Edge using Amazon DNS?

blackice

Level 39
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,823
What really bothered me is it still happens even if I block port 53 on the router and if I use DoH in browser. I’m not worried about Amazon, but I am annoyed it negates any filtering DNS.
 

Morro

Level 17
Verified
Top Poster
Well-known
Jul 8, 2012
844
It doesn’t appear every test but I have it in any browser using any of these after 2 or 3 tests:
dnscheck.tools
browserleaks.com
dnsleaktest.com

Still happening for me this morning.

Considering that it was suddenly there this morning I expect a chance that it returns, as such I was careful to mention “right now”. I guess it is just a matter of when it returns and not if.
 

blackice

Level 39
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,823
After more testing it looks like it could be Route 53 being used on some of the TLDs the leaktest tries, I wonder if that affects DNS filtering? And why is it only Windows devices!?

Thanks @TairikuOkami and @oldschool for nudging me in the right direction. I've never seen Route 53 show up in DNS leak tests before.

I think the Port 53 blocking issue is due to IPv6 not being blocked properly and I will have to take my network down later to test that.
 
Last edited:
  • Like
Reactions: vtqhtr413 and Morro

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,515
Aside from disabling IPv6
Code:
rem Disable IPv6
netsh int ipv6 isatap set state disabled
netsh int teredo set state disabled
netsh interface ipv6 6to4 set state state=disabled undoonstop=disabled
reg add "HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" /v "6to4_State" /t REG_SZ /d "Disabled" /f
reg add "HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" /v "ISATAP_State" /t REG_SZ /d "Disabled" /f
reg add "HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition" /v "Teredo_State" /t REG_SZ /d "Disabled" /f
reg add "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters" /v "DisabledComponents" /t REG_DWORD /d "255" /f
reg add "HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters" /v "EnableICSIPv6" /t REG_DWORD /d "255" /f
I would also set this:
Code:
rem Disable Discovery of Designated Resolvers (DDR), a mechanism for DNS clients to use DNS records to discover a resolver's encrypted DNS configuration
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableDdr" /t REG_DWORD /d "0" /f

rem 3 - Require DoH / 2 - Allow DoH / 1 - Prohibit DoH
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DoHPolicy" /t REG_DWORD /d "3" /f

rem Disable IDN (internationalized domain name)
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DisableIdnEncoding" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableIdnMapping" /t REG_DWORD /d "0" /f

rem 1 - Discovery of Network-designated Resolvers DNS over TLS (DoT), DNS over HTTPS (DoH), DNS over QUIC (DoQ)
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableDnr" /t REG_DWORD /d "0" /f

rem Disable smart multi-homed name resolution
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "DisableSmartNameResolution" /t REG_DWORD /d "1" /f
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "DisableParallelAandAAAA" /t REG_DWORD /d "1" /f

rem Disable Multicast/mDNS repeater / https://f20.be/blog/mdns
reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableMDNS" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows NT\DNSClient" /v "EnableMulticast" /t REG_DWORD /d "0" /f

reg add "HKLM\System\CurrentControlSet\Services\Dnscache\Parameters" /v "EnableAutoDoh" /t REG_DWORD /d "2" /f

rem 1 - Disable Domain Name Devolution (DNS AutoCorrect) / 0 - Enabled (Default)
reg add "HKLM\System\CurrentControlSet\Services\Tcpip\Parameters" /v "UseDomainNameDevolution" /t REG_DWORD /d "0" /f
 

Jonny Quest

Level 17
Verified
Top Poster
Well-known
Mar 2, 2023
799
@blackice and now for the bizarre. Of 3 of my Windows 10 PCs, 2 were getting the Ireland amazon servers 1 wasn't. 2 of 3 of my Windows 11 PCs, were also getting the amazon servers, 1 wasn't. So the one Windows 10 PC was using a Netgear USB wireless adapter running Kaspersy free. The other Windows 11 PC is only using Windows Security. All of them are connected to the same router....so was it because of the Netgear adapter and Kaspersky on the Windows 10 PC, and was the Window 11 just running Windows Security made the difference....what if it's F-Secure? So I uninstalled it from one of my Windows 11 Notebooks, and guess what, no more Amazon servers, only my ISP showing up on the ip leaktest site. Mullvad also showed the same results

Next, I uninstalled F-Secure from the other Windows 11 Notebook, and what do you know, no more Amazon servers. If you have F-Secure installed, try uninstalling it and see if it works for you. As I did remember in GlassWire, that F-Secure does connect to Ireland servers, its plug in hosting service, so maybe somehow those get tied in together? So it's no longer an issue on those PCs with either Brave or Chrome. Needless to say, F-Secure is being replaced by Kaspersky Plus for the time being

f secure ireland.jpg
 

Jonny Quest

Level 17
Verified
Top Poster
Well-known
Mar 2, 2023
799
Just uninstalled F-Secure from my 3rd PC, Windows 10. No more Amazon servers :):):) I was using F-Secure Internet Security.

edit: disabling the F-Secure browser extension, and turning off the Browsing Protection in the apps settings, did not resolve it, isn't a "solution" unless there's something else to try, apart from Windows firewall settings. I'm more of a get rid of the offending culprit, compared to a more involved work around type of user :)
 
Last edited:

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,515
What really bothered me is it still happens even if I block port 53 on the router and if I use DoH in browser. I’m not worried about Amazon, but I am annoyed it negates any filtering DNS.
Do you also block it in the firewall? Because Windows overrules router. In WFC you can allow only specific DNS IPs

capture_04062024_181111.jpg
 

Morro

Level 17
Verified
Top Poster
Well-known
Jul 8, 2012
844
Next, I uninstalled F-Secure from the other Windows 11 Notebook, and what do you know, no more Amazon servers. If you have F-Secure installed, try uninstalling it and see if it works for you. As I did remember in GlassWire, that F-Secure does connect to Ireland servers, its plug in hosting service, so maybe somehow those get tied in together? So it's no longer an issue on those PCs with either Brave or Chrome. Needless to say, F-Secure is being replaced by Kaspersky Plus for the time being

View attachment 282614

I believe you, I do, but that makes it even weirder for me? I do not use F-Secure, and granted after that first one it has not happened to me any more? (So far that is.)
 

blackice

Level 39
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,823
Do you also block it in the firewall? Because Windows overrules router. In WFC you can allow only specific DNS IPs

View attachment 282615
Blocked the port in the firewall on the router. I even made sure it was working by changing the Windows setting and seeing if the router blocked the internet if it didn't have a DHCP provided DNS. And it did.
I believe you, I do, but that makes it even weirder for me? I do not use F-Secure, and granted after that first one it has not happened to me any more? (So far that is.)
Maybe another program that uses it.
Thanks :) At least now I'm back to this. I used the DNS leak test extended test

View attachment 282616
View attachment 282617
Thanks! I have had F-Secure installed. I will try with it uninstalled later and see. I'm guessing you're right.
 

blackice

Level 39
Thread author
Verified
Top Poster
Well-known
Apr 1, 2019
2,823
@Jonny Quest Looks like we have a winner! Uninstall of F-Secure and it's gone. Maybe it's part of the network filtering process. Also, my resolutions are snappier. Not in a way that matters, but it definitely was inspecting DNS requests. I know others like Avast also mess with DNS. F-Secure would still be me option for a 3rd party AV. But I think I may just done messing with any 3rd party AV for now. Things always go smoother without.
 

Jonny Quest

Level 17
Verified
Top Poster
Well-known
Mar 2, 2023
799
@Jonny Quest Looks like we have a winner! Uninstall of F-Secure and it's gone. Maybe it's part of the network filtering process. Also, my resolutions are snappier. Not in a way that matters, but it definitely was inspecting DNS requests. I know others like Avast also mess with DNS. F-Secure would still be me option for a 3rd party AV. But I think I may just done messing with any 3rd party AV for now. Things always go smoother without.
I agree, I haven't installed anything yet, and in thinking about it, I will not install Kaspersky Plus with it's 42 modules and all its settings. Granted, some of them can be disabled to only manually run, so I get that part. But when you need a search bar, which was helpful, to find a module or setting, is a bit much. The free version is wonderful though :) Even their Internet Security had ~39 modules. I had gone to F-Secure Internet Security for it's simplicity, protection and its 3 module home screen. So, we'll see :)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top