Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

OK, so stopping the AVG anti-malware service eliminates these UDP encrypted frames and the Client then issues its first TCP SYN to the A Record which it receives in the DNS Response, following the classical approach.

So, to answer my question, looks like some anti-malware packages watch the DNS Resolver, perform their own DNS look-ups using an encrypted, UDP-based protocol against their own DNS servers (well, loaded on top of a world-wide infrastructure managed by Total Server Solutions), and ... here I'm unclear how they manage this -- hand the result to the querying application, superseding what the OS-native Resolver has placed there.

That's neat. Smells like an attractive target for a nation-state actor, too

Anyway, thank you Chris for getting me to dig more deeply. Best,