Author Topic: Avast Requesting Top 1000 Domains?  (Read 5702 times)

0 Members and 1 Guest are viewing this topic.

Offline schester

  • Newbie
  • *
  • Posts: 7
Avast Requesting Top 1000 Domains?
« on: December 01, 2014, 07:15:41 PM »
It appears that since the release of the 2015 (version 10) release Avast is requesting the DNS records for the Top 1000 Domains.

It does this request every 24 hours and 10 minutes on each computer as far as we can tell. This occurs regardless of if Secure DNS is enabled, disabled or even not installed. I have confirmed that I see the requests from computers that have Secure DNS disabled as well as those that were installed excluding SecureDNS.

Why would Avast be requesting the Top 1000 domains every day?

If we were using the Secure DNS service would it be caching the DNS entries for the top 1000 sites?

Is this supposed to be a security feature to detect changes or something?

Maybe the data is being crowdsourced to check for hijacked domains?

I see this because we are also using OpenDNS and logging all DNS requests. I can see that many of the requests are blocked (about 360) of the approximately 1500 requests in 15 seconds. The requests are for a wide variety of sites like vk.com, xvideos.com, pornhub.com, redtube.com livedoor.com, backpage.com, pornerbros.com. Almost all of the captured requests (blocked) seem to start with vk.com and end with pornerbros.com. Allowed sites include facebook.com, google.com, yahoo.com, baidu.com.

We are seeing this across multiple customers, networks, etc. I reported the issue to Avast support directly last Friday, but have not received a response. I think this should be public so others are aware of this as well. (I couldn't find anything when searching online of others reporting similar findings.)

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11714
    • AVAST Software
Re: Avast Requesting Top 1000 Domains?
« Reply #1 on: December 01, 2014, 08:01:08 PM »
I believe the behavior is a part of the Home Network Security feature - checking whether the user's DNS isn't redirected somewhere it shouldn't be.

Offline npitcher

  • Newbie
  • *
  • Posts: 1
Re: Avast Requesting Top 1000 Domains?
« Reply #2 on: December 02, 2014, 12:53:28 AM »
It doesn't look to be the home network security. I think it must be deeper.

Here is what we see for DNS requests when manually initiating a "Home Network Security" scan.



Code: [Select]
ipm-provider.ff.avast.com
p010.sb.avast.com
hns-v6.ff.avast.com
hns-v6.ff.avast.com
hns-v6.ff.avast.com
hns-v6.ff.avast.com
hns-v6.ff.avast.com
hns-v6.ff.avast.com
hns-v6.ff.avast.com
hns-v6.ff.avast.com
hns-v6.ff.avast.com
hns.ff.avast.com
ipm-provider.ff.avast.com
c2r.microsoft.com
avast.co.jp.ssl.ldc.d3.sc.omtrdc.net
ipmcdn.avast.com
ans.avast.com
googleapis.l.google.com
fonts.googleapis.com
www.google-analytics.com
www-google-analytics.l.google.com
ipm-provider.ff.avast.com