
Manually revert the Windows only DNS over HTTP work-around (for Brave VPN) #25488

Closed
bsclifton opened this issue Sep 19, 2022 · 4 comments · Fixed by brave/brave-core#15140

Comments

@bsclifton
Member

bsclifton commented Sep 19, 2022

Description

We should manually revert the logic introduced in brave/brave-core#13434

Basically, Windows can leak your ISP due to Smart Multi-Homed Name Resolution (even when you're on VPN). This is a feature of Windows and is expected behavior. See #22163 for full details. During security review, we came up with a plan that attempted to solve this. If users aren't already using DNS over HTTP, it would enable this (on Windows only). When disconnecting from VPN, it would revert that config change.

This approach has a few problems:

  • In edge cases, it's been raised that the config may be lost (need concrete steps; nothing reported yet)
  • VPN provider has some filtering logic which uses DNS
  • This work-around would only ever work inside Brave and not on the entire system

Steps to Reproduce

  1. Be on Windows
  2. Enable brave://flags/#brave-vpn
  3. Purchase VPN from staging (https://account.bravesoftware.com)
  4. Connect to VPN

Actual result:

DNS over HTTP defaults to 1.1.1.1 and becomes enabled

Expected result:

DNS over HTTP should not be affected

Reproduces how often:

100%
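The pass/fail judgement the testers below make by eye at browserleaks.com/dns (ISP resolvers must never appear while the VPN is up, and must not appear when an explicit DoH server is set) can be written down as a regression check. This is an added example, not Brave code; the resolver records and the "owner" labels are constructed (RFC 5737 documentation addresses), as a leak-test page would report them.

```python
"""Regression check for the DNS-leak cases in this thread (added example)."""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class SecureDns(Enum):
    """The brave://settings/security 'Use secure DNS' choices used in the thread."""
    PROVIDER = "With your current service provider"
    CUSTOM = "With CleanBrowsing (Family Filter)"  # any explicit DoH template


@dataclass(frozen=True)
class Resolver:
    ip: str     # address the leak-test page saw the query arrive from
    owner: str  # operator label the page attaches to it (constructed here)


@dataclass(frozen=True)
class Verdict:
    isp_seen: bool      # an ISP resolver handled at least one query
    isp_expected: bool  # whether this configuration should show the ISP at all
    leak: bool          # ISP seen where it must not be: the bug this issue is about


def expected_isp_visible(vpn_connected: bool, mode: SecureDns) -> bool:
    # With the VPN up every query must go to the VPN's resolvers (Windows SMHNR
    # is the OS-level reason that can fail). Without the VPN the ISP is only the
    # expected resolver when Brave is left on the provider default.
    if vpn_connected:
        return False
    return mode is SecureDns.PROVIDER


def classify(observed, isp_owner, vpn_connected, mode):
    for r in observed:
        ipaddress.ip_address(r.ip)  # reject malformed records before trusting them
    isp_seen = any(r.owner == isp_owner for r in observed)
    expected = expected_isp_visible(vpn_connected, mode)
    return Verdict(isp_seen, expected, leak=isp_seen and not expected)


# Constructed samples mirroring the cases verified in this thread.
ISP = "Example ISP (local)"
ISP_ONLY = [Resolver("192.0.2.53", ISP)]
VPN_ONLY = [Resolver("198.51.100.7", "VPN provider (NL)")]
MIXED = ISP_ONLY + VPN_ONLY  # what a Windows SMHNR leak looks like on the leak page

if __name__ == "__main__":
    print(classify(MIXED, ISP, vpn_connected=True, mode=SecureDns.PROVIDER))
```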

@kjozwiak
Member

The above requires 1.45.69 or higher for 1.45.x verification 👍

@MadhaviSeelam

MadhaviSeelam commented Sep 28, 2022

Verification PASSED using

Brave | 1.45.75 Chromium: 106.0.5249.65 (Official Build) beta (64-bit)
-- | --
Revision | 3269dc3633cdd2ab94546fdbe54962e45b17a6e0-refs/branch-heads/5249@{#580}
OS | Windows 11 Version 21H2 (Build 22000.978)

Reproduced using STR from the description #25488 (comment) using 1.45.67


Steps:

  1. Install 1.45.75
  2. launch Brave
  3. Purchase and setup Brave VPN
  4. Connect to a region - (Netherlands)
  5. open brave://settings/security
  6. confirmed DNS over HTTP defaults to the default selection, With your current service provider, in the Use secure DNS section
  7. load browserleaks.com/dns
  8. confirmed no "local" (ISP, i.e. non-VPN-region) DNS-server addresses shown as all DNS queries are resolved by the VPN as expected
(Screenshots attached for steps 3-4, 5-6 and 7-8.)

@stephendonner stephendonner added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Oct 3, 2022
@stephendonner

Verification PASSED using

Brave | 1.45.84 Chromium: 106.0.5249.91 (Official Build) beta (x86_64)
-- | --
Revision | fa96d5f07b1177d1bf5009f647a5b8c629762157-refs/branch-heads/5249@{#707}
OS | macOS Version 11.7 (Build 20G817)

Steps:

  1. installed 1.45.84
  2. launched Brave
  3. purchased and set up Brave VPN
  4. connected to the USA (Central) region
  5. opened brave://settings/security
  6. confirmed Use secure DNS defaults to ON
  7. confirmed With your current service provider radio button is selected
  8. loaded browserleaks.com/dns
(Screenshots attached for steps 1-4, 5-7 and 8.)

Confirmed no "local" (ISP, i.e. non-VPN-region) DNS-server addresses shown as all DNS queries are resolved by the VPN as expected

@stephendonner

stephendonner commented Oct 3, 2022

Verification PASSED using

Brave | 1.45.84 Chromium: 106.0.5249.91 (Official Build) beta (64-bit)
-- | --
Revision | fa96d5f07b1177d1bf5009f647a5b8c629762157-refs/branch-heads/5249@{#707}
OS | Linux

NOTE: VPN is disabled and unavailable on Linux.

This is a regression test to ensure we don't regress DNS-over-HTTP/leaks.

1.44.103

Case 1: Use secure DNS ON, no DoH server - PASSED

Steps:

  1. installed 1.44.103
  2. launched Brave
  3. opened brave://settings/security
  4. confirmed Use secure DNS was set to Enabled
  5. confirmed With your current service provider radio button was selected
  6. loaded browserleaks.com/dns

Confirmed I saw my local ISP's DNS resolvers listed

(Screenshots attached: brave://settings/security and browserleaks.com/dns.)

Case 2: Use secure DNS ON, CleanBrowsing DoH set - PASSED

Steps:

  1. installed 1.44.103
  2. launched Brave
  3. opened brave://settings/security
  4. confirmed Use secure DNS was set to Enabled
  5. set the radio button to With CleanBrowsing (Family Filter)
  6. loaded browserleaks.com/dns

Confirmed I did NOT see my local ISP's DNS resolvers listed

(Screenshots attached: brave://settings/security and browserleaks.com/dns.)

1.45.84

Case 1: Use secure DNS ON, no DoH server - PASSED

Steps:

  1. installed 1.45.84
  2. launched Brave
  3. opened brave://settings/security
  4. confirmed Use secure DNS was set to Enabled
  5. set the radio button to With CleanBrowsing (Family Filter)
  6. loaded browserleaks.com/dns

Confirmed I saw my local ISP's DNS resolvers listed

(Screenshots attached: brave://settings/security and browserleaks.com/dns.)

Case 2: Use secure DNS ON, CleanBrowsing DoH set - PASSED

Steps:

  1. installed 1.45.84
  2. launched Brave
  3. opened brave://settings/security
  4. confirmed Use secure DNS was set to Enabled
  5. set the radio button to With CleanBrowsing (Family Filter)
  6. loaded browserleaks.com/dns

Confirmed I did NOT see my local ISP's DNS resolvers listed

(Screenshots attached: brave://settings/security and browserleaks.com/dns.)

@stephendonner stephendonner added QA Pass-Linux and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Oct 3, 2022