Secure DNS

Update: Aug 9, 2016

 If you are having issues with the SecureDNS service and Avast for Business - Cloud, you can disable this feature by uninstalling SafeZone via the Web-based console. 


SecureDNS protects you against DNS (Domain Name System) hijacking, where a malicious program redirects you from a URL with a verified IP address to a phony look-alike website designed to acquire the sensitive login information and credit card details you type. SecureDNS provides an encrypted connection between your web browser and Avast's own DNS server to ensure that the web page in your browser is the authentic one.


Secure DNS has 2 components: the Secure DNS Client and the Secure DNS Shield. The Shield is never installed in the case of AfB. The Shield is the component which sniffs DNS packets and forwards them to the Secure DNS Client.


The Secure DNS Client is used by the Secure DNS Shield and the SafeZone browser, so in Premium and PES the component is present. When the Secure DNS Client is started (initialised), it sends around 200 requests to all our Secure DNS servers to pick the one with the fastest response time. The GUI issue "Secure DNS can't run on this network" appears when none of the 200 Secure DNS servers is reachable by the Secure DNS Client.
You can check if Secure DNS is used or not by visiting URL



How Secure DNS works


Avast Secure DNS copies every web request made by your system and compares the IP address your internet provider offers to the IP address Avast Secure DNS offers.

One of the following three actions is taken:

-     When IP addresses are the same: no change is made and the IP from your provider is used.

-     If Secure DNS does not offer an IP address, the internet provider address is used.

-     If Secure DNS offers a different IP address than your internet provider, the Avast IP address is used.
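
The three rules above, written out as an added Python example (not Avast's code) that also reports which lookups had the provider's answer replaced. Assumptions: each answer is treated as a set of addresses, "the same" means equal sets after normalisation, and the function names, host names and addresses are constructed for illustration (documentation ranges).

```python
import ipaddress

def normalise(answers):
    """Turn textual A/AAAA answers into a set of address objects."""
    parsed = set()
    for text in answers:
        try:
            parsed.add(ipaddress.ip_address(text.strip()))
        except ValueError:
            continue  # skip malformed entries rather than compare garbage
    return parsed

def choose(provider_answers, secure_answers):
    """Apply the three rules; return (source, addresses, overridden)."""
    provider = normalise(provider_answers)
    secure = normalise(secure_answers)
    if not secure:                  # Secure DNS offers no address
        return "provider", provider, False
    if provider == secure:          # both offer the same address(es)
        return "provider", provider, False
    return "secure", secure, True   # answers differ: Secure DNS wins

# Constructed sample lookups: name -> (provider answer, Secure DNS answer)
SAMPLE_LOOKUPS = {
    "same.example":       (["192.0.2.10"], ["192.0.2.10"]),
    "noanswer.example":   (["198.51.100.7"], []),
    "redirected.example": (["203.0.113.66"], ["192.0.2.20"]),
    # Same IPv6 address in two spellings must compare equal
    "v6.example":         (["2001:DB8::1"], ["2001:db8:0:0:0:0:0:1"]),
}

def overridden_names(lookups):
    """Names whose provider answer was replaced; candidates for review."""
    return sorted(n for n, (p, s) in lookups.items() if choose(p, s)[2])

if __name__ == "__main__":
    for name in overridden_names(SAMPLE_LOOKUPS):
        print("provider answer replaced for", name)
```

A replaced answer is a reason to look closer, not proof of hijacking: as noted under Web Performance below, some providers legitimately return locally based addresses.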


Web Performance Using SecureDNS


Avast Secure DNS routes your connection using an IP address that is known and secure even if the route may be slightly slower. This slight decrease in speed can be caused by one or more of the following:

  • There are some countries where Avast does not have a DNS server and accessing them from an external country can be noticeably slower compared to using the default DNS.
  • The Avast IP may have a longer route to the same server than the default DNS IP address.
  • Some providers, including corporate networks, have their own DNS servers which sort and handle DNS requests. These servers may have different, locally based IP addresses that differ from the global IP address and may load web sites faster.
  • Some providers block or filter encrypted DNS requests, which may slow down or stop connections to Avast Secure DNS if the request waits for a timeout.




What is DNS hijacking?


The Domain Name System (DNS) translates readable domain names such as to a corresponding IP address such as   DNS hijacking can happen if a malware program gains unauthorized access to your computer, changes the DNS settings, and then directs you to a rogue DNS server when you request a URL. The rogue server directs you to a fake website with a similar domain name instead of the one you requested. Cybercriminals typically target sites with valuable personal information, such as banks, search engines, and social media sites, in order to capture private user information and infect the visiting computer system with malware. Although DNS servers are typically responsible for web transactions, they are also used for email, Virtual Private Networks (VPNs) and automated data transfers such as software updates. For businesses, the cost of using a hijacked enterprise DNS is even greater. The business can have all of its network data copied and read, including customer and financial data, passwords, emails and proprietary documents.



How do I know if I am a victim of DNS hijacking?



Indications that your DNS is being redirected include unusual search results and unexpected pages loading while web browsing. For example, when browsing to a page, say You will be re-routed to a page that is not Google and that lists some available options along with spam ads that are designed to entice you to click on them.



Please NOTE

The Secure DNS feature is not supported on all operating systems and all network environments. It is just a message that the Secure DNS feature is not available for your network. One of the reasons would be that port UDP:443 is not allowed, or that UDP:53 allows only real DNS that is not encrypted with Avast encryption, etc. In general, it is just a message that your PC environment is not compatible with Secure DNS.

