Spent the last 3 days trying to figure out what on my PC is causing a denial of service attack to my router. What is happening is the DNS server through the router/firewall is getting nailed at once with 1000 DNS queries, sees it as an attack (rightfully so) and locks out the port. I recognize the list and it looks like the Alexa Top 1000.
So I performed a boot scan with Avast, scanned with Malwarebytes, Spybot, Windows Defender, Microsoft Safety Scanner and the MS Malicious Software Removal tool. Wiped most programs off the PCs, scoured regedit/msconfig boot process and used CCleaner. Nothing found.
I tried to find it using Process viewers but still can’t find it since it is so elusive. Turns out it waits until the PC goes to screen saver, idle or comes out of sleep. When I try to view the process that is doing it my network logs show it stops right when I touch the keyboard. Was just getting ready to reinstall Windows at this point.
I just found another thread here back in January that has one post mentioning Alexa Top 1000 and Avast Secure DNS. I am however using the free version so I am not using secure DNS but is this Avast Free behavior with version 10.2.2218?
Avast is checking for DNS poisoning or the DNS having been hacked. So it doesn’t have to be using or have SecureDNS installed.
It checks on DNS, against the most popular sites (as these may be more prone to being poisoned/hacked) to see what is returned, e.g. does it match the expected/correct IP address.
Does turning off “Home Network Security” disable it? I turned it off and am waiting to see if it happens again. It was happening every few hours before thus my router blocking internal traffic because of it. Making 1000 DNS queries in a matter of seconds every few hours seems excessive.
This really should be documented somewhere since I could only imagine how many people have wasted countless hours in troubleshooting only to find the traffic was coming from Avast. I never would have guessed this was an internal attack and was busy poring over logs looking at incoming traffic. Took me a bit to find it was my internal PC causing the attack and then finding they were DNS queries. Then days finally coming to the conclusion it was probably Avast.
Unfortunately as an avast user like yourself, I can’t say why (other than checking your DNS Server is clear) or how frequently the DNS checks are done as my firewall doesn’t raise any flags.
I wouldn’t think disabling the Home Network Security would impact on this as in theory it is checking the home networks security (rather than external DNS). But I could be wrong.
You may find this helpful in the future for other info - the avastUI has a context sensitive help function - going to the area you are looking for some information and click the ? at the top right corner of the UI window.
I did this in the avastUI > Settings > Tools - which lists Home Network Security and clicked the ?
From the window that appears I found the “Home Network Security - Analyzes your home network for security risks. More…” The More… is clickable and produced the window (attached). This I would say confirms my suspicion that it doesn’t do the DNS checking.
I think only time will tell on this, given what Bob said and what is in the related Help - it should only be an on-demand “Home Network Security” scan.
I suspect I have the same problem identified earlier in this string. In a nutshell I would like to know how to disable the feature that initiates the AddDnsEntry process captured in the Avast “HDS.log”. Disabling the Home Network Security option did not halt this query that happens at just over a 24-hour interval.
As described earlier there are approximately 1000 web sites identified for this AddDnsEntry process and I have packet captures that reflect IP and IPv6 DNS queries for each. It should be noted that of the approximately 2000 DNS queries there was no attempt to connect to any of the sites. The sites identified in the packet capture align with the sites and sequence listed on the Avast HDS.log. About 85% of these sites are present on the latest Alexa Top 1000 URL list so I suspect this process is using an older Alexa listing. One of the sites queried is chaseswing.eu which causes an Anubis-Sinkhole alarm on Alien Vault sensors.
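The traffic pattern described in this thread (about 1000 names resolved within seconds, each as an A and an AAAA query, with no connection to any returned address) can be told apart from ordinary browsing in resolver and flow logs. The sketch below is an added example, not part of any post above and not Avast's code; the record layout, the function names, the sample data and the thresholds (`gap`, `min_names`, the 0.9 ratio) are all assumptions to adapt to your own log source.

```python
from collections import defaultdict

def _summarise(src, run, conns, min_names, follow):
    types, answers = defaultdict(set), set()
    for _, _, name, qtype, ips in run:
        types[name].add(qtype)
        answers.update(ips)
    if len(types) < min_names:
        return []                      # too few distinct names: not a burst
    start, end = run[0][0], run[-1][0]
    # Did the client ever connect to an address these lookups returned?
    contacted = {d for ts, s, d in conns
                 if s == src and d in answers and start <= ts <= end + follow}
    dual = sum(1 for t in types.values() if {"A", "AAAA"} <= t) / len(types)
    return [{"src": src, "seconds": end - start, "names": len(types),
             "queries": len(run), "dual_ratio": dual, "contacted": len(contacted),
             "probe_like": dual > 0.9 and not contacted}]

def find_dns_bursts(queries, conns, gap=2.0, min_names=100, follow=60.0):
    """queries: (ts, src, qname, qtype, answer_ips); conns: (ts, src, dst).
    A burst is a run of queries from one client with no pause longer than
    `gap` seconds that asks for at least `min_names` distinct names."""
    by_src = defaultdict(list)
    for q in sorted(queries, key=lambda q: q[0]):
        by_src[q[1]].append(q)
    bursts = []
    for src, qs in by_src.items():
        run = []
        for q in qs:
            if run and q[0] - run[-1][0] > gap:
                bursts += _summarise(src, run, conns, min_names, follow)
                run = []
            run.append(q)
        bursts += _summarise(src, run, conns, min_names, follow)
    return bursts

def constructed_sample():
    """Constructed data (not from the thread's captures)."""
    queries, conns = [], []
    for i in range(1000):              # idle PC: 1000 names, A + AAAA, no connects
        t, name = 1000.0 + i * 0.005, f"site{i:04d}.example"
        queries.append((t, "192.168.1.20", name, "A", [f"198.51.100.{i % 250}"]))
        queries.append((t, "192.168.1.20", name, "AAAA", []))
    for i in range(5):                 # second PC: ordinary browsing
        t = 1000.0 + i * 30
        queries.append((t, "192.168.1.30", f"news{i}.example", "A", [f"203.0.113.{i}"]))
        conns.append((t + 0.1, "192.168.1.30", f"203.0.113.{i}"))
    return queries, conns

if __name__ == "__main__":
    for b in find_dns_bursts(*constructed_sample()):
        print(b)
```

A burst flagged `probe_like` points to a lookup-only check such as the one discussed here; a burst of the same size where `contacted` is non-zero deserves a closer look at the process behind it.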