I am in a "not exactly safe" country, so I use a VPN to access the Internet (xray running on a VPS under Ubuntu, protocol vless-reality). The server is located in the Netherlands. The VPN works perfectly: by checking at http://whatismyipaddress.com I can see the server address and not my real IP.
Recently I decided to check whether the server was safe, so I started scanning it through different online security services. I was really surprised to find out that the http://edns.ip-api.com/json service can see the DNS/geo of my real ISP. And it doesn't look like it's using WebRTC, because it gives the same result using a Python script:
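```python
import json
import urllib.request

# Ask the service which DNS resolver it saw performing the lookup.
content = urllib.request.urlopen("http://edns.ip-api.com/json").read()
# Same request by IP address instead of domain name:
#content = urllib.request.urlopen("http://85.10.196.124/json").read()
result = json.loads(content)
print(result['dns'])
```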
I thought something was giving me away in the HTTP request, so I tried using the IP instead of a domain name to request the document (included in the above script). The result however is the same.
Can someone for the love of God explain how this works?!
Turns out 85.10.196.124 HTTP-redirects to [random-combination].edns.ip-api.com, which forces the DNS server set on my system to contact ip-api.com and resolve this domain, as it is not cached.
For some reason, Nekoray, which I use as my VPN client, uses my ISP's DNS to do resolution. This allows the ip-api.com website to track the DNS query and see my ISP's DNS IP. In Nekoray settings I have DNS set to dns.google, but it looks like for some reason it's not using it.
I'm gonna look into Nekoray's settings now to find the reason.
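A repeatable check for the leak described above, as an added example that is not part of the original post: it shows the hostname the request ends up on after the redirect and tests whether the resolver the service reports falls inside your ISP's address ranges. The `ip` and `geo` fields inside `dns`, the function names, and the documentation-range addresses are assumptions or constructed values; substitute your ISP's real networks.

```python
import ipaddress
import json
import urllib.request
from urllib.parse import urlsplit

PROBE_URL = "http://edns.ip-api.com/json"  # service named in the post


def fetch_probe(url=PROBE_URL, timeout=10):
    """Return (final_host, parsed_json). urlopen follows redirects itself,
    so final_host is the name the system resolver actually had to look up."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        final_host = urlsplit(resp.geturl()).hostname
        return final_host, json.loads(resp.read())


def resolver_leaks(result, isp_networks):
    """True if the resolver the service saw lies inside one of isp_networks.

    Assumes result["dns"] is an object with an "ip" field (assumed shape).
    """
    dns = result.get("dns")
    if not isinstance(dns, dict) or "ip" not in dns:
        raise ValueError("response has no dns.ip field")
    resolver = ipaddress.ip_address(dns["ip"])
    # A v4 address is never "in" a v6 network (and vice versa), so mixed
    # lists are safe to pass.
    return any(resolver in ipaddress.ip_network(net) for net in isp_networks)


# Constructed samples using documentation address ranges (RFC 5737 / 3849).
ISP_NETWORKS = ["203.0.113.0/24", "2001:db8:1::/48"]
LEAKING = {"dns": {"ip": "203.0.113.53", "geo": "Constructed - Example ISP"}}
TUNNELLED = {"dns": {"ip": "198.51.100.7", "geo": "Constructed - Other resolver"}}

if __name__ == "__main__":
    # Live run: needs network access and goes out the same way the post's
    # script does (through the VPN client, if it is active).
    host, result = fetch_probe()
    print("final host after redirect:", host)
    print("resolver seen by the service:", result.get("dns"))
    print("resolver is inside ISP networks:", resolver_leaks(result, ISP_NETWORKS))
```

Run it once with the VPN client off to learn which resolver address your ISP path produces, then again with it on; a `True` result with the VPN on means lookups are still bypassing the tunnel.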