalls all streams.

HTTP/3 (QUIC)

Runs over QUIC, which runs over UDP. Each stream is independent, so a lost packet only stalls its own stream - this removes TCP head-of-line blocking. TLS 1.3 is built in, and connection setup and encryption are combined into fewer round trips. Connections survive IP changes via a connection ID (useful for mobile).

200 OK

Success. Response body is the result.

201 Created

Resource created, typically after a POST.

204 No Content

Success with no body - common for DELETE.

301 vs 302

301 is a permanent redirect (cacheable, update bookmarks); 302 is temporary.

304 Not Modified

Cached copy is still valid - used with ETag / If-None-Match.

400 Bad Request

Malformed request the client must fix.

401 vs 403

401 means not authenticated (who are you?); 403 means authenticated but not authorized (you cannot do this).

404 Not Found

Resource does not exist at this URL.

409 Conflict

State conflict, e.g. a version mismatch on update.

429 Too Many Requests

Rate limited. Respect the 'Retry-After' header.

500 vs 502/503/504

500 is a generic server error; 502 bad gateway (bad upstream response); 503 service unavailable (overloaded or down); 504 gateway timeout (upstream too slow).

Turning a name into an address walks a hierarchy. The client (the stub resolver) asks its configured recursive resolver. If the answer is not cached, the resolver queries a root name server, which points it to the right TLD server (for example the '.com' servers). The TLD server points to the domain's authoritative name server, which returns the actual record. The recursive resolver caches the answer for its TTL and returns it to the client. Record types you should know: A (name to IPv4), AAAA (name to IPv6), CNAME (alias from one name to another), MX (mail exchange servers, with priorities), and TXT (arbitrary text, used for SPF, DKIM, and domain verification).

OSI model

Seven layers: Physical, Data Link, Network, Transport, Session, Presentation, Application.

TCP/IP model

Four layers: Link, Internet, Transport, Application. It collapses OSI's top three into one Application layer and the bottom two into Link.

Layer 3 (Network / Internet)

IP, ICMP, routing. Addresses are IP addresses; the unit is a packet.

Layer 4 (Transport)

TCP and UDP. Adds ports; the unit is a segment (TCP) or datagram (UDP).

Layer 7 (Application)

HTTP, DNS, SSH, SMTP. Where your code usually lives.

22

SSH (and SCP / SFTP).

25 / 587 / 465

SMTP mail - 25 server-to-server, 587 submission with STARTTLS, 465 implicit TLS.

53

DNS (UDP for queries, TCP for large responses and zone transfers).

80

HTTP.

443

HTTPS (HTTP over TLS), and HTTP/3 over QUIC/UDP.

3306 / 5432

MySQL / PostgreSQL.

6379 / 27017

Redis / MongoDB.

• ·TLS runs on top of TCP, so 'HTTPS handshake' is really the TCP handshake followed by the TLS handshake - do not conflate them.
• ·HTTP/2 fixes application-layer head-of-line blocking but not TCP-layer; only HTTP/3 over QUIC fixes both.
• ·A CNAME cannot coexist with other records on the same name and cannot be used at the zone apex (the bare domain) - that is why DNS providers offer ALIAS / ANAME records.
• ·TIME_WAIT exhaustion on a busy client making many short-lived connections is a real production failure mode, not a trick question.
• ·401 is authentication, 403 is authorization - mixing these up is the single most common HTTP-status mistake.
• ·DNS uses UDP by default but falls back to TCP for responses larger than the UDP limit and for zone transfers.
• ·A 'reliable' protocol (TCP) does not mean secure - reliability is about delivery, encryption is TLS's job.