Networking Fundamentals — From URL to Response

Hierarchical, cached, and slower than you think on a cold lookup. Records you'll touch: A (IPv4), AAAA (IPv6), CNAME (alias), MX (mail), TXT (verification, SPF/DKIM), NS (delegation).

The TTL is a contract. Set it short before a migration, long for stability. "DNS hasn't propagated yet" almost always means a cache somewhere is honoring an old TTL.

TCP guarantees ordered, reliable bytes. Costs: handshake, retransmits, head-of-line blocking. The web rides on this.

UDP is fire-and-forget. No handshake, no retransmit. Used for DNS, video, games, VoIP — anywhere "stale" beats "late."

QUIC is UDP with the good parts of TCP rebuilt in user space — faster handshake, no head-of-line blocking, connection migration across networks. It's the foundation of HTTP/3.

TLS does two jobs: encrypt the channel and authenticate the server (and optionally the client) via certificates signed by a CA. Your browser ships with a list of trusted CAs; the server presents a chain that ends at one.

Things to know: certs expire (set up auto-renewal — Let's Encrypt + cert-manager); SNI lets one IP host many domains; mTLS adds client certs for service-to-service trust; HSTS tells browsers to refuse HTTP for your domain forever.

• 1.1: text, one request at a time per connection. Browsers opened 6 connections in parallel to fake concurrency.
• 2: binary frames, multiplexed streams over one TCP connection, header compression.
• 3: same as 2 but on QUIC/UDP — kills head-of-line blocking at the transport layer, faster on flaky networks.

IP identifies a machine; port identifies a program on it (80 = HTTP, 443 = HTTPS, 22 = SSH, 5432 = Postgres). IPv4 ran out of addresses years ago — IPv6 has 2¹²⁸ of them. NAT lets a whole home network share one public IPv4 by rewriting source addresses.

By default a page on a.com cannot read responses from b.com. The server at b.com opts in by sending Access-Control-Allow-Origin. For non-trivial requests the browser first sends an OPTIONS preflight asking permission.

CORS is enforced by the browser, not the server. curl ignores it entirely — that's why the same call works in your terminal and fails in your app.

A load balancer spreads traffic across many backend servers. L4 (TCP) ones route on IP/port; L7 (HTTP) ones route on path, header, cookie. Algorithms: round-robin, least-connections, IP hash for sticky sessions.

A reverse proxy (nginx, HAProxy, Envoy, Cloudflare, AWS ALB) sits in front of your app and does TLS termination, caching, rate-limiting, header rewrites, and load balancing. Almost every production app has one.

Cloudflare, Fastly, CloudFront, Akamai. Hundreds of edge locations cache static assets and increasingly run code. Cache-Control headers tell the CDN how long to hold a response; cache keys decide what counts as "the same" request. Get the keys wrong and one user's data leaks to another.

A cookie is just a header the browser echoes back. Flags that matter: Secure (HTTPS only), HttpOnly (no JS access), SameSite=Lax/Strict/None (cross-site behavior). Modern browsers default to Lax, which kills most CSRF — but you still need to think about it.