AVG now offers a “Secure DNS” service which is designed to prevent DNS poisoning attacks. Two elements of this service are worth noting:
- How DNS queries are made when Secure DNS is enabled: rather than sending DNS queries over UDP port 53, Windows computers running AVG first try UDP port 443, thereby bypassing the standard DNS path (provided outgoing UDP port 443 traffic isn’t blocked)*.
- If a DNS response does not match the publicly resolved entry, the browser’s connection is blocked.
As a result, ADAM’s services are affected as follows:
- Forced DNS responses are bypassed: by default, on all of our platforms, the standard DNS service (UDP/TCP port 53) is redirected to the local resolver so that every DNS query is subject to your chosen policy/rule set. Because AVG sends its queries over an alternate channel, that forced filtering at the gateway no longer applies.
- Blacklisted domains (and non-whitelisted domains) are allowed through, which effectively disables DNS firewalling/blocking altogether.
- Internal tools such as mytools.management cannot be reached: their responses don’t match a public resolver’s, so AVG blocks the Windows browser from connecting to them.
Solution:
To experience ADAM as designed, disable Secure DNS in AVG completely.
*Some subscribers have blocked outbound UDP port 443 traffic, which causes AVG to fall back to TCP port 53, but that also disables QUIC, so it isn’t an ideal solution.
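As an added illustration (not part of the original article or of ADAM’s tooling), here is a gateway-side heuristic in Python that flags hosts whose UDP/443 traffic is too small to be QUIC and may therefore be DNS queries slipping past the port-53 redirect described above. It assumes flow records in a constructed "proto src dst dport first-packet-bytes" format; the 1200-byte threshold comes from RFC 9000, which requires a client’s first QUIC Initial datagram to be padded to at least that size.

```python
"""Heuristic check for DNS queries leaving on UDP/443 instead of port 53.

Assumption (not from the article): flow records are whitespace-separated
lines "proto src dst dport first_packet_bytes". RFC 9000 section 14.1 requires
a client's first Initial datagram to be at least 1200 bytes, so a small first
packet on UDP/443 is not QUIC and is DNS-sized.
"""
from dataclasses import dataclass

QUIC_MIN_INITIAL = 1200  # RFC 9000 section 14.1 minimum Initial datagram size

# Constructed sample flow log, not real traffic.
SAMPLE_LOG = """\
udp 192.0.2.10 198.51.100.1 53 62
udp 192.0.2.10 203.0.113.7 443 1252
udp 192.0.2.11 203.0.113.9 443 71
tcp 192.0.2.11 203.0.113.9 443 517
udp 192.0.2.12 203.0.113.9 443 64
"""


@dataclass
class Flow:
    proto: str
    src: str
    dst: str
    dport: int
    first_pkt_bytes: int


def parse_flows(text):
    """Parse the constructed flow-log format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, src, dst, dport, size = line.split()
        flows.append(Flow(proto.lower(), src, dst, int(dport), int(size)))
    return flows


def classify(flow):
    """Label one flow by how the gateway's forced-DNS rule treats it."""
    if flow.dport == 53:
        return "redirected-to-local-resolver"  # the port-53 redirect applies
    if flow.proto == "udp" and flow.dport == 443:
        if flow.first_pkt_bytes < QUIC_MIN_INITIAL:
            return "possible-dns-bypass"  # too small for a QUIC Initial
        return "quic"
    return "other"


def bypass_hosts(flows):
    """Source addresses whose UDP/443 traffic does not look like QUIC."""
    return sorted({f.src for f in flows if classify(f) == "possible-dns-bypass"})


if __name__ == "__main__":
    for host in bypass_hosts(parse_flows(SAMPLE_LOG)):
        print(host, "sent non-QUIC UDP/443 traffic; check whether Secure DNS is enabled")
```

The size rule is a heuristic only: it catches small DNS queries on UDP/443, not every non-QUIC use of that port, so treat a hit as a prompt to check the client, not as proof.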