How does ip-api.com manage to see the DNS IP of my ISP?

Question

I am in a "not exactly safe" country, so I use a VPN to access Internet (xray running on a VPS under Ubuntu, protocol vless-reality). The server is located in Netherlands. The VPN works perfectly, by checking at http://whatismyipaddress.com I can see server address and not my real IP.

Recently I decided to check whether the server was safe, so I started scanning it through different online security services. I was really surprised to find out that the http://edns.ip-api.com/json service can see the DNS/geo of my real ISP. And it doesn't look like it's using WebRTC, because it gives the same result using a Python script:

import urllib.request
import json

content = urllib.request.urlopen("http://edns.ip-api.com/json").read()
#content = urllib.request.urlopen("http://85.10.196.124/json").read()

result = json.loads(content)
print(result['dns'])

I thought something was giving me out in the http request, so I tried using the IP instead of a domain name to request the document (included in the above script). The result however is the same.

Can someone for the love of God explain how this works?!

Answer 1

Turns out 85.10.196.124 http-redirects to [random-combination].edns.ip-api.com, which forces the DNS server set on my system to contact ip-api.com and resolve this domain, as it is not cached.

For some reason, Nekoray, which I use as VPN client, uses my ISP's DNS to do resolution. This allows ip-api.com website to track the DNS query and see my ISP's DNS IP. In Nekoray settings I have DNS set to dns.google, but it looks like for some reason it's not using it.

I'm gonna look into Nekoray's settings now to find the reason.