On Wed, Oct 12, 2016 at 12:36:45PM -0400, David G. Simmons wrote:
> Hi Chris,
> 
> I run a program called Little Snitch on my mac that monitors all
> incoming and outgoing network activity. I have the screws tightened
> down pretty hard on it, so it always asks before it allows an incoming
> or outgoing connection from a program to a new address. 
> 
> But in the interim, I have figured it out ... I dig a little deeper,
> and found this:
> 
> DSimmons-Pro:client dsimmons$ dig raw.githubusercontent.com
> 
> ; <<>> DiG 9.8.3-P1 <<>> raw.githubusercontent.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37344
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;raw.githubusercontent.com.   IN      A
> 
> ;; ANSWER SECTION:
> raw.githubusercontent.com. 6  IN      CNAME   github.map.fastly.net.
> github.map.fastly.net.        687     IN      CNAME   prod.github.map.fastlylb.net.
> prod.github.map.fastlylb.net. 6       IN      A       151.101.32.133
> 
> So apparently github is using a shared-hosting or load-balancer that
> resolves to the same address as a bunch of other websites. Like
> andyshora.com <http://andyshora.com/> and deladdiogames.com
> <http://deladdiogames.com/> and probably others. 
> 
> I'm guessing that TCPDump doesn't attempt to resolve the host name for
> the IP address, but LittleSnitch does, and gets a (seemingly random)
> hostname back from the shared host/load balancer and therein lies the
> issue. 

Oh wow, that is interesting.  When I tried, I must have gotten "lucky,"
because github didn't use any unusual looking addresses.

Thanks for following up.

Chris
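
Added example, not part of the original thread: a small Python sketch of why labelling a connection by IP address is ambiguous on a shared CDN front end. It parses the answer section quoted above, follows the CNAME chain, and lists every name whose chain ends at the same address. The two extra A records and their TTLs are constructed for illustration, since the message only says those sites resolve to the same address.

```python
import re
from collections import defaultdict

# Answer section from the dig output quoted above, plus two A records
# constructed for illustration (TTL 300 is an assumption, not from the thread).
ANSWER = """\
raw.githubusercontent.com. 6 IN CNAME github.map.fastly.net.
github.map.fastly.net. 687 IN CNAME prod.github.map.fastlylb.net.
prod.github.map.fastlylb.net. 6 IN A 151.101.32.133
andyshora.com. 300 IN A 151.101.32.133
deladdiogames.com. 300 IN A 151.101.32.133
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)$")

def parse_records(text):
    """Return (cnames, addrs): name -> target, name -> set of IPv4 strings."""
    cnames, addrs = {}, defaultdict(set)
    for line in text.splitlines():
        m = RR.match(line.strip())
        if not m:
            continue  # skip comments, blanks and other record types
        name, _ttl, rtype, data = m.groups()
        name = name.rstrip(".").lower()
        if rtype == "CNAME":
            cnames[name] = data.rstrip(".").lower()
        else:
            addrs[name].add(data)
    return cnames, addrs

def resolve(name, cnames, addrs, max_hops=8):
    """Follow the CNAME chain from name; return (chain, set of addresses)."""
    chain = [name.rstrip(".").lower()]
    while chain[-1] in cnames:
        if len(chain) > max_hops:
            raise ValueError("CNAME chain too long or looping")
        chain.append(cnames[chain[-1]])
    return chain, set(addrs.get(chain[-1], ()))

def names_for_ip(ip, cnames, addrs):
    """Every known name whose chain ends at ip: the candidates a monitor could show."""
    names = set(cnames) | set(addrs)
    return sorted(n for n in names if ip in resolve(n, cnames, addrs)[1])
```

For egress rules or connection logs, this is why the name the client actually queried is a more reliable label than a name looked up from the destination address afterwards.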
