Elementary, my dear Watson! or, why secure DNS is a good thing

Sherlock Holmes and Dr. John Watson strolled through my neighborhood on a pleasant September evening. What case they were working I have no notion, but I distinctly heard this exchange from my upstairs window:

“Small enough house, this,” said Watson, “and the yard is a horror, but the trim’s lately painted and the gutters new. Minor civil servant?”

“An academic librarian,” Holmes declared confidently, “with a professional interest in institutional repositories and, hm, quite likely other library technology as well. Possibly even one of Michael Gorman’s ‘blog people.’ Dried fruit is a favorite breakfast food, kept in a Whirlpool refrigerator—odd, that; I’d have thought this one a bit of a conservationist.”

“Remarkable, Holmes!” exclaimed Watson. “However did you determine so much without even a sight of the house’s inhabitants?”

“Elementary, my dear Watson,” said Holmes, drawing a Raspberry Pi out of his pocket. “I merely sniffed DNS queries on the house network.”

The Domain Name System (DNS) is the system that maps domain names to IP addresses. For example, as I type this, the domain dsalo.info is mapped to an IPv4 address. Any device needing to know that address (in order to browse this website, for instance) sends a “DNS query” containing the domain name into the system, which (through rather roundabout means; here is a good explainer if you care to know more) determines and returns the corresponding IP address.

Here’s the thing. DNS queries and responses presently travel over the Internet in the clear, unencrypted. A teensy little Raspberry Pi computer can indeed sniff them on any network whose traffic it can see! This allows the Holmeses of this world to learn quite a lot about the Internet behavior of the sniffed network’s denizens, even if every single website they visit is HTTPS-encrypted: HTTPS hides what you read on a site, but the DNS query that preceded the visit announces which site it was. It’s much like the NSA’s cell-phone “metadata”: content is unavailable, but there’s plenty to be learnt without it.

The Not-so-Secret Royalty of the Internet is presently trying to fix this mess. Last I looked, there were three different proposals in the hopper for securing DNS queries from random detectives and other malfeasors. Though none of them is receiving unanimous acclaim, DNS-over-HTTPS appears to be something of a frontrunner due to ease of implementation.
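To make the two halves of that concrete, here is a small Python script added for this edit (it is not code from the original post). It builds a DNS query in the RFC 1035 wire format, parses it back the way a passive sniffer such as Holmes’s Raspberry Pi would, and then wraps the very same bytes as the `dns=` parameter of a DNS-over-HTTPS GET request per RFC 8484, which is the part that travels inside TLS and so stays out of the sniffer’s reach. The hostname and transaction ID are constructed for illustration, and `https://dns.example/dns-query` is a placeholder resolver URL, not a real service.

```python
"""Added example (not from the original post): what a passive sniffer reads
from a plain DNS query, and how DNS-over-HTTPS (RFC 8484) carries the same
message. All byte strings are built here, not captured from a real network."""
import base64
import struct


# --- RFC 1035 wire format ----------------------------------------------------

def encode_qname(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txn_id=0x1234, qtype=1):
    """Build a standard recursive query (QTYPE 1 = A, QCLASS 1 = IN)."""
    # id, flags (RD bit set), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def decode_qname(msg, offset):
    """Read a name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the original position)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # two-byte compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def sniff_question(payload):
    """Parse the header and first question of a DNS message exactly as an
    on-path sniffer can: no key needed, because plain DNS is unencrypted."""
    if len(payload) < 12:
        raise ValueError("too short for a DNS header")
    txn_id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    name, off = decode_qname(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"id": txn_id, "is_response": bool(flags & 0x8000),  # QR bit
            "qname": name, "qtype": qtype, "qclass": qclass}


# --- RFC 8484 DoH GET encoding -------------------------------------------------

def doh_get_url(query, resolver="https://dns.example/dns-query"):
    """Wrap a wire-format query as the dns= parameter of a DoH GET: base64url
    without padding. The resolver URL is a placeholder, not a real service."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"


if __name__ == "__main__":
    q = build_query("webapi.camera.home.nest.com")   # constructed example name
    print("on the wire, a sniffer reads:", sniff_question(q))
    print("with DoH, this URL travels inside TLS:", doh_get_url(q))
```

The point of the last line is what the sniffer does not get: with DoH the only thing visible on the wire is a TLS connection to the resolver, and the hostname lives inside it.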

Whichever proposal wins out, I would hope libraries would have the sense to implement it as soon as practical.

Below is the list of domain names on which Holmes based his deductions. I got the list by turning Wireshark loose to packet-capture my own home network one morning when nobody else was home, then saving the sniffed traffic as a “packet-capture” (colloquially “pcap”) file and running Wireshark’s Statistics --> Resolved Addresses command on it. By all means see if you can reproduce Holmes’s deductions! As I tell my students, I’m a hypocrite: I deplore the Internet of Things, yet I have an internetted Thing in my very own home.
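Turning a Resolved Addresses export into Holmes-style deductions is mostly a matter of throwing away the noise. As an added example written for this edit (not the author’s code), here is a Python script that reads text in the same address-then-hostname shape as the list below, drops mDNS `.local` names and link-local addresses that never left the house, tallies the rest by their last two labels, and separates the shared CDN and cloud hostnames (which say only “someone browsed the web”) from the ones that describe the household. The sample input is constructed: its IPv6 lines are copied from the list below, and its IPv4 lines pair RFC 5737 documentation addresses with hostnames from that list. The set of “infrastructure” domains is my own assumption, and the two-label rule is a rough stand-in for a real public-suffix list.

```python
"""Added example (not from the original post): tally a Wireshark
"Resolved Addresses" export by domain and separate shared infrastructure
from the names that actually describe a household."""
import ipaddress
from collections import Counter

# Constructed sample in the "address hostname" shape of the post's list.
# IPv6 lines are copied from that list; IPv4 lines pair RFC 5737
# documentation addresses with hostnames taken from it.
SAMPLE = """\
# Resolved addresses found in ExamplePCAP.pcap
# Hosts
2607:f8b0:4009:80a::2001 photos-ugc.l.googleusercontent.com
2400:cb00:2048:1::6813:c597 cdnjs.cloudflare.com
2400:cb00:2048:1::6813:c697 cdnjs.cloudflare.com
fe80::de9b:9cff:feef:be21 Galactus.local
192.0.2.10 webapi.camera.home.nest.com
192.0.2.11 whirlpool.com
192.0.2.12 sunmaid.com
192.0.2.13 server-52-222-209-170.msp50.r.cloudfront.net
"""

# Assumed set of shared CDN / cloud domains. Seeing these tells you the
# household browses the web, not which appliance sits in its kitchen.
INFRASTRUCTURE = {
    "akamaiedge.net", "amazonaws.com", "cloudflare.com", "cloudfront.net",
    "edgecastcdn.net", "fastly.net", "fastlylb.net", "googleusercontent.com",
    "1e100.net", "v0cdn.net", "gammacdn.net",
}


def parse_resolved(text):
    """Yield (address, hostname) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue              # an address with no name: nothing to learn
        yield parts[0], parts[1]


def registrable(hostname):
    """Last two labels of the name. Rough: a real tool would consult the
    public suffix list so that e.g. library.oregonstate.edu stays whole."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def tally(text):
    """Count resolved names per registrable domain, ignoring mDNS `.local`
    names and link-local addresses, which are purely local chatter."""
    counts = Counter()
    for addr, host in parse_resolved(text):
        if host.lower().endswith(".local"):
            continue
        try:
            if ipaddress.ip_address(addr).is_link_local:
                continue
        except ValueError:
            continue              # not an address at all; skip the line
        counts[registrable(host)] += 1
    return counts


def telling(counts):
    """Drop the shared infrastructure; what remains is what Holmes used."""
    return {d: n for d, n in counts.items() if d not in INFRASTRUCTURE}


if __name__ == "__main__":
    c = tally(SAMPLE)
    print("all domains:", dict(c))
    print("telling domains:", telling(c))
```

Run against the full list below, the same script would surface the refrigerator, the dried fruit and the camera while the dozens of CDN names fall away, which is exactly the asymmetry that makes DNS metadata so revealing.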

# Resolved addresses found in /Users/Dorothea/Dropbox/Courses/510/ExamplePCAP.pcap
# Hosts
# 72 entries.
whirlpool.com
rpxnow.com
www.atmire.com
74-126-144-95.wansec.net
74-126-144-96.wansec.net
rpxnow.com
photos-ugc.l.googleusercontent.com
s0.wp.com
cs45.wac.edgecastcdn.net
cdnjs.cloudflare.com
grpc-web-proxy01-production-849742786.us-east-1.elb.amazonaws.c
e2486.g.akamaiedge.net
vbw1.ala.org
rpxnow.com
e3194.x.akamaiedge.net
cdnjs.cloudflare.com
ec2-18-210-177-140.compute-1.amazonaws.com
grpc-web-proxy01-production-849742786.us-east-1.elb.amazonaws.c
ec2-34-234-240-76.compute-1.amazonaws.com
prod.disqus.map.fastlylb.net
static.
d3hmp0045zy3cs.cloudfront.net
server-13-33-165-155.ord50.r.cloudfront.net
cs22.wpc.v0cdn.net
cdnjs.cloudflare.com
dualstack.imgix.map.fastly.net
meredith.wolfwater.com
i0.wp.com
server-52-222-217-179.msp50.r.cloudfront.net
plibwwwcit.services.brown.edu
Galactus.local
photos-ugc.l.googleusercontent.com
server-52-222-209-170.msp50.r.cloudfront.net
lib-c4l.library.oregonstate.edu
devo.reclaimhosting.com
sunmaid.com
cdnjs.cloudflare.com
secure.gravatar.com
d3hmp0045zy3cs.cloudfront.net
ec2-34-229-227-71.compute-1.amazonaws.com
webapi.camera.home.nest.com
webapi.camera.home.nest.com
mokum.place
all-routers.mcast.net
162-144-29-143.unifiedlayer.com
web623.webfaction.com
photos-ugc.l.googleusercontent.com
webapi.camera.home.nest.com
prodhost-1739552751.us-east-1.elb.amazonaws.com
d3hmp0045zy3cs.cloudfront.net
prodhost-1739552751.us-east-1.elb.amazonaws.com
server-52-222-209-29.msp50.r.cloudfront.net
grpc-web-proxy01-production-849742786.us-east-1.elb.amazonaws.c
s9.gp1.wac.gammacdn.net
ec2-52-86-243-133.compute-1.amazonaws.com
cdnjs.cloudflare.com
d3hmp0045zy3cs.cloudfront.net
2606:2800:220:807:12d7:2210:17b1:7cf s9.gp1.wac.gammacdn.net
2400:cb00:2048:1::6813:c597 cdnjs.cloudflare.com
2607:f8b0:4009:80a::2001 photos-ugc.l.googleusercontent.com
2607:f8b0:4009:815::2003 ord38s08-in-x03.1e100.net
2607:f8b0:4009:812::2001 photos-ugc.l.googleusercontent.com
2607:f8b0:4002:c06::5f yv-in-x5f.1e100.net
fe80::de9b:9cff:feef:be21 Galactus.local
2607:f8b0:4002:c09::be yb-in-xbe.1e100.net
2400:cb00:2048:1::6813:c697 cdnjs.cloudflare.com
2400:cb00:2048:1::6813:c397 cdnjs.cloudflare.com
2400:cb00:2048:1::6813:c797 cdnjs.cloudflare.com
2a04:4e42:2c::188 dualstack.imgix.map.fastly.net
2607:f8b0:4009:803::2016 ord37s08-in-x16.1e100.net
2400:cb00:2048:1::6813:c497 cdnjs.cloudflare.com