What Happens When You Type a URL in Your Browser?

You type a URL, hit Enter, and a webpage loads instantly.
But behind that simple action lies a complex chain of events involving DNS, networking, routing, and security mechanisms.

This article explains about how exactly the request sent from your computer in your LAN reaches the server and how the response is visible on your screen.

1. User enters the URL in the browser.
2. Browser checks it's own cache for the IP address.
3. If not found, the OS DNS cache is checked.
4. If still not found, the DNS query is sent to a recursive DNS resolver.
5. The DNS resolver then checks its cache.
6. If not found, the DNS resolution process begins.

In the DNS resolution process :-

1. The DNS query reaches the DNS resolver and it checks its cache.
2. If not found, it queries the Root DNS server.
3. The Root DNS server points to the Top Level Domain(TLD) DNS server.
4. The TLD DNS server then points out to the Authoritative server, where the IP address of the domain is found.
5. The resolver caches the IP address and sends it back to the system.

• The system now has the destination IP address.
• It checks the routing table and decides to send the packet via the default gateway(router).

1. System needs the MAC address of the router (next hop).
2. It checks ARP cache.
3. If not found, it sends ARP broadcast.
4. Router replies with its MAC address.
5. System creates the packet :-

• Source IP = private IP
• Destination IP = server IP
• Destination MAC = router MAC

The packet is sent to the router.

1. Router receives the packet.
2. Router performs NAT (private IP to public IP).
3. Router performs PAT and then assigns a unique port.
4. Entry is stored in NAT/PAT table.
5. The packet travels through internet via multiple routers.
6. It Reaches the destination server.
7. Server processes the request and sends response back to public IP + port.
8. Router receives the response.
9. Router checks NAT/PAT table.
10. The router maps the public IP + port to the correct private IP + port.
11. Router checks ARP cache for internal device MAC.
12. If not found it then performs ARP.
13. Router sends the packet to the correct device.
14. Device receives the response.
15. Browser processes and then finally renders the webpage.

Although this entire flow happens within milliseconds, it exposes multiple points where attackers can intercept, manipulate, or redirect traffic.

Potential Attacks :-

1. DNS Spoofing

Attacker returns a fake IP instead of the real one.
During DNS resolution, the user thinks they are visiting real site. Actually redirected to malicious server.

2. ARP Poisoning

Attacker sends fake ARP responses to become “router” during the ARP resolution in local network. The traffic gets intercepted
attacker becomes man-in-the-middle.

3. Man-in-the-Middle (MITM)

Attacker intercepts communication between client and server. During the data transmission the data can be read or modified.

4. Port Scanning

Attacker scans open ports before attacking before connection. The
attacker finds services like Port 22 (SSH), Port 80 (HTTP), Port 443 (HTTPS).

This process is not just about how systems communicate, but where they can fail. Each step in the flow represents a potential attack surface, making it critical to understand, monitor, and defend these points effectively.

Comments

[Bhavin Sheth]

Super clean breakdown 👍 — once you actually trace DNS → ARP → NAT like this, you realize most “it just works” moments are full of attack surfaces. Learned this the hard way debugging a weird DNS cache issue 😅