English
SOCKS5 Proxy Explained: Protocol Bytes, DNS Resolution Boundaries, and Leakage Risk
SOCKS5 operates at a crucial OSI Layer 5 boundary, intercepting application-layer routing requests before they trigger Layer 4 transport logic. During the initial phase, after authentication, the client sends a CONNECT request parameterized with a specific Address Type (ATYP). This seemingly minor byte structure dictates the DNS resolution boundary. Whether the client transmits a resolved IPv4/IPv6 address or a raw domain name drastically alters the network architecture, privacy profile, and diagnostic approach of the entire system. Understanding the low-level C memory structs and kernel networking behaviors involved is non-negotiable for engineers building robust proxy infrastructure.
1. Source Code Analysis: SOCKS5 Byte Structures in C/Rust
RFC 1928 strictly defines the binary protocol. In a high-performance C implementation or a Rust tokio state machine, the SOCKS5 request is mapped directly to a packed memory struct. Let's look at the memory layout:
#pragma pack(push, 1)
struct socks5_req {
uint8_t ver; // Protocol version: 0x05
uint8_t cmd; // Command: 0x01 (CONNECT), 0x02 (BIND), 0x03 (UDP ASSOCIATE)
uint8_t rsv; // Reserved: 0x00
uint8_t atyp; // Address Type: 0x01 (IPv4), 0x03 (Domain), 0x04 (IPv6)
// Variable length destination address and 2-byte port follow
};
#pragma pack(pop)
When atyp == 0x01, the payload consists of a fixed 4-byte IPv4 address. When atyp == 0x03, the first byte of the address payload is the uint8_t string length, followed by the un-null-terminated ASCII domain name. This design avoids string parsing overhead and allows zero-copy buffer framing.
2. Visualizing the DNS Resolution Boundary
The choice of ATYP fundamentally shifts the load of the Name Service Switch (NSS) and getaddrinfo() system calls from the client's OS to the proxy server's OS.
sequenceDiagram
participant Client OS (getaddrinfo)
participant Client App (SOCKS State Machine)
participant Local DNS (UDP 53)
participant Proxy Server
participant Upstream DNS
participant Target Server
rect rgb(255, 240, 240)
Note over Client OS (getaddrinfo),Target Server: Scenario A: ATYP=0x01 (IPv4) - Local DNS Leak
Client App (SOCKS State Machine)->>Client OS (getaddrinfo): resolve(example.com)
Client OS (getaddrinfo)->>Local DNS (UDP 53): DNS Query A Record
Local DNS (UDP 53)-->>Client OS (getaddrinfo): 93.184.216.34
Client App (SOCKS State Machine)->>Proxy Server: CONNECT [0x05 0x01 0x00 0x01 + IP + Port]
Proxy Server->>Target Server: TCP SYN to 93.184.216.34
end
rect rgb(240, 255, 240)
Note over Client OS (getaddrinfo),Target Server: Scenario B: ATYP=0x03 (Domain Name) - Secure Delegation
Client App (SOCKS State Machine)->>Proxy Server: CONNECT [0x05 0x01 0x00 0x03 + Length + example.com + Port]
Proxy Server->>Proxy Server: getaddrinfo(example.com)
Proxy Server->>Upstream DNS: Secure DNS Query (DoH/DoT)
Upstream DNS-->>Proxy Server: 93.184.216.34
Proxy Server->>Target Server: TCP SYN to 93.184.216.34
end
3. Post-Mortem: The Infamous DNS Leak
In production security environments, an incorrect ATYP configuration leads to severe privacy compromises known as "DNS Leaks." An engineer might deploy a system-wide proxy using iptables or tun2socks, assuming all traffic is encrypted. However, if the client application executes getaddrinfo() directly, it relies on the local /etc/resolv.conf infrastructure. The domain queries will traverse the local network in plaintext over UDP port 53 before the TCP proxy connection is even initiated, exposing the SNI/domain intent to local network sniffers and ISPs.
To architect a leak-proof boundary, modern networking stacks use a local transparent DNS forwarder that intercepts port 53 traffic, packages the requested domain, and tunnels it through the proxy using ATYP=0x03, ensuring the local OS routing table never sees the real destination IP.
4. Advanced Tooling: eBPF for DNS Interception
To programmatically guarantee that no DNS leaks occur, platform engineers utilize eBPF (XDP or tc hooks) to monitor outgoing UDP packets on port 53.
#include <uapi/linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/udp.h>
// eBPF XDP hook to drop and log unproxied DNS queries
SEC("xdp_dns_monitor")
int drop_unproxied_dns(struct xdp_md *ctx) {
void *data_end = (void *)(long)ctx->data_end;
void *data = (void *)(long)ctx->data;
struct ethhdr *eth = data;
if ((void *)(eth + 1) > data_end) return XDP_PASS;
if (eth->h_proto == bpf_htons(ETH_P_IP)) {
struct iphdr *ip = (void *)(eth + 1);
if ((void *)(ip + 1) > data_end) return XDP_PASS;
if (ip->protocol == IPPROTO_UDP) {
struct udphdr *udp = (void *)ip + (ip->ihl * 4);
if ((void *)(udp + 1) > data_end) return XDP_PASS;
// Intercept outgoing port 53
if (udp->dest == bpf_htons(53)) {
bpf_trace_printk("DNS Leak detected! Dropping packet.\n");
return XDP_DROP;
}
}
}
return XDP_PASS;
}
Loading this XDP program at the network interface ensures that any application failing to use ATYP=0x03 correctly will experience a DNS resolution failure, failing closed rather than failing open to a leak.
5. State Machine Implementations in Rust
Writing a proxy client in Rust using tokio requires careful handling of the async I/O state transitions. The state machine must transition from Handshake to Auth, then to Request, dynamically sizing the read buffer based on the ATYP byte. A malicious or misconfigured server might send a massive domain length in the response BND.ADDR. Robust Rust implementations strictly bound the buffer allocations using the protocol's 255-byte maximum domain length to prevent memory-exhaustion DDoS attacks.
FAQ
Does ATYP=0x03 make the client completely anonymous?
No. While it eliminates local DNS leaks, the proxy server retains full visibility of the plaintext domain name in the CONNECT payload. True anonymity requires onion routing (like Tor) or obfuscation layers, combined with Encrypted Client Hello (ECH) to prevent SNI leakage during the subsequent TLS handshake.
References
Chinese
SOCKS5 代理原理:协议字节、DNS 解析边界与泄漏风险
Open as a full pageSOCKS5 协议工作在 OSI 模型的第 5 层关键边界,在应用层路由请求触发 Layer 4 传输逻辑之前对其进行拦截处理。在认证完成后的初始阶段,客户端会发送一个参数化目标地址类型(ATYP)的 CONNECT 请求。这个看似不起眼的字节结构却死死卡住了 DNS 解析的边界。客户端传输的究竟是一个已经解析完毕的 IPv4/IPv6 地址,还是一个原始域名,将彻底改变整个系统的网络拓扑架构、隐私暴露面以及故障诊断路径。深刻理解底层的 C 语言内存结构和内核网络行为,是工程师构建坚不可摧的代理基础架构的必修课。
一、源码深度剖析:C/Rust 中的 SOCKS5 字节结构
RFC 1928 严谨地定义了该二进制协议。在高性能的 C 语言实现或是 Rust 的 tokio 异步状态机中,SOCKS5 请求被直接映射为内存中紧凑排列的结构体。让我们直视它的内存布局:
#pragma pack(push, 1)
struct socks5_req {
uint8_t ver; // 协议版本: 0x05
uint8_t cmd; // 指令: 0x01 (CONNECT), 0x02 (BIND), 0x03 (UDP ASSOCIATE)
uint8_t rsv; // 保留字段: 0x00
uint8_t atyp; // 地址类型: 0x01 (IPv4), 0x03 (域名), 0x04 (IPv6)
// 紧随其后的是变长的目标地址以及 2 字节的网络序端口号
};
#pragma pack(pop)
当 atyp == 0x01 时,载荷包含固定长度的 4 字节 IPv4 地址。当 atyp == 0x03 时,地址载荷的第一个字节是一个 uint8_t 的长度值,紧接着是没有 null 结尾符的 ASCII 域名字符串。这种硬核的底层设计完全规避了高层语言的字符串解析开销,并允许进行零拷贝(zero-copy)的缓冲区内存成帧处理。
二、图解 DNS 解析边界
ATYP 的选择将名称服务开关(NSS)和 getaddrinfo() 系统调用的负载从客户端的操作系统彻底转移到了代理服务器的操作系统上。
sequenceDiagram
participant Client OS (getaddrinfo)
participant Client App (SOCKS 状态机)
participant Local DNS (UDP 53)
participant Proxy Server as 远端代理服务器
participant Upstream DNS as 上游安全 DNS
participant Target Server as 目标服务器
rect rgb(255, 240, 240)
Note over Client OS (getaddrinfo),Target Server: 场景 A:ATYP=0x01 (IPv4) - 本地高危 DNS 泄漏
Client App (SOCKS 状态机)->>Client OS (getaddrinfo): resolve(example.com)
Client OS (getaddrinfo)->>Local DNS (UDP 53): 触发本地 DNS A 记录查询
Local DNS (UDP 53)-->>Client OS (getaddrinfo): 93.184.216.34
Client App (SOCKS 状态机)->>Proxy Server: CONNECT [0x05 0x01 0x00 0x01 + 裸 IP + 端口]
Proxy Server->>Target Server: 向 93.184.216.34 发起 TCP SYN
end
rect rgb(240, 255, 240)
Note over Client OS (getaddrinfo),Target Server: 场景 B:ATYP=0x03 (域名) - 协议层安全委托
Client App (SOCKS 状态机)->>Proxy Server: CONNECT [0x05 0x01 0x00 0x03 + 长度 + example.com + 端口]
Proxy Server->>Proxy Server: 代理服务端调用 getaddrinfo(example.com)
Proxy Server->>Upstream DNS: 加密 DNS 查询 (DoH/DoT)
Upstream DNS-->>Proxy Server: 93.184.216.34
Proxy Server->>Target Server: 向 93.184.216.34 发起 TCP SYN
end
三、故障复盘:臭名昭著的 DNS 泄漏
在生产级安全环境中,错误的 ATYP 配置会导致被称为“DNS 泄漏”(DNS Leaks)的严重隐私灾难。一名工程师可能使用 iptables 或 tun2socks 部署了全局系统代理,并自认为所有流量都已进入加密隧道。然而,如果客户端应用程序擅自直接执行了 getaddrinfo(),它就会走本地的 /etc/resolv.conf 基础设施。目标域名将会在代理 TCP 连接尚未建立之前,就通过 UDP 53 端口以明文形式在本地网络裸奔,使得 SNI/域名意图对本地网络的嗅探者和 ISP(网络运营商)一览无余。
为了在架构上根除泄漏,现代网络栈会部署一个本地透明 DNS 转发器,拦截所有 53 端口的 UDP 流量,将截获的域名打包,并强制使用 ATYP=0x03 通过 SOCKS5 隧道送出,从而确保本地操作系统的路由表永远接触不到真实的物理目标 IP。
四、高阶诊断工具:使用 eBPF 拦截 DNS
为了在内核编程级别保证绝对不发生 DNS 泄漏,平台级工程师会使用 eBPF(XDP 或 tc 挂载点)对出站的 UDP 53 端口数据包进行探火(monitoring)或阻断。
#include <uapi/linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/udp.h>
// eBPF XDP hook 用于丢弃并记录未经代理的裸奔 DNS 查询
SEC("xdp_dns_monitor")
int drop_unproxied_dns(struct xdp_md *ctx) {
void *data_end = (void *)(long)ctx->data_end;
void *data = (void *)(long)ctx->data;
struct ethhdr *eth = data;
if ((void *)(eth + 1) > data_end) return XDP_PASS;
if (eth->h_proto == bpf_htons(ETH_P_IP)) {
struct iphdr *ip = (void *)(eth + 1);
if ((void *)(ip + 1) > data_end) return XDP_PASS;
if (ip->protocol == IPPROTO_UDP) {
struct udphdr *udp = (void *)ip + (ip->ihl * 4);
if ((void *)(udp + 1) > data_end) return XDP_PASS;
// 暴力拦截出站的 53 端口流量
if (udp->dest == bpf_htons(53)) {
bpf_trace_printk("DNS 泄漏告警! 数据包已被强制丢弃。\n");
return XDP_DROP;
}
}
}
return XDP_PASS;
}
将此 XDP 程序加载到网卡接口上,可以确保任何未能正确调用 ATYP=0x03 的不合规应用都会立刻遭遇 DNS 解析瘫痪,从而实现“宁可阻断服务,绝不泄漏隐私”的 Fail-Closed 安全原则。
五、Rust 异步状态机的防御性编程
在 Rust 环境下使用 tokio 编写代理客户端时,处理异步 I/O 状态转换需要极为苛刻的内存纪律。状态机必须从 Handshake 推进到 Auth,再到 Request,并根据 ATYP 字节动态调整读缓冲区的大小。一个恶意或被攻陷的代理服务端可能会在响应的 BND.ADDR 字段中发送一个极其荒谬的巨大域名长度。健壮的 Rust 底层实现会利用协议定义的最大 255 字节域名长度限制,严格约束内存分配,以彻底阻断内存耗尽型(OOM)DDoS 攻击。
FAQ
使用了 ATYP=0x03 就绝对匿名了吗?
完全不是。虽然它封锁了本地 DNS 泄漏的口子,但是代理服务器本身在 CONNECT 载荷中依然能获得明文的域名。要实现真正的防追踪匿名,必须叠加洋葱路由(如 Tor)或混淆传输层,并配合 ECH(Encrypted Client Hello)来防止随后 TLS 握手中可能发生的 SNI 泄漏。
参考资料
SOCKS5 operates at a crucial OSI Layer 5 boundary, intercepting application-layer routing requests before they trigger Layer 4 transport logic. During the initial phase, after authentication, the client sends a CONNECT request parameterized with a specific Address Type (ATYP). This seemingly minor byte structure dictates the DNS resolution boundary. Whether the client transmits a resolved IPv4/IPv6 address or a raw domain name drastically alters the network architecture, privacy profile, and diagnostic approach of the entire system. Understanding the low-level C memory structs and kernel networking behaviors involved is non-negotiable for engineers building robust proxy infrastructure.
1. Source Code Analysis: SOCKS5 Byte Structures in C/Rust
RFC 1928 strictly defines the binary protocol. In a high-performance C implementation or a Rust tokio state machine, the SOCKS5 request is mapped directly to a packed memory struct. Let’s look at the memory layout:
#pragma pack(push, 1)
struct socks5_req {
uint8_t ver; // Protocol version: 0x05
uint8_t cmd; // Command: 0x01 (CONNECT), 0x02 (BIND), 0x03 (UDP ASSOCIATE)
uint8_t rsv; // Reserved: 0x00
uint8_t atyp; // Address Type: 0x01 (IPv4), 0x03 (Domain), 0x04 (IPv6)
// Variable length destination address and 2-byte port follow
};
#pragma pack(pop)
When atyp == 0x01, the payload consists of a fixed 4-byte IPv4 address. When atyp == 0x03, the first byte of the address payload is the uint8_t string length, followed by the un-null-terminated ASCII domain name. This design avoids string parsing overhead and allows zero-copy buffer framing.
2. Visualizing the DNS Resolution Boundary
The choice of ATYP fundamentally shifts the load of the Name Service Switch (NSS) and getaddrinfo() system calls from the client’s OS to the proxy server’s OS.
sequenceDiagram
participant Client OS (getaddrinfo)
participant Client App (SOCKS State Machine)
participant Local DNS (UDP 53)
participant Proxy Server
participant Upstream DNS
participant Target Server
rect rgb(255, 240, 240)
Note over Client OS (getaddrinfo),Target Server: Scenario A: ATYP=0x01 (IPv4) - Local DNS Leak
Client App (SOCKS State Machine)->>Client OS (getaddrinfo): resolve(example.com)
Client OS (getaddrinfo)->>Local DNS (UDP 53): DNS Query A Record
Local DNS (UDP 53)-->>Client OS (getaddrinfo): 93.184.216.34
Client App (SOCKS State Machine)->>Proxy Server: CONNECT [0x05 0x01 0x00 0x01 + IP + Port]
Proxy Server->>Target Server: TCP SYN to 93.184.216.34
end
rect rgb(240, 255, 240)
Note over Client OS (getaddrinfo),Target Server: Scenario B: ATYP=0x03 (Domain Name) - Secure Delegation
Client App (SOCKS State Machine)->>Proxy Server: CONNECT [0x05 0x01 0x00 0x03 + Length + example.com + Port]
Proxy Server->>Proxy Server: getaddrinfo(example.com)
Proxy Server->>Upstream DNS: Secure DNS Query (DoH/DoT)
Upstream DNS-->>Proxy Server: 93.184.216.34
Proxy Server->>Target Server: TCP SYN to 93.184.216.34
end
3. Post-Mortem: The Infamous DNS Leak
In production security environments, an incorrect ATYP configuration leads to severe privacy compromises known as “DNS Leaks.” An engineer might deploy a system-wide proxy using iptables or tun2socks, assuming all traffic is encrypted. However, if the client application executes getaddrinfo() directly, it relies on the local /etc/resolv.conf infrastructure. The domain queries will traverse the local network in plaintext over UDP port 53 before the TCP proxy connection is even initiated, exposing the SNI/domain intent to local network sniffers and ISPs.
To architect a leak-proof boundary, modern networking stacks use a local transparent DNS forwarder that intercepts port 53 traffic, packages the requested domain, and tunnels it through the proxy using ATYP=0x03, ensuring the local OS routing table never sees the real destination IP.
4. Advanced Tooling: eBPF for DNS Interception
To programmatically guarantee that no DNS leaks occur, platform engineers utilize eBPF (XDP or tc hooks) to monitor outgoing UDP packets on port 53.
#include <uapi/linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/udp.h>
// eBPF XDP hook to drop and log unproxied DNS queries
SEC("xdp_dns_monitor")
int drop_unproxied_dns(struct xdp_md *ctx) {
void *data_end = (void *)(long)ctx->data_end;
void *data = (void *)(long)ctx->data;
struct ethhdr *eth = data;
if ((void *)(eth + 1) > data_end) return XDP_PASS;
if (eth->h_proto == bpf_htons(ETH_P_IP)) {
struct iphdr *ip = (void *)(eth + 1);
if ((void *)(ip + 1) > data_end) return XDP_PASS;
if (ip->protocol == IPPROTO_UDP) {
struct udphdr *udp = (void *)ip + (ip->ihl * 4);
if ((void *)(udp + 1) > data_end) return XDP_PASS;
// Intercept outgoing port 53
if (udp->dest == bpf_htons(53)) {
bpf_trace_printk("DNS Leak detected! Dropping packet.\n");
return XDP_DROP;
}
}
}
return XDP_PASS;
}
Loading this XDP program at the network interface ensures that any application failing to use ATYP=0x03 correctly will experience a DNS resolution failure, failing closed rather than failing open to a leak.
5. State Machine Implementations in Rust
Writing a proxy client in Rust using tokio requires careful handling of the async I/O state transitions. The state machine must transition from Handshake to Auth, then to Request, dynamically sizing the read buffer based on the ATYP byte. A malicious or misconfigured server might send a massive domain length in the response BND.ADDR. Robust Rust implementations strictly bound the buffer allocations using the protocol’s 255-byte maximum domain length to prevent memory-exhaustion DDoS attacks.
FAQ
Does ATYP=0x03 make the client completely anonymous?
No. While it eliminates local DNS leaks, the proxy server retains full visibility of the plaintext domain name in the CONNECT payload. True anonymity requires onion routing (like Tor) or obfuscation layers, combined with Encrypted Client Hello (ECH) to prevent SNI leakage during the subsequent TLS handshake.
References
Search questions
FAQ
Who is this article for?
This article is for readers who want a professional-level guide to SOCKS5 Proxy Explained: Protocol Bytes, DNS Resolution Boundaries, and Leakage Risk. It takes about 13 min and focuses on SOCKS5, DNS, Protocol Bytes, Python.
What should I read next?
The recommended next step is Reverse Proxy Load Balancing: Queues, Health Checks, and a Reproducible Scheduler, so the article connects into a longer learning route instead of ending as an isolated note.
Does this article include runnable code or companion resources?
Yes. Use the run notes, resource cards, and download links on the page to reproduce the example or inspect the companion files.
How does this article fit into the larger site?
It is connected to the article context block, learning routes, resources, and project timeline so readers can move from concept to implementation.
Article context
Network Fundamentals
A reproducible route through DNS, TCP, TLS, HTTP/3, proxy tunnels, load balancing, and shared caches with code and figures.
Your next step
Continue: Reverse Proxy Load Balancing: Queues, Health Checks, and a Reproducible SchedulerDecode safe SOCKS5 CONNECT bytes and compare local-DNS and proxy-side hostname resolution boundaries.
Download share card Open share center
Companion resources
Network Fundamentals / GUIDE
Network Fundamentals Lab README
Setup, no-privilege safety boundary, ten Python experiments, and three C examples.
Network Fundamentals / DATASET
SOCKS5 DNS boundary CSV
Stores ATYP, destination bytes, request length, and modeled local DNS counts.
Network Fundamentals / ARCHIVE
Network fundamentals full lab bundle
Bundles Python/C source, fixed scenarios, ten result CSVs, and protocol/proxy figures.
Project timeline
Published posts
- DNS Resolution Explained: Build a TTL Cache and Packet Parser in Python A runnable DNS guide covering resolution paths, response headers, TTL cache latency, and deterministic Python/C experiments.
- CIDR, Longest Prefix Match, and MTU: Calculate IP Routing Step by Step Calculate CIDR ranges, longest-prefix route choice, and MTU/MSS payload segmentation with runnable Python and C examples.
- TCP Reliability and Congestion Window: A Runnable Sequence Number Experiment Track TCP sequence numbers, cumulative ACKs, loss, retransmission, and congestion-window changes with safe local experiments.
- HTTPS and TLS 1.3 Handshake: Keys, Certificates, and RTT in Practice Understand TLS 1.3 message flights, certificate authentication, ephemeral key agreement, and handshake latency with a safe teaching model.
- HTTP/2, HTTP/3, and CDN Caching: Read Page Speed from a Waterfall A deterministic browser-waterfall model for HTTP/2, HTTP/3, QUIC streams, and CDN cache hits or misses.
- Forward Proxy vs Reverse Proxy: Connection Paths, Trust Boundaries, and Latency A reproducible guide to forward proxies, reverse proxies, tunnels, TLS boundaries, and latency segments.
- HTTP CONNECT and HTTPS Proxy Tunnels: TLS Boundaries and Handshake Latency An RFC-based explanation of CONNECT tunnels, encrypted HTTPS payloads, and modeled first-request latency.
- SOCKS5 Proxy Explained: Protocol Bytes, DNS Resolution Boundaries, and Leakage Risk Decode safe SOCKS5 CONNECT bytes and compare local-DNS and proxy-side hostname resolution boundaries.
- Reverse Proxy Load Balancing: Queues, Health Checks, and a Reproducible Scheduler Compare round robin and load-aware queue selection while reasoning about health checks and retry boundaries.
- Proxy Cache Revalidation: Cache-Control, ETag, and Observable Correctness Use an RFC 9111 shared-cache model to calculate MISS, HIT, and 304 revalidation latency and correctness boundaries.
Published resources
- Network Fundamentals Lab README Setup, no-privilege safety boundary, ten Python experiments, and three C examples.
- Network fundamentals full lab bundle Bundles Python/C source, fixed scenarios, ten result CSVs, and protocol/proxy figures.
- DNS TTL results CSV HIT/MISS state, expiry, and latency for four fixed lookups.
- CIDR and MTU results CSV Longest-prefix route and 3600-byte payload segmentation results.
- TCP cwnd events CSV Per-round ACK, window, and deterministic retransmission events.
- TLS 1.3 flight results CSV Message direction, timing, and teaching shared value in a fixed RTT model.
- HTTP/CDN waterfall results CSV Phase timing for HTTP/2 and HTTP/3 in cold and warm cache models.
- Proxy path latency results CSV Phase timing for direct access, forward-proxy tunneling, and reverse-proxy cache paths.
- CONNECT/TLS timeline CSV Records CONNECT authority, tunnel establishment, and the encrypted HTTPS-request boundary.
- SOCKS5 DNS boundary CSV Stores ATYP, destination bytes, request length, and modeled local DNS counts.
- Proxy load-balancing queue CSV Compares backend selection and queue waiting for round robin and least queue.
- Proxy cache revalidation CSV Records MISS, HIT, 304 revalidation, object age, and response latency.
- Network request path visualizer Adjust TTL, prefixes, loss, handshake RTT, and cache paths in the browser.
- Network fundamentals topic share card A 1200x630 SVG card for the DNS, TLS, HTTP/3, proxy tunnel, and caching topic hub.
Next notes
- Add IPv6 and QUIC observation notes
- Review caching and protocol benefits with real-user metrics