Elementary, my dear Watson! or, why secure DNS is a good thing

Sherlock Holmes and Dr. John Watson strolled through my neighborhood on a pleasant September evening. What case they were working I have no notion, but I distinctly heard this exchange from my upstairs window:

“Small enough house, this,” said Watson, “and the yard is a horror, but the trim’s lately painted and the gutters new. Minor civil servant?”

“An academic librarian,” Holmes declared confidently, “with a professional interest in institutional repositories and, hm, quite likely other library technology as well. Possibly even one of Michael Gorman’s ‘blog people.’ Dried fruit is a favorite breakfast food, kept in a Whirlpool refrigerator—odd, that; I’d have thought this one a bit of a conservationist.”

“Remarkable, Holmes!” exclaimed Watson. “However did you determine so much without even a sight of the house’s inhabitants?”

“Elementary, my dear Watson,” said Holmes, drawing a Raspberry Pi out of his pocket. “I merely sniffed DNS queries on the house network.”


The Domain Name System (DNS) is the system that matches IP addresses to domain names. For example, as I type this, the domain dsalo.info is mapped to the IPv4 address 192.241.132.143. Any device needing to know this—to browse this website, for instance—sends a “DNS query” containing the domain name into the system, which (through rather roundabout means; here is a good explainer if you care to know more) determines and returns the corresponding IP address.

Here’s the thing. DNS queries and responses presently travel over the Internet in the clear, unencrypted. A teensy little Raspberry Pi computer attached to a network can indeed sniff that network for them! This allows the Holmeses of this world to learn quite a lot about the Internet behavior of the sniffed network’s denizens, even if every single website they visit is HTTPS-encrypted. It’s much like the NSA’s cell-phone “metadata”: content is unavailable, but there’s plenty to be learnt without it.

The Not-so-Secret Royalty of the Internet is presently trying to fix this mess. Last I looked, there were three different proposals in the hopper for securing DNS queries from random detectives and other malfeasors. Though none of them is receiving unanimous acclaim, DNS-over-HTTPS appears to be something of a frontrunner due to ease of implementation.
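To make the two preceding points concrete (what a cleartext DNS query exposes, and how DNS-over-HTTPS wraps the very same message), here is an added example that is not part of the original post. It builds a standard RFC 1035 query, shows exactly what an on-path sniffer reads from it, and then encodes it the way an RFC 8484 DoH client would put it in a GET request. The resolver URL `https://doh.example/dns-query` is a placeholder, nothing is sent over the network, and the domain names used are taken from the list later in the post.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def build_query(name, txid=0):
    """Build a minimal DNS query (RFC 1035) for the A record of `name`.

    Header: ID, flags (RD=1 only), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    RFC 8484 recommends ID 0 for DoH so identical questions give identical URLs.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    return header + question


def parse_qname(msg, offset):
    """Read the length-prefixed labels of QNAME at `offset`; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # A client question never uses compression pointers; treat one as malformed.
            raise ValueError("unexpected compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def sniffed_question(msg):
    """What an observer of cleartext port-53 traffic learns from one query: name and type."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = parse_qname(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass}


def doh_get_url(msg, resolver="https://doh.example/dns-query"):
    """Wrap the same wire-format message for DNS-over-HTTPS (RFC 8484, GET form):
    base64url without '=' padding in the `dns` query parameter. Over the wire this
    URL travels inside TLS, so a sniffer sees only the resolver's address."""
    param = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={param}"


def doh_param_to_message(url):
    """Inverse of doh_get_url: what the resolver, and only the resolver, recovers."""
    param = parse_qs(urlsplit(url).query)["dns"][0]
    padded = param + "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(padded)


if __name__ == "__main__":
    # Constructed sample: a few of the names Holmes would have seen on this network.
    for host in ("whirlpool.com", "sunmaid.com", "webapi.camera.home.nest.com"):
        wire = build_query(host)
        print("cleartext Do53 reveals:", sniffed_question(wire))
        print("same message as DoH:   ", doh_get_url(wire))
```

The point of the round trip is that DoH changes nothing about the DNS message itself; it only moves the transport from bare UDP into an HTTPS session, so the QNAME that `sniffed_question` pulls out so easily becomes visible only to the resolver you chose to trust.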

Whichever proposal wins out, I would hope libraries would have the sense to implement it as soon as practical.


Below is the list of domain names on which Holmes based his deductions. I got the list by turning Wireshark loose to packet-capture my own home network one morning when nobody else was home, then saving the sniffed traffic as a “packet-capture” (colloquially “pcap”) file and running Wireshark’s Statistics --> Resolved Addresses command on it. By all means see if you can reproduce Holmes’s deductions! As I tell my students, I’m a hypocrite: I deplore the Internet of Things, yet I have an internetted Thing in my very own home.

# Resolved addresses found in /Users/Dorothea/Dropbox/Courses/510/ExamplePCAP.pcap
# Hosts
# 72 entries.
170.224.177.96 whirlpool.com
107.20.197.119 rpxnow.com
52.48.107.73 www.atmire.com
104.154.236.248 248.236.154.104.bc.googleusercontent.com
74.126.144.95 74-126-144-95.wansec.net
74.126.144.96 74-126-144-96.wansec.net
107.20.133.174 rpxnow.com
172.217.9.33 photos-ugc.l.googleusercontent.com
192.0.77.32 s0.wp.com
72.21.91.70 cs45.wac.edgecastcdn.net
104.19.196.151 cdnjs.cloudflare.com
52.55.165.109 grpc-web-proxy01-production-849742786.us-east-1.elb.amazonaws.c
23.45.144.149 e2486.g.akamaiedge.net
216.80.72.149 vbw1.ala.org
107.20.177.204 rpxnow.com
23.192.166.97 e3194.x.akamaiedge.net
104.19.199.151 cdnjs.cloudflare.com
18.210.177.140 ec2-18-210-177-140.compute-1.amazonaws.com
34.232.198.212 grpc-web-proxy01-production-849742786.us-east-1.elb.amazonaws.c
34.234.240.76 ec2-34-234-240-76.compute-1.amazonaws.com
151.101.184.134 prod.disqus.map.fastlylb.net
176.9.5.110 static.110.5.9.176.clients.your-server.de
52.84.11.178 d3hmp0045zy3cs.cloudfront.net
13.33.165.155 server-13-33-165-155.ord50.r.cloudfront.net
72.21.81.200 cs22.wpc.v0cdn.net
104.19.195.151 cdnjs.cloudflare.com
151.101.184.188 dualstack.imgix.map.fastly.net
198.58.116.203 meredith.wolfwater.com
192.0.77.2 i0.wp.com
52.222.217.179 server-52-222-217-179.msp50.r.cloudfront.net
128.148.254.67 plibwwwcit.services.brown.edu
10.0.1.1 Galactus.local
172.217.3.225 photos-ugc.l.googleusercontent.com
52.222.209.170 server-52-222-209-170.msp50.r.cloudfront.net
128.193.164.120 lib-c4l.library.oregonstate.edu
192.241.132.143 devo.reclaimhosting.com
23.21.245.99 sunmaid.com
104.19.198.151 cdnjs.cloudflare.com
192.0.73.2 secure.gravatar.com
52.84.11.137 d3hmp0045zy3cs.cloudfront.net
34.229.227.71 ec2-34-229-227-71.compute-1.amazonaws.com
34.224.175.4 webapi.camera.home.nest.com
52.54.32.125 webapi.camera.home.nest.com
94.130.66.93 mokum.place
224.0.0.2 all-routers.mcast.net
162.144.29.143 162-144-29-143.unifiedlayer.com
207.38.94.44 web623.webfaction.com
108.177.122.132 photos-ugc.l.googleusercontent.com
52.201.33.128 webapi.camera.home.nest.com
54.243.117.215 prodhost-1739552751.us-east-1.elb.amazonaws.com
52.84.11.145 d3hmp0045zy3cs.cloudfront.net
54.243.186.135 prodhost-1739552751.us-east-1.elb.amazonaws.com
52.222.209.29 server-52-222-209-29.msp50.r.cloudfront.net
52.44.49.101 grpc-web-proxy01-production-849742786.us-east-1.elb.amazonaws.c
93.184.216.182 s9.gp1.wac.gammacdn.net
52.86.243.133 ec2-52-86-243-133.compute-1.amazonaws.com
104.19.197.151 cdnjs.cloudflare.com
52.84.11.100 d3hmp0045zy3cs.cloudfront.net
2606:2800:220:807:12d7:2210:17b1:7cf s9.gp1.wac.gammacdn.net
2400:cb00:2048:1::6813:c597 cdnjs.cloudflare.com
2607:f8b0:4009:80a::2001 photos-ugc.l.googleusercontent.com
2607:f8b0:4009:815::2003 ord38s08-in-x03.1e100.net
2607:f8b0:4009:812::2001 photos-ugc.l.googleusercontent.com
2607:f8b0:4002:c06::5f yv-in-x5f.1e100.net
fe80::de9b:9cff:feef:be21 Galactus.local
2607:f8b0:4002:c09::be yb-in-xbe.1e100.net
2400:cb00:2048:1::6813:c697 cdnjs.cloudflare.com
2400:cb00:2048:1::6813:c397 cdnjs.cloudflare.com
2400:cb00:2048:1::6813:c797 cdnjs.cloudflare.com
2a04:4e42:2c::188 dualstack.imgix.map.fastly.net
2607:f8b0:4009:803::2016 ord37s08-in-x16.1e100.net
2400:cb00:2048:1::6813:c497 cdnjs.cloudflare.com
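For readers who take up the invitation to reproduce the deductions, here is an added example (not part of the original post) that reads Wireshark's “Resolved Addresses” text format, drops the addresses that say nothing about browsing (private, link-local, multicast), and groups the remaining hostnames by a rough guess at the owning organisation. The sample lines are copied from the list above with the pcap path replaced by a placeholder; the “last two labels” grouping is a deliberate simplification and a real tool would consult the Public Suffix List.

```python
import ipaddress
from collections import defaultdict

# Sample lines copied from the list above; the path is a placeholder.
SAMPLE = """\
# Resolved addresses found in /path/to/ExamplePCAP.pcap
# Hosts
# 10 entries.
170.224.177.96 whirlpool.com
23.21.245.99 sunmaid.com
34.224.175.4 webapi.camera.home.nest.com
52.54.32.125 webapi.camera.home.nest.com
10.0.1.1 Galactus.local
224.0.0.2 all-routers.mcast.net
fe80::de9b:9cff:feef:be21 Galactus.local
52.48.107.73 www.atmire.com
216.80.72.149 vbw1.ala.org
52.55.165.109 grpc-web-proxy01-production-849742786.us-east-1.elb.amazonaws.c
"""


def parse_resolved_addresses(text):
    """Yield (ip_address, hostname) pairs from Wireshark 'Resolved Addresses' output.

    Lines starting with '#' are comments; data lines are '<ip> <name>'.
    Lines whose first field is not an IP address are skipped rather than guessed at.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield ip, parts[1].lower()


def is_public(ip):
    """True for globally routable addresses; the rest are local plumbing, not browsing."""
    return not (ip.is_private or ip.is_link_local or ip.is_multicast
                or ip.is_loopback or ip.is_reserved or ip.is_unspecified)


def organisation(hostname):
    """Crude registrable-domain guess: the last two labels.

    Fine for .com/.org/.net names; wrong for co.uk-style suffixes, which is why
    production tooling uses the Public Suffix List instead.
    """
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def summarize(text):
    """Map each organisation to the sorted list of distinct hostnames seen for it.

    Only public addresses count; the truncated 'amazonaws.c' line is kept as-is,
    since repairing it would mean inventing data.
    """
    names = defaultdict(set)
    for ip, host in parse_resolved_addresses(text):
        if is_public(ip):
            names[organisation(host)].add(host)
    return {org: sorted(hosts) for org, hosts in names.items()}


if __name__ == "__main__":
    for org, hosts in sorted(summarize(SAMPLE).items(), key=lambda kv: (-len(kv[1]), kv[0])):
        print(f"{org:20} {len(hosts)} hostname(s): {', '.join(hosts)}")
```

Run against the full list, the grouping makes the deductions in the opening dialogue almost mechanical: appliance vendors, a dried-fruit brand and a camera service each surface as their own line, and none of it required a single byte of page content.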