about "it was not me, it was someone else" or "it was just a HEAD request, I didn't really see that picture" will make a difference in all cases. (We will likely be able to trace back the actual request to someone, but it may not help the host in question.)
That's why I suggested "OPTIONS" or "TRACE". There is no real content exchanged in either of those two verbs. Well, I guess a truly subverted HTTP server could send content with any verb, but equally you can run a content server over DNS if you try hard enough...

I don't think it matters that many web servers don't implement those VERBs, as the exchange from a TCP perspective is identical to a GET or HEAD in either case. The only difference is that the content may be an options list or a 400 response. Not something a TCP stack cares about.

That is not to ignore the concern you raised. I agree that it's very real. But it's a question of degree, as the risk already exists. If someone was trawling thru my ISP's dnscache logs and saw queries to unsavoury host names referred to by UDMs, that could similarly be embarrassing. Or worse, raise an alert with the local authorities if the host names in question contain words on a government proscribed list - as exist in some countries already.

So if TCP measurements were to be allowed - then HTTP OPTIONS in cleartext is almost as innocuous as a DNS query over TCP, which is almost as innocuous as a DNS query over UDP.

It's also pretty innocuous from the receiver's perspective too. Seeing an occasional OPTIONS request in an HTTP log is pretty mild compared to all the other cruft sent by spiders and bots. On my personal web server I see about 1 real request for every 30-40 spider/bot requests. The anomaly for me is a real person looking at my site :-)

Mark.
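Added example, not part of the original message: a loopback sketch of the point above, timing the TCP connect and the HTTP exchange for GET, OPTIONS and TRACE against a server that implements only GET. The server, the page body and the `probe` and `run_demo` helpers are constructed for illustration; Python's built-in server answers unimplemented verbs with 501 rather than the 400 mentioned above.

```python
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed body standing in for real site content.
PAGE = b"<html>constructed page body standing in for site content</html>"

class GetOnlyHandler(BaseHTTPRequestHandler):
    """Constructed test server that implements GET and no other verb."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, *args):  # keep the demo quiet
        pass

def probe(host, port, method):
    """Time the TCP connect and the full exchange for one HTTP method."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    t0 = time.perf_counter()
    conn.connect()                      # TCP handshake only
    t1 = time.perf_counter()
    conn.request(method, "/")
    resp = conn.getresponse()
    body = resp.read()
    t2 = time.perf_counter()
    conn.close()
    return {"method": method, "status": resp.status,
            "connect_ms": (t1 - t0) * 1000, "total_ms": (t2 - t0) * 1000,
            "page_returned": PAGE in body}

def run_demo():
    """Serve on an ephemeral loopback port and probe it with three verbs."""
    server = HTTPServer(("127.0.0.1", 0), GetOnlyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return [probe("127.0.0.1", port, m) for m in ("GET", "OPTIONS", "TRACE")]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Every probe yields a connect time and a total time, but only the GET carries the page body back to the measuring host.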