Avast! 2015 Security Suite Secure DNS and OpenDNS


  • magdiel1975

    I just spent a couple of days trying to figure out why my OpenDNS settings were not working. I noticed that by disabling "secure DNS" in Avast, OpenDNS started working again. Isn't this a loophole for those who want to bypass OpenDNS? Is there a way to block this? How can Avast bypass the DNS settings of the router?

  • mattwilson9090

    It's not a loophole. It's how the Avast software is supposed to work. If the DNS traffic doesn't reach OpenDNS, there is nothing that OpenDNS can do.

    The way to block this is the way you control and secure anything else on your computer: keep your security settings up to date, do not install anything that isn't needed on your computer, control who can install software, and then once the software is installed, check the software's settings to see what it is actually doing. And never, ever, install the "internet security" version of any antivirus software that is on the market. They generally do things that they should not be doing, all in the name of security, but in reality they just make a mess of things.

  • Alexander Harrison

    In this case, Avast is creating a local tool that's grabbing the DNS requests from the computer, encrypting them, and sending them straight to Avast without ever seeing your own local DNS server settings. This works much the same way that the Roaming Client does; however, it's tucked away inside the AV software and it's enabled by default without notification. 

  • sanctifiedbygrace

    Hi! My Avast looks different. When I go to Settings > Active Protection, the list of options is: File System Shield, Web Shield, Mail Shield, AntiSpam and Firewall. I just upgraded my Avast to a yearly paid account in October. I checked the other options to the left under Active Protection, and none of them shows DNS server. Do you have any ideas on how to access this button?

  • magdiel1975

    @Alexander.. so how can I block Avast Secure DNS from changing the DNS I have set on my router? - I know I can disable it on my computer, but I want my router to block Avast from changing the DNS settings I have set the router to.

  • mattwilson9090

    @magdiel1975

    We have tried to explain this to you several times. There is absolutely *NOTHING* that you can do short of changing the settings on individual computers. It is local software that completely bypasses "ordinary" DNS and makes a direct and encrypted link to the Avast servers to get DNS information from them. It is not changing any settings, on your router or elsewhere. It is intercepting DNS requests on the local computer before they are resolved with "standard" DNS.

    Local software is replacing the regular DNS stack with a method of its own. There is no way to make that any more clear, no matter how many times you try to ask the question, and however many times we try to rephrase the same answer. Short of blocking guest access to your network, or blocking all possible IP addresses that Avast is using, there is no way to block this behavior. You might be able to use a packet sniffer such as Wireshark to figure out where this traffic is going to, but it's likely going to several different IP addresses, so you'd have to identify and block them all. This has nothing to do with the settings on your router or OpenDNS, and short of blocking those things I've already mentioned, there is no way to prevent this from happening either at the router level or OpenDNS.

  • magdiel1975

    @Mattw..

    I understand you are annoyed by my question, in the future, please do not respond and simply ignore it... it will be very beneficial for you and me.. thanks for responding... If it bothers you so much, pretend you didn't see the question.. you or anybody here is obligated to respond..and besides, my question was directed to Alexander..hence the @Alexander.

  • mattwilson9090

    This is a public forum where anyone can post or respond to anything that they like. You don't get to control who can and cannot respond to your posts. If you don't want anyone else to be able to respond to your posts then you should submit a trouble ticket to OpenDNS where only OpenDNS support employees will respond to you.

    Nonetheless, that will not change the basics of the answers that I and Alexander, and perhaps others, have given you multiple times and in multiple threads. This is software installed on a local computer that bypasses standard DNS techniques to directly access Avast servers. It is not changing settings on your router or anywhere else. To prevent this from happening you either need to change the settings on the local computer, prevent guest access to your network, or since this bypasses DNS, you have to block access to all Avast servers at the IP level.

    It doesn't matter how many times you ask the same basic question, the answer will never change.

  • magdiel1975

    I am not trying to control anything.. I simply stated, if the fact that I ask a question more than once bothers or annoys you in any way.. you "could" simply ignore it..or you can get annoyed and frustrated and respond letting me know how you feel.. :) 

    You very wisely stated...

    "This is a public forum where anyone can post" -

    so, for this same reason, if I choose to post the same question I will. - Don't take any offense on this, but maybe I am not satisfied or don't really trust your answer and feel the need to keep asking until I get an answer that satisfies me.. Not saying your answer is right or wrong...just some people see things differently than others.

  • mattwilson9090

    Continue asking the same question and you will continue getting the same answer, which is exactly the same answer as you have gotten from Alexander, myself and others. I have simply gone into more detail and offered more options.

    How are you not satisfied? You have gotten the same exact answer from everyone who has responded to you, including an OpenDNS employee. Do you really think that if you keep asking the same question someone is going to give you a different answer? Or is the only answer that will satisfy you one that will magically change the universe to your liking?

    Thus far the only person who sees things differently from me is you. Everyone else, including an OpenDNS employee, has already given you the same basic answer. It is locally installed software that directly connects to Avast servers, it is not in any manner changing the settings on your router or anywhere else on your network other than whatever device might have that software installed. The DNS settings on your router are simply not being used. Your router can prevent this activity by preventing access to the responsible Avast servers at the IP address level. You might be able to block it at the port level if your router is capable of that, but first you'd have to identify the port or ports being used, and depending on what port is used it might prevent access to other services. Since your DNS settings are not being accessed you cannot block the behavior via that avenue.

    And this piece of software is just one way that computers that you do not control can bypass your network and security settings to do things that you don't approve. The only sure way to ensure that people on your network aren't doing things that you don't approve of is to control all of the computers on your network and to never allow guest access to your network.

  • rotblitz

    @sanctifiedbygrace
    "My Avast looks different."

    Then it may not have this "Secure DNS" option at all?

    Also, if you don't have problems with using OpenDNS, this is not a concern anyway.

  • mattwilson9090

    @sanctifiedbygrace

    You may also want to check with Avast support, or if they have a forum similar to this one for OpenDNS. After all, what you're referring to is an Avast feature, so beyond knowing to turn it off when possible because it would prevent OpenDNS from working, OpenDNS and its users probably aren't going to be the most knowledgeable about Avast features and how they work.

  • Alexander Harrison

    Avast! Secure DNS acts on the program layer of the internet stack which touches the DNS request before it reaches the standard network stack and intercepts it. It then sends it directly to Avast's DNS servers over a different port and under an encrypted protocol straight to Avast, then Avast returns the answer. It is done in such a way that the standard network DNS settings are never even seen. This may not be present in your Avast! since this is only a feature included in a paid subscription to Avast! Internet Security 2015. 

    If you are still uncertain, I'd recommend opening a discussion post elsewhere in this forum for further discussion rather than the informational post regarding this feature of Avast!. This behavior is very similar to the OpenDNS Roaming Client which overrides the local DNS setting with an encrypted tunnel to OpenDNS. The Roaming Client is available on any Umbrella subscription. 




  • sanctifiedbygrace

    @AlexanderHarrison - Thanks, but I do have a 2015 paid subscription. Where else would you suggest I open a post in the forum? I thought I was in the right place...

  • mattwilson9090

    You could start a new thread in this forum, or perhaps the community help or one of the other forums. Just read what the forums are about and choose what seems best. However, since your question has more to do with turning on and using a feature of another product, rather than how that feature might or might not interact with OpenDNS, I'd also strongly suggest checking with Avast tech support, or, if they have one, an Avast tech support board like this one.

  • Alexander Harrison

    This post is a how-to on how to disable Avast! Secure DNS to allow OpenDNS to work on the computer. How to turn it on, what such a feature is, why it is there, etc., are better served in a new discussion thread made in https://support.opendns.com/forums/21295462-Community-Help to allow this how-to to have comments on how to use the above instructions instead of a general discussion. With regards to "missing features" in Avast software, I'd suggest reaching out to Avast since OpenDNS is unable to help much with why a feature isn't available in Avast.

  • ictag

    Hi @magdiel1975,

    You are right. If Avast is installed on a PC that relies on OpenDNS to block content, it is child's play to bypass this protection. This is true irrespective of whether the PC is a private PC or a public PC and irrespective of how OpenDNS is configured. Any user can do this by selecting the enable-all feature in Avast. They do not need to be an administrator to bypass and you cannot prevent this using the Avast password protection. But you can prevent this DNS bypassing. I contacted Avast and this is what they explained (and I tested it too).

    1. As a PC administrator, go to the PC settings.
    2. Choose programs (or deinstall software).
    3. Select Avast but don't deinstall it. Instead, right-click on Avast to get the context menu.
    4. Select the Update option.
    5. When you execute update you can select Avast features to deinstall. Deinstall the DNS filter.

    Now your PC is properly protected against viruses and also against inappropriate Web content :)

    @alexander, it would be great if you could update your wonderful tutorial to include these steps.

    Alan

  • Alexander Harrison

    Alan, I've included these steps in the original article so it can help others looking for this information as well. Thanks for sharing!

  • lijiarong

    Hi, I'm currently using Avast SecureLine VPN and it blocks OpenDNS. Is there any solution to this issue?

    Thanks

  • mattwilson9090

    What issue is there to solve? The two are incompatible products. You have to choose to use one or the other.

  • magdiel1975

    @lijiarong

    Yes.. I have been trying to figure out how to block Avast Secure DNS for a very long time now.. I have tried blocking port 443 through iptables with no success.. Until finally I thought of blocking port 443 through Access Restrictions in your router.. that did the trick :)

    Not sure why iptables in the firewall was not working, but this way it is.




  • lijiarong

    @magdiel1975

    Wah wah, it's cool!

    I had set it on my TP-Link router.

    Thanks!

  • magdiel1975

    Glad it worked for you too. Just make sure you only block port 443 UDP and not TCP, otherwise you may break HTTPS.
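
Added example (not part of the thread, and not OpenDNS or Avast code): one way a network owner could spot the behaviour discussed above from router flow records, by flagging LAN clients that send UDP/443 to outside hosts while never querying the approved resolvers. It goes slightly beyond the thread by also flagging port-53 traffic to other resolvers, and it reports UDP/443 alongside normal DNS separately because QUIC (HTTP/3) also uses that port. The LAN range, router address, record layout and sample flows are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from collections import defaultdict

# Assumed for illustration (not from the thread): LAN range and router IP.
LAN = ip_network("192.168.1.0/24")
# Router's DNS forwarder plus the public OpenDNS resolver addresses.
APPROVED_RESOLVERS = {"192.168.1.1", "208.67.222.222", "208.67.220.220"}

# Constructed sample flow records, one per line: src dst proto dport
SAMPLE_FLOWS = """\
192.168.1.10 192.168.1.1 udp 53
192.168.1.20 198.51.100.5 udp 443
192.168.1.20 198.51.100.9 udp 443
192.168.1.30 192.0.2.53 udp 53
192.168.1.40 192.168.1.1 udp 53
192.168.1.40 198.51.100.77 udp 443
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport) from whitespace-separated records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip blank or malformed lines
            src, dst, proto, dport = parts
            yield ip_address(src), ip_address(dst), proto.lower(), int(dport)

def classify_clients(text, lan=LAN, approved=APPROVED_RESOLVERS):
    """Return {client_ip: (verdict, sorted destinations behind the verdict)}."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, proto, dport in parse_flows(text):
        if src not in lan:
            continue
        s = seen[str(src)]
        if dport == 53:
            s["dns_ok" if str(dst) in approved else "dns_other"].add(str(dst))
        elif proto == "udp" and dport == 443 and dst not in lan:
            s["udp443"].add(str(dst))
    report = {}
    for client, s in seen.items():
        if s["dns_other"]:
            verdict, hits = "unapproved-resolver", s["dns_other"]
        elif s["udp443"] and not s["dns_ok"]:
            verdict, hits = "likely-dns-bypass", s["udp443"]
        elif s["udp443"]:  # with normal DNS present this is usually QUIC
            verdict, hits = "udp443-with-normal-dns", s["udp443"]
        else:
            verdict, hits = "ok", set()
        report[client] = (verdict, sorted(hits))
    return report
```

Calling `classify_clients(SAMPLE_FLOWS)` returns one verdict per LAN client; real router or conntrack logs would need their own parser in place of `parse_flows`.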
