What Happens After You Type a URL? DNS, TLS, HTTP, and Rendering
You press Enter on https://shop.example/products/42. A moment later, a product page appears. That small action crosses naming, transport security, HTTP, edge infrastructure, application code, data storage, and the browser renderer. If the page is slow or wrong, “the website is down” is not a diagnosis—you need to identify the stage that failed.
This guide is for web developers who know HTTP requests but have not followed a navigation end to end. We will keep one URL for the whole journey, expect an HTTP 200 product page, intentionally route it to an old origin through stale DNS, and use browser and command-line evidence to recover. The core model is name → connect → request → compute → render → measure.
The navigation has six jobs
A URL is an instruction, not an IP address. The browser first parses https://shop.example/products/42 into a scheme (https), authority (shop.example), and path (/products/42). It may satisfy the navigation from an HTTP cache or let a Service Worker intercept it; otherwise, it needs a network route to an origin that can answer for that hostname.
The network path then performs six jobs. Name: resolve the hostname. Connect: establish a transport path. Secure: authenticate the server and derive encryption keys. Request: send HTTP semantics to the selected origin. Compute: let CDN, load balancer, application, cache, and database produce a representation. Render: parse the returned bytes into pixels and discover more resources.
These jobs can overlap or disappear on a warm navigation. DNS answers, TLS sessions, HTTP responses, and connections may already be cached or reusable. The sequence is therefore a mental model, not a guarantee that every navigation creates every exchange from scratch.
Quick reference
- Subject:
https://shop.example/products/42in a fresh browser tab. - Expected success: HTTP 200, product HTML, and a visible product heading.
- Intentional failure: DNS still points to an old origin returning stale content.
- Cold navigation pays more setup work; warm navigation can reuse caches and connections.
- Measure the actual browser timeline before assigning blame to a stage.
Remember this
A navigation is six separate jobs—name, connect, secure, request, compute, render—and a warm browser may reuse or skip several of them.
DNS turns the hostname into a route
Domain Name System (DNS) maps names to records. For our URL, the browser ultimately needs an address record (A for IPv4 or AAAA for IPv6), possibly after following a CNAME alias. It checks available caches first: browser, operating system, and recursive resolver. On a miss, the recursive resolver follows the DNS hierarchy toward an authoritative name server and returns a record with a TTL that controls how long that answer may be cached.
The resolver answer is not necessarily the application server. It often points to a CDN or edge load balancer selected by geography, health, or traffic policy. DNS chooses a destination address; it does not prove that the destination is healthy, that its TLS certificate matches, or that /products/42 exists.
This distinction explains the failure we will create later. If shop.example changes from old origin 192.0.2.10 to new origin 198.51.100.20, resolvers may legally keep the old answer until its TTL expires. Deploying the new server and changing DNS are separate operations with separate clocks.
Quick reference
- Browser/OS/resolver caches can answer without contacting authoritative servers.
- A/AAAA map to addresses; CNAME aliases one name to another name.
- TTL bounds cache reuse; changing a record does not flush every resolver instantly.
- NXDOMAIN means the requested name does not exist—not that the web app returned 404.
- DNSSEC can authenticate DNS data; HTTPS/TLS still authenticates the web endpoint.
Remember this
DNS returns a cacheable destination record, not a healthy webpage; TTL is why a correct record change can coexist with stale clients.
The browser establishes a secure connection
With an address selected, the browser needs a transport. A common HTTP/2 path establishes a TCP connection using the three-way handshake, then performs a TLS handshake. TLS authenticates the server certificate for shop.example, negotiates protocol parameters (including HTTP/2 through ALPN when supported), and derives keys that protect confidentiality and integrity before application data flows.
HTTP/3 changes the lower layers: it runs over QUIC, which uses UDP and incorporates the TLS 1.3 handshake into the transport. So “every HTTPS request does DNS → TCP → TLS” is not universally true. The stable idea is: resolve a destination, establish an authenticated encrypted transport, then exchange HTTP semantics over the negotiated protocol.
A certificate error stops the navigation before the application sees GET /products/42. Common causes are an expired certificate, a hostname missing from the certificate, an untrusted issuer, or the client clock being wrong. Retrying application code cannot repair a failed identity check.
Quick reference
- HTTP/1.1 and HTTP/2 commonly use TCP + TLS; HTTP/3 uses QUIC over UDP.
- TLS verifies endpoint identity and encrypts bytes; it does not authorize the user.
- SNI tells a shared endpoint which hostname certificate to present.
- ALPN negotiates the application protocol, such as
h2orhttp/1.1. - Connection and TLS session reuse reduce setup work on later requests.
Remember this
HTTPS requires an authenticated encrypted transport: usually TCP + TLS for HTTP/2, or QUIC with integrated TLS for HTTP/3.
HTTP carries intent through the origin path
Once the secure transport exists, the browser sends an HTTP request expressing intent: method GET, target /products/42, authority shop.example, and headers describing accepted representations, cookies, cache validators, and browser policy. RFC 9110 defines those semantics independently of whether the bytes travel over HTTP/1.1, HTTP/2, or HTTP/3.
The public address may terminate at a CDN. A fresh cached response can end the path there. On a miss, the request travels through a load balancer or reverse proxy to the application. The app validates the route, authenticates any session, loads product 42 from a cache or database, and returns a status, headers, and representation. A 200 means the server fulfilled the request; a 304 tells the browser to reuse its cached representation; a 404 is an application-level answer and is completely different from DNS NXDOMAIN.
Security boundaries accumulate along this path. TLS protects the hop to the terminating edge, while cookies and authorization determine user identity. The CDN or proxy must forward only trusted headers, and the app must authorize access to object 42 rather than assuming that possession of the URL is permission.
Quick reference
- HTTP method + target + headers express intent; status + headers + content answer it.
- CDN hit avoids origin work; CDN miss continues to proxy, app, cache, and database.
- DNS NXDOMAIN, TLS failure, HTTP 404, and HTTP 500 are different layers.
- Forward one request ID so edge, app, and database evidence can be correlated.
- Authorize product/account access in the app; a valid URL is not authorization.
Remember this
HTTP carries one request through cache and origin layers; status codes describe application results, not DNS or TLS failures.
Response bytes become a rendered page
The first response is usually HTML, not a finished screen. The renderer parses HTML incrementally into the DOM and CSS into the CSSOM. It combines visible nodes and computed styles into a render tree, calculates geometry during layout, paints drawing commands, and composites layers into the pixels you see.
Parsing also discovers more work: stylesheets, fonts, images, modules, and scripts each become resource requests with their own cache and timing path. CSS can block rendering because the browser needs styles to construct the render tree. A classic script can block HTML parsing unless it is deferred, asynchronous, or a module with appropriate behavior. The page can therefore receive the main HTML quickly and still show content late.
JavaScript may then mutate the DOM, trigger more network requests, or cause additional layout and paint. DOMContentLoaded means the document has been parsed and deferred scripts have run; it is not the same as “the user can see the main product” or “every image has loaded.” Use paint and interaction metrics for user experience, not only the load event.
Quick reference
- HTML → DOM; CSS → CSSOM; both contribute to the render tree.
- Layout computes geometry; paint records drawing; compositing assembles layers.
- Discovered CSS, JS, fonts, and images create additional resource requests.
DOMContentLoadedis a lifecycle milestone, not a complete UX metric.- Large JavaScript and render-blocking CSS can dominate after a fast server response.
Remember this
A fast HTML response is not a fast page: parsing, resource discovery, layout, paint, and JavaScript can dominate after TTFB.
Failure story: stale DNS reaches the old origin
Trigger. The team deploys product version 2 to 198.51.100.20 and changes the A record, but the previous record had a one-hour TTL. One recursive resolver still returns old origin 192.0.2.10, where version 1 remains healthy. Symptom: some users see stale product data with HTTP 200; others see version 2. Application dashboards for the new origin look healthy because affected traffic never arrives there.
Root mechanism. DNS caches are allowed to reuse the old record until TTL expiry. This is not eventual consistency inside the product database, and retrying the same resolver may return the same cached address. The decisive evidence is disagreement between DNS answers plus the remote_ip that served the response.
Recovery and prevention. Confirm the authoritative record, compare recursive resolvers, and use curl --resolve to test each origin while preserving the hostname for TLS and HTTP routing. Keep the old origin compatible until the previous TTL window has passed; if emergency risk justifies it, restore service there or revert the authoritative record. Before planned migrations, lower TTL far enough in advance for the old TTL to expire—lowering it at cutover does not shorten answers already cached.
Quick reference
- Trigger: address changed while old answers still have unexpired TTL.
- Symptom: split users, valid TLS, HTTP 200, but different release/content.
- Evidence: resolver answers + TTL +
curl --resolveper-origin results. - Recovery: keep or restore compatibility on the old origin through the TTL window.
- Prevention: lower TTL before migration, then observe traffic at both origins.
Remember this
A DNS migration can return two healthy HTTP 200 responses from different origins; resolver answers and remote IP expose the split.
Diagnose the stage, not “the website”
Debugging becomes simpler when every symptom is assigned to the earliest stage that can produce it. NXDOMAIN is naming. A certificate warning is TLS identity. A 404 is an HTTP application response. A long wait before response headers is often server or network time to first byte; a fast response followed by a blank or janky screen belongs to rendering or JavaScript.
Start with browser DevTools Network: preserve the log, reload, inspect the main document, and record DNS/connect/TLS timing when exposed, status, protocol, remote address, cache source, TTFB, and download. Then reproduce outside the browser with curl; inspect DNS with dig; inspect certificates with openssl; and correlate the response request ID through edge and application logs.
Do not optimize the largest-looking box without representative measurements. DNS time can be zero because of cache reuse. Connection time can be zero because the browser reused a socket. TTFB combines network and server work. Compare cold and warm navigations, representative regions, and realistic devices before changing architecture.
Quick reference
- No name/address → inspect DNS; do not start in application logs.
- Certificate/handshake error → inspect hostname, chain, expiry, client clock, protocol.
- HTTP 4xx/5xx → request reached an HTTP server; use status and request ID.
- Good TTFB, late paint → inspect render-blocking resources and main-thread work.
- Compare cold vs warm runs because caches and connection reuse change the path.
Remember this
The earliest failing stage chooses the tool: DNS → dig, TLS → openssl, HTTP → curl and request IDs, rendering → DevTools Performance.
Key takeaway
Pressing Enter starts a chain of independently observable contracts: DNS maps the name, TCP/TLS or QUIC creates an authenticated transport, HTTP carries intent, edge and origin systems compute a representation, and the browser turns response bytes into pixels. Caches and reused connections can shorten the path, while a failure at any layer produces different evidence. Diagnose the earliest failed contract instead of treating the page as one black box.
Practice (30 minutes): choose a site you control. Record a cold navigation in DevTools, run the Navigation Timing snippet, then reproduce the document with curl -w and inspect its DNS answer with dig. Write one row for DNS, connect/TLS, TTFB, download, and DOM readiness. Now create an intentional failure safely: use curl --resolve with a wrong test IP or local test origin—do not change production DNS—and prove whether failure occurs at transport, TLS, or HTTP. Recover by restoring the correct address. You pass when you can identify the remote IP, negotiated HTTP version, status, slowest measured stage, and exact command that isolated it.
Related Articles
Explore this topic