Yesterday I was testing my router and forcing a filtered DNS. When checking DNS leak tests both my W11 machines show: https://imgur.com/a/57Fvmsl
It doesn’t matter what DNS is set in the router or what browser is used. Amazon AWS servers show in most checks. Even blocking port 53 (this really bothers me) on my router this Apparently blocking port 53 isn’t 100% effective on my router. I’ll have to test more when I can take down the network for a bit and disable IPv6. I think it isn’t being blocked. DNS shows on these leak tests for Windows only:
This result only happens on Windows devices and shows even when Edge is set to DoH servers. It happens for me on Edge, Chrome, and Firefox. I also confirmed with other people on malwaretips.com (Edge using Amazon DNS? | MalwareTips Forums) (in multiple different continents) they are also seeing this, and some reported seeing it when using Brave as well. It doesn’t always happen on the first test. I thought it was only Edge, but after retrying Chrome and Firefox 3-4 times it showed up there. Sometimes it shows up the first time, sometimes it shows up the 10th time. I know in the screenshot it shows Quad9 servers, but they don’t use Amazon servers for their Dublin location. And it happens even with my local ISP. This was not happening 3 days ago when I was doing similar testing. No other devices in my home have these results, even Amazon FireTV Sticks and tablets.
Is anyone here seeing this?
Answer: I’m fairly certain it is Amazon Route 53 for some of the TLDs used in the leak tests, but it doesn’t explain why it is only Windows devices. Anyway, probably not a Windows issue. Mystery solved there I suppose.
Extended Answer: Seemed to be from F-Secure Antivirus. A very decent product, but good lord was that hard to track down. They use Amazon Route 53 for their services to speed them up.
Yes it forced all other DNS requests to Quad9 which was set on the router and advertised via DHCP. But it occurs no matter how the router is set, even just using the ISP DNS. I would think it was a router issue, but other users reported seeing the same Dublin AWS servers in their results as well. It also is blocking Amazon devices from using 8.8.8.8 as expected for apps like Netflix.
The only way anyone found on MalwareTips was uninstalling. It is F-Secure checking web traffic by intercepting DNS and examining it. They use Amazon Route 53 to speed up the process.
Blocking port 53 outgoing on TCP and UDP and advertising the DNS set in the router through DHCP at the router’s IP.
Edit: After testing it more, it seems port 53 isn’t completely blocked despite being designated as so in the router. Pretty sure I need to disable IPv6 to test this, but I can’t bring my network down at the moment to do it. It seemed to be working yesterday, but if I change the DNS in Windows 11 the selected DNS (non-DoH) still shows regardless of the router blocking port 53.
I’ll have to test more when I can take down the network for a bit and disable IPv6. I think it isn’t being blocked.
But that part is somewhat irrelevant. It shows even when DoH is activated in Edge. I’ve never seen this before. It negates any DNS filtering. Where is the Amazon DNS coming from?
Pretty sure it is Amazon Route 53 for some of the TLDs used in the leak tests, but it doesn’t explain why it is only Windows devices. Anyway, probably not a Windows issue.
I just got help with this problem as well. I couldn’t figure out where the DNS leak was coming from. By disabling F-Secure antivirus I saw my installed Google DNS correctly. I wish I had found your post sooner. Respect.
Glad it helped. I don’t have a problem with F-Secure, I in fact find it to be pretty great. But, I don’t like antivirus programs fiddling with things with no notice to the user.
Totally agree. At the moment I have solved this problem. I blocked the process on the path “C:\Program Files (x86)\F-Secure\F-Secure\FSNifWeb\1715672042\fshoster64.exe” using a firewall, creating a rule for the outgoing connection.
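Added example, not part of the thread and not any participant's code: one way to find which process is sending DNS traffic past the resolver the router advertises, including over IPv6, from an export of outbound-connection events (for example Sysmon Event ID 3). The CSV layout, the router address 192.168.1.1, and all process paths and destination addresses are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: the router's LAN address is the only resolver clients should use.
ALLOWED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}
DNS_PORTS = {53, 853}  # plain DNS over UDP/TCP, and DNS over TLS

# Constructed sample, one row per outbound connection. Not real data;
# destination addresses come from documentation-only ranges.
SAMPLE_LOG = """\
image,protocol,dest_ip,dest_port
C:\\Windows\\System32\\svchost.exe,udp,192.168.1.1,53
C:\\Program Files\\ExampleAV\\agent.exe,udp,198.51.100.7,53
C:\\Program Files\\ExampleAV\\agent.exe,tcp,198.51.100.7,53
C:\\Program Files\\ExampleBrowser\\browser.exe,tcp,203.0.113.9,443
C:\\Windows\\System32\\svchost.exe,udp,2001:db8::53,53
C:\\Tools\\resolver.exe,tcp,203.0.113.20,853
"""


def find_dns_bypass(log_text, allowed=ALLOWED_RESOLVERS):
    """Map each process image to the DNS destinations it contacted that are
    not in `allowed`, as sorted (family, dest_ip, port, protocol) tuples."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["dest_port"])
        if port not in DNS_PORTS:
            continue  # DoH on 443 cannot be told apart from HTTPS by port alone
        dest = ipaddress.ip_address(row["dest_ip"])
        if dest in allowed:
            continue
        # An IPv4-only port 53 block on the router would miss the IPv6 rows.
        family = "IPv6" if dest.version == 6 else "IPv4"
        hits[row["image"]].add((family, str(dest), port, row["protocol"]))
    return {image: sorted(found) for image, found in hits.items()}


if __name__ == "__main__":
    for image, found in find_dns_bypass(SAMPLE_LOG).items():
        print(image)
        for family, dest, port, proto in found:
            print(f"  {family} {proto}/{port} -> {dest}")
```

A process that shows up here is a candidate for the kind of per-program outbound firewall rule described in the last post.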