Understanding Orphan Flows
Kevin Sam Tharayil, Athanasios Avgetidis, Zane Ma, Manos Antonakakis, Angelos D Keromytis
2025 9th Network Traffic Measurement and Analysis Conference (TMA)
Network operators require comprehensive and comprehensible network monitoring to manage resources, measure performance, ensure compliance, conduct audits, and detect/mitigate security threats. DNS labeling is one of the most useful techniques for tracking network activity, enabling operators to understand the web services that hosts communicate with. However, DNS-based monitoring has a blind spot: traffic to IPs with no associated DNS records, which we call orphan flows/IPs. Orphan flows can often indicate peer-to-peer or VPN communication, as well as bootstrap network services (e.g., root DNS / NTP servers), or software that is attempting to circumvent domain blocklisting systems. This work presents the first large-scale analysis of orphan flows to understand 1) the practical hurdles to measuring orphan flows, and 2) the potential utility of orphan flow identification for network operators and security analysts. Our seven-month study examines traffic from a large U.S. university with over 3.3 billion flows per day. We construct a robust multi-stage traffic analysis pipeline that accounts for practical challenges (e.g., data loss, clock skew) in order to home in on true orphan flows. In total, we find communication to 26K orphan IPs, 63% of which we can categorize into behavior ranging from Windows update servers to malware-related traffic. Notably, we suspect 2.5% of the orphan IPs to be potentially malicious, but they do not appear in known threat intelligence sources. Ultimately, we shed light on a blind spot for network operators and highlight new monitoring opportunities.
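To make the core idea concrete, the following is an added illustrative example (not the paper's pipeline or code) of DNS labeling with an orphan-flow fallback: each connection record is joined against the DNS answers the same client previously received, and a flow with no answer that could explain it is an orphan. The `skew` tolerance and the TTL-bounded validity window are assumptions chosen here to model two of the practical challenges the abstract names (clock skew between the DNS and flow sensors, and stale cached answers); the sample addresses, names and timestamps are constructed and use documentation-range IPs.

```python
"""Toy orphan-flow detector: labels each flow with the DNS name that explains it,
or marks it as an orphan when the client received no answer for that address.
Illustrative example only; not the pipeline described in the paper."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: float      # seconds, DNS sensor clock: when the answer was observed
    client: str    # host that issued the query
    name: str      # queried name
    ip: str        # address returned in the answer
    ttl: int       # seconds the client may cache the answer


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds, flow sensor clock: first packet of the flow
    src: str
    dst: str
    dport: int


# Constructed sample input (documentation-range addresses, not real hosts).
DNS_ANSWERS = [
    DnsAnswer(100.0, "10.0.0.5", "example.test", "192.0.2.10", 300),
    DnsAnswer(120.0, "10.0.0.5", "cdn.example.test", "198.51.100.20", 60),
]
FLOWS = [
    Flow(105.0, "10.0.0.5", "192.0.2.10", 443),    # resolved 5 s earlier -> labeled
    Flow(98.0,  "10.0.0.5", "192.0.2.10", 443),    # 2 s *before* the answer: clock skew, still labeled
    Flow(110.0, "10.0.0.5", "203.0.113.7", 443),   # this client never resolved the IP -> orphan
    Flow(106.0, "10.0.0.6", "192.0.2.10", 443),    # a different client, no answer of its own -> orphan
    Flow(500.0, "10.0.0.5", "192.0.2.10", 443),    # TTL (300 s) long expired -> orphan
    Flow(130.0, "10.0.0.5", "198.51.100.20", 80),  # within TTL -> labeled
]


def build_index(answers):
    """Map (client, ip) -> answers for that pair, sorted by observation time."""
    idx = defaultdict(list)
    for a in answers:
        idx[(a.client, a.ip)].append(a)
    for lst in idx.values():
        lst.sort(key=lambda a: a.ts)
    return idx


def label_flow(flow, idx, skew=5.0):
    """Return the DNS name that explains this flow, or None if it is an orphan.

    An answer explains a flow when the flow starts inside
    [answer.ts - skew, answer.ts + ttl + skew]; `skew` absorbs clock offset
    between the two sensors (assumed value, not from the paper).
    """
    best = None
    for a in idx.get((flow.src, flow.dst), ()):
        if a.ts - skew <= flow.ts <= a.ts + a.ttl + skew:
            if best is None or a.ts > best.ts:   # prefer the most recent matching answer
                best = a
    return best.name if best else None


def find_orphans(flows, answers, skew=5.0):
    """Split flows into (labeled, orphans); each entry is (flow, name-or-None)."""
    idx = build_index(answers)
    labeled, orphans = [], []
    for f in flows:
        name = label_flow(f, idx, skew)
        (labeled if name else orphans).append((f, name))
    return labeled, orphans


def orphan_ips(flows, answers, skew=5.0):
    """Aggregate orphan flows per destination IP, the unit an operator would triage."""
    _, orphans = find_orphans(flows, answers, skew)
    counts = defaultdict(int)
    for f, _ in orphans:
        counts[f.dst] += 1
    return dict(counts)


if __name__ == "__main__":
    labeled, orphans = find_orphans(FLOWS, DNS_ANSWERS)
    for f, name in labeled:
        print(f"LABELED  {f.src} -> {f.dst}:{f.dport} via {name}")
    for f, _ in orphans:
        print(f"ORPHAN   {f.src} -> {f.dst}:{f.dport}")
    print("orphan IPs:", orphan_ips(FLOWS, DNS_ANSWERS))
```

Two design choices matter in practice. First, the join is keyed on the client as well as the IP: a resolution by one host does not explain another host's connection, otherwise a single lookup on a shared resolver would mask orphan traffic campus-wide. Second, the validity window is bounded by the answer's TTL plus the skew tolerance rather than being open-ended; without that bound, data loss on the DNS sensor and long-lived cached entries would make a flow look labeled when the operator actually has no evidence for it, and the skew tolerance has to be small enough that it does not itself hide orphans.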