AVG's SecureDNS feature causes problems when using split horizon DNS.
AVG SecureDNS tries to validate a DNS response using a QUIC request to one of their servers on port 443. When using SecureDNS it will return the external view of your DNS server instead of the internal view.
917 18.820059 10.100.150.41 10.90.12.11 DNS 78 Standard query 0x255c A terminalserver.domain.com 918 18.820754 10.90.12.11 10.100.150.41 DNS 94 Standard query response 0x255c A terminalserver.domain.com A 10.90.12.201 919 18.821628 10.100.150.41 195.181.172.129 QUIC 154 59675 → 443 Len=112[Malformed Packet] 920 18.825398 195.181.172.129 10.100.150.41 QUIC 346 443 → 59675 Len=304[Malformed Packet]
Above wireshark output was generated from using nslookup on a Windows 10 machine. Eventually nslookup will return the external IP address of terminalserver.domain.com