System administration
dollar, 2021-08-12 14:15:22

What could be the reason for this mysterious substitution of domain names?

The system configuration is as follows:
1) Local DNS (Acrylic DNS Proxy, on the same machine, 127.0.0.1) resolves all domains to 127.0.0.1, except for whitelisted domains, which are listed in AcrylicHosts.txt.
2) All applications are proxied and reach the internet via SOCKS (a MikroTik on the LAN) using Proxifier. A direct connection (through the gateway) is blocked and not possible.

And everything seems to work well, without failures, but some applications report that they cannot connect (to their servers, without saying which address). In the Proxifier log this is accompanied by lines like these:

[08.11 23:51:09] svchost.exe (2784) - www.mozilla.org resolve via 127.0.0.1:53 : DNS
[08.11 23:51:10] some_app.exe (2856) - www.mozilla.org(127.0.0.1):80 : direct connection

mozilla.org is a real example.
That is, these applications are accessing domains that were recently accessed from elsewhere (this is a hypothesis). When I met such an application for the first time, I blamed its developers at first. Like, what is this game, random access to various popular sites? But when I came across other applications with similar behaviour, I realized it was not about them.

At first I tried adding these domains to the whitelist, in the hope that such applications were checking something for themselves there. But each time the connection goes to a new site: for example, clouds (of all brands), certificate authorities (the application goes through all of them), popular sites, etc.

So, the question is: what could be the matter?

2 answer(s)
dollar, 2021-09-03

In general, the reason was simple. DNS caching has nothing to do with it; it is only the cache inside Proxifier itself.

  1. Some soft1 resolves the forbidden address xxxxx1.com, which resolves to 127.0.0.1.
  2. Some soft2 resolves the forbidden address yyyyy2.com, which also resolves to 127.0.0.1.
  3. Proxifier remembers that 127.0.0.1 is yyyyy2.com, so that it can somehow label connections to this address. It remembers the last successful resolution.
  4. Next, soft1 wants to connect to 127.0.0.1 many times, and the log shows yyyyy2.com, although that domain has nothing to do with soft1.
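
The four steps above, replayed as an added example (this is not Proxifier's or Acrylic's code, and the accepted answer did not post any). It models the one-name-per-IP reverse cache the answer describes, shows that a single sinkhole address makes the printed name collide while a hypothetical per-name loopback address in 127.0.0.0/8 keeps it unique (whether Acrylic can be configured that way is not claimed here), and parses log lines in the shape the question quotes to list every name that could be behind a connection to the sinkhole. The log lines and names below are constructed.

```python
"""Model of the Proxifier labelling behaviour described in the accepted
answer, plus a parser for log lines in the shape the question quotes.
Added example: not Proxifier's or Acrylic's code; all events, names and log
lines are constructed. Assumption: Proxifier keeps exactly one 'last
resolved name' per destination IP, with no per-process context."""
import hashlib
import ipaddress
import re

SINKHOLE = "127.0.0.1"


class ReverseNameCache:
    """Keeps the last name that resolved to each IP, process-agnostic."""

    def __init__(self):
        self._last_name = {}

    def on_resolve(self, host, ip):
        self._last_name[ip] = host          # later resolutions overwrite

    def label(self, ip):
        """The name the log would print for a connection to `ip`."""
        return self._last_name.get(ip, ip)


def simulate(resolver):
    """Replay steps 1-4 of the answer under a given DNS policy.
    `resolver(host)` returns the address a blocked name is sinkholed to.
    Returns the label printed for soft1's own connection."""
    cache = ReverseNameCache()
    soft1_ip = resolver("xxxxx1.com")        # step 1: soft1 resolves
    cache.on_resolve("xxxxx1.com", soft1_ip)
    soft2_ip = resolver("yyyyy2.com")        # step 2: soft2 resolves
    cache.on_resolve("yyyyy2.com", soft2_ip)  # step 3: last name wins
    return cache.label(soft1_ip)             # step 4: soft1 connects


def single_sinkhole(host):
    """The setup from the question: every blocked name -> 127.0.0.1."""
    return SINKHOLE


def per_name_sinkhole(host):
    """Hypothetical mitigation: derive a distinct loopback address per
    blocked name from 127.0.0.0/8, so the IP->name map stays one-to-one.
    Skips .0.0.0 and .0.0.1 to avoid colliding with the default sinkhole."""
    net = ipaddress.ip_network("127.0.0.0/8")
    digest = hashlib.sha256(host.lower().encode()).digest()
    h = int.from_bytes(digest[:3], "big")   # 24 bits, enough for a /8
    return str(net[2 + (h % (net.num_addresses - 2))])


# Proxifier-style log lines: "[ts] proc (pid) - <event>"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<proc>\S+) \((?P<pid>\d+)\) - (?P<event>.+)$")
RESOLVE_RE = re.compile(r"^(?P<host>\S+) resolve via (?P<dns>\S+) : DNS$")
CONNECT_RE = re.compile(
    r"^(?P<host>[^\s(]+)\((?P<ip>[0-9.]+)\):(?P<port>\d+) : (?P<how>.+)$")


def sinkholed_connections(lines, sinkhole=SINKHOLE):
    """For every connection to the sinkhole, return the process, the name the
    log printed and all names seen resolving so far. Resolve lines do not
    show the answer, and the printed name is only the most recent one that
    mapped to the sinkhole, so every earlier name is a candidate too."""
    seen_names = []
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        event = m["event"]
        r = RESOLVE_RE.match(event)
        if r:
            if r["host"] not in seen_names:
                seen_names.append(r["host"])
            continue
        c = CONNECT_RE.match(event)
        if c and c["ip"] == sinkhole:
            hits.append({
                "proc": m["proc"], "pid": int(m["pid"]),
                "printed": c["host"], "port": int(c["port"]),
                "candidates": list(seen_names),
            })
    return hits


# Constructed log in the shape quoted in the question (not real data).
SAMPLE_LOG = """\
[08.11 23:51:09] svchost.exe (2784) - www.mozilla.org resolve via 127.0.0.1:53 : DNS
[08.11 23:51:10] some_app.exe (2856) - www.mozilla.org(127.0.0.1):80 : direct connection
[08.11 23:51:11] svchost.exe (2784) - telemetry.example.net resolve via 127.0.0.1:53 : DNS
[08.11 23:51:12] some_app.exe (2856) - telemetry.example.net(127.0.0.1):443 : direct connection
[08.11 23:51:13] browser.exe (3100) - allowed.example.org(93.184.216.34):443 : via proxy
""".splitlines()

if __name__ == "__main__":
    print("single sinkhole, soft1 labelled as:", simulate(single_sinkhole))
    print("per-name sinkhole, soft1 labelled as:", simulate(per_name_sinkhole))
    for h in sinkholed_connections(SAMPLE_LOG):
        print(h["proc"], h["pid"], "printed", h["printed"],
              "candidates", h["candidates"])
```

With the single sinkhole the label for soft1's connection comes back as yyyyy2.com, exactly the misattribution the answer describes; with one loopback address per name it comes back as xxxxx1.com. The parser treats any connection to the sinkhole as a blocked destination whose printed name is unreliable, which is the practical reading of such log lines.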

imageman, 2021-08-12

Looks like DNS caching.
https://docs.microsoft.com/en-us/windows-server/ne...
https://my.keyweb.ru/knowledgebase.php?action=disp...
A solution? Clarify the problem; perhaps someone will suggest an alternative solution (a firewall, for example).
