1 | initial version |
OK, so stopping the AVG anti-malware service eliminates these UDP encrypted frames and the Client then issues its first TCP SYN to the A Record which it receives in the DNS Response, following the classical approach.
So, to answer my question, looks like some anti-malware packages watch the DNS Resolver, perform their own DNS look-ups using an encrypted, UDP-based protocol against their own DNS servers (well, loaded on top of a world-wide infrastructure managed by Total Server Solutions), and ... here I'm unclear how they manage this -- hand the result to the querying application, superseding what the OS-native Resolver has placed there.
That's neat. Smells like an attractive target for a nation-state actor, too
Anyway, thank you Chris for getting me to dig more deeply. Best,
--sk