Module 5 of 21 · Foundations

MAC addresses, IP addresses, ports, and domain names


By the end of this module you will be able to:

  • Explain what DNS hostnames, IP addresses, MAC addresses, and port numbers each identify
  • Describe where each identifier operates and how they work together in a single request
  • Explain how ARP bridges IP addresses to MAC addresses on the local segment

Real-world incident · October 21, 2016

100,000 hacked cameras took down Twitter, Reddit, Netflix, and Amazon.

In October 2016, a botnet called Mirai infected roughly 100,000 IoT devices (security cameras, baby monitors, home routers) using default passwords. The botnet launched a massive DDoS attack against Dyn, a company that provided DNS services for Twitter, Reddit, Netflix, Amazon, PayPal, Spotify, and thousands more.

The web servers for all those sites were still running. Their IP addresses were still reachable. But users could not get past the first step of any request: resolving the hostname. When Dyn's DNS servers went down, browsers could not translate "twitter.com" into an IP address. No IP address means no TCP connection. No TCP connection means no website.

The attack exposed DNS as a critical single point of failure. It also demonstrated why understanding the four network identifiers matters: the target was not the websites themselves but the naming system that makes them reachable.

All these websites used different servers in different locations. How did one attack take them all down at the same time?

5.1 Four identifiers, four jobs

Every network request uses four types of identifier. Each one operates at a different layer and has a different scope. Confusing them leads to troubleshooting in the wrong place.

DNS hostname (Layer 7). A human-readable name like "www.example.com". Its job is to give people something memorable instead of a number. DNS translates it into an IP address before anything else can happen. Scope: global. Changes when: the domain owner updates the DNS record.

IP address (Layer 3). A numeric address like 93.184.216.34 (IPv4) or 2606:2800:21f:cb07::1 (IPv6). Its job is end-to-end routing: getting the packet from your machine to the destination, across however many routers sit in between. Scope: end-to-end (stays the same through every router). Changes when: the device moves to a different network or the DHCP lease renews.

MAC address (Layer 2). A 48-bit hardware address like DC:A6:32:12:34:56. The first three bytes (DC:A6:32) identify the manufacturer (in this case, Raspberry Pi). Its job is local delivery: getting the frame from one device to the next device on the same network segment. Scope: local segment only. Changes at: every router hop (as you learned in Module 2).

Port number (Layer 4). A 16-bit number from 0 to 65,535. Its job is multiplexing: allowing one device to run many services at the same IP address. Your laptop might have connections to port 443 (HTTPS), port 22 (SSH), and port 53 (DNS) all running simultaneously. Scope: per-host.

Each identifier appears at a different point in the request path: DNS resolves first (hostname to IP), then ARP resolves on the local segment (IP to MAC), then TCP connects (the IP:port pair creates a socket).

5.2 How DNS resolution works

When you type "www.example.com" in a browser, your operating system needs to find the IP address. Here is the sequence:

1. The OS checks its local DNS cache. If a recent query already resolved this name, the cached answer is used immediately.
2. If the cache is empty, the OS sends a recursive query to a configured DNS resolver (your ISP's resolver, Google's 8.8.8.8, or Cloudflare's 1.1.1.1).
3. The resolver performs iterative queries across the DNS hierarchy. It asks a root server, which points to the .com TLD servers. Then it asks the .com servers, which point to example.com's authoritative nameservers. Then it asks those nameservers for the actual IP address.
4. The authoritative server returns the A record (IPv4 address) or AAAA record (IPv6 address).
5. The resolver caches the answer (respecting the TTL, Time to Live, set by the domain owner) and returns it to your OS.
6. Your browser connects to the returned IP address.

The key distinction: your OS makes a recursive query (asking the resolver to do all the work). The resolver then makes iterative queries (following referrals step by step through the hierarchy).

Common misconception

DNS is just a phone book that maps names to IP addresses.

DNS also handles email routing (MX records), load balancing (round-robin, geo-aware responses), CDN routing (directing users to the nearest edge server), security policy (SPF, DKIM, DMARC records in TXT), service discovery (SRV records), and domain ownership verification. It is one of the most heavily used protocols on the internet.

5.3 IP addresses: public, private, and running out

IPv4 uses 32-bit addresses (4.3 billion possible). IPv6 uses 128-bit addresses (3.4 x 10^38 possible, or roughly 340 undecillion).

Private address ranges (RFC 1918) are reserved for internal networks and are not routable on the public internet. If you have ever seen 192.168.1.x on your home router, that is RFC 1918 at work. The three ranges are:

10.0.0.0/8 (16.7 million addresses), 172.16.0.0/12 (1 million addresses), and 192.168.0.0/16 (65,536 addresses).

IANA's central pool of IPv4 addresses ran out on February 3, 2011. Regional registries exhausted their allocations between 2011 and 2015. Today, NAT (Network Address Translation) lets many devices share one public IP by rewriting addresses at the network edge. NAT solved the address shortage but broke the internet's original end-to-end design. Peer-to-peer applications, VoIP, and online gaming now need complex NAT traversal workarounds (STUN, TURN, ICE protocols).

Common misconception

IP addresses identify devices.

IP addresses identify network interfaces. A laptop connected to both Wi-Fi and Ethernet has two different IP addresses. A router has a different IP on each of its interfaces. A phone switching from Wi-Fi to cellular gets a completely different IP. If you need to identify a device regardless of which network it is on, you need something else (a certificate, a user account, or device management).

5.4 MAC addresses and how ARP bridges the gap

MAC addresses are 48-bit identifiers assigned to network interface cards. They look like DC:A6:32:12:34:56, where the first three bytes (DC:A6:32) are the OUI (Organizationally Unique Identifier), assigned by the IEEE to identify the manufacturer.

When your laptop sends a packet to a server on a different network, it already knows the server's IP address (from DNS). But to send the Ethernet frame to the local router, it needs the router's MAC address. That is where ARP comes in.

ARP (Address Resolution Protocol, RFC 826) works like this: your laptop broadcasts an ARP request to every device on the local segment saying "Who has IP 192.168.1.1? Tell me your MAC address." The broadcast uses the special MAC address FF:FF:FF:FF:FF:FF, which every device on the segment receives. Only the router (which owns that IP) replies, sending its MAC address back as a unicast frame directly to your laptop. Your laptop caches this mapping and uses it for subsequent frames.
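
The request and reply described above, built and parsed byte for byte in the RFC 826 layout for Ethernet and IPv4. This is an added example, not part of the original module; the function names are illustrative, and the frames are constructed in memory and never sent on a network.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = "FF:FF:FF:FF:FF:FF"
ARP_BODY = "!HHBBH6s4s6s4s"   # RFC 826 fields for 6-byte MACs and 4-byte IPv4
REQUEST, REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_to_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header (dst, src, EtherType) followed by the ARP body."""
    header = (mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac)
              + struct.pack("!H", ETHERTYPE_ARP))
    body = struct.pack(ARP_BODY, 1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_to_bytes(target_mac), socket.inet_aton(target_ip))
    return header + body


def parse_frame(frame):
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_BODY, frame[14:42])
    if ethertype != ETHERTYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    return {"eth_dst": mac_to_str(eth_dst), "eth_src": mac_to_str(eth_src),
            "op": op,
            "sender_mac": mac_to_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_to_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def who_has(my_mac, my_ip, wanted_ip):
    """Broadcast request; the unknown target MAC is sent as all zeros."""
    return build_frame(REQUEST, BROADCAST, my_mac, my_ip,
                       "00:00:00:00:00:00", wanted_ip)


def handle(frame, my_mac, my_ip):
    """What every host on the segment does: reply only if it owns the IP."""
    p = parse_frame(frame)
    if p["op"] != REQUEST or p["target_ip"] != my_ip:
        return None
    return build_frame(REPLY, p["sender_mac"], my_mac, my_ip,
                       p["sender_mac"], p["sender_ip"])
```

Calling `who_has("DC:A6:32:12:34:56", "192.168.1.50", "192.168.1.1")` yields a 42-byte frame addressed to the broadcast MAC; passing it to `handle()` for a host that owns 192.168.1.1 returns a unicast reply, while any other host returns `None`.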

Common misconception

MAC addresses are permanent and cannot be changed.

MAC addresses can be changed in software on virtually every operating system. On Linux: one command changes it. Modern phones (iOS 14+, Android 10+) now randomize their MAC address by default when connecting to Wi-Fi, specifically to prevent tracking. MAC-based access control (like Wi-Fi MAC filtering) is trivially defeated because attackers can sniff a legitimate MAC from the air and clone it. Use 802.1X with certificates for real network access control.

5.5 Port numbers and sockets

Port numbers let one device run multiple services on the same IP address. RFC 6335 divides the 65,536 possible ports into three ranges:

System ports (0-1,023): assigned by IANA for well-known services. SSH is 22, DNS is 53, HTTP is 80, HTTPS is 443. On most operating systems, binding to these ports requires elevated privileges.

Registered ports (1,024-49,151): assigned by IANA on request for specific applications. MySQL is 3306, PostgreSQL is 5432, RDP is 3389.

Ephemeral ports (49,152-65,535): used by the operating system for outbound connections. When your browser connects to a web server on port 443, your OS picks a random ephemeral port (like 52,847) as the source port. Each connection gets a different ephemeral port.

A socket is the combination of an IP address and a port number (e.g., 93.184.216.34:443). A TCP connection is uniquely identified by a 4-tuple: source IP, source port, destination IP, destination port. That is how your browser can have dozens of connections to the same server: each uses a different source port, creating a unique 4-tuple.
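
The 4-tuple rule can be observed directly on the loopback interface. The following is an added example, not part of the original module: it opens several connections to one local listener and returns the 4-tuple of each, and the function names are illustrative.

```python
import socket


def port_range(port):
    """RFC 6335 range name for a port number."""
    if not 0 <= port <= 65535:
        raise ValueError("port must fit in 16 bits")
    if port <= 1023:
        return "system"
    return "registered" if port <= 49151 else "ephemeral"


def open_connections(count=3):
    """Open `count` TCP connections to one loopback listener.

    Returns one (src_ip, src_port, dst_ip, dst_port) tuple per connection.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port
    listener.listen(count)
    server = listener.getsockname()
    sockets, four_tuples = [listener], []
    try:
        for _ in range(count):
            client = socket.create_connection(server, timeout=5)
            sockets.append(client)
            accepted, peer = listener.accept()
            sockets.append(accepted)
            # The server sees the same connection from the other end.
            if peer != client.getsockname():
                raise RuntimeError("accepted a different connection")
            four_tuples.append(client.getsockname() + client.getpeername())
    finally:
        for s in sockets:
            s.close()
    return four_tuples


if __name__ == "__main__":
    for src_ip, src_port, dst_ip, dst_port in open_connections():
        print(f"{src_ip}:{src_port} -> {dst_ip}:{dst_port}  "
              f"(source port is in the {port_range(src_port)} range)")
```

Every tuple shares the same destination IP and port and differs only in the source port. On Linux the default source-port range is 32768-60999, so `port_range` may report "registered" for a port the OS chose, even though RFC 6335 places the ephemeral range at 49,152-65,535.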


5.6 How all four identifiers work together

When you type https://www.example.com in a browser, all four identifiers come into play in sequence:

1. DNS hostname resolves to IP address. The browser asks DNS for the A record of www.example.com. DNS returns 93.184.216.34.

2. IP determines the next hop. ARP resolves to MAC. The OS sees that 93.184.216.34 is not on the local subnet. Traffic must go through the default gateway (e.g., 192.168.1.1). The OS checks its ARP cache for the gateway's MAC. If missing, it sends an ARP broadcast. The router replies with its MAC.

3. TCP connects using IP:port. The OS opens a TCP connection to 93.184.216.34:443. It picks ephemeral source port 52,847. The 4-tuple (192.168.1.50:52847, 93.184.216.34:443) uniquely identifies this connection.

4. TLS uses the hostname again. During the TLS handshake, the browser sends the hostname "www.example.com" in the SNI (Server Name Indication) extension. The server uses this to pick the correct certificate.

5. HTTP sends the request. The browser sends GET / HTTP/1.1 with Host: www.example.com. The server returns the page.

Four identifiers, four layers, one request. DNS gives you the IP. ARP gives you the MAC. Ports give you the process. The hostname comes back around in TLS for certificate selection.

5.7 Check your understanding

A packet crosses three routers on its way to a web server. Which identifier changes at every hop?

During the Dyn DDoS attack in 2016, websites like Twitter and Netflix became unreachable. Their web servers were still running. What was actually targeted?

Your laptop has the IP address 192.168.1.50 on Wi-Fi and 10.0.0.12 on Ethernet. How many IP addresses does your laptop have?

Why do modern phones randomize their MAC address when connecting to Wi-Fi?

Key takeaways

  • Four identifiers, four layers: DNS hostname (L7, global), IP address (L3, end-to-end), MAC address (L2, local segment), port number (L4, per-host).
  • DNS resolves hostnames to IPs. ARP resolves IPs to MACs on the local segment. Ports multiplex multiple services on one IP. All four are used in every web request.
  • IP addresses identify interfaces, not devices. MAC addresses can be spoofed. DNS does far more than name resolution. Port 80 is convention, not law.
  • Attacking DNS (like the 2016 Dyn DDoS) can take down thousands of sites at once because it is the first step in every request.

Standards and sources cited in this module

  1. RFC 1034/1035, Domain Names: Concepts and Implementation

    DNS hierarchy, query types, record formats

    Defines DNS architecture and resolution process. Referenced in Section 5.2.

  2. RFC 9499, DNS Terminology (BCP 219)

    Published March 2024

    Current authoritative glossary for DNS terms. Referenced for accuracy.

  3. RFC 1918, Address Allocation for Private Internets

    Section 3, Private Address Space

    Defines the three private IP ranges (10/8, 172.16/12, 192.168/16). Referenced in Section 5.3.

  4. RFC 826, An Ethernet Address Resolution Protocol

    Full specification

    Defines ARP. Referenced in Section 5.4.

  5. RFC 6335, Internet Assigned Numbers Authority (IANA) Procedures for Port Numbers

    Section 6, Port Number Ranges

    Defines system, registered, and ephemeral port ranges. Referenced in Section 5.5.

  6. DDoS attacks on Dyn, October 2016

    Mirai botnet attack analysis

    Real-world demonstration of DNS as a single point of failure. Used as the opening case study.

  7. CompTIA Network+ N10-009 Exam Objectives

    Domain 1.0 (Objectives 1.1, 1.4, 1.5) and Domain 4.0 (Security)

    Tests DNS, IP, MAC, port knowledge, plus security implications of each identifier.

Identifiers give devices their names and addresses. Module 6 explains how subnetting divides those addresses into local and remote, and why getting the mask wrong can silently break everything.
