Every time you load a page, a request travels through a dozen layers of infrastructure — from your keyboard to a data center and back, in under 100ms. This is a bottom-up map of how it works, from raw bits on a wire all the way up through DNS, TLS, and HTTP.
7 layers. Each passes data to the one above or below.
| Layer | Name | What it does | Examples |
|---|---|---|---|
| 7 | Application | User-facing app interface | HTTP, DNS, FTP, SMTP |
| 6 | Presentation | Encoding, encryption, compression | TLS, JPEG, ASCII |
| 5 | Session | Opens/manages sessions between hosts | NetBIOS, RPC |
| 4 | Transport | End-to-end delivery, ports, reliability | TCP, UDP |
| 3 | Network | Logical addressing and routing | IP, ICMP, ARP |
| 2 | Data Link | Physical addressing on local network | Ethernet, MAC addresses |
| 1 | Physical | Raw bits over a medium | Cables, radio waves, fiber |
Layers 3, 4, and 7 matter most. Layer-4 firewalls filter on ports. Layer-7 WAFs inspect HTTP content.
| TCP/IP Layer | OSI Layers |
|---|---|
| Application | 5, 6, 7 |
| Transport | 4 |
| Internet | 3 |
| Network Access | 1, 2 |
Data going down the stack gets encapsulated — each layer wraps it with a header. Going back up, each layer strips its header off.
TCP — connection-oriented. Three-way handshake before data flows: 1. SYN — client initiates 2. SYN-ACK — server acknowledges 3. ACK — client confirms, connection established
Guarantees delivery, ordering, and error checking. Lost packets retransmit. Used by HTTP, SSH, FTP, SMTP.
UDP — connectionless. No handshake, no delivery guarantee, no ordering. Fast. Used by DNS, DHCP, streaming, VoIP, gaming.
TCP doesn't assume the network is reliable. The sender maintains a congestion window — a limit on unacknowledged bytes in flight.
Modern Linux uses CUBIC; older systems use New Reno.
IPv4: 32-bit addresses in dotted decimal (192.168.1.10). Two parts:
- Network portion — which network
- Host portion — which device on that network
The subnet mask defines the boundary.
/24 (255.255.255.0) = 24 bits for network, 8 bits for hosts.
| CIDR | Subnet Mask | Usable Hosts |
|---|---|---|
| /24 | 255.255.255.0 | 254 |
| /25 | 255.255.255.128 | 126 |
| /26 | 255.255.255.192 | 62 |
| /30 | 255.255.255.252 | 2 |
Each subnet reserves the network address (all host bits 0) and broadcast address (all host bits 1).
Private ranges (not routable on the public internet):
| Range | CIDR |
|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 |
Network Address Translation lets multiple devices share one public IP. The router maintains a translation table mapping internal ip:port pairs to the external address. Outbound traffic gets the public IP; responses get translated back.
Automatically assigns IP addresses to devices. Uses UDP ports 67 (server) and 68 (client).
DORA process: 1. Discover — client broadcasts looking for a server 2. Offer — server offers an IP lease 3. Request — client requests the offered IP 4. Acknowledge — server confirms the lease
Resolves an IP address to a MAC address on the local network.
Device wants to reach 192.168.1.5 → broadcasts asking who owns that IP → owner responds with its MAC → pairing gets cached in the ARP table.
arp -a
No authentication — any device can claim any IP. This enables ARP spoofing, where an attacker poisons nearby ARP caches to intercept traffic.
Handles error reporting and diagnostics at the network layer. Not used for data transfer.
ping — ICMP Echo Requests, measures reachability and RTTtraceroute — increments TTL to map each hop to a destinationOften rate-limited or blocked at firewalls.
DNS (Domain Name System) maps human-readable domain names to IP addresses. It's a hierarchical, distributed database. No single server holds all the answers.
.com (130M+ domains).When you register example.com: registrar → notifies Verisign → Verisign adds an NS record to the .com zone → your domain becomes resolvable.
Root (.)
└── TLD (.com, .org, .io)
└── Domain (google.com)
└── Subdomain (mail.google.com)
.com). They know which nameservers are authoritative for each domain.When you query mail.google.com:
8.8.8.8.com TLD nameservers.com TLD → gets Google's authoritative nameserversmail.google.comRecursive resolvers do the legwork on your behalf. Authoritative servers answer with actual records — no forwarding.
Google returns multiple A records (IPv4) and AAAA records (IPv6). Browsers often race both in parallel using Happy Eyeballs, connecting on whichever responds first.
Every DNS record has a TTL (Time to Live) in seconds. Resolvers cache results until TTL expires, then re-query. Lower TTL before a migration for faster propagation; higher TTL reduces load on nameservers.
| Record | Purpose |
|---|---|
| A | Domain → IPv4 address |
| AAAA | Domain → IPv6 address |
| CNAME | Alias from one name to another |
| MX | Mail server for the domain (with priority) |
| TXT | Arbitrary text — SPF, DKIM, domain verification |
| NS | Authoritative nameservers for the domain |
| PTR | Reverse lookup: IP → domain name |
| SOA | Zone metadata — primary NS, admin email, serial, refresh intervals |
| SRV | Service location — host, port, priority, weight |
| CAA | Which CAs are allowed to issue certs for the domain |
Standard queries use UDP port 53 — fast, low overhead. TCP port 53 is used for: - Responses larger than 512 bytes (common with DNSSEC) - Zone transfers (AXFR) between nameservers
Adds cryptographic signatures to DNS records so resolvers can verify a record actually came from the legitimate zone owner.
Prevents cache poisoning but doesn't encrypt queries — that's DNS over HTTPS/TLS.
Standard DNS is plaintext. Anyone on the path (ISP, router) can see every domain you query.
Both encrypt the query. The destination IP is still visible.
Cache poisoning — inject a forged record into a resolver's cache so victims get directed to an attacker-controlled IP. DNSSEC prevents it; randomized source ports and bailiwick rules reduce exposure.
DNS hijacking — compromise a registrar account or nameserver to change authoritative records. Registry locks and 2FA on registrar accounts help.
DNS amplification — send spoofed queries with the victim's IP as source. Resolver sends large responses to the victim. Used in DDoS.
DNS tunneling — encode data inside DNS queries and responses to exfiltrate data or tunnel C2 traffic through firewalls that allow DNS.
dig google.com # basic A record lookup
dig google.com MX # query specific record type
dig @8.8.8.8 google.com # query a specific resolver
dig +trace google.com # follow the full resolution chain
dig -x 8.8.8.8 # reverse lookup (PTR)
nslookup google.com # simpler alternative to dig
whois google.com # registrar and registration info
HTTPS requires a TLS handshake over the TCP connection:
TLS 1.3 completes this in one round trip. TLS 1.2 takes two.
The browser sends a GET request through the encrypted tunnel:
GET / HTTP/2
Host: www.google.com
User-Agent: ...
Accept: text/html
Accept-Encoding: gzip, br
Cookie: ...
HTTP/2 multiplexes multiple requests over a single TCP connection. HTTP/3 runs over QUIC (UDP) to eliminate TCP head-of-line blocking entirely.
If the browser has a cached copy and received an ETag previously, it sends an If-None-Match header. The server responds 304 Not Modified with no body, and the browser serves the cached version.
The server's response includes headers like Strict-Transport-Security (HSTS), which tells the browser to enforce HTTPS-only for future visits without waiting for a redirect.
Visiting https://example.com:
example.com to an IP| Step | What happens |
|---|---|
| 0ms | Enter pressed |
| ~1ms | HSTS checked |
| ~5ms | DNS resolved (cache hit) or ~50–100ms (full resolution) |
| ~6ms | ARP resolves gateway MAC |
| ~15ms | TCP connection established |
| ~25ms | TLS handshake complete (TLS 1.3) |
| ~30ms | HTTP GET sent |
| ~70ms | First byte received (TTFB) |
| ~100ms+ | Page renders |