Author Topic: Unwanted Avast DNS traffic  (Read 9883 times)


REDACTED

  • Guest
Unwanted Avast DNS traffic
« on: March 31, 2016, 01:14:23 PM »
Good afternoon! My IPS is reporting unusual behavior, coming from one of my computers that is running Avast Antivirus. I have added the log as an attachment. The specified IP-addresses are part of the Avast services, according to a reverse-DNS lookup. Could anyone elaborate what is happening?
« Last Edit: March 31, 2016, 01:41:30 PM by WuhKuh »

Eddy

  • Avast Evangelist
Re: DNS issues
« Reply #1 on: March 31, 2016, 01:17:37 PM »

REDACTED

  • Guest
Re: DNS issues
« Reply #2 on: March 31, 2016, 01:25:24 PM »
I know how to clean malware, sir! I'm trying to find out why the Avast service itself is doing weird DNS lookups. Currently running a packet capture and a malware scanner to please you ;)

EDIT: Added MBAM log.
« Last Edit: March 31, 2016, 01:42:14 PM by WuhKuh »

Pondus
Re: Unwanted Avast DNS traffic
« Reply #3 on: March 31, 2016, 01:43:28 PM »
Probably related to avast dns hijack check

https://www.avast.com/no-no/faq.php?article=AVKB89#idt_09


REDACTED

  • Guest
Re: Unwanted Avast DNS traffic
« Reply #4 on: March 31, 2016, 01:46:45 PM »
Strange, as this option doesn't appear in my settings menu. Screenshot attached.

Pondus
Re: Unwanted Avast DNS traffic
« Reply #5 on: March 31, 2016, 02:29:50 PM »
right click avast tray icon, and about ... what build version? and what avast free/pro/ais


REDACTED

  • Guest
Re: Unwanted Avast DNS traffic
« Reply #6 on: March 31, 2016, 02:42:47 PM »
Avast! Free Antivirus.
Version: 11.1.2253


REDACTED

  • Guest
Re: Unwanted Avast DNS traffic
« Reply #7 on: April 10, 2016, 01:17:24 PM »
As I have no clue what is happening and on what level this is happening I have decided to uninstall my Avast! packages. I would recommend others with the same problem to do so as well.

lukor

  • Administrator
    • AVAST Software
Re: Unwanted Avast DNS traffic
« Reply #8 on: April 10, 2016, 01:50:22 PM »
Hi WuhKuh,
these are IP addresses of avast servers used for the SecureDNS feature. SecureDNS (encrypted DNS queries) is available on AIS and Premier as a separate shield + on all versions inside SafeZone browser.

The communication you might see is the SecureDNS handshake, an initial part of the service setup, where we connect to every server enabled for the service at the moment (the list is dynamic) and find the one that is closest to you (network-wise - meaning that it might be geographically pretty far).

The protocol used is the open-sourced DNSCrypt (used e.g. by OpenDNS as well), you can update your IPS to check for DNSCrypt on ports 53 and 443. Would you prefer these to be moved to other ports, since you have trouble seeing encrypted DNS traffic on port 53? The traffic is encrypted and is used to provide tamper-resistant DNS queries - something DNSSEC fails to provide for most of the domains at this moment.

Cheers,
Lukas.
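
An added example, not part of the post above and not Avast's code: a payload triage an IPS rule could mirror to tell DNSCrypt apart from malformed plain DNS on UDP port 53. The resolver magic comes from the public DNSCrypt specification; the 256-byte threshold for queries, the `2.dnscrypt-cert.` name check and the label names are assumptions of this sketch, and the sample payloads are constructed.

```python
import struct

# Every DNSCrypt response starts with this 8-byte resolver magic (public spec).
RESOLVER_MAGIC = b"r6fnvWj8"
# Assumption: padded UDP queries are at least the spec's initial minimum length.
MIN_QUERY_LEN = 256


def parse_qname(payload: bytes):
    """Return the question name of a well-formed one-question DNS message, else None."""
    if len(payload) < 17:  # 12-byte header + root label + qtype/qclass
        return None
    _id, flags, qd, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qd != 1 or (flags >> 11) & 0xF > 5:  # one question, known opcode
        return None
    labels, pos = [], 12
    while pos < len(payload):
        n = payload[pos]
        pos += 1
        if n == 0:
            # qtype and qclass must follow the terminating root label
            return ".".join(labels) if pos + 4 <= len(payload) else None
        if n > 63 or pos + n > len(payload):
            return None
        labels.append(payload[pos:pos + n].decode("ascii", "replace"))
        pos += n
    return None


def classify(payload: bytes) -> str:
    """Label one UDP/53 payload; the labels are this example's own."""
    if payload.startswith(RESOLVER_MAGIC):
        return "dnscrypt-response"
    qname = parse_qname(payload)
    if qname is not None:
        # Certificates are fetched over plain DNS as TXT records under this prefix.
        return "dnscrypt-cert-lookup" if qname.startswith("2.dnscrypt-cert.") else "plain-dns"
    if len(payload) >= MIN_QUERY_LEN:
        return "dnscrypt-query-likely"  # opaque and padded: heuristic only
    return "unknown"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a minimal plain DNS query for `name`."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!2H", qtype, 1)
```

Over TCP (including port 443) each message carries a two-byte length prefix, which has to be stripped before the same checks apply.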



lukor

  • Administrator
    • AVAST Software
Re: Unwanted Avast DNS traffic
« Reply #9 on: April 10, 2016, 01:52:50 PM »
And also, as mentioned by Jakub56, port 53 can also be used by other apps (such as Bittorrent or Skype), although in that case it would most probably be directed to avast-owned IPs. Please also be aware that the list of IPs is dynamic - so that we can add servers in areas with higher traffic dynamically - so some of the IPs might already be out of use, while new IPs might be added to the list every day.

REDACTED

  • Guest
Re: Unwanted Avast DNS traffic
« Reply #10 on: April 10, 2016, 05:01:04 PM »
Avast! Free Antivirus.
Version: 11.1.2253

Hi WuhKuh,
these are IP addresses of avast servers used for SecureDNS feature. SecureDNS (encrypted DNS queries) ............on all version inside SafeZone browser.

Lukas.

I'm betting like others your version of FREE had SafeZone silently installed which puts this "DNS feature" in the background.
If you have un-installed Avast and are looking for a way to safeguard your DNS here is one option: https://www.opendns.com/home-internet-security/
« Last Edit: April 10, 2016, 05:04:41 PM by thekochs »

lukor

  • Administrator
    • AVAST Software
Re: Unwanted Avast DNS traffic
« Reply #11 on: April 10, 2016, 05:58:44 PM »
Hi thekochs,

in Free, SecureDNS is used only for browsing with the SafeZone browser. Just the handshake - selecting the best server - is done when the network is first connected - to be ready for fast turn on.

So there is no SecureDNS feature in the background in Avast Free, but we think it's pretty useful, and that's why encrypted DNS has been inside SafeZone for many years.

SafeZone browser can be uninstalled or chosen not to be installed in the Custom menu during setup. Sorry for the bug, where we failed to check previous uninstalls -- it was out only for 3 days though.

Lukas.