Cisco Umbrella

The Good, the Bad, and the Parked

Anthony Kasza
Updated — March 17, 2021 • 3 minute read

A parked domain is a domain name that has been registered and is serving temporary content, is being held for future use, or is being used for monetization purposes. Some parked domains serve custom 404 pages, redirects, or advertisements.
Parked domains often serve ads to visitors as a mechanism for generating revenue for the domain owner. As more visits translate to more ad impressions and more ad impressions translate to more money for the domain owner, parked domains meant for monetization often use tricks to increase traffic volumes. These tricks include typo squatting, SEO trickery and search term mining, as well as name “guesses” (e.g. if a user is looking for spare car parts, they may type “carparts.example.com” into their browser).
How to Determine If a Domain Name is Parked
There are a few methods of identifying whether a domain is parked. As Dhia Mahjoub pointed out previously, comparing the resolution of the domain name with that of a random subdomain can be used to determine if a single domain name is parked or not. Comparing the content served back from the server with varying HTTP referer headers is another way, as parked domains often tailor ad content based on search engine queries. For example, if you end up visiting a parked domain and the referer is from a Google search for puppies, the ads on the parked domain may be for things like dog food or dog toys.
Another indicator of a single domain being parked is how many other domains also resolve to the IP address that name resolves to. A large number of domain names resolving to a single IPv4 address often indicates a parking IP or a shared hosting provider. This technique makes use of passive DNS data. Another technique which uses passive DNS data is to look at the number of domains the name servers of the domain in question are authoritative for. Name servers which have been delegated a large number of domain names (something like 15,000 or more) are often authorities for parked domains. Lastly, the number of third-party locations referenced in the source of the HTML served back from the domain is another indicator, as parked domains contain mostly dynamically loaded advertisements.
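The three DNS-based indicators above can be evaluated together. This is an added example, not code from the original post: the resolver is passed in as a function, the passive DNS records are constructed from reserved .example names and documentation IP ranges, and the per-IP threshold of 1,000 is an assumption (only the 15,000 name-server figure comes from the text).

```python
import secrets
from collections import defaultdict

NS_THRESHOLD = 15_000  # delegation count quoted in the article
IP_THRESHOLD = 1_000   # assumption: the article only says "a large number"

def dns_parking_signals(domain, resolve, pdns):
    """resolve(name) -> set of IPv4 strings; pdns -> iterable of (name, rrtype, rdata)."""
    names_on_ip, names_on_ns, ns_of = defaultdict(set), defaultdict(set), set()
    for name, rrtype, rdata in pdns:
        if rrtype == "A":
            names_on_ip[rdata].add(name)
        elif rrtype == "NS":
            names_on_ns[rdata].add(name)
            if name == domain:
                ns_of.add(rdata)
    ips = resolve(domain)
    # A random label nobody registered should not resolve unless a wildcard answers it.
    probe = resolve(f"{secrets.token_hex(8)}.{domain}")
    signals = {
        "wildcard": bool(ips) and probe == ips,
        "cohosted": max((len(names_on_ip[ip]) for ip in ips), default=0),
        "ns_delegations": max((len(names_on_ns[ns]) for ns in ns_of), default=0),
    }
    # Number of indicators that fired; each one alone also matches shared hosting.
    signals["hits"] = sum([signals["wildcard"],
                           signals["cohosted"] >= IP_THRESHOLD,
                           signals["ns_delegations"] >= NS_THRESHOLD])
    return signals

# Constructed passive DNS data (not real observations).
PDNS = [(f"name{i}.example", "A", "192.0.2.10") for i in range(2_000)]
PDNS += [(f"name{i}.example", "NS", "ns1.parking.example") for i in range(15_000)]
PDNS += [("shop.example", "A", "198.51.100.7"), ("shop.example", "NS", "ns1.shop.example")]

def fake_resolve(name):
    """Stand-in resolver: name42.example answers for any subdomain, shop.example does not."""
    if name.endswith("name42.example"):
        return {"192.0.2.10"}
    return {"198.51.100.7"} if name == "shop.example" else set()
```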
Recently a paper was published at the 2015 Network and Distributed System Security (NDSS) Symposium which outlined ways of identifying parked domains based on DNS records and HTTP content. The paper is a very good read and the accompanying GitHub is fantastic. We on the research team have adapted some of the techniques used in this paper to classify parked domains.
Notes of Interest
While exploring the techniques used in the paper previously mentioned, we came up with a novel mechanism for comparing two domains’ HTML content. Using RabbitMQ, Celery, and Flask we built a basic web service which would render a page using PhantomJS and return the HTML as a string. Using the HTML parsing code from Python’s lxml module we created a tree of the HTML elements; this is essentially a DOM tree. We then converted the DOM tree to a networkx graph and used matplotlib to visualize the tree. We also converted the DOM tree to a graph specific to the zss module, which implements the Zhang-Shasha algorithm. Doing so for two different domain names allows us to calculate a tree edit distance (similar to a string edit distance) between the two DOMs.
Here is a script which reads HTML from files (of full saved web pages) and does the comparison.
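The DOM comparison described above, as an added example that is not the authors' script: it uses only Python's standard library (html.parser in place of lxml, and an inline Zhang-Shasha implementation in place of the zss module) and works on static HTML rather than PhantomJS-rendered pages. The function names and the three sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
VOID = {"area", "base", "br", "col", "hr", "img", "input", "link", "meta", "wbr"}

class DomPostorder(HTMLParser):  # element names in postorder + leftmost-leaf index per node
    def __init__(self):
        super().__init__()
        self.labels, self.lml, self.open = [], [], [["#document", None]]
    def _close(self):
        tag, first = self.open.pop()
        self.labels.append(tag)
        self.lml.append(len(self.labels) - 1 if first is None else first)
        if self.open and self.open[-1][1] is None:
            self.open[-1][1] = self.lml[-1]
    def handle_starttag(self, tag, attrs):
        self.open.append([tag, None])
        if tag in VOID:  # void elements never get an end tag
            self._close()
    def handle_endtag(self, tag):
        if tag in [t for t, _ in self.open]:
            while self.open[-1][0] != tag:
                self._close()
            self._close()

def flatten(html):
    parser = DomPostorder()
    parser.feed(html)
    parser.close()
    parser.handle_endtag("#document")  # close everything still open, root last
    return parser.labels, parser.lml, sorted({leaf: i for i, leaf in enumerate(parser.lml)}.values())

def dom_distance(html_a, html_b):  # Zhang-Shasha; insert, delete and relabel each cost 1
    (A, la, keys_a), (B, lb, keys_b) = flatten(html_a), flatten(html_b)
    td = [[0] * len(B) for _ in A]
    for i in keys_a:
        for j in keys_b:
            li, lj = la[i], lb[j]
            fd = [[x + y if 0 in (x, y) else 0 for y in range(j - lj + 2)] for x in range(i - li + 2)]
            for x in range(1, i - li + 2):
                for y in range(1, j - lj + 2):
                    p, q = li + x - 1, lj + y - 1
                    whole = la[p] == li and lb[q] == lj  # both forests are single trees
                    sub = fd[x - 1][y - 1] + (A[p] != B[q]) if whole else fd[la[p] - li][lb[q] - lj] + td[p][q]
                    fd[x][y] = min(fd[x - 1][y] + 1, fd[x][y - 1] + 1, sub)
                    if whole:
                        td[p][q] = fd[x][y]
    return td[-1][-1]

PARKED_A = "<html><head><title>a</title></head><body><div><ul><li><a>dog food</a></li><li><a>dog toys</a></li></ul></div></body></html>"  # constructed samples
PARKED_B = "<html><head><title>b</title></head><body><div><ul><li><a>car parts</a></li><li><a>tyres</a></li><li><a>loans</a></li></ul></div></body></html>"
ARTICLE = "<html><head><title>c</title></head><body><h1>Post</h1><p>Text <b>bold</b></p><p>More</p></body></html>"
```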
Below are some interesting images showing the DOM structure of three parked domain names that had a very similar DOM tree regardless of the content on the page (as dynamically served ads often change on each page load).
[Images: DOM tree visualizations of the three parked domain names]
The same 3 domains can also be viewed within OpenDNS Investigate. The following WHOIS information shows us all registrant and nameserver history for each domain:
BTCCLASSIFIED.COM
[Image: WHOIS registrant and nameserver history]
DUKUNMP3.COM
[Image: WHOIS registrant and nameserver history]
FILMESADVANCED.COM
[Image: WHOIS registrant and nameserver history]
And confirms the parking location at Bodis – a known parking provider.
[Image: Bodis, a known domain parking provider]
Below are two images showing the DOM trees of Google searches. They too are very similar to each other because the actual content of the pages is irrelevant.
[Images: DOM trees of Google searches for kittens and puppies]
What is the Impact of Parked Domains to Your Network?
There is no legitimate reason for anyone to visit a parked domain. By definition, parked domains serve back useless content. Additionally, the strong focus on dynamically serving ads to browsers makes parked domains a great vehicle for malvertising. We’ve also noticed many of the domain shadowing names Angler EK has repurposed in the past were originally parked.
Comparing DOM trees is a very telling method of grouping like HTML content together. As parked domains often reuse a set of templates for displaying advertisements to users, comparing DOM trees eliminates any noise the ads may introduce when comparing the HTML source of two web pages.
