30 Dec 2025
research: domain parking and aging
I wanted to test a simple idea: are malicious domains sitting on parking infrastructure before they get activated?
The answer from this run was still messy. Parking showed up, but live nameserver lookups mostly saw domains after they had already moved. If you only look at current nameservers, you see the tail end of the process, not the aging window itself.
What I Ran
This was data collected for the December 2025 study window. The
observation date was 2025-12-15.
The rule was:
RDAP registration date <= feed listing date <= observation dateIf a domain was registered after 2025-12-15, I did not
use it as an example for this study.
| Stage | Source | Volume |
|---|---|---|
| Malware ground truth | URLhaus | 30,407 rows in 90-day window, 3,000 sampled |
| Phishing ground truth | OpenPhish feed, | 300 URLs, 201 unique domains |
| Benign baseline | Tranco top-1M | 2,000 domains |
| Point-in-time NS lookup | Google DNS-over-HTTPS | 5,000 domains |
| Registration dates | RDAP through IANA bootstrap | cross-checked against feed listing dates |
Live Parking Was Rare
Out of 3,000 malicious domains sampled from the December 2025 URLhaus window plus the OpenPhish feed, only 141 resolved nameserver records when checked.
sampled malicious domains: 3000
resolved NS records: 141
resolved rate: 4.7%
currently parked: 3
current parking rate: 0.1%The Tranco baseline was lower:
baseline parking rate: 0.05%
malicious over baseline: about 2xThat is a small signal. Three parked malicious domains versus one parked baseline domain is not enough for a dramatic claim.
But it does point in the same direction as the earlier run: by the time a domain appears in URLhaus or OpenPhish, it has usually already left parking.
None of the 50 resolving OpenPhish domains from the December 2025 snapshot were on parking nameservers.
The takeaway for me is that point-in-time NS lookups undercount parking. They answer:
is the domain parked now?They do not answer the better question:
was the domain parked before activation?That second question needs passive DNS history.
URLhaus Dwell Time Was Short
URLhaus was the cleaner feed for dwell-time measurement because it has per-row listing dates.
From 500 RDAP lookups on the main malicious sample, 19 domains passed the strict date check:
registration date <= URLhaus listing date <= 2025-12-15The dwell-time summary looked like this:
median dwell: 15.7 days
under 30 days: 10/19
under 90 days: 12/19
over 90 days: 7/19That is the cohort where fresh aging actually showed up. More than half of the verified URLhaus domains activated within 30 days of registration.
I would not overread the sample size, but the shape is useful:
register domain -> wait days or weeks -> appear in malware feedThat fits deliberate short aging, spray-and-pray registration, or a mix of both.
OpenPhish
Of 50 OpenPhish domains that still resolved NS records, 24 passed RDAP verification. Only 4 had registrations within 365 days of the snapshot.
| Domain | Registered | Dwell to 2025-12-15 | Notes |
|---|---|---|---|
roblox.com.ml |
2025-09-23 | 82.9 days | Roblox lure |
roblox.gs |
2025-07-16 | 152.4 days | Roblox lure |
sechehomes.co.ke |
2025-05-09 | 219.9 days | phishing |
sso-auth.com |
2025-04-01 | 258.0 days | auth lure |
The remaining verified OpenPhish domains were older compromised or reused sites. Their median dwell was 2,055 days.
That changed how I read the earlier result. A naive analysis can accidentally mix new registrations with the wrong observation date and produce a clean-looking median that is not actually defensible.
The December view showed two populations:
- fresh URLhaus malware, with a median dwell of 15.7 days
- older OpenPhish infrastructure, with only a small fresh subset under 365 days
Parking Providers I Saw
I excluded GoDaddy domaincontrol.com from the parking
list. It is too broad and creates false positives.
Among resolving malicious domains, the current parking hits were small:
| Provider | Malicious resolved set | Tranco resolved set |
|---|---|---|
| ParkLogic | 2 / 141 | 1 / 1,981 |
| Afternic | 1 / 141 | 0 / 1,981 |
| ParkingCrew | 0 / 141 | 0 / 1,981 |
| Sedo | 0 / 141 | 0 / 1,981 |
| Above.com | 0 / 141 | 0 / 1,981 |
ParkLogic and Afternic appeared only in the malicious set, but the counts were too small for a strong provider-level conclusion.
Above.com, Sedo, and ParkingCrew did not appear in the December 2025 nameserver results.
The Missing Piece Was Historical DNS
The event I actually wanted was:
parking NS -> active NSExample shape:
ns1.sedoparking.com -> ns1.active-host.exampleThat transition is the high-value detection point. Current NS lookups only catch domains that are parked now. Passive DNS is needed to find domains that recently left parking.
So the December run answered the easier question:
is this feed domain parked at lookup time?It did not fully answer:
was this domain parked before it appeared in the feed?What Worked And What Did Not
The useful pieces:
- abuse-feed snapshots with fixed observation dates
- RDAP verification against feed listing dates
- URLhaus per-row timestamps for dwell measurement
- live NS checks against a careful parking-provider list
- Tranco as a rough benign baseline
The things I would avoid:
- treating
domaincontrol.comas parking - mixing later registrations with December feed dates
- using OpenPhish snapshot dates as if they were per-URL listing dates
- making provider-level claims from three parking hits
- claiming parking-to-active transitions without passive DNS
Reproducing The Run
The local run looked like this:
python3 domainparkingfinal.py --skip-pdnsClosing Notes
Domain parking is part of the infrastructure story, but it is easy to miss if you only look after abuse-feed listing.
In this December 2025 run, current parking was rare: 0.1% of malicious domains were parked at lookup time, compared with 0.05% in the baseline. URLhaus showed a fresh cohort with a median registration-to-listing dwell time of 15.7 days. OpenPhish looked older, with only four verified domains under 365 days.
The detection surface I would build on is not "domain is parked right now." It is "domain recently left parking and moved to active infrastructure."
For that, historical DNS is the piece that matters. Current nameserver lookups are useful, but they only show the tail of the process.