Dan Brubaker Horst | Writing

Dash It All

2025-10-18T13:26:01-04:00

I learned the difference between a dash and a semicolon—and when to use them—from my English teacher, Suzanne Ehst, back in 1998, my junior year of high school.¹ I learned the difference between an en-dash and an em-dash from Matthew Butterick in 2013.²

I use dashes in my writing to adjust the cadence so it feels more like spoken word or transcribed thought.³ I type them without thinking on my preferred computing platforms (macOS: option + shift + -; iOS: long-press - then select the longest dash). And, if I have to, I copy them from my list of useful punctuation.

Some Angry Internet People claim that any text written with em dashes must have been composed by an LLM because no one uses dashes in their writing. I disagree. I’ve used the right punctuation in my prose—dashes included—for decades. I’ll keep using them appropriately, even if I risk getting falsely accused of passing off GenAI slop as my own work.

A clause appended to a sentence with a semicolon should be a complete sentence on its own. A sentence fragment must be appended to a sentence with an em-dash. Sue explained it like this: a semicolon is an RV pulling a car; a dash is an RV pulling a trailer. ↩
An en dash “–“ is used to in a range e.g. 10–20. An em dash “—“ is the right punctuation for appending a clause to a sentence or for a parenthetical statement. ↩
I was once chided for using em dashes too often in scientific writing in 2004—the only editorial feedback I remember from college. ↩

Building Custom PCs

2025-05-29T12:20:21-04:00

So, you want to build your first gaming PC? Great! This can be fun—especially if you understand how to make appropriate tradeoffs and avoid common pitfalls.

There is an endless supply of information about the minutia of PC building and the benchmarks of the latest tech. It’s easy to get lost in the details if you can’t evaluate this information critically. The good news is that the fundamentals aren’t that complicated and have remained largely unchanged since 3dfx created the market for PC gaming graphics cards in the late 90s.

Computer performance is a balance between CPU, memory (RAM), GPU, and disk (SSD). Over-power—or under-power—one or two of these core components and you’ll be wasting money on unrealized potential. These essential parts all communicate with each other via different buses and connectors on the motherboard—which is designed for a specific type of CPU. Once assembled, everything must get enough power—from an appropriately-sized power supply—and be able to get rid of the heat that is generated under load; cool computers run better. Oh, and you need to put all of this into some kind of enclosure—like a case or, in a pinch, a cardboard box.

The key design constraints are budget, availability, and the time you’re willing to spend on the endeavor.

Budget: The amount of money you’re willing and able to spend now determines the areas and degrees of investment you can make. Unless you have thousands of dollars to spend on a PC build, you will have to compromise on something.
- Prioritize your spending on the things that are most difficult to change later. The CPU and motherboard are the core of the machine—buying a good set first gives you a foundation you can build on for 6 years—or, possibly, even longer.
- If you can’t afford all the RAM you want now consider spending a little extra to get a single large DIMM—say 16GB—and adding a second (or more) later. That way you won’t end up with a pair of small DIMMs taking up your available RAM slots.
- GPUs are the most expensive single component—and the fastest to get outdated. Don’t blow your budget on something that will diminish in value quickly.
Availability: The crypto boom, COVID supply shocks, and the AI boom have turbocharged demand for GPUs. In this supply-constrained environment, scalpers have made high-end GPUs at MSRP essentially unobtainable on the open market. Someday—maybe—the GPU market will return to a more “normal” state for PC gamers but, until then, sourcing a GPU will remain a major constraint.
Time: If you can devote a lot of time to researching specific components and tinkering with the results—overclocking etc.—you can achieve the best possible result for your money.
- Focus on the core—CPU and motherboard—first then, work your way out.
  - For the CPU, find the price/performance cutoff point of the current offerings and decide if it’s worth it to you to go above that point, if not, select a solid CPU that offers a good value.
    - Motherboards are a bit more complicated. The chipset features, memory configuration, voltage regulator design, and the number and speed of the peripheral busses of a motherboard play a crucial role in how capabable and expandable your machine will be during its functional life. Get a good quality one—but you probably don’t need an ultra-premium gaming-focused one to get the results you want. Don’t get one with integrated graphics for a gaming machine.
- If you don’t have a lot of time, just buy a pre-made machine. At the low end, OEMs have economies of scale and supplier arrangements that you don’t have access to as an individual. At the high end, say Falcon Northwest, you’ll get a more powerful, polished result than can be achieved by all but the most dedicated PC builder.

Other things to avoid:

Tempered glass case windows. It’s common for inexperienced PC builders to push something a little too hard and end up with a bunch of broken glass everywhere. It’s not worth it.
Pushing on anything too hard. Apply just enough force to seat components with good electrical contact. More than that risks damaging or outright breaking something important.
Using too much—or too cheap—thermal compound. You need just enough thermal compound to ensure the physical and thermal coupling between components—like CPU and cooler. Any more thermal compound than absolutely necessary to fill the surface imperfections of the materials will decrease the thermal performance of the joint. Spending a small amount of money on a high-performance thermal compound is a sound investment. Prep the surfaces to remove any skin oils—isopropyl alcohol wipes are fine—and use a squeegee—like an old credit card—to ensure it is applied in a thin, consistent layer.
Liquid cooling. Don’t start with this; get a good heatsink and add more case fans if necessary.
Tiny cases. I’ve always been fond of small computers but it makes fitting everything together and getting the right airflow a lot harder. If you want a small, quiet computer buy a Mac mini or something.
Thinking this will save you money. PC building is less of a money pit than some hobbies—like racing cars or owning a boat or whatever—but you’re not going to get the cheapest possible computing experience.

Go forth and be glorious!

Calendars

2024-11-07T17:54:03-05:00

I am a recovering productivity nerd with a keen sense of my own mortality that spends time with computer systems professionally. Because of this, I’ve accumulated opinions about dates and calendars.

Dates should be written in ISO 8601 format e.g. 2024-12-31.
- The year-month-day order eliminates any ambiguity between month/day/year and day/month/year.
- year-month-day strings are sorted the same both alphabetically and chronologically; n.b. beginning filenames with dates in this format is a great way organize time-bound information.
Weeks are the most useful unit of time.¹ Months are too long to go without a recap. Days are too short to identify any trends. The week number helps anchor it in context; I track two:
- The current year e.g. 2024 WK 45
  - This can be displayed in calendaring software:
    - MacOS Calendar: Settings > Advanced > Show week numbers
    - Google Calendar: Gear Menu > Settings > General > Language and region > View options > Show week numbers
    - Outlook (Mac): Outlook Settings > Other: Calendar > Calendar Options: Show week numbers
    - Fantastical (iOS): Settings > Calendar Views > Calendar Weeks
  - You can configure the Periodic Notes plugin for Obsidian to create weekly notes using this format by setting the Format for Weekly Notes to YYYY/MM/YYYY [WK]ww.
- The week of my life e.g. 2167 (of about 4000). I was born on a Friday so I increment my “death clock” week number at the end of the workweek.
Weeks start on Monday.
- This best reflects the rhythms of school, 9–5 office work, and similar job schedules.
- It keeps the days of the weekend together on the right hand side of a 7-day calendar view making it easier to plan your weekend as a contiguous chunk of time. This reduces context switching when toggling between 5-day (work) and 7-day (personal) week views.
- There is wide support for starting the week on Monday in modern computer and phone operating systems.
  - MacOS: System Settings > Language & Region > First day of the week
  - iOS: Settings > General > Language & Region > First day of the week
  - Google Calendar: Gear Menu > Settings > General > Language and region > View options > Start week on
  - Outlook (Mac): Outlook Settings > Other: Calendar > Work Schedule: First day of week
  - Fantastical (iOS): Settings > Calendar Views > Start Week On
Months are not long enough for long-term planning. If you need to execute a strategy or manage a long-running project, use a one-page year-long compact calendar.
- There is an Excel template that does the heavy lifting. I customize mine to include both types my week numbers and work-specific times e.g. quarters or program increments.
Calendaring, like note-taking, benefits from being physically tangible. You don’t have to draw your calendars from scratch (although that can be satisfying); printing out a compact calendar and annotating it by hand works well.
- Even though it doesn’t employ my preferred calendaring conventions, I have a soft spot for the Field Notes 15-Month Work Station Calendar.
- If your days are extremely busy, then I’ve had good results using the Emergent Task Planner (sadly out of print; you can print your own).

I’ll leave thoughts on time and task management for another day.

For time management anyway; the most useful unit of time for doing is 20 minutes. ↩

Photography

2024-08-23T17:31:10-04:00

I bought my first digital camera in July of 2005. I have taken over 39,000 photos with it—and a series of increasingly sophisticated devices Canon PowerShot A95, Canon Digital Rebel XTi, iPhone 4s, Canon SL1, Nexus 6P, Pixel 3, iPhone 13 Mini, Fuji XT-5 —over the ensuing nineteen years. The act of taking photos is woven into how I experience holidays, family gatherings, vacations, and—at times—my daily life. It’s something that I enjoy doing.

The appeal of photography is multifaceted:

It’s an accessible form of artistic expression.
Photographs are windows into the past; they reflect the life we’ve lived.
It is a technical puzzle: How do you get the results you want by understanding and manipulating your equipment and the environment?
There is gear to be researched, evaluated, purchased, and lusted after.
- Cameras & camera bodies of every degree of quality and sophistication.
- Lenses in every shape, size, and manufacturer—don’t forget vintage glass!
- All sorts of bags, straps, holsters, and clips to keep everything organized and at the ready.
- Filters—glass filters—that abate or modify the light entering the lens in all kinds of ways or stay out of the way and act as protection.
There are a host of workflow and digital asset management concerns.
- Let’s talk about RAW files… (hours pass).
- How to I merge all the photos I take on my phone with the ones I take with my “real” camera?
- What replication strategy across cloud providers makes sense for my needs?
- How much digital refinement or modification to the images do you want to be able to do?
- How can you adjust your camera’s settings to get the best results without having to do as much (or any) post-processing?

Last week, after much indecision, I purchased a full version of Capture One Pro. Now I have a desktop application where I can manage my entire collection of photos for the first time since Google stopped development on Picasa in 2016. I’ve been reviewing the photos I’ve taken—all 39,000—to see which ones I like enough to share on Glass (@dbh) and, in the processes, I’ve come to the conclusion that I’m not a particularly good photographer. I’m an unremarkable amateur that hasn’t meaningfully improved in over a decade.

Why did I take this photo?
Does it make you feel anything?

This isn’t surprising. My once-fervent enthusiasm has waned over the last decade as the pressures of adult life and disillusionment with my results encroached upon my creative drive. I don’t look at the photo books or instructional texts I’ve purchased or asked for as gifts. I haven’t taken the online photography courses I’ve purchased. I’ve stopped listening to photography podcasts. I don’t watch any photography content on YouTube other than gear reviews.

I can get better through directed effort or languish as I am now. Prompted by this newly-acknowledged reality, I finally cracked open my copy of The Art of Photography. The second edition was released in 2017; my unread copy predates that. These points from the first chapter elucidate why I am struggling:

Photography is visual communication.
Photographs are manifestations of the photographer’s interests and how they feel about them; they convey emotion.
Great photographers know their strengths and weaknesses; they leverage their strengths to explore their interests.

Over 99% of the photos I have taken say:

I saw a thing, I positioned the thing in the center of the frame (or, sometimes, on one third of the frame), I checked focus and exposure compensation, I triggered the shutter.

There is no emotional weight to the scene. Lines, shape, and form are limited to rudimentary expression. The direction or intensity of light is barely considered beyond exposure compensation and (rarely) metering mode. Visually striking results occur rarely and randomly because I’m not deliberately making images—I’m taking snapshots. I’d like to be able to do better than that.

Technical Debt

2024-07-31T13:18:44-04:00

Technical debt is both pervasive and disruptive to the discipline of software engineering. No software Aside from ephemeral software that is discarded after use. is free from technical debt. Despite this, it’s hard for organizations to make productive, impactful changes to the processes and practices that cause technical debt to arise.

It is tempting—and common—to draw parallels between technical debt and financial debt. You can try to apply lessons from Financial Peace University to your code base and technical systems but I think it is more useful to think about of technical debt in terms of its impact on marginal cost.

One of core responsibilities of software engineers is to control the marginal cost Marginal cost, by definition, is the change in the total cost when the quantity produced is increased. The marginal costs of software increase in a nonlinear fashion as the complexity of the system increases i.e. it is much easier to change a simpler thing than a complicated thing. The biggest cost centers are engineering time, cloud computing resources, and licensing fees. of:

Extending a system with new functionality
Scaling a system for broader use

This helps keep the cost of change low over time. Keeping marginal costs low was one of the claimed benefits of Extreme Programming (XP); a set of practices that predated Agile. There are good ideas in XP but the methodology has fallen out of favor over time. Agile software development should have similar outcomes but often doesn’t. Marginal costs are influenced by:

Architecture decisions
Process design
Implementation choices

Thus “paying down” technical debt involves remediating one of these aspects of the software development life cycle (SDLC). This isn’t a simple problem space but it is prevalent enough that patterns have emerged. That’s why accumulation of technical debt is one of the Bottlenecks of Scaleups.

The only effective way to manage these marginal costs is to periodically and rigorously simplify standing systems through methods like introducing new layers of abstraction, breaking services into smaller component pieces, and depreciating anything you can get away with.

First Ruck

2024-06-16T10:13:47-04:00

I went for my first ruck yesterday. Rucking is not a new idea for me—I have just been avoiding actually doing it for over a decade. This year, I walked around the backyard once or twice with a weighted pack for a little bit but that was it. Yesterday, did 1.5 miles around the neighborhood in 26 minutes with a 10-pound weight in my pack. Today, I can feel it in my upper back and a little bit in my left ankle.

My partner got me a GoRuck GR0, which is a 16L minimalist assault-style pack, for Christmas in 2013 but I’ve just been using it as a normal backpack. A few months ago I listened to a podcast with Jason McCarthy, the founder of GoRuck, and I learned a lot about how and why to ruck from that conversation. His recommendation was to carry the pack high up on your shoulders—he doesn’t use the waist belt or the sternum strap. Dr. Peter Attia uses both of those straps but also carries up to a 90 pound load. Since I’m starting with a light load (less than 10% body weight), I removed my waist belt but kept the sternum strap.

To pack my weight, I put two synthetic foam yoga blocks at the bottom of my bag then wrapped a beach towel around a 10-pound Rogue change plate so that there was one layer of towel between the plate and the back of the pack. I cinched a Gunner tie-down strap—one from NRS would be fine too—around the towel bundle to hold everything in place. This kept the weight high and close to my shoulders. It also filled the pack so nothing bounced around.

It was hot and sunny when I went out. There’s a lot of shade in my neighborhood but there are stretches of road that get a good amount of sunlight. My subdivision was designed in the 50s and the roads look like a doughnut where if you follow the outer loop, then the inner loop, it’s exactly one mile long. This layout was deliberate—they used to race horses around the “track” formed by the roads in the early years. It’s really convenient for measuring exercise. There’s also some hills—which aren’t too common around here—which helps keep it interesting.

40

2023-04-29T22:28:58-04:00

I was born on Friday, April 29th, 1983. It was unseasonably warm that year. Spring came and went quickly; the trees were no longer blooming when my mother left the hospital.

Now, 2080 weeks later, it doesn’t feel like I’ve passed a life milestone today. But, within the next decade, I expect to reach the inflection point where I have less time remaining than I have already spent on the earth.

I want to be healthy and happy enough to make the best of the second half of my life. To do that, I need to invest in my overall fitness now. A frank self-assessment of my physical health reveals:

I am not metabolically healthy.
I don’t have good enough stability.
My musculature is both underdeveloped and too weak.
I have poor cardiovascular endurance.
I have abysmal peak aerobic output.

Thankfully, I can change all of these things. It will take directed effort and setting aside far more time every week to care for my body than I have over the last twenty years.

I have also underinvested in my mental health in my adult life. To rectify the situation, I’m working with my care team to relieve anxiety, rebuff depression, and improve emotional regulation. Taking care of your mind is hard work too.

Overall, I’m optimistic about the future. One thing concerns me: my 30s feel like they were gone in a flash. The same thing will happen to my 40s if I’m not careful. I can’t slow the passage of time, but I can try to be more mindful of the present.

Ten Years of DevOps Obstacles

2022-02-24T13:44:20-05:00

I started writing about DevOps in 2012. The conversations I’m having in the OIT now sound suspiciously similar to ones I had in the Hesburgh Libraries ten years ago. I am not pleased with this sense of déjà vu.

Today I attended a higher-ed meetup about “DevOps.” The organizers asked a panel to define what that term means and how it worked–or didn’t–at their institution. In response, I said:

DevOps–and “splat”-Ops in general like DevSecOps, GitOps, ChatOps, etc.–attempts to change organizational culture, structure, and practices to improve software delivery performance. Software delivery performance has industry-defined measures, indicators, and associated practices. It asserts that making fast, frequent changes to your services and infrastructure without compromising their integrity is a foundational capability for successful organizations.

I also said that we’re having a hard time doing these things. There are lots of pitfalls when you’re starting:

DevOps enthusiasts want to talk about tools.
- Many DevOps tools adopt a “move fast and break things” mentality; caveat emptor.
- Don’t start a conversation about kuberneties¹.
It is hard to change the behavior of large, established organizations.
- Organization change management–even when done successfully–takes years.
- Be mindful of Conway’s Law. Reimagining your work requires changing your organizational structure. There are existing resources to help with this.
Leadership needs to believe in the benefits of these organizational capabilities
- Lack of buy-in from upper management limits the potential scope & impact of changes.
- Increasing the pace of change is threatening instead of exciting to organizations that have adopted strict ITIL or another lumbering change-management system.
- InfoSec and your auditors need to be allies or you won’t get far

Many of the tools and practices in this space have been around for years. Unless you have novel use cases or operate on a grand scale, you’ll only run into modest technical hurdles. The hard part of changing an organization is re-skilling, reorienting, and realigning the people.

Organizations do not change overnight. It takes a lot of hard work from knowledgeable, well-intentioned people to make a meaningful difference. I take some solace from the fact that our aspirational peers are quick to acknowledge they’re working on issues too.

I’m being a bit facetious here. There’s a vast and powerful array of tooling that takes advantage of the APIs provided by K8s. Even so, avoid using it directly unless you are building platforms instead of solutions. Avoid building platforms unless they provide key business capabilities you can’t get another way–otherwise, have an IaaS partner run them for you. ↩

Software Delivery

2020-10-15T14:45:28-04:00

This was extracted from an internal document I wrote for work but I reference it so often I wanted to give it a more permanent home.

Efficient, reliable, and reproducible software delivery keeps the cost of introducing change low over the lifetime of a service offering. With this as a foundation, organizations can iterate toward adopting and leveraging enterprise integrations that reduce maintenance burden and decrease time to delivery for new work.

Key Measures

From Accelerate, Appendix B and The Key to High Performance (free PDF e-book; email sign-up required) p3 (YouTube). The more painful code deployments are, the poorer the software delivery performance and culture.

Deploy frequency: How often are changes made to production? Favor small, frequent changes.
- Continuous Delivery
- Version control
Lead time: How long does it take to go from commit to running in production?
- Version control
- Test automation
Mean time to restore (MTTR): How long does it take to restore a failed service?
- Version control
- Monitoring
Change fail percentage: How often do changes cause an outage or another negative outcome?
- Strongly correlated with overall software delivery performance

Key Indicators

From Accelerate, Technical Practices and The Key to High Performance (free PDF e-book; email sign-up required) p14 (YouTube).

Continuous Delivery

Test automation: automated tests give quick feedback and create a virtuous cycle of quality
Deployment automation: see Characteristics of Cloud Computing below
Trunk-based development: keep master deployable, favor short-lived feature branches
Shift left on security: include InfoSec early and often in the SDLC
Loosely coupled architecture: see Key Outcomes for System Architecture below
Empowered teams: teams choose the tools they use, favor performance over standards
Continuous integration: run tests on every commit, merge, and deploy

Other Indicators

Version control: track everything—not just code, configuration is just as important
Test data management: automated test suites need access to appropriate data
Monitoring: measure the four golden signals: latency, traffic, errors, saturation

Characteristics of Cloud Computing

From NIST 800-145. Implementing systems that display these characteristics is strongly correlated with high-performance organizations.

On-demand self-service. Allow automatic provisioning of computing resources, storage, etc. without requiring human interaction with the service provider.
Broad network access. Services are available over the network and accessed through standard mechanisms that are device agnostic.
Resource pooling. Storage, processing, memory, network bandwidth, and other resources are pooled, shared, and dynamically assigned using a multi-tenant model.
Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.
Measured service. Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Key Outcomes for System Architecture

Decoupled systems are crucial for lowering the cost of change. This evaluation is from The Key to High Performance (free PDF e-book; email sign-up required) p3 (YouTube).

Can your team make large-scale changes to the design of your systems without the permission of someone outside of your team or without depending on other teams?
Can your team complete its work with neither fine-grained communication nor fine-grained coordination?
Can your team deploy and release your product on-demand independently of other services?
Can your team do most of your testing on-demand without requiring an integrated test environment?
Can your team perform deployments during normal business hours and with negligible downtime?

What Happens When You Type a URL Into a Browser

2020-09-11T11:13:47-04:00

UPDATE 2021-08-30: Jenna Pederson over on the AWS blog wrote a much better response to the question I try to answer here.

I started listening to the “How the Internet Works” episode of the Ladybug podcast today. They set out to answer the technical interview question:

What happens when you type a URL into a browser?

Before I listened to their explanation I pressed pause. This is my explanation of the process without doing any research–just like I wouldn’t be able to do in an interview setting. (Yes, I did type the example commands into my terminal to get the output.)

EDIT: Never mind. I spent way more time on this and went into greater detail than I would if I were speaking off the cuff (I still didn’t do any fact checking or fill in any gaps in my working knowledge so take all of this it with a grain of salt). This is one of the pitfalls of technical interviews. I don’t have a lot of professional experience standing in front of a white board and explaining things extemporaneously and if you asked me to do just that it wouldn’t have gone very well but that doesn’t mean I don’t understand what’s going on. Instead, I write documents that thoroughly explain the required information with an eye towards a less technical audience.

Typing a URL into a browser is something we do all the time and, although it is appears to be simple, a lot of things happen before we get to the web page we’re looking for.

Browsers perform a lot of actions in the address/combo bar itself. As you are typing it tries to guess what you want to do by:

Matching patterns of URLs or words you enter with pages from your browsing history
Querying your default search provider and return the top results
Querying DNS for domain names that match what you have typed so far

The combination and execution of these behaviors vary from browser to browser but they all do something like this. The results of these queries show up as options for you to choose from. Let’s say you don’t select any of these suggestions and press enter when you finish typing. Next, the browser will try to make a request to a web server based on what you typed. To do that, it goes through another two processes:

URL resolution
Content negotiationI'm using the term "content negotiation" loosely here. The narrowest technical definition of content negotiation is the process where the client and the server use accepts headers and content types—HTML, txt, JSON, XML, application/octet stream (binary), etc.—to determine the encoding and/or the content of the response body. I am using it to mean "the client and the server figure out what they need from each other" before the response body is processed by the client.

URLs have a structure:

<protocol>://<OPTIONAL subdomain>.<apex domain>.<toplevel domain (TLD)>:<OPTIONAL port>/<OPTIONAL path>?<OPTIONAL query>=<OPTIONAL paramter>

The steps a browser takes depends on the parts of the URL you entered.

For example:

danhorst.com

Has a few more steps than:

https://www.danhorst.com

URL resolution starts by querying DNS to find an IP address that maps to the address that was entered. DNS (domain name service) is a globally distributed network of servers that store what are essentially big lookup tables for all the domains that are registered on the Internet. Internet infrastructure companies run DNS servers as a part of their operations. For example, CloudFlare runs 1.1.1.1 and Google runs 8.8.8.8. When you create a domain using a registrar like, Hover.com or NameCheap, it registers it with the global lists on servers blessed by ICANN (ICANN governs the Internet and I think the acronym is French so I don’t know what it stands for exactly). The records get picked up by other DNS providers from there. That is why it takes a while for DNS changes to propagate.

The DNS provider your browser uses depends on the network settings of your device. Those settings can are configured per network adapter so they vary based on which one you are using to access the Internet. For most people, the DNS service is provided by your Internet Service Provider (ISP). It can also be manually set to specific provider. Companies may run internal DNS if they want to control how name resolution works on their internal network. For example, if you have a VPN for work it may allow you to resolve DNS records that don’t exist on the public Internet.

There are different kinds of DNS records: A, CNAME, TXT, MX, etc. For name resolution, we’re primary looking at A (address) records. CNAME records can be used to specify additional addresses that resolve to a server (I’m not familiar enough with how this works to be able to explain how this works in detail). MX records have to do with mail routing. TXT records are used for other metadata. For example, Google Webmaster Tools asks you to add a unique TXT record to your domain to prove that you control it.

You can query DNS outside of the browser too. I do this when I need to troubleshoot a connectivity issue.

~ $ dig danhorst.com +short
104.198.14.52

(I use the +short flag to limit the output almost all the time. The default output for dig has way more information than I need for checking name resolution.)

Once the browser has an IP address that maps to the domain it initiates a TCP/IP connection to that IP address. IP stands for “Internet Protocol” and we typically use IPv4 address which take the form of four period-delimited blocks of 1-3 integers e.g. 129.0.0.1, 8.8.8.8IPv6 is also a thing but those addresses are so long I never remember what they look like exactly. IPv6 doesn’t have a lot of support in the Internet at large.. If no protocol is specified in the URL, the browser assumes that you meant HTTP (Hypertext Transfer Protocol) and attempts to connect to port 80 on the IP address of the server.

You can use telnet to check to see if it is possible to connect to a specific port for a given IP address:

~ $ telnet 104.198.14.52 80
Trying 104.198.14.52...
Connected to 104.198.14.52.
Escape character is '^]'.

Or you can use curl to check how the server responds:

curl -I danhorst.com
~ $ curl -I danhorst.com
HTTP/1.1 301 Moved Permanently
Cache-Control: public, max-age=0, must-revalidate
Content-Length: 37
Content-Type: text/plain
Date: Fri, 11 Sep 2020 07:13:49 GMT
Location: https://danhorst.com/
Age: 32302
Connection: keep-alive
Server: Netlify
X-NF-Request-ID: bd036650-87b5-4e74-8033-06731acad39a-25552555

The -I parameter tells curl to make a HEAD request. HTTP defines verbs that clients can use to make requests from servers. The common ones are: GET, POST, and HEAD (PUT, PATCH, and DELETE are valid too but they don’t have universal support). GET requests retrieve content from a web server. POST requests send content to a web server. HEAD requests get only the HTTP headers for a given URL.

A web server’s response to a client request has three parts: status code, headers, and body. A HTTP status code is a 3-digit number that describe the response at a high level. HTTP headers are colon-delimited key-value pairs that contain metadata about the response that the client uses to process the response and, in some cases, make additional requests. The response body is the data that is processed and/or displayed by the client.

See HTTP/1.1 301 Moved Permanently? That’s an HTTP status code. We’ve moved from DNS resolution, which happens at the network layer to content negotiation that happens between the web server and the client. 301 is an HTTP status code that has specifically means “moved permanently”. The 3XX status codes are redirects which means that they tell the client “you need to get the content you are looking for somewhere else”. Thankfully it tells you where to look next via the Location header: https://danhorst.com/.

This redirect also changed the protocol from HTTP to HTTPS (the S stands for “secure”, or it may have originally stood for SSL, Secure Socket Layer, but that means of encryption was deprecated in favor of TLS, Transport Layer Security, years ago.) HTTPS uses a pair of public/private encryption keys to ensure that the messages sent between the client and the server are kept private and unaltered in transit. HTTPS communication is sent over port 443 instead of port 80.

There are two key parts of securing web traffic: a means of validating that the server can be trusted to respond to the requested URL and a means of encrypting and decrypting the messages being sent. Only a few organizations, called Certificate Authorities, can establish that a server is trusted. They issue what is called a “root certificate” that forms the base of the chain of trust between organizations to certify that a server is legit. This takes the form of a “certificate chain” that starts with the root certificate, may include one or more intermediate certificates, and ends with the certificate for the domain associated with a web server. The important things about a certificate chain are that it:

Traces back to a known-good root CA, possibly through one or more intermediate certificates from trusted sources
Is valid for a fixed window of time (typically one year from when it was issued)
Is valid for a specific domain be it wildcard e.g. *.danhorst.com or specific e.g. www.danhorst.com

To establish a chain of trust from a web server that will serve traffic for a specific domain you start by generating a Certificate Signing Request (CSR)Certificate management can be a complicated manual process. That’s why a lot of people prefer setting up something like Let’s Encrypt to auto-renew certificates or put web servers behind a load balancer that integrates with Amazon Certificate Manager (or it’s equivalent outside of AWS) to avoid this whole mess. The only reason I can describe it in detail now is that I had to this two weeks ago.. Generating CSRs, and almost everything else you might want to do with TLS, it handled with specific incantations of openssl. I do this so infrequently I don’t remember the details and have written scripts to take the guesswork out of it. You submit the CSR a certificate authority and they give you back a <certificate-name>.key file that contains the private key to store securely on the server and a certificate chain to share with the world. There are lots of ways to encode the certificate chain but I like to use plain text (X509) so the certificate chain is just a text file with a list of public keys in it (I use a <certificate-name>.pem file to do this). Some web servers expect the root CA to be first and the domain certificate to be last and others are the reverse (don’t ask me why). You may have to experiment to figure how to go from what the certificate authority gave you to what you need for the server to work.

The list of trusted root certificate authorities is managed by the operating system or language runtime of the clientThere have been times where I needed to add certificates to a certificate store and explicitly point a Java process to that certificate to avoid errors (this isn’t a great time).. This only becomes a problems when you have a self-signed certificated (not blessed by a root CA) or if you use a more obscure root CA (why would you do this?).

Once a chain of trust is established using the certificate chainIt’s important to include the entire certificate chain, from the root CA up to the specific cert, or else some clients won’t trust it. There are also ways a certificate can be cross-signed to other authorities, but the specifics are lost on me., the browser uses the public key provided by the certificate chain to encrypt the communication with the server. It does this using one of many methods. There is both the protocol–SSL (deprecated), TLS 1.0 (deprecated), TLS 1.1 (deprecated), TLS 1.2, TLS 1.3 (emerging)–as well as the “cypher suite”–the specific encryption algorithms–used to perform the encryption. The client and the server compare lists of available protocols and cypher suites for those protocols and try to find one they both have in common. It is up to the server administrator to disable weak or defunct protocols and cypher suites on the web server in order to ensure that the connection is secureMost of the Internet that we use day to day is served over HTTPS. Overall, this is a good thing for privacy and security, but it comes with a price: older clients and machines get left behind. A few weeks ago I started up a netbook for the first time in years and it couldn’t make valid HTTPS connections to anything so it was unable to even update it’s packages.. If both the browser and the web server can agree on a supported means of encryption then the request/response cycle can continue.

Let’s try accessing the “Location” header value it returns:

~ $ curl -I https://danhorst.com/
HTTP/2 301
cache-control: public, max-age=0, must-revalidate
content-length: 41
content-type: text/plain
date: Fri, 11 Sep 2020 07:13:50 GMT
location: https://www.danhorst.com/
strict-transport-security: max-age=31536000
age: 40924
server: Netlify
x-nf-request-id: 160d69b1-c6eb-44e5-af2b-64c14a83d621-3083499

Another 301! I’ve configured my website to never serve content from the apex domain danhorst.com. The way apex domains are resolved means that there are fewer options for managing how name resolution works for large, complicated, websites. At least, that’s the way it used to be. I’m short on the specifics, but there was an RFCThe nuts and bolts of how exactly the Internet is described in specs that are referred to as RFCs (I think that stands for Request for Change but that isn’t a great name for a standard that governs something this important.) I have looked at a few of these but they are dry and difficult to read. The formatting doesn’t help either–it’s 80 column fixed width text as if it were old-school terminal output. I’ve had better luck reading them via Pretty RFC., I believe it was originally proposed by Amazon–years ago, made to address this problem and it now has broad support. I chose to follow the outdated guidance of not serving content from apex domains for my personal site but I didn’t for rocketlabdelta.com and I haven’t had any issues (not that either site really gets any traffic).

Following the location header one more time we get:

~ $ curl -I https://www.danhorst.com/
HTTP/2 200
cache-control: public, max-age=0, must-revalidate
content-length: 0
content-type: text/html; charset=UTF-8
date: Fri, 11 Sep 2020 20:09:09 GMT
etag: "53d06608fda472d36b8dae0280615192-ssl"
strict-transport-security: max-age=31536000
age: 1
server: Netlify
x-nf-request-id: 325c0416-d223-4844-9452-7f7737e97a73-8669214

We’ve made it to a page! 2xx status codes mean things are working as expected (4xx are client errors, 5xx are server errors). Now the browser can process the HTML that is returned (you know it’s HTML because of the value of the content-type header). How the browser goes from the HTML document to a web page that you can see and interact with is complicated enough that it deserves it’s own article.