Hi Chris,

I run a program called Little Snitch on my Mac that monitors all incoming and 
outgoing network activity. I have the screws tightened down pretty hard on it, 
so it always asks before it allows an incoming or outgoing connection from a 
program to a new address. 

But in the interim, I have figured it out ... I dug a little deeper and found 

DSimmons-Pro:client dsimmons$ dig raw.githubusercontent.com

; <<>> DiG 9.8.3-P1 <<>> raw.githubusercontent.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37344
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;raw.githubusercontent.com.     IN      A

raw.githubusercontent.com. 6    IN      CNAME   github.map.fastly.net.
github.map.fastly.net.  687     IN      CNAME   prod.github.map.fastlylb.net.
prod.github.map.fastlylb.net. 6 IN      A

So apparently GitHub is using a shared host or load balancer that resolves 
to the same address as a bunch of other websites. Like andyshora.com 
<http://andyshora.com/> and deladdiogames.com <http://deladdiogames.com/> and 
probably others. 

I'm guessing that tcpdump doesn't attempt to resolve the host name for the IP 
address, but Little Snitch does, and gets a (seemingly random) hostname back 
from the shared host/load balancer and therein lies the issue. 


> On Oct 12, 2016, at 12:25 PM, Christopher Collins <ccoll...@apache.org> wrote:
> On Wed, Oct 12, 2016 at 09:16:00AM -0400, David G. Simmons wrote:
>> Good morning,
>> I'm a bit of a security wonk about some things, so I watch what my machine 
>> is doing -- network wise -- pretty carefully. This morning, I was doing a 
>> brand-new newt install and came across something odd. 
>> For some reason, newt tries to make a connection to andyshora.com 
>> <http://andyshora.com/> on port 443. 
>> andyshora.com ->
>>   IP Address:
>>   Registrar: GOOGLE INC.
>>   Whois Server: whois.google.com
>>   Referral URL: http://domains.google.com
>> Why on earth would Newt be attempting this connection? If I deny the 
>> connection request, newt fails. 
> I don't see that same behavior.  While running tcpdump, I executed the
> following commands (latest develop branch of newt):
>    newt new myproj3
>    cd myproj3
>    newt install
> The only peer I see newt connecting to is github (a variety of IP
> addresses).
> Which branch of newt are you using?  Also, out of curiosity, how did you
> determine that it is newt that tries to connect to that domain?
> Thanks,
> Chris

David G. Simmons
(919) 534-5099
Web <https://davidgs.com/> • Blog <https://davidgs.com/davidgs_blog> • Linkedin 
<http://linkedin.com/in/davidgsimmons> • Twitter 
<http://twitter.com/TechEvangelist1> • GitHub <http://github.com/davidgs>
/** Message digitally signed for security and authenticity.  
* If you cannot read the PGP.sig attachment, please go to 
 * http://www.gnupg.com/ <http://www.gnupg.com/> Secure your email!!!
 * Public key available at keyserver.pgp.com <http://keyserver.pgp.com/>
♺ This email uses 100% recycled electrons. Don't blow it by printing!

There are only 2 hard things in computer science: Cache invalidation, naming 
things, and off-by-one errors.
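
The mislabelling discussed in this thread, as an added example (not code from the original messages, from newt, or from Little Snitch): it parses dig-style answer lines, follows the CNAME chain, and labels a connection by the names the process actually queried instead of by whichever name happens to map to the IP. The address 192.0.2.10 is a documentation placeholder because the thread does not show the real one, the andyshora.com and example.org records are constructed, and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed answer-section lines in dig format. 192.0.2.10 is a documentation
# placeholder address (the thread does not show the real one); the andyshora.com
# record is an assumed illustration of another site on the same shared edge.
SAMPLE_ANSWERS = """\
raw.githubusercontent.com. 6 IN CNAME github.map.fastly.net.
github.map.fastly.net. 687 IN CNAME prod.github.map.fastlylb.net.
prod.github.map.fastlylb.net. 6 IN A 192.0.2.10
andyshora.com. 300 IN A 192.0.2.10
example.org. 300 IN A 192.0.2.77
"""

def parse_answers(text):
    """Return (cname, addrs): alias -> target, and name -> set of A addresses."""
    cname, addrs = {}, defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or line.startswith(";") or fields[2] != "IN":
            continue  # skip comments, blanks and records with no rdata
        name, rtype, rdata = fields[0].rstrip(".").lower(), fields[3], fields[4]
        if rtype == "CNAME":
            cname[name] = rdata.rstrip(".").lower()
        elif rtype == "A":
            addrs[name].add(rdata)
    return cname, addrs

def resolve(name, cname, addrs, max_hops=8):
    """Follow the CNAME chain from name and return the addresses it ends at."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):  # bound the walk so a CNAME loop cannot hang us
        if name not in cname:
            return addrs.get(name, set())
        name = cname[name]
    return set()

def names_for_ip(ip, cname, addrs):
    """Every observed name (alias or owner) that ends up at ip."""
    return sorted(n for n in set(cname) | set(addrs) if ip in resolve(n, cname, addrs))

def attribute(ip, queried, cname, addrs):
    """Label a connection by the names the process asked for, not by the IP alone."""
    candidates = names_for_ip(ip, cname, addrs)
    asked = {q.rstrip(".").lower() for q in queried}
    return {"candidates": candidates,
            "intended": [n for n in candidates if n in asked],
            "ambiguous": len(candidates) > 1}
```
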
