Dev Ops Crash Course - Day One

Published Monday, March 20, 2017

Notes from day two, day three, day four, and day five.

Internet 101


Some vocab:

  • Bandwidth: capacity to receive information
  • Bitrate: speed of sending information (bits per second)
  • Latency: drag / delay when sending information

The Internet is a design philosophy expressed through agreed-upon protocols:

  • IPv4 - current protocol (32-bit addresses)
  • IPv6 - new protocol to provide more IP addresses (128-bit addresses)

IP addresses have A, B, and C classes.


How DNS works:

In local network settings, DNS is set to Google Public DNS.

  • better performance
  • better security

Anatomy of a URL:

protocol subdomain domain
https:// www.

DNS records

Record types:

  1. A record: address, maps a hostname to an IP address
  2. PTR record: pointer, maps an IP address back to a name (helpful when scanning logs)
  3. CNAME record: alias, maps a domain name to another domain name

You can use multiple records of the same type as a redundancy strategy. For example, you want multiple MX records for your mail servers, and you configure a priority on each record.
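As an added example (not from the course notes), a Python check over a constructed set of A, PTR and CNAME records: it reports A records with no matching PTR, PTR records that do not point back to the host, and CNAME loops. The names and addresses are made up; a forward record whose reverse record is missing or points elsewhere is one sign of a stale entry like the one described later in these notes.

```python
# Added example: consistency check over constructed DNS records (not real data).
import ipaddress

# Constructed sample records: (name, type, value).
RECORDS = [
    ("www.example.test",  "A",     "203.0.113.10"),
    ("mail.example.test", "A",     "203.0.113.20"),
    ("old.example.test",  "A",     "203.0.113.99"),   # no PTR: possibly stale
    ("blog.example.test", "CNAME", "www.example.test"),
    ("a.example.test",    "CNAME", "b.example.test"), # a <-> b loop
    ("b.example.test",    "CNAME", "a.example.test"),
    ("10.113.0.203.in-addr.arpa", "PTR", "www.example.test"),
    ("20.113.0.203.in-addr.arpa", "PTR", "smtp.example.test"),  # does not match mail.
]

def reverse_name(ip):
    """Name a PTR record lives under (in-addr.arpa for IPv4, ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer

def resolve_cname(name, records, seen=None):
    """Follow CNAMEs to the final name; return None if the chain loops."""
    seen = set() if seen is None else seen
    if name in seen:
        return None
    seen.add(name)
    for n, t, v in records:
        if n == name and t == "CNAME":
            return resolve_cname(v, records, seen)
    return name

def check_records(records):
    """Return human-readable problems: missing/mismatched PTRs and CNAME loops."""
    problems = []
    ptrs = {n: v for n, t, v in records if t == "PTR"}
    for host, t, addr in records:
        if t in ("A", "AAAA"):
            rev = reverse_name(addr)
            if rev not in ptrs:
                problems.append(f"no PTR for {host} ({addr})")
            elif ptrs[rev] != host:
                problems.append(f"PTR mismatch: {rev} -> {ptrs[rev]}, expected {host}")
    for n, t, v in records:
        if t == "CNAME" and resolve_cname(n, records) is None:
            problems.append(f"CNAME loop at {n}")
    return problems
```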

DNS lookup

$ dig

; <<>> DiG 9.8.3-P1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60914
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;      IN  A


;; Query time: 29 msec
;; WHEN: Mon Mar 20 12:06:16 2017
;; MSG SIZE  rcvd: 42
$ whois
# Query terms are ambiguous.  The query is assumed to be:
#     "n"
# Use "?" to get help.

# The following results may also be obtained via:

NetRange: -
NetName:        DIGITALOCEAN-9
NetHandle:      NET-104-131-0-0-1
Parent:         NET104 (NET-104-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS46652, AS14061, AS393406, AS62567
Organization:   Digital Ocean, Inc. (DO-13)
RegDate:        2014-06-02
Updated:        2014-06-02
Comment:        Simple Cloud Hosting

OrgName:        Digital Ocean, Inc.
OrgId:          DO-13
Address:        101 Ave of the Americas
Address:        10th Floor
City:           New York
StateProv:      NY
PostalCode:     10013
Country:        US
RegDate:        2012-05-14
Updated:        2017-01-28
Comment:        Simple Cloud Hosting

OrgNOCHandle: NOC32014-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-347-875-6044

OrgTechHandle: NOC32014-ARIN
OrgTechName:   Network Operations Center
OrgTechPhone:  +1-347-875-6044

OrgAbuseHandle: ABUSE5232-ARIN
OrgAbuseName:   Abuse, DigitalOcean
OrgAbusePhone:  +1-347-875-6044

Local spoofing (overriding DNS for your own machine only):

  1. Open the hosts file: /etc/hosts

  2. Add spoofed DNS entries (IP address, then site+domain):


DHCP “dynamically distributes network configuration parameters, such as IP addresses”. It is the process of obtaining an IP address on a private network. The address is obtained on a lease that will eventually expire.

The router gives out IP addresses, and there’s a limited number of them.

You can configure leases to expire after a certain period of time, which helps prevent running out.

Packets and Traffic

Packets are directed by routers, and the routers are owned by ISPs.

See the path of your request:

$ traceroute
traceroute to (, 64 hops max, 52 byte packets
 1 (  4.954 ms  2.340 ms  2.594 ms
 2 (  6.657 ms (  7.809 ms  11.878 ms
 3  * * *
 4  * * *
 5 (  29.671 ms (  13.458 ms  6.881 ms
 6 (  14.051 ms  12.765 ms  10.800 ms
 7 (  5.831 ms (  7.330 ms (  6.450 ms
 8 (  10.902 ms (  6.161 ms (  13.696 ms
 9 (  9.293 ms  10.936 ms (  18.379 ms
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *


TCP (Transmission Control Protocol) manages the sending and receiving of packets.

HTTP and DNS manage the sending and receiving of web files.

Both are made possible by TCP + IP routing.

Examining Network Traffic

Your computer has a hardware (MAC) address that you can change. Look it up with ifconfig.

Example: free wifi networks

  • they allow you to log on for a limited time, then try to upsell you
  • they identify your device by its hardware address
  • changing your hardware address will let you stay on for free (because you look like a new device)

The tcpdump command allows you to examine traffic on a server; Wireshark is a GUI for examining tcpdump captures. Both let you look at the packets going across the network, including the TCP handshake as it is made.

Get a capture file (tcpdump -i eth0 -s 65536 -w capture.pcap), then import it into Wireshark.
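As an added example (not code from the course notes), a small Python pcap reader that picks out the TCP three-way handshake mentioned above. The capture is constructed in memory in the same classic pcap layout tcpdump writes (Ethernet link type assumed); the addresses, ports and sequence numbers are made up.

```python
import struct, socket

SYN, ACK = 0x02, 0x10  # TCP flag bits

def tcp_frame(src, sport, dst, dport, flags, seq, ack):
    """Ethernet + IPv4 + TCP header bytes (checksums left zero for brevity)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02\0\0\0\0\1" + b"\x02\0\0\0\0\2" + b"\x08\x00" + ip + tcp

def pcap_bytes(frames):
    """Classic pcap layout: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65536, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1489000000, i, len(f), len(f)) + f
    return out

def tcp_segments(data):
    """Return (src, sport, dst, dport, flags, seq, ack) for each IPv4/TCP frame."""
    pos, segs = 24, []
    while pos + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, pos)[2]
        frame, pos = data[pos + 16:pos + 16 + incl], pos + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not Ethernet/IPv4/TCP
        ihl = (frame[14] & 0x0F) * 4
        sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", frame, 14 + ihl)
        segs.append((socket.inet_ntoa(frame[26:30]), sport,
                     socket.inet_ntoa(frame[30:34]), dport, off_flags & 0x1FF, seq, ack))
    return segs

def find_handshakes(segs):
    """(client, server) pairs whose SYN, SYN-ACK and ACK sequence numbers line up."""
    found = []
    for i, (cs, cp, ss, sp, fl, seq, _) in enumerate(segs):
        if fl != SYN:
            continue
        for s2, p2, d2, dp2, f2, seq2, ack2 in segs[i + 1:]:
            if (s2, p2, d2, dp2, f2, ack2) == (ss, sp, cs, cp, SYN | ACK, seq + 1):
                if (cs, cp, ss, sp, ACK, seq + 1, seq2 + 1) in segs[i + 1:]:
                    found.append((f"{cs}:{cp}", f"{ss}:{sp}"))
                break
    return found

# Constructed capture: one complete handshake from a client to an HTTPS port.
CLIENT, SERVER = ("198.51.100.7", 51000), ("203.0.113.10", 443)
SAMPLE = pcap_bytes([tcp_frame(*CLIENT, *SERVER, SYN, 1000, 0),
                     tcp_frame(*SERVER, *CLIENT, SYN | ACK, 5000, 1001),
                     tcp_frame(*CLIENT, *SERVER, ACK, 1001, 5001)])
```

Writing SAMPLE to a file gives something Wireshark opens directly, so the same frames can be compared against its own handshake display.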

Transport Layer Security

Data sent using HTTPS is secured via the Transport Layer Security protocol.

When a company registers for a certificate, it provides info and a Certificate Authority (a trusted entity) verifies it. If valid, the authority issues the certificate; the Certificate Authority is signing for your authenticity. The process is not difficult, but it relies on trust in the Certificate Authority.

You can be your own Certificate Authority with self-signed certificates, but those aren’t trusted.

View the SSL certificate in Chrome: open Developer Tools, then click on the Security tab.

Often in the wild, people terminate SSL at the load balancer, so traffic between the load balancer and the hosts is unencrypted, traveling over the private network. Terminating at the load balancer is a common pattern and makes things easier to scale; otherwise you’d have to make sure the certificate and keys are on all hosts.


Explaining public/private key encryption:

Understanding the SSH encryption and connection process:

We disabled password authentication on our servers (hosts). Instead, we authenticate by public keys, which is more secure. Developers’ public keys have been distributed out to all servers, so developers can connect from their local machines, where their private keys are stored.
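As an added example (not from the course notes), a Python audit of an authorized_keys file like the ones distributed to the hosts above: it parses each line, checks that the key type inside the base64 blob matches the declared type, and computes the SHA256 fingerprint in the form ssh-keygen -lf prints. The sample file, key bytes and comments are constructed, and lines with an options prefix are not handled.

```python
# Added example: audit constructed authorized_keys lines (sample key is NOT a real key).
# Assumes plain "type base64 comment" lines with no options prefix.
import base64, hashlib, struct

def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def make_ed25519_line(raw32, comment):
    """Build a constructed authorized_keys line from 32 arbitrary bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

def fingerprint(blob):
    """SHA256 fingerprint as ssh-keygen -lf prints it (base64, padding stripped)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return (valid keys as dicts, list of (line_no, reason) problems)."""
    keys, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            problems.append((no, "too few fields"))
            continue
        ktype, b64, comment = parts[0], parts[1], (parts[2] if len(parts) > 2 else "")
        try:
            blob = base64.b64decode(b64, validate=True)
            inner_len = struct.unpack(">I", blob[:4])[0]
            inner_type = blob[4:4 + inner_len].decode()   # type string inside the blob
        except Exception:
            problems.append((no, "key blob is not valid base64/SSH wire format"))
            continue
        if inner_type != ktype:
            problems.append((no, f"declared {ktype} but blob says {inner_type}"))
            continue
        keys.append({"type": ktype, "comment": comment, "fingerprint": fingerprint(blob)})
    return keys, problems

# Constructed file: one valid key, one with a mismatched declared type, one junk line.
SAMPLE = "\n".join([
    "# developer keys pushed to all hosts",
    make_ed25519_line(bytes(range(32)), "alice@laptop"),
    "ssh-rsa " + make_ed25519_line(b"\x01" * 32, "bob@laptop").split()[1] + " bob@laptop",
    "not-a-key",
])
```

Comparing the fingerprints this produces against what each developer reports from ssh-keygen -lf on their own machine is a quick way to confirm the right keys landed on every host.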


Setting up SSL on new Digital Ocean droplet

  1. Create new Droplet - Ubuntu - $5/mo - Datacenter: New York - Private networking, backups, IPv6, monitoring - Select SSH keys - Choose hostname (we used
  2. SSH into new droplet as root user - ssh or ssh -l root

Our IP address was released into the Digital Ocean pool. We had a server at, then deleted that server, so it went back into the pool. BUT we never updated our DNS record for
  1. Go to
  2. Update the A record to the new IPv4 address, and add a new AAAA record for IPv6
  3. Add a PTR record to
Back to setting up SSL...
  1. Get certificate from
  2. On the server, run apt-get update, then apt-get upgrade
  3. On the server, run openssl req -new -newkey rsa:4096 -nodes -keyout example.key -out example.csr (generates the private key and a certificate signing request)
  4. Install Apache on the server: apt-get install apache2
  5. Check that it’s running: service apache2 status
  6. Visit the domain in a browser; it should say “It works!”
  7. On the list of certificates, get the one for the domain, enter the key and click activate
  8. Look for the email when approved
  9. Save stuff into some file (I missed whatever that was)
  10. Now we’re following these instructions for Apache2. NOTE: the instructions for the chain file are outdated
  11. sudo a2enmod ssl
  12. sudo service apache2 restart
  13. sudo vi /etc/apache2/sites-available/default-ssl.conf
  14. cat AddTrustExternalCARoot.crt COMODORSAddTrustCA.crt COMODORSADomain...crt enroll_flatironschool_com.crt > ssl-cert-enroll.pem
  15. cp example.key ssl-cert-enroll.key
  16. mv ssl-cert-enroll.key /etc/ssl/private/
  17. mv ssl-cert-enroll.pem /etc/ssl/certs/
  18. sudo a2ensite default-ssl