I think the point is the original author did not prove anything was sent to Avira in this case. All they have is speculation that "the router is making DNS queries about a Avira safe things domain and the DNS query QPS is correlated to the amount of traffic in the network".
I agree this is tremendously bad code, but what they observed could also be perfectly explained with "some stupid code doing a Avira subscription check whenever something arrives at the router and they do that without a cache for negative answer, and even if the feature is turned off".
> I agree this is tremendously bad code, but what they observed could also be perfectly explained with "some stupid code doing a Avira subscription check whenever something arrives at the router and they do that without a cache for negative answer, and even if the feature is turned off".
I do wish that it is at least it's Google-like (https://developers.google.com/safe-browsing/v4/update-api) and I hope that it's simply just a bad code, but the simplest method to check if a domain is blacklisted is to simply send the domain - there's no hashing and canonisation to deal with. And before counterarguing, this already happened with Avast (https://www.howtogeek.com/199829/avast-antivirus-was-spying-...), so while I agree that a stronger evidence is needed at the same time I can definitely consider it a smoking gun.
I agree this is tremendously bad code, but what they observed could also be perfectly explained with "some stupid code doing a Avira subscription check whenever something arrives at the router and they do that without a cache for negative answer, and even if the feature is turned off".
So we need more evidence.