Module 5 of 21 · Foundations

MAC addresses, IP addresses, ports, and domain names

16 min read 3 outcomes Diagram + port explorer + quiz

By the end of this module you will be able to:

  • Explain what DNS hostnames, IP addresses, MAC addresses, and port numbers each identify
  • Describe where each identifier operates and how they work together in a single request
  • Explain how ARP and IPv6 Neighbor Discovery bridge network-layer addresses to link-layer delivery on the local segment

Real-world incident · October 21, 2016

100,000 hacked cameras took down Twitter, Reddit, Netflix, and Amazon.

In October 2016, a botnet called Mirai infected roughly 100,000 IoT devices (security cameras, baby monitors, home routers) using default passwords. The botnet launched a massive DDoS attack against Dyn, a company that provided DNS services for Twitter, Reddit, Netflix, Amazon, PayPal, Spotify, and thousands more.

The web servers for all those sites were still running. Their IP addresses were still reachable. But users could not get past the first step of any request: resolving the hostname. When Dyn's DNS servers went down, browsers could not translate "twitter.com" into an IP address. No IP address means no TCP connection. No TCP connection means no website.

The attack exposed DNS as a critical single point of failure. It also demonstrated why understanding the four network identifiers matters: the target was not the websites themselves but the naming system that makes them reachable.

All these websites used different servers in different locations. How did one attack take them all down at the same time?

Identifiers answer different scope questions

A URL, domain name, DNS answer, IP address, MAC address, port, and socket do not identify the same thing.

Identifiers answer different scope questions Six progressively-indented rows show the scope of each common network identifier, broadest at the top. Row 1 URL (user intent) carries the example https://api.example.com/orders?id=42. Row 2 Domain name (human-readable namespace). Row 3 IP address (routed reachability, emphasised) with the example 203.0.113.42. Row 4 MAC address (local link delivery). Row 5 Port (service on the host). Row 6 Socket (specific conversation tuple). The indentation makes the narrowing scope visible: every row is contained inside the row above it. IDENTIFIER SCOPES, BROADEST AT THE TOP SCOPE 1 · RFC 3986 URL USER INTENT https://api.example.com/orders?id=42 SCOPE 2 · RFC 1034 / 1035 Domain name HUMAN-READABLE NAMESPACE api.example.com → resolver looks up SCOPE 3 · RFC 791 / RFC 8200 IP address ROUTED REACHABILITY 203.0.113.42 (IPv4) or 2001:db8::1 SCOPE 4 · IEEE 802 MAC address LOCAL LINK DELIVERY aa:bb:cc:dd:ee:ff on the LAN segment SCOPE 5 · RFC 9293 §3.1 Port SERVICE ON THE HOST TCP/443 = HTTPS server process SCOPE 6 · RFC 9293 §3.4 Socket SPECIFIC CONVERSATION (src IP, src port, dst IP, dst port) built by ransfordsnotes.com

An identifier is only useful at its scope. Do not ask one identifier to answer a question from another scope.

Some identifiers stay end to end; others change at every hop

Link identifiers are local. IP and transport identifiers are usually end to end unless a middle function changes them.

Some identifiers stay end-to-end; others change at every hop Four columns walk the same packet through Client, Local switch, Router with NAT, and Server. Each column shows the MAC, IP, and port values present at that hop, with a small REWRITTEN or UNCHANGED tag next to each. MAC addresses are REWRITTEN at every hop. IPs are unchanged through the switch but REWRITTEN by the NAT router. Ports are unchanged through the switch but REWRITTEN by NAT and then by the server-side socket. The Source row at the bottom of each card cites the authoritative document for that hop's transformation. HOP 1 Client MAC AA:01 UNCHANGED IP 10.0.0.5 UNCHANGED PORT 53144 UNCHANGED SOURCE RFC 791 HOP 2 Local switch MAC BB:02 REWRITTEN IP 10.0.0.5 UNCHANGED PORT 53144 UNCHANGED SOURCE IEEE 802 HOP 3 Router (NAT) MAC CC:03 REWRITTEN IP 198.51.100.7 REWRITTEN PORT 62000 REWRITTEN SOURCE RFC 3022 HOP 4 Server MAC DD:04 REWRITTEN IP 203.0.113.40 REWRITTEN PORT 443 REWRITTEN SOURCE RFC 791 built by ransfordsnotes.com

MAC addresses change at every link. IP addresses survive end-to-end unless a NAT rewrites them. Ports survive unless port-translation is in play.

5.1 Four identifiers, four jobs

Every network request uses four types of identifier. Each one operates at a different layer and has a different scope. Confusing them leads to troubleshooting in the wrong place.

DNS hostname (Layer 7).A human-readable name like "www.example.com". Its job is to give people something memorable instead of a number. DNS translates it into an IP address before anything else can happen. Scope: global. Changes when: the domain owner updates the DNS record.

IP address (Layer 3). A numeric address like 93.184.216.34 (IPv4) or 2606:2800:21f:cb07::1 (IPv6). Its job is end-to-end routing: getting the packet from your machine to the destination, across however many routers sit in between. Scope: end-to-end (stays the same through every router). Changes when: the device moves to a different network or the DHCP lease renews.

MAC address (Layer 2). A 48-bit link-layer address like DC:A6:32:12:34:56. The first three bytes often identify the organisation that registered the address block, but modern clients can use locally administered randomised addresses for privacy. Its job is local delivery: getting the frame from one device to the next device on the same network segment. Scope: local segment only. Changes at: every router hop (as you learned in Module 2).

Port number (Layer 4). A 16-bit number from 0 to 65,535. Its job is multiplexing: allowing one device to run many services at the same IP address. Your laptop might have connections to port 443 (HTTPS), port 22 (SSH), and port 53 (DNS) all running simultaneously. Scope: per-host.

The diagram below shows where each identifier lives in the request path. Notice that DNS resolves first (hostname to IP), then ARP for IPv4 or Neighbor Discovery for IPv6 resolves the next-hop link address on the local segment, then TCP connects (IP:port pair creates a socket).

Of the four identifiers, DNS is the first to act in any request. Understanding exactly how it resolves a name sets up everything that follows.

5.2 How DNS resolution works

When you type "www.example.com" in a browser, your operating system needs to find the IP address. Here is the sequence:

1. The OS checks its local DNS cache. If a recent query already resolved this name, the cached answer is used immediately.
2. If the cache is empty, the OS sends a recursive queryto a configured DNS resolver (your ISP's resolver, Google's 8.8.8.8, or Cloudflare's 1.1.1.1).
3. The resolver performs iterative queriesacross the DNS hierarchy. It asks a root server, which points to the .com TLD servers. Then it asks the .com servers, which point to example.com's authoritative nameservers. Then it asks those nameservers for the actual IP address.
4. The authoritative server returns the A record (IPv4 address) or AAAA record (IPv6 address).
5. The resolver caches the answer (respecting the TTL, Time to Live, set by the domain owner) and returns it to your OS.
6. Your browser connects to the returned IP address.

The key distinction: your OS makes a recursive query (asking the resolver to do all the work). The resolver then makes iterative queries (following referrals step by step through the hierarchy).

Common misconception

DNS is just a phone book that maps names to IP addresses.

DNS also handles email routing (MX records), load balancing (round-robin, geo-aware responses), CDN routing (directing users to the nearest edge server), security policy (SPF, DKIM, DMARC records in TXT), service discovery (SRV records), and domain ownership verification. It is one of the most heavily used protocols on the internet.

DNS returns an IP address, so it is worth being precise about what that address actually represents and why not all of them are reachable.

5.3 IP addresses: public, private, and running out

IPv4 uses 32-bit addresses (4.3 billion possible). IPv6 uses 128-bit addresses (3.4 x 10^38 possible, or roughly 340 undecillion).

Private address ranges (RFC 1918) are reserved for internal networks and are not routable on the public internet. If you have ever seen 192.168.1.x on your home router, that is RFC 1918 at work. The three ranges are:

10.0.0.0/8 (16.7 million addresses), 172.16.0.0/12 (1 million addresses), and 192.168.0.0/16 (65,536 addresses).

IANA's central pool of IPv4 addresses ran out on February 3, 2011. Regional registries exhausted their allocations between 2011 and 2015. Today, NAT (Network Address Translation) lets many devices share one public IP by rewriting addresses at the network edge. NAT solved the address shortage but broke the internet's original end-to-end design. Peer-to-peer applications, VoIP, and online gaming now need complex NAT traversal workarounds (STUN, TURN, ICE protocols).

Common misconception

IP addresses identify devices.

IP addresses identify network interfaces. A laptop connected to both Wi-Fi and Ethernet has two different IP addresses. A router has a different IP on each of its interfaces. A phone switching from Wi-Fi to cellular gets a completely different IP. If you need to identify a device regardless of which network it is on, you need something else (a certificate, a user account, or device management).

The IP address gets the packet to the right network. MAC addresses then handle the final hop on the local segment, and ARP is the bridge between the two.

5.4 MAC addresses, ARP, and IPv6 Neighbor Discovery

MAC addresses are 48-bit identifiers assigned to network interface cards. They look like DC:A6:32:12:34:56, where the first three bytes (DC:A6:32) are the OUI (Organizationally Unique Identifier), assigned by the IEEE to identify the manufacturer.

When your laptop sends a packet to a server on a different network, it already knows the server's IP address (from DNS). But to send the Ethernet frame to the local router, it needs the router's MAC address. That is where ARP comes in.

ARP (Address Resolution Protocol, RFC 826)works like this: your laptop broadcasts an ARP request to every device on the local segment saying "Who has IP 192.168.1.1? Tell me your MAC address." The broadcast uses the special MAC address FF:FF:FF:FF:FF:FF, which every device on the segment receives. Only the router (which owns that IP) replies, sending its MAC address back as a unicast frame directly to your laptop. Your laptop caches this mapping and uses it for subsequent frames.

IPv6 does not use ARP. It uses Neighbor Discovery, defined in RFC 4861, carried in ICMPv6 messages. Neighbor Discovery lets nodes find routers, resolve IPv6 addresses to link-layer addresses, detect duplicate addresses, and test whether a neighbour is still reachable. The purpose is similar to ARP for local delivery, but the protocol is different and also carries router-advertisement behaviour.

Common misconception

MAC addresses are permanent and cannot be changed.

MAC addresses can be changed in software on most operating systems. Apple documents private Wi-Fi addresses that identify each network with a different Wi-Fi address, and Android documents MAC randomisation as enabled by default in Android 10 for client mode. MAC-based access control such as Wi-Fi MAC filtering is weak because attackers can observe a legitimate MAC and clone it. Use 802.1X with certificates for real network access control.

With routing and local delivery handled, the final identifier tells the destination host which process should receive the data.

5.5 Port numbers and sockets

Port numbers let one device run multiple services on the same IP address. RFC 6335 divides the 65,536 possible ports into three ranges:

System ports (0-1,023): assigned by IANA for well-known services. SSH is 22, DNS is 53, HTTP is 80, HTTPS is 443. On most operating systems, binding to these ports requires elevated privileges.

Registered ports (1,024-49,151): assigned by IANA on request for specific applications. MySQL is 3306, PostgreSQL is 5432, RDP is 3389.

Ephemeral ports (49,152-65,535): used by the operating system for outbound connections. When your browser connects to a web server on port 443, your OS picks a random ephemeral port (like 52,847) as the source port. Each connection gets a different ephemeral port.

A socket is the combination of an IP address and a port number (e.g., 93.184.216.34:443). A TCP connection is uniquely identified by a 4-tuple: source IP, source port, destination IP, destination port. That is how your browser can have dozens of connections to the same server: each uses a different source port, creating a unique 4-tuple.

Try the port and protocol explorer below to look up common services and their port numbers.

Each identifier now has a clear job. The next step is watching all four operate together in a single request from first keystroke to response.

5.6 How all four identifiers work together

When you type https://www.example.com in a browser, all four identifiers come into play in sequence:

1. DNS hostname resolves to IP address. The browser asks DNS for the A record of www.example.com. DNS returns 93.184.216.34.

2. IP determines the next hop. Local resolution finds the link address.The OS sees that 93.184.216.34 is not on the local subnet. Traffic must go through the default gateway (for example, 192.168.1.1). For IPv4, the OS checks its ARP cache for the gateway's MAC. If missing, it sends an ARP broadcast. For IPv6, Neighbor Discovery performs the equivalent local link resolution using ICMPv6.

3. TCP connects using IP:port. The OS opens a TCP connection to 93.184.216.34:443. It picks ephemeral source port 52,847. The 4-tuple (192.168.1.50:52847, 93.184.216.34:443) uniquely identifies this connection.

4. TLS may use the hostname again.In many TLS deployments, the browser sends the hostname "www.example.com" in the SNI (Server Name Indication) extension so the server can pick the correct certificate. Encrypted Client Hello, standardised in RFC 9849, can hide the real client hello and SNI where it is deployed.

5. HTTP sends the request. The browser sendsGET / HTTP/1.1 with Host: www.example.com. The server returns the page.

Four identifiers, four layers, one request. DNS gives you the IP. ARP gives you the MAC or IPv6 link-layer neighbour. Ports give you the process. The hostname often comes back around in TLS for certificate selection, with ECH changing what passive observers can see.

5.7 Check your understanding

A packet crosses three routers on its way to a web server. Which identifier changes at every hop?

During the Dyn DDoS attack in 2016, websites like Twitter and Netflix became unreachable. Their web servers were still running. What was actually targeted?

Your laptop has the IP address 192.168.1.50 on Wi-Fi and 10.0.0.12 on Ethernet. How many IP addresses does your laptop have?

Why do modern phones randomize their MAC address when connecting to Wi-Fi?

Core distinctions

  • Four identifiers, four layers: DNS hostname (L7, global), IP address (L3, end-to-end), MAC address (L2, local segment), port number (L4, per-host).
  • DNS resolves hostnames to IPs. ARP resolves IPv4 next hops to MACs on the local segment; IPv6 uses Neighbor Discovery. Ports multiplex multiple services on one IP.
  • IP addresses identify interfaces, not devices. MAC addresses can be spoofed. DNS does far more than name resolution. Port 80 is convention, not law.
  • Attacking DNS (like the 2016 Dyn DDoS) can take down thousands of sites at once because it is the first step in every request.

Standards and sources cited in this module

  1. RFC 1034/1035, Domain Names: Concepts and Implementation

    DNS hierarchy, query types, record formats

    Defines DNS architecture and resolution process. Referenced in Section 5.2.

  2. RFC 9499, DNS Terminology (BCP 219)

    Published March 2024

    Current authoritative glossary for DNS terms. Referenced for accuracy.

  3. RFC 1918, Address Allocation for Private Internets

    Section 3, Private Address Space

    Defines the three private IP ranges (10/8, 172.16/12, 192.168/16). Referenced in Section 5.3.

  4. RFC 826, An Ethernet Address Resolution Protocol

    Full specification

    Defines ARP. Referenced in Section 5.4.

  5. RFC 4861, Neighbor Discovery for IP version 6

    Section 3, Protocol Overview

    Defines IPv6 Neighbor Discovery, including address resolution, router discovery, and neighbour reachability. Referenced in Section 5.4.

  6. RFC 6335, Internet Assigned Numbers Authority (IANA) Procedures for Port Numbers

    Section 6, Port Number Ranges

    Defines system, registered, and ephemeral port ranges. Referenced in Section 5.5.

  7. Dyn analysis summary of the 21 October 2016 attack

    Dyn incident analysis

    Real-world demonstration of DNS as a single point of failure. Used as the opening case study.

  8. Apple Support, Use private Wi-Fi addresses on Apple devices

    Privacy behaviour for Wi-Fi addresses

    Documents current Apple behaviour for per-network private Wi-Fi addresses. Referenced in Section 5.4.

  9. Android Open Source Project, Implement MAC randomization

    MAC randomization behaviour

    Documents Android MAC randomisation behaviour and default enablement. Referenced in Section 5.4.

  10. RFC 9849, TLS Encrypted Client Hello

    Abstract and protocol overview

    Defines ECH, which changes the assumption that passive capture can always see the real SNI value. Referenced in Section 5.6.

  11. CompTIA Network+ N10-009 Exam Objectives

    Domain 1.0 (Objectives 1.1, 1.4, 1.5) and Domain 4.0 (Security)

    Tests DNS, IP, MAC, port knowledge, plus security implications of each identifier.

Identifiers give devices their names and addresses. Module 6 explains how subnetting divides those addresses into local and remote, and why getting the mask wrong can silently break everything.

Module 5 of 21 in Foundations