AVG Secure DNS compatibility

AVG now offers a “Secure DNS” service which is designed to prevent DNS poisoning attacks. Two elements of this service are worth noting:

  1. How DNS queries are made when Secure DNS is enabled: rather than using UDP port 53, Windows computers running AVG send their DNS queries over UDP port 443 as a first priority, thereby bypassing the standard DNS services (if outgoing UDP port 443 traffic isn’t blocked)*.
  2. If a DNS response does not match a publicly-resolved entry, the browser’s connection is blocked.

The result of the above is that DNSthingy’s services are impacted as follows:

  • Forced DNS responses are bypassed: by default, on all of our platforms, the standard DNS service (UDP/TCP port 53) is redirected to the local resolver so that every DNS query is forced through your desired policy/rule set. But since AVG uses an alternate channel, its queries bypass the forced filtering at the gateway.
  • Blacklisted domains (or non-whitelisted domains) are allowed through, effectively disabling DNS firewall/blocking altogether.
  • The Windows browser is blocked from connecting to internal tools such as mytools.management.

Solution:

To experience DNSthingy as designed, disable Secure DNS in AVG completely.

*Some subscribers have blocked outbound UDP port 443 traffic, which causes AVG to fall back to TCP port 53; but blocking that port also disables QUIC, so it’s not an ideal solution.
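To see from the gateway side why a port-53 redirect misses this traffic, the following added example (not DNSthingy’s or AVG’s code) inspects constructed UDP/443 payloads, tells a plain DNS query apart from QUIC (which shares the port) by wire-format shape, and flags the flows that carry DNS past the redirect. The flow records, addresses and query names are constructed sample input, and the DNS/QUIC classification is a heuristic.

```python
import struct

def build_query(name, qtype=1, ident=0x1234):
    """Construct a minimal DNS query (constructed sample input, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_qname(buf, off):
    """Parse an uncompressed QNAME at buf[off:]; return (name, next_off) or None if malformed."""
    labels = []
    while off < len(buf):
        ln, off = buf[off], off + 1
        if ln == 0:
            return ".".join(labels), off
        if ln > 63 or off + ln > len(buf):  # label too long or runs off the end of the packet
            return None
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln
    return None

def looks_like_dns_query(payload):
    """Return (qname, qtype) if payload has the shape of a plain DNS query, else None."""
    if len(payload) < 17:  # 12-byte header + root label + QTYPE + QCLASS
        return None
    _ident, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    # QR must be 0 (a query), opcode must be QUERY, exactly one question and no answers
    if flags & 0x8000 or (flags >> 11) & 0xF or (qd, an, ns) != (1, 0, 0):
        return None
    parsed = parse_qname(payload, 12)
    if parsed is None or parsed[1] + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[parsed[1]:parsed[1] + 4])
    return (parsed[0], qtype) if qclass == 1 else None

def classify_udp_443_payload(payload):
    """'dns' if it parses as a DNS query, 'quic' if the QUIC fixed bit (RFC 9000) is set, else 'other'."""
    if looks_like_dns_query(payload) is not None:
        return "dns"
    return "quic" if payload and payload[0] & 0x40 else "other"

SAMPLE_FLOWS = [  # constructed flow records, not captured traffic
    {"src": "192.168.1.20", "proto": "udp", "dport": 53, "payload": build_query("example.com")},
    {"src": "192.168.1.21", "proto": "udp", "dport": 443, "payload": build_query("mytools.management")},
    {"src": "192.168.1.22", "proto": "udp", "dport": 443, "payload": bytes([0xC3]) + bytes(40)},
]

def find_dns_on_443(flows):
    """Flag UDP/443 flows carrying a DNS query: these slip past a gateway's port-53 redirect."""
    return [(f["src"], looks_like_dns_query(f["payload"])[0]) for f in flows
            if f["proto"] == "udp" and f["dport"] == 443 and classify_udp_443_payload(f["payload"]) == "dns"]
```

Running `find_dns_on_443(SAMPLE_FLOWS)` reports only the second flow; the port-53 query is already caught by the redirect and the QUIC packet is not DNS.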