// TCP/IP, routing & DNS

Networking & DNS
Study Guide

30 QUESTIONS 6 DOMAINS INFRA & CLOUD
MODELS & FUNDAMENTALS 5 questions
01 Describe the TCP/IP model layers relevant to DevOps troubleshooting.
Link (L2 frames, MAC), Internet (IP, routing), Transport (TCP/UDP ports), Application (HTTP, DNS, TLS). Symptom mapping: no ARP = L2; ping fails across subnets = L3; connection refused vs timeout = L4 vs firewall; TLS errors = app layer.
02 What is the difference between TCP and UDP?
TCP: connection-oriented, reliable, ordered, flow control - HTTP/S, SSH, DB protocols. UDP: datagrams, no guarantee - DNS queries, VoIP, some gaming/metrics. Choose TCP unless latency or statelessness favors UDP.
03 What is NAT and why do we use it?
NAT maps many private IPs to fewer public IPs at a gateway. Outbound connections get ephemeral ports on the public side. Implications: inbound needs port forwarding or DNAT; some protocols break without ALG; logging must correlate internal vs external addresses.
04 What is the difference between symmetric and asymmetric routing?
Symmetric: return path same as forward path - expected for stateful firewalls. Asymmetric: different paths each direction - can break stateful middleboxes (firewalls, LB) that only see one direction. Common with multi-homed servers or bad policy routing.
05 What is ECMP and what breaks when hashing is naive?
Equal-Cost Multi-Path load-shares flows across links via hashing (often 5-tuple). Naive hashing can polarize traffic if few flows; some NICs need RSS tuning. In overlay networks, inner vs outer header hashing affects stickiness.
IP ADDRESSING & ROUTING 5 questions
06 What is CIDR notation (e.g. /24)?
CIDR combines IP prefix with bit mask length. /24 means first 24 bits are network, 8 bits for hosts in that IPv4 block. Determines subnet size and which IPs are same broadcast domain vs routed separately.
07 What is the difference between a default gateway and a route table?
Hosts send non-local traffic to the default gateway. Routers use a routing table (prefix to next hop) including static routes, BGP/OSPF learned routes, and default route. Cloud VPCs use implicit local routes + Internet/NAT gateways.
08 What are private RFC1918 IPv4 ranges?
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Not routable on the public Internet - translated at edge. Plan non-overlapping ranges for VPC peering and VPN to avoid conflicts.
09 What is a VPC route table vs a security group vs a NACL?
Route table: where packets go (subnets, IGW, NAT, TGW). Security group: stateful L4/L5 allow rules on ENIs. NACL: stateless subnet-level allow/deny. All three must permit traffic for connectivity.
10 Explain BGP at a high level for hybrid cloud interviews.
BGP exchanges reachability between autonomous systems. In cloud, used with Direct Connect, VPN, and multi-region. Attributes (AS-PATH, MED, local-pref) influence path selection. Understanding peering and route advertisement prevents blackholes and asymmetric paths.
DNS 5 questions
11 What are the DNS record types A, AAAA, CNAME, and MX?
A/AAAA: hostname to IPv4/IPv6. CNAME: alias to another name (cannot coexist with other data at same name). MX: mail server priority and host. Also know TXT (SPF/DKIM), NS (delegation).
12 What is the difference between authoritative DNS and recursive resolvers?
Authoritative servers answer for zones they own (start of authority). Recursive resolvers (8.8.8.8, corporate DNS) walk the tree for clients and cache results. TTL controls cache freshness; low TTL speeds cutover, high TTL reduces load.
13 What is split-horizon or split DNS?
Different answers for the same name based on viewer location (internal vs external resolver). Used to return private IPs inside the VPC and public IPs from the Internet. Requires careful resolver configuration to avoid leaks or confusion.
14 How does DNS relate to service discovery in Kubernetes?
CoreDNS provides cluster DNS; Services get <svc>.<ns>.svc.cluster.local. Headless services return pod IPs. ExternalName maps to external DNS. Compare with Consul/etcd for mesh-style discovery.
15 What can cause intermittent DNS failures in containers?
CoreDNS overload, conntrack exhaustion, UDP vs TCP fallback for large responses, ndots search path causing extra queries, VPC resolver limits, stale caches after cutover. Debug with dig +trace, tcpdump, and checking /etc/resolv.conf.
TLS, HTTP & LOAD BALANCING 5 questions
16 What happens during a TLS handshake at a high level?
ClientHello (ciphers, SNI), ServerHello + certificate chain, key exchange (ECDHE), Finished messages, then symmetric encryption for application data. Modern TLS 1.2+; prefer TLS 1.3. Certificate must match hostname (SAN).
17 What is the difference between L4 and L7 load balancing?
L4 (NLB): TCP/UDP, fast, IP:port routing, can preserve the client source IP. L7 (ALB): HTTP host/path routing, TLS termination, cookies, WAF integration. L7 sees application semantics; L4 is transparent.
18 What is TLS termination vs passthrough?
Termination: LB decrypts TLS, may re-encrypt to backends (TLS bridge). Passthrough: TCP stream to backend - backend holds certs, LB cannot inspect HTTP. Trade-offs: visibility, cert management, SNI requirements.
19 What is connection draining / deregistration delay?
Stop sending new connections to an unhealthy or scaled-in target while allowing existing TCP/HTTP sessions to finish. Prevents dropped in-flight requests during deploys. Tune delay vs client keepalive behavior.
20 How do health checks affect LB behavior and false negatives?
Active checks (HTTP/TCP) mark targets out of rotation. Too-aggressive checks flap services; wrong path returns 404 and kills good nodes. Consider check interval, threshold, security group paths, and whether checks use correct Host header or mTLS.
CLOUD & HYBRID CONNECTIVITY 5 questions
21 Compare VPN and Direct Connect for hybrid connectivity.
Site-to-site VPN: encrypted over Internet, quick, variable latency, ~1.25 Gbps class limits. Direct Connect: private fiber to AWS, consistent latency, higher bandwidth, longer lead time. Often pair DX primary + VPN backup.
22 What is VPC peering vs Transit Gateway?
Peering: 1:1, no transitive routing by default. TGW: hub-and-spoke, transitive routing, easier multi-account topologies, supports attachments and route domains. TGW costs more but scales operationally.
23 What is a bastion / jump host pattern?
Hardened SSH entry point into private subnets instead of exposing every instance. Prefer SSM Session Manager (no inbound 22), MFA, and short-lived access over long-lived bastions when possible.
24 What is a service mesh data plane vs control plane?
Data plane: sidecar proxies (Envoy) intercepting traffic - mTLS, retries, metrics. Control plane: Istio/Linkerd components programming proxy config. Interview: mesh adds observability and policy at cost of complexity and latency.
25 What are common causes of "works in us-east-1 but not eu-west-1" networking bugs?
Different default VPCs, missing peering/TGW routes, regional endpoints vs global DNS, WAF/geo rules, certificate SAN mismatches, SG referencing self in another region incorrectly, stale CloudFront origins, IAM SCP regional denies.
TROUBLESHOOTING MENTAL MODEL 5 questions
26 What is your order of operations for "cannot reach service"?
1) DNS resolves? 2) Route from client to target subnet? 3) SG/NACL/firewall allow path? 4) Service listening on correct interface/port? 5) LB target healthy? 6) TLS/SNI correct? Document assumptions at each hop.
27 What tools would you use on Linux to debug connectivity?
ping (ICMP may be blocked), traceroute/mtr, dig/nslookup, curl -v, ss -tlnp/netstat, tcpdump, nc -zv. Match tool to layer.
28 What is the difference between a timeout and connection refused?
Refused: SYN reached host, nothing listening on port (or explicit reject). Timeout: no response - often firewall drop, wrong route, or security group. Different fixes: open port vs fix routing/rules.
29 How does MTU affect tunnel and overlay networks?
Encapsulation adds bytes; if path MTU smaller than packet + overhead, fragmentation or black hole (PMTUD failure). Fix: lower interface MTU, TCP MSS clamp, or jumbo frames end-to-end where supported. Common with VPN and Geneve/VXLAN.
30 What is zero trust networking in one paragraph?
Assume breach: verify every request (identity, device posture), least-privilege micro-segmentation, no implicit trust inside the corporate network. Implemented with IdP, service identity (mTLS), network policies, and continuous validation - not "VPN then trust everything on LAN."