Implement OpenVPN style DNS resolving
Description
Basically, Windows can leak your ISP due to Smart Multi-Homed Name Resolution (even when you're on VPN). This is a feature of Windows and is expected behavior. See https://github.com/brave/brave-browser/issues/22163 for full details.
We had attempted a solution using DNS over HTTP (see https://github.com/brave/brave-core/pull/13434) but there were a few issues. See https://github.com/brave/brave-browser/issues/25488 where we want to back this pull request and logic out.
The example shared by @bridiver can be found here: https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin
This works as a temporary firewall and reverts its rules if there's a crash. Unlike the DNS over HTTP solution, this should also apply to all programs running on the device (instead of only queries made within Brave). A good test would be to hit https://browserleaks.com/dns from another browser when connected using the OpenVPN work-around.
More context and details available to Brave employees by reading the security re-review here: https://github.com/brave/security/issues/1029
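Smart Multi-Homed Name Resolution sends lookups over every connected interface, so any resolver configured on a non-tunnel adapter is a potential leak path. The PowerShell below is an added example (not code from Brave or the linked plugin) that lists those resolvers; the tunnel alias is a placeholder you must replace with the name of your VPN connection.

```powershell
# Added example (not Brave's or the plugin's code): list the DNS servers that
# Windows can query on each connected interface and flag those off the tunnel.
# $TunnelAlias is a placeholder; use the alias of your VPN connection.
function Get-DnsExposure {
    param(
        [Parameter(Mandatory)]
        [string]$TunnelAlias
    )

    # Interfaces that are currently connected (either address family).
    $connected = Get-NetIPInterface |
        Where-Object ConnectionState -eq 'Connected' |
        Select-Object -ExpandProperty InterfaceIndex -Unique

    Get-DnsClientServerAddress |
        Where-Object {
            $_.InterfaceIndex -in $connected -and
            $_.ServerAddresses -and
            $_.InterfaceAlias -notlike 'Loopback*'
        } |
        ForEach-Object {
            $entry = $_
            foreach ($server in $entry.ServerAddresses) {
                [pscustomobject]@{
                    Interface     = $entry.InterfaceAlias
                    Family        = if ($entry.AddressFamily -eq 23) { 'IPv6' } else { 'IPv4' }
                    DnsServer     = $server
                    OutsideTunnel = $entry.InterfaceAlias -ne $TunnelAlias
                }
            }
        }
}

# Resolvers on non-tunnel interfaces are the ones a parallel lookup can reach.
# 'VPN-ALIAS-PLACEHOLDER' is a constructed value.
Get-DnsExposure -TunnelAlias 'VPN-ALIAS-PLACEHOLDER' |
    Where-Object OutsideTunnel |
    Sort-Object Interface, DnsServer |
    Format-Table -AutoSize
```

A firewall-style fix does not change this list; it stops port 53 traffic to these resolvers while the tunnel is up, which is why the browserleaks.com/dns check is still needed to confirm the result.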
Needs discussion; marking as blocked for now
This is not a blocker for the release though
Removing `blocked` label as it's implemented, with `QA/Yes` and a provided testplan.
Verification `PASSED` using
Brave | 1.50.91 Chromium: 111.0.5563.64 (Official Build) beta (64-bit) |
---|---|
Revision | c710e93d5b63b7095afe8c2c17df34408078439d-refs/branch-heads/5563@{#995} |
OS | Windows 10 Version 22H2 (Build 19045.2728) |
Admin-installed Brave - PASSED
Brave VPN Helper-service dynamic launching - PASSED
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- click on the `VPN` button
- toggle VPN to `Connected`
- press `ctrl`+`alt`+`del`
- click on `Task Manager`
- confirm the presence of `Brave VPN Helper` service processes
- disconnect and reconnect `Brave VPN`
- confirm you see the processes disappear and then re-appear

[Screenshots: Brave VPN ON, Brave VPN OFF, Brave VPN ON]
Brave VPN Helper-service process kill & respawn - PASSED
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- connect to `BraveVPN`
- open the `Task Manager` via `ctrl`+`alt`+`del`
- look for the `Brave Beta Vpn Service` process
- kill the helper service executable by clicking `End task` in `Task Manager`
- confirm the service automatically restarts after crash
- repeat a few times to kill it again and check the service will be restarted 3 times in total
- after killing the service the 4th time, it should not be restarted again
- disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

[Screencast and screenshots: browserleaks.com/dns, brave://settings/security]
Crash reporting - PASSED
Steps:
- (with Brave VPN installed as Admin, and configured)
- open `Registry Editor`
- look for `Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BraveBetaVpnService`
- edit the `ImagePath` string to be `"C:\Program Files\BraveSoftware\Brave-Browser-Beta\Application\111.1.50.94\brave_vpn_helper.exe" --crash-me` (or similar)
- launch Brave
- connect to `Brave VPN`
- press `ctrl`+`alt`+`del` to open `Task Manager`
- context click on one of the column headings
- toggle `Command line` on
- look for the `brave_vpn_helper.exe` process that's launched with `--type=crashpad-handler`
- toggle `Brave VPN` to `Disconnected`
- toggle `Brave VPN` to `Connected`
- confirm the `brave_vpn_helper.exe` process disappears from the `Task Manager` (as it crashed)
- open `C:\ProgramData\BraveSoftware\BraveBetaVpnService\Crashpad\reports`
- confirm crash-report .dmp (dump) files populate the above folder for each crash
- grab a `.dmp` filename
- load `https://brave.sp.backtrace.io/`
- enter basic auth
- set the filters to `upload_file_minidump` `equal_to` `dump-filename` (without the `.dmp` extension)
- press `enter`
- confirm crash-dump report loads

[Screenshots: four examples]
Non-admin installed Brave
DoH fallback - PASSED
- double-click on the appropriate `beta` build's installer
- when prompted by Windows to allow the app to make changes, click `No`
- click `Yes` on the `Brave-Browser-Beta can be installed without administrator privileges. Continue?` dialog
- configure `Brave VPN`
- launch Brave
- connect to `Brave VPN`
- press `ctrl`+`alt`+`del` to open `Task Manager`
- ensure there's no `Brave VPN Helper` service/process running
- load `https://browserleaks.com/dns`
- confirm under `ISP` your local ISP's DNS resolvers aren't shown (should be Cloudflare)
- open `brave://settings/security`
- confirm it says `This setting is locked by BraveVPN while it is connected`, under `Use Secure DNS`

[Screenshots: Task Manager, browserleaks.com/dns, brave://settings/security]
IPv6 Connectivity - PASSED
test-ipv6.com - PASSED
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- connect to `Brave VPN`
- load `https://test-ipv6.com`
- confirm you receive a score, in red, of `0/10`
- disconnect from `Brave VPN`
- reload the URL
- confirm you receive a score, in green, of `10/10`

[Screenshots: VPN off, VPN on]
ipv6-test.com - PASSED
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- connect to `Brave VPN`
- load `https://ipv6-test.com`
- confirm `IPv6` reads `Not supported` under `IPv6 connectivity`
- disconnect from `Brave VPN`
- reload `https://ipv6-test.com`
- confirm `IPv6` reads `Supported`

[Screenshots: VPN off, VPN on]
IPv6 address reachability (ping) - PASSED
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- with `Brave VPN` `Disconnected`, ping `2001:470:1:18::223:250`
- confirm it responds to all pings, with 0% packet loss
- connect to `BraveVPN`
- ping `2001:470:1:18::223:250`
- confirm it drops all packets, with 100% loss

[Screenshots: VPN off, VPN on]
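The Task Manager, Registry Editor and reports-folder checks in the test plan above can also be read in one pass from PowerShell. This is an added example, not part of the QA comment or of Brave's tooling; it uses the registry key, process name and reports folder quoted in the test plan, and should be run from an elevated prompt so that `CommandLine` is populated for service processes.

```powershell
# Added example: scripted counterpart of the manual Task Manager / Registry
# Editor checks. Key, process name and folder are the ones in the test plan.
$ServiceKey = 'HKLM:\SYSTEM\ControlSet001\Services\BraveBetaVpnService'
$ReportsDir = 'C:\ProgramData\BraveSoftware\BraveBetaVpnService\Crashpad\reports'

function Get-HelperState {
    # ImagePath shows whether the service was switched to --crash-me.
    $imagePath = (Get-ItemProperty -Path $ServiceKey -Name ImagePath -ErrorAction Stop).ImagePath

    # Same data as Task Manager's "Command line" column.
    $procs = @(Get-CimInstance Win32_Process -Filter "Name = 'brave_vpn_helper.exe'")

    # Crash dumps written by the crashpad handler, if the folder exists yet.
    $dumps = @()
    if (Test-Path $ReportsDir) {
        $dumps = @(Get-ChildItem -Path $ReportsDir -Filter '*.dmp' -File)
    }
    $newest = $dumps | Sort-Object LastWriteTime -Descending | Select-Object -First 1

    [pscustomobject]@{
        Timestamp        = Get-Date
        ImagePath        = $imagePath
        CrashMeEnabled   = $imagePath -match '--crash-me'
        HelperProcesses  = $procs.Count
        CrashpadHandlers = @($procs | Where-Object CommandLine -match '--type=crashpad-handler').Count
        DumpCount        = $dumps.Count
        # BaseName is the file name without .dmp, the value used in the
        # upload_file_minidump filter.
        NewestDump       = if ($newest) { $newest.BaseName } else { $null }
    }
}

# Take one snapshot while connected and another after toggling the VPN off/on.
Get-HelperState | Format-List
```

With `--crash-me` set, `DumpCount` should grow by one for each reconnect and `HelperProcesses` should drop to zero after the crash; without it, `HelperProcesses` should follow the VPN toggle.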
one more PR for crashes autoupload https://github.com/brave/brave-core/pull/17074
Verification `IN-PROGRESS` using
Brave | 1.50.93 Chromium: 111.0.5563.64 (Official Build) beta (64-bit) |
---|---|
Revision | c710e93d5b63b7095afe8c2c17df34408078439d-refs/branch-heads/5563@{#995} |
OS | Windows 11 Version 21H2 (Build 22000.1641) |
Admin-installed Brave - PENDING
Brave VPN Helper-service dynamic launching - PENDING
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- click on the `VPN` button
- toggle VPN to `Connected`
- press `ctrl`+`alt`+`del`
- click on `Task Manager`
- confirm the presence of `Brave VPN Helper` service processes
- disconnect and reconnect `Brave VPN`
- confirm you see the processes disappear and then re-appear

[Screenshots: Brave VPN ON, Brave VPN OFF, Brave VPN ON]
Brave VPN Helper-service process kill & respawn - PENDING
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- connect to `BraveVPN`
- open the `Task Manager` via `ctrl`+`alt`+`del`
- look for the `Brave Beta Vpn Service` process
- kill the helper service executable by clicking `End task` in `Task Manager`
- confirm the service automatically restarts after crash
- repeat a few times to kill it again and check the service will be restarted 3 times in total
- after killing the service the 4th time, it should not be restarted again
- disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

screencast | browserleaks.com/dns | brave://settings/security |
---|---|---|
Crash reporting - PENDING
Steps:
- (with Brave VPN installed as Admin, and configured)
- open `Registry Editor`
- look for `Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BraveBetaVpnService`
- edit the `ImagePath` string to be `"C:\Program Files\BraveSoftware\Brave-Browser-Beta\Application\111.1.50.94\brave_vpn_helper.exe" --crash-me` (or similar)
- launch Brave
- connect to `Brave VPN`
- press `ctrl`+`alt`+`del` to open `Task Manager`
- context click on one of the column headings
- toggle `Command line` on
- look for the `brave_vpn_helper.exe` process that's launched with `--type=crashpad-handler`
- toggle `Brave VPN` to `Disconnected`
- toggle `Brave VPN` to `Connected`
- confirm the `brave_vpn_helper.exe` process disappears from the `Task Manager` (as it crashed)
- open `C:\ProgramData\BraveSoftware\BraveBetaVpnService\Crashpad\reports`
- confirm crash-report .dmp (dump) files populate the above folder for each crash
- grab a `.dmp` filename
- load `https://brave.sp.backtrace.io/`
- enter basic auth
- set the filters to `upload_file_minidump` `equal_to` `dump-filename` (without the `.dmp` extension)
- press `enter`
- confirm crash-dump report loads

example | example | example | example |
---|---|---|---|
Non-admin installed Brave
DoH fallback - PENDING
- double-click on the appropriate `beta` build's installer
- when prompted by Windows to allow the app to make changes, click `No`
- click `Yes` on the `Brave-Browser-Beta can be installed without administrator privileges. Continue?` dialog
- configure `Brave VPN`
- launch Brave
- connect to `Brave VPN`
- press `ctrl`+`alt`+`del` to open `Task Manager`
- ensure there's no `Brave VPN Helper` service/process running
- load `https://browserleaks.com/dns`
- confirm under `ISP` your local ISP's DNS resolvers aren't shown (should be Cloudflare)
- open `brave://settings/security`
- confirm it says `This setting is locked by BraveVPN while it is connected`, under `Use Secure DNS`

Task Manager | browserleaks.com/dns | brave://settings/security |
---|---|---|
IPv6 Connectivity - PENDING
test-ipv6.com - PENDING
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- connect to `Brave VPN`
- load `https://test-ipv6.com`
- confirm you receive a score, in red, of `0/10`
- disconnect from `Brave VPN`
- reload the URL
- confirm you receive a score, in green, of `10/10`

VPN off | VPN on |
---|---|
ipv6-test.com - PENDING
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- connect to `Brave VPN`
- load `https://ipv6-test.com`
- confirm `IPv6` reads `Not supported` under `IPv6 connectivity`
- disconnect from `Brave VPN`
- reload `https://ipv6-test.com`
- confirm `IPv6` reads `Supported`

VPN off | VPN on |
---|---|
IPv6 address reachability (ping) - PENDING
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- with `Brave VPN` `Disconnected`, ping `2001:470:1:18::223:250`
- confirm it responds to all pings, with 0% packet loss
- connect to `BraveVPN`
- ping `2001:470:1:18::223:250`
- confirm it drops all packets, with 100% loss

VPN off | VPN on |
---|---|
Removing `QA Pass-Win64` as this also needs to be verified on Windows 11.
Something's wrong with my installation/setup on Windows 11, so I logged https://github.com/brave/brave-browser/issues/29217.
@MadhaviSeelam do you have bandwidth to take this, since my personal `Windows 11` installation is neither true `release` (it's a `preview release`) nor acting right, per the above issue? Thanks!
Verification `PASSED` using
Brave | 1.50.110 Chromium: 112.0.5615.49 (Official Build) (64-bit)
-- | --
Revision | bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS | Windows 11 Version 22H2 (Build 22621.1413)
Admin-installed Brave - PASSED
Brave VPN Helper-service dynamic launching - PASSED
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- click on the `VPN` button
- toggle VPN to `Connected`
- press `ctrl`+`alt`+`del`
- click on `Task Manager`
- confirm the presence of `Brave VPN Helper` service processes
- disconnect and reconnect `Brave VPN`
- confirm you see the processes disappear and then re-appear

[Screenshots: Brave VPN ON, Brave VPN OFF, Brave VPN ON]
Brave VPN Helper-service process kill & respawn - PASSED
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- connect to `BraveVPN`
- open the `Task Manager` via `ctrl`+`alt`+`del`
- look for the `Brave Beta Vpn Service` process
- kill the helper service executable by clicking `End task` in `Task Manager`
- confirm the service automatically restarts after crash
- repeat a few times to kill it again and check the service will be restarted 3 times in total
- after killing the service the 4th time, it should not be restarted again
- disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

screencast: https://user-images.githubusercontent.com/98358127/230138286-51fe834e-2cf1-4e26-b173-dbe1dda14d03.mp4

[Screenshots: browserleaks.com/dns, brave://settings/security]
Crash reporting - PASSED
Steps:
- (with Brave VPN installed as Admin, and configured)
- open `Registry Editor`
- look for `Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BraveBetaVpnService`
- edit the `ImagePath` string to be `"C:\Program Files\BraveSoftware\Brave-Browser-Beta\Application\111.1.50.94\brave_vpn_helper.exe" --crash-me` (or similar)
- launch Brave
- connect to `Brave VPN`
- press `ctrl`+`alt`+`del` to open `Task Manager`
- context click on one of the column headings
- toggle `Command line` on
- look for the `brave_vpn_helper.exe` process that's launched with `--type=crashpad-handler`
- toggle `Brave VPN` to `Disconnected`
- toggle `Brave VPN` to `Connected`
- confirm the `brave_vpn_helper.exe` process disappears from the `Task Manager` (as it crashed)
- open `C:\ProgramData\BraveSoftware\BraveBetaVpnService\Crashpad\reports`
- confirm crash-report .dmp (dump) files populate the above folder for each crash
- grab a `.dmp` filename
- load `https://brave.sp.backtrace.io/`
- enter basic auth
- set the filters to `upload_file_minidump` `equal_to` `dump-filename` (without the `.dmp` extension)
- press `enter`
- confirm crash-dump report loads

[Screenshots: three examples]

https://user-images.githubusercontent.com/98358127/230162213-37c93ce6-2945-40f0-89fa-c5421f955a91.mp4
Non-admin installed Brave
DoH fallback - PASSED
- double-click on the appropriate `beta` build's installer
- when prompted by Windows to allow the app to make changes, click `No`
- click `Yes` on the `Brave-Browser-Beta can be installed without administrator privileges. Continue?` dialog
- configure `Brave VPN`
- launch Brave
- connect to `Brave VPN`
- press `ctrl`+`alt`+`del` to open `Task Manager`
- ensure there's no `Brave VPN Helper` service/process running
- load `https://browserleaks.com/dns`
- confirm under `ISP` your local ISP's DNS resolvers aren't shown (should be Cloudflare)
- open `brave://settings/security`
- confirm it says `This setting is locked by BraveVPN while it is connected`, under `Use Secure DNS`

[Screenshots: Task Manager, browserleaks.com/dns, brave://settings/security]
Verification PASSED on
Brave | 1.50.114 Chromium: 112.0.5615.49 (Official Build) (64-bit)
-- | --
Revision | bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS | Windows 11 Version 22H2 (Build 22621.1413)
Admin-installed Brave
Brave VPN Helper-service dynamic launching - PASSED
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- click on the `VPN` button
- toggle VPN to `Connected`
- press `ctrl`+`alt`+`del`
- click on `Task Manager`
- confirm the presence of `Brave VPN Helper` service processes
- disconnect and reconnect `Brave VPN`
- confirm you see the processes disappear and then re-appear

[Screenshots, VPN ON: Brave VPN service, Brave VPN helper process, VPN ON]

[Screenshots, VPN OFF: VPN OFF, Brave VPN service]
Brave VPN Helper-service process kill & respawn - PASSED
Steps:
- (with Brave VPN installed as Admin, and configured)
- launch Brave
- connect to `BraveVPN`
- open the `Task Manager` via `ctrl`+`alt`+`del`
- look for the `BraveVpnService` process under service in task manager
- kill the helper service executable by clicking `End task` in `Task Manager`
- confirm the service automatically restarts after crash
- repeat a few times to kill it again and check the service will be restarted 3 times in total
- after killing the service the 4th time, it should not be restarted again
- disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

[Screenshots: four examples]
Non-admin installed Brave
DoH fallback - PASSED
- double-click on the appropriate `beta` build's installer
- when prompted by Windows to allow the app to make changes, click `No`
- click `Yes` on the `Brave-Browser-Beta can be installed without administrator privileges. Continue?` dialog
- configure `Brave VPN`
- launch Brave
- connect to `Brave VPN`
- press `ctrl`+`alt`+`del` to open `Task Manager`
- ensure there's no `Brave VPN Helper` service/process running
- load `https://browserleaks.com/dns`
- confirm under `ISP` your local ISP's DNS resolvers aren't shown (should be Cloudflare)
- open `brave://settings/security`
- confirm it says `This setting is locked by BraveVPN while it is connected`, under `Use Secure DNS`

[Screenshots: Task Manager, browserleaks.com/dns, brave://settings/security]