What happens when someone types google.com into a web browser? Pt 1. DNS & ARP

I realized that I’ve been asked the question ‘What happens when you type <insert website> into a browser?‘ in a lot of interviews, and I’m not sure I’ve ever answered well. I always fumble my way through it and realize I’m thoroughly missing steps. I’m going to try and answer this from the perspective of interviewing for a Network Engineer/Admin position, so more networking focused than anything else. I’m also going to operate under the assumption this is IPv4 and there are no local caches, MAC table entries, etc. Surely I’ll miss some steps, these can probably be some ongoing write ups that get updated over time.

When someone enters google.com into a web browser the first thing from a networking perspective (besides OSI Layer 1) that needs to happen is IP address resolution. The computer needs to know what IP address the website has and this is found through a DNS query. The computer’s network stack will have a DNS client configuration that points to a known DNS server. Lets say for this example the computer has the server 8.8.8.8 configured for DNS. In this case, the computer will attempt to send a DNS query to the DNS server at IP address 8.8.8.8 over UDP port 53. The layer 4 protocol and port number are not a guarantee but currently more often than not UDP 53 is what will be used.

On both residential and enterprise networks we typically see RFC 1918 address space – ie. internal, non public space. In this example lets assume the PC has the internal IP address of 10.30.1.50/24. When the computer needs to reach an IP address that is not on its local subnet (10.30.1.0/24), it will send its traffic to whatever IP is assigned to its NIC’s Default Gateway (10.30.1.1). Because the IP address 8.8.8.8 does not fall into the IP range of the local subnet, the computer will try and send its DNS query to its default gateway at 10.30.1.1.

Moving from IP (layer 3) to Ethernet (layer 2), for a computer to forward datagrams and frames over an ethernet network it needs to know destination MAC addresses. In this scenario the PC needs to forward its DNS query to the router/layer 3 device that has the assigned IP 10.30.1.1. To find this MAC address the computer will send out what’s called an Address Resolution Protocol (ARP) request. The ARP request is a layer 2 broadcast that gets forwarded to every device in the layer 2 broadcast domain, such as a VLAN. The layer 2 ARP broadcast (ff:ff:ff:ff:ff:ff) is essentially asking every device ‘who has the IP address 10.30.1.1?’, and the only device that responds to the request is our router that allows access out to the public internet.

Once the router/default gateway responds to the ARP request the computer is then able to send out a DNS query to the public internet which routes the query to the nearest point of presence for 8.8.8.8. Public DNS servers like 8.8.8.8 or ISP provided DNS servers are typically called Recursive DNS Servers. If the Recursive DNS server knows what the public IP address is for ‘Google.com’ then it immediately responds back to the computer with the answer. If the recursive DNS server does not know then it will send a request to one of the Internet’s 13 Root Nameservers. The root nameserver will respond to the request with one of the Top Level Domain (TLD) Nameservers, depending on the end of the domain name – ie. .com, .net, etc. The TLD nameservers will then respond to the recursive server with the final Authoritative Nameserver that knows what IP address maps to the domain Google.com. The Authoritative Nameservers are DNS hosting providers such as GoDaddy. Once the recursive DNS server receives the IP address it then caches the information so that the DNS query process from the client is answered right away the next time.

Now that the computer has successfully received an answer for the DNS query, it now can start the process of requesting data from the server hosting Google.com.