February 18, 2018
Do you know which internet domains you are actually visiting when you are browsing your favorite websites?
In this blog we are attempting to answer this question by filtering all domain visit attempts while browsing the Majestic top 10.000 most popular internet domains.
While browsing these domains, the browser actually made 460.717 attempts to contact a total of 86.645 unique domains.
Analysis shows that a total of 38% of all attempted domain visits could be categorized as Online Marketing and Tracking, Malware Distributing, Phishing, Telemetry, Social Media, or Crypto-jacking services.
We have a cleanly installed test system with Microsoft Windows 10 Pro and Mozilla Firefox as the default browser. A simple script automates the consecutive browsing of all 10.000 domains. Finally, we installed Barriqade on the system to log all domains visited during our experiment. Also, we configured Barriqade to detect and filter domains listed in any of the following categories of domains:
Our lab environment continuously browses the web and detects domains meeting any of the above categorizations, based on our own automated detection methods, manual inspection, reporting by Barriqade users, and the categorizations made by independent third parties.
Barriqade allows the user to determine for each of these categorizations individually what Barriqade should do when a visit to any of them is detected: block, allow, or show a notification. The user can also add any number of custom rules.
After performing the automated visiting of all Majestic top 10.000 domains on our test system, we are able to show you the following results.
The first important observation is that the total number of domain (or DNS) lookups by the test system is much higher than the top 10.000 domains we started with as input. The reason is that when your browser connects to the requested domain and downloads its initial web page, it is likely to find references to resources hosted on other domains as well, which the browser subsequently attempts to fetch.
The following shows an example of exactly such behavior of contacting multiple different domains when visiting edition.cnn.com in a browser:
The browser visited not just the edition.cnn.com domain, but also cnd.optimizely.com and quite a few others.
While browsing all 10.000 domains, the browser actually made 460.717 attempts to contact (and request resources from) a total of 86.645 unique domains. Many domains are referenced multiple times, like www.google-analytics.com and connect.facebook.com, explaining the difference between these numbers. Every website that uses Google Analytics, or has a Facebook widget integrated, likely results in visits to these respective domains.
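To make the mechanism concrete, the following added example (not part of the original experiment or of Barriqade) extracts the hosts a browser would contact for sub-resources of a single page. The markup is constructed and the paths in it are hypothetical; only the domain names come from this post.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute a browser typically fetches while rendering
# (a simplification). <a href> is excluded: links are only followed on click.
AUTO_FETCHED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceHosts(HTMLParser):
    """Collects the host of every automatically fetched resource on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = Counter()

    def handle_starttag(self, tag, attrs):
        attr = AUTO_FETCHED.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        # urljoin resolves relative and protocol-relative ("//host/x") URLs.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host:
            self.hosts[host] += 1


def third_party_hosts(page_url, html):
    """Hosts contacted for sub-resources, excluding the page's own host."""
    parser = ResourceHosts(page_url)
    parser.feed(html)
    own = urlsplit(page_url).hostname
    return Counter({h: n for h, n in parser.hosts.items() if h != own})


# Constructed sample markup, not the real edition.cnn.com page.
SAMPLE_HTML = """
<script src="//cnd.optimizely.com/js/example.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<link rel="stylesheet" href="/css/site.css">
<img src="https://www.google-analytics.com/collect?v=1">
<img src="/img/logo.png">
<iframe src="https://connect.facebook.com/widget.html"></iframe>
<a href="https://example.org/story">story</a>
"""

if __name__ == "__main__":
    hosts = third_party_hosts("https://edition.cnn.com/", SAMPLE_HTML)
    print(sum(hosts.values()), "requests to", len(hosts), "third-party hosts")
```

Static parsing only sees references present in the initial markup; requests issued later by scripts are missed, which is why the experiment logged actual lookups instead.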
The top 10 most referenced domains are:
Notice that most of these top 10 referenced domains are related to Google Analytics, Google Ad Services and Facebook widgets put on many websites.
Since we configured Barriqade to detect and filter domains listed in a number of different categories mentioned earlier, Barriqade was able to block a total of 38% of all attempted domain visits by our test computer:
Amongst those filtered are all of the top 10 referenced domains shown above, since they are categorized as either marketing / tracking domains, or social media domains respectively.
The following shows the number of filtered domain visits by Barriqade per domain category:
Two domain visit attempts were filtered as a result of a Phishing Domain classification by Barriqade. While browsing all of the Majestic top 10.000 domains, two references were made to third party domains known for phishing activity. Similarly, 112 references were made to domains known for hosting malware / ransomware.
A total of 57 attempted visits to Crypto-jacking, or web mining domains were filtered. Most of these were references to coinhive.com and jsecoin.com. Other research shows that this number is on the rise.
Filtering Software Telemetry and User Tracking domains resulted in 738 domain visit attempts being blocked. These are mostly the result of Microsoft Windows 10 on the test system trying to contact telemetry and/or user tracking domains during the 20-hour test.
The number of filtered Social Media domain visits can mostly be attributed to Twitter and Facebook widgets. Such widgets usually refer to images and other content hosted on servers of Twitter, Facebook, or others.
Finally, the large number of filtered domain visits related to Online Marketing and Tracking can be explained by the fact that most websites show advertisements, which are usually served by known third party ad and tracking services. Filtering those domains means that the browser is unable to connect with them, which stops the browser from downloading ads, or from sending your behavior characteristics during your visit to a website as analytics information to such a third party service.
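The counting behind these results can be reproduced on any lookup log. The sketch below is an added example, not Barriqade's code: the log, the category lists and the label-by-label matching rule are all constructed assumptions, used to show how attempts, unique domains, top references and the filtered share are derived.

```python
from collections import Counter

# Constructed category lists; assignments are illustrative, not Barriqade's data.
CATEGORIES = {
    "marketing/tracking": {"google-analytics.com", "optimizely.com"},
    "social media": {"facebook.com"},
    "crypto-jacking": {"coinhive.com", "jsecoin.com"},
}

# Constructed lookup log: one queried name per attempted domain visit.
LOOKUPS = [
    "edition.cnn.com", "cnd.optimizely.com", "www.google-analytics.com",
    "connect.facebook.com", "example.org", "www.google-analytics.com",
    "coinhive.com", "notfacebook.com", "WWW.Example.org.", "static.example.org",
]


def normalize(name):
    """Lower-case and drop the trailing root dot so equal names compare equal."""
    return name.strip().lower().rstrip(".")


def categorize(name, categories=CATEGORIES):
    """Return the category whose listed domain equals `name` or is a parent of it.

    Matching walks the name label by label, so "notfacebook.com" does not
    match "facebook.com" the way a plain string-suffix test would.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in categories.items():
            if candidate in domains:
                return category
    return None


def summarize(lookups):
    """Total attempts, unique names, most referenced names, filtered share."""
    names = [normalize(n) for n in lookups]
    per_category = Counter(c for c in map(categorize, names) if c)
    filtered = sum(per_category.values())
    return {
        "attempts": len(names),
        "unique": len(set(names)),
        "top": Counter(names).most_common(3),
        "per_category": dict(per_category),
        "filtered_pct": round(100 * filtered / len(names)),
    }
```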
Try Barriqade yourself and stop your browser and device contacting unwanted domains!
For this blog we configured Barriqade to filter everything Barriqade can without using custom rules, but you don’t have to do the same. Simply enable the filters for the categories of domains you don’t want your device, not just your browsers, to visit.