19

I've googled around and it seems like SSL encrypts URLs. (Correct?) As I understand it, if I go to a site like http://security.stackexchange.com then a DNS server looks at the URL, says hey, he wants to go to IP xxx.xx.xxx.xxxx and then the packets are routed to that IP address across the Internet. But if the URL in an HTTPS message is encrypted then how can the packets be routed? If a DNS gets a request for an encrypted URL, how do they know where to send the packets?

bernie2436
  • 1,447
  • 10
  • 22
  • 29
  • 1
    "I've googled around and it seems like SSL encrypts URLs. (Correct?)" Yes, that's correct. For more information see [Is HTTPS URL in plain text at first connection?](https://security.stackexchange.com/questions/117536/is-https-url-in-plain-text-at-first-connection/117544#answer-117544). – rugk Mar 17 '16 at 00:43

1 Answers1

34

The DNS server does not look at the URL; the DNS server does not know what a URL could be.

The client browser extracts the intended server name from the URL. In a URL like https://www.example.com/foobar.html, the server name is the part after the https:// but before the next /; i.e., www.example.com in this example. The server name is what is sent to the DNS.

The DNS responds with the IP address for that server. The client then talks with that server, they do their SSL magic, and once the tunnel has been established (and only then), the client sends the URL (specifically, the part after the server name, in my example /foobar.html) to the server. And that one goes in the tunnel, hence encrypted.

This answer is a walk through the SSL protocol.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480