On Wed, Oct 12, 2016 at 12:36:45PM -0400, David G. Simmons wrote:
> Hi Chris,
> I run a program called Little Snitch on my Mac that monitors all
> incoming and outgoing network activity. I have the screws tightened
> down pretty hard on it, so it always asks before it allows an incoming
> or outgoing connection from a program to a new address.
> But in the interim, I have figured it out ... I dug a little deeper,
> and found this:
> DSimmons-Pro:client dsimmons$ dig raw.githubusercontent.com
> ; <<>> DiG 9.8.3-P1 <<>> raw.githubusercontent.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37344
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;raw.githubusercontent.com. IN A
> ;; ANSWER SECTION:
> raw.githubusercontent.com. 6 IN CNAME github.map.fastly.net.
> github.map.fastly.net. 687 IN CNAME
> prod.github.map.fastlylb.net. 6 IN A 220.127.116.11
> So apparently github is using a shared-hosting or load-balancer that
> resolves to the same address as a bunch of other websites. Like
> andyshora.com <http://andyshora.com/> and deladdiogames.com
> <http://deladdiogames.com/> and probably others.
> I'm guessing that TCPDump doesn't attempt to resolve the host name for
> the IP address, but LittleSnitch does, and gets a (seemingly random)
> hostname back from the shared host/load balancer and therein lies the

Oh wow, that is interesting. When I tried, I must have gotten "lucky,"
because github didn't use any unusual looking addresses.
Thanks for following up.