What is going on at background when connect to any website ?

Orhan Öztaş
5 min readMar 6


That’s right. You got it right. I’m gonna explain what is going on at background when connect this Medium website. If you eager about Cyber Security or Network Administration fields you have to learn how it works web. This article can be little long. Prepare your coffee and be ready for real geek show.

Okey. We have a local network at our home. We will connect to orhanoztasbir.medim.com website for magnificent informations about cybersecurity.

First of all, we assume that there are 2 computers and a router in our home network. Their names are Pc1,Pc2 and Router. I start by pressing the button of my pc1 computer and turning it on. PC1 will make a broadcast and shout “I need an IP address” to the entire local network. After that, the DHCP server on the Router will assign an ip to my PC1 computer.

Suppose the ip address from the router is Let’s assume that the DNS resolution of the router is My computer named Pc1 has an IP address of and my computer named Pc2 has an IP address of

In the local network, devices use MAC addresses when talking to each other and these values are kept in the ARP table. These devices keep and communicate with ARP tables on their operating systems to recognize each other. The devices write this information to the ARP table, which corresponds to which IP address and which MAC address.

Arp Table Example

Our computer named PC1 connects to the internet with the DNS resolution information, Subnet Mask and Gateway IP obtained from the Router.

Now we have our weapons so that we can open our browser and go to orhanoztasbir.medium.com.

Our operating system will first try to find the ip address of medium.com by looking at its own host file. You can find your own host file at c:\Windows\System32\Drivers\etc\hosts location. Can find at Linux OS etc/hosts location.

Windows host flle example

If there is the address of the medium.com website we are looking for in the host file, it will be able to reach it without the need for any extra resources. But if it couldn’t find it in this hosts file, it will need dns resolution.

It will find the ip address of medium.com by asking the dns address given by the router. How works DNS protocol ?

  • DNS recursor — The recursor can be thought of as a librarian who is asked to go find a particular book somewhere in a library. The DNS recursor is a server designed to receive queries from client machines through applications such as web browsers. Typically the recursor is then responsible for making additional requests in order to satisfy the client’s DNS query.
  • Root nameserver — The root server is the first step in translating (resolving) human readable host names into IP addresses. It can be thought of like an index in a library that points to different racks of books — typically it serves as a reference to other more specific locations.
  • TLD nameserver — The top level domain server (TLD) can be thought of as a specific rack of books in a library. This nameserver is the next step in the search for a specific IP address, and it hosts the last portion of a hostname (In example.com, the TLD server is “com”).
  • Authoritative nameserver — This final nameserver can be thought of as a dictionary on a rack of books, in which a specific name can be translated into its definition. The authoritative nameserver is the last stop in the nameserver query. If the authoritative name server has access to the requested record, it will return the IP address for the requested hostname back to the DNS Recursor (the librarian) that made the initial request.

After getting the dns record from the DNS server, we learn that medium.com now has the x.x.x.x ip address. DNS attack can also be made by the attackers by manipulating the IP addresses corresponding to the records of the DNS server.

Our pc1 is now ready for a direct connection to medium.com. First of all, a TCP packet passing through the Router (Gateway) will travel to the ip address of our website. But before that, the client will need a Privet IP address as it only has a Local IP address. It will convert the local IP address to the Privet IP address by applying the Router NAT process.

NAT process example

After performing NAT to our address for sending the TCP packet, we will send this packet to Medium.com in the following format.

A 3 Way Handshake will then occur. This process means that the parties know each other for a reliable connection.This process is basically done with syn, syn-ack, ack packages.

After completing the 3-way handshake with medium.com’s port 80, we will go to the website using the http protocol.

The http protocol works with request and response logic. After the sent request reaches the other party, it passes through the cyber security measures of the server and reaches the web server and your request is answered.

After website return 200 code, you are now at orhanoztasbir.medium.com

I would like to get a result by researching the web server working logic of Medium.com, but I did not prefer this because it could damage this site.



Orhan Öztaş

Blue Team Member. I am writing articles for helping you about cyber security.