
Implement OpenVPN style DNS resolving

Open bsclifton opened this issue 1 year ago • 1 comments

Description

Basically, Windows can leak your ISP due to Smart Multi-Homed Name Resolution (even when you're on VPN). This is a feature of Windows and is expected behavior. See https://github.com/brave/brave-browser/issues/22163 for full details.

We had attempted a solution using DNS over HTTP (see https://github.com/brave/brave-core/pull/13434) but there were a few issues. See https://github.com/brave/brave-browser/issues/25488 where we want to back this pull request and logic out.

The example shared by @bridiver can be found here: https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin

This works as a temporary firewall and reverts its rules if there's a crash. Unlike the DNS over HTTP solution, this should also apply to all programs running on the device (instead of only queries made within Brave). A good test would be to hit https://browserleaks.com/dns from another browser when connected using the OpenVPN work-around.

More context and details available to Brave employees by reading the security re-review here: https://github.com/brave/security/issues/1029

bsclifton avatar Sep 19 '22 20:09 bsclifton
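
A host-side check for the leak path described in the issue above, added here as an example and not taken from Brave's code or the OpenVPN plugin: run it while the VPN is connected to list the DNS resolvers assigned to interfaces outside the tunnel and to read the Group Policy value that turns off Smart Multi-Homed Name Resolution. The tunnel alias `Brave VPN` is a placeholder assumption; substitute the alias shown on the machine under test.

```powershell
# Added example, not Brave or OpenVPN plugin code.
# Assumption: 'Brave VPN' is a placeholder for the tunnel's interface alias.
param([string]$TunnelAlias = 'Brave VPN')

# Group Policy "Turn off smart multi-homed name resolution" (value 1 = turned off).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$smhnrOff  = ($null -ne $policy) -and ($policy.DisableSmartNameResolution -eq 1)

# Every connected interface (tunnel included), minus loopback.
$connected = Get-NetIPInterface -ConnectionState Connected |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }

$report = @(foreach ($nic in $connected) {
    $dns = Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
        -AddressFamily "$($nic.AddressFamily)" -ErrorAction SilentlyContinue
    # Skip the fec0:0:0:ffff:: site-local defaults Windows lists when no
    # IPv6 resolver is actually configured on the interface.
    $servers = @($dns.ServerAddresses |
        Where-Object { $_ -and $_ -notlike 'fec0:0:0:ffff::*' })
    if ($servers.Count -eq 0) { continue }
    [pscustomobject]@{
        Interface = $nic.InterfaceAlias
        Family    = $nic.AddressFamily
        Metric    = $nic.InterfaceMetric
        Resolvers = $servers -join ', '
        InTunnel  = ($nic.InterfaceAlias -eq $TunnelAlias)
    }
})

$report | Sort-Object Metric | Format-Table -AutoSize

# Resolvers on non-tunnel interfaces are the ones a parallel lookup can reach.
$outside = @($report | Where-Object { -not $_.InTunnel })
if ($outside.Count -eq 0) {
    Write-Output 'No resolvers are assigned outside the tunnel interface.'
} elseif ($smhnrOff) {
    Write-Output 'Resolvers exist outside the tunnel; the SMHNR policy is set to off.'
} else {
    Write-Warning ("Resolvers outside the tunnel and no SMHNR policy: " +
        (($outside | ForEach-Object { $_.Interface }) -join ', '))
}
```

This reports configuration exposure only: a firewall-style fix like the one discussed in the issue leaves these resolvers listed and blocks the traffic to them, so the browserleaks.com/dns test remains the confirmation that nothing leaks.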

Needs discussion; marking as blocked for now

This is not a blocker for the release though

bsclifton avatar Sep 21 '22 05:09 bsclifton

Removing blocked label as it's implemented, with QA/Yes and a provided testplan.

stephendonner avatar Feb 18 '23 06:02 stephendonner

Verification PASSED using

Brave 1.50.91 Chromium: 111.0.5563.64 (Official Build) beta (64-bit)
Revision c710e93d5b63b7095afe8c2c17df34408078439d-refs/branch-heads/5563@{#995}
OS Windows 10 Version 22H2 (Build 19045.2728)

Admin-installed Brave - PASSED

Brave VPN Helper-service dynamic launching - PASSED

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. click on the VPN button
  4. toggle VPN to Connected
  5. press ctrl + alt + del
  6. click on Task Manager
  7. confirm the presence of Brave VPN Helper service processes
  8. disconnect and reconnect Brave VPN
  9. confirm you see the processes disappear and then re-appear

Brave VPN Helper-service process kill & respawn - PASSED

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. connect to BraveVPN
  4. open the Task Manager via ctrl + alt + del
  5. look for the Brave Beta Vpn Service process
  6. kill the helper service executable by clicking End task in Task Manager
  7. confirm the service automatically restarts after crash
  8. repeat a few times to kill it again and check the service will be restarted 3 times in total
  9. after killing the service the 4th time, it should not be restarted again
  10. disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

Crash reporting - PASSED

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. open Registry Editor
  3. look for Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BraveBetaVpnService
  4. edit the ImagePath string to be "C:\Program Files\BraveSoftware\Brave-Browser-Beta\Application\111.1.50.94\brave_vpn_helper.exe" --crash-me (or similar)
  5. launch Brave
  6. connect to Brave VPN
  7. press ctrl + alt + del to open Task Manager
  8. context click on one of the column headings
  9. toggle Command line on
  10. look for the brave_vpn_helper.exe process that's launched with --type=crashpad-handler
  11. toggle Brave VPN to Disconnected
  12. toggle Brave VPN to Connected
  13. confirm the brave_vpn_helper.exe process disappears from the Task Manager (as it crashed)
  14. open C:\ProgramData\BraveSoftware\BraveBetaVpnService\Crashpad\reports
  15. confirm crash-report .dmp (dump) files populate the above folder for each crash
  16. grab a .dmp filename
  17. load https://brave.sp.backtrace.io/
  18. enter basic auth
  19. set the filters to upload_file_minidump equal_to dump-filename (without the .dmp extension)
  20. press enter
  21. confirm crash-dump report loads

Non-admin installed Brave

DoH fallback - PASSED

  1. double-click on the appropriate beta build's installer
  2. when prompted by Windows to allow the app to make changes, click No
  3. click Yes on the Brave-Browser-Beta can be installed without administrator privileges. Continue? dialog
  4. configure Brave VPN
  5. launch Brave
  6. connect to Brave VPN
  7. press ctrl + alt + del to open Task Manager
  8. ensure there's no Brave VPN Helper service/process running
  9. load https://browserleaks.com/dns
  10. confirm under ISP your local ISP's DNS resolvers aren't shown (should be Cloudflare)
  11. open brave://settings/security
  12. confirm it says This setting is locked by BraveVPN while it is connected, under Use Secure DNS

IPv6 Connectivity - PASSED

test-ipv6.com - PASSED

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. connect to Brave VPN
  4. load https://test-ipv6.com
  5. confirm you receive a score, in red, of 0/10
  6. disconnect from Brave VPN
  7. reload the URL
  8. confirm you receive a score, in green, of 10/10

ipv6-test.com - PASSED

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. connect to Brave VPN
  4. load https://ipv6-test.com
  5. confirm IPv6 reads Not supported under IPv6 connectivity
  6. disconnect from Brave VPN
  7. reload https://ipv6-test.com
  8. confirm IPv6 reads Supported

IPv6 address reachability (ping) - PASSED

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. with Brave VPN Disconnected, ping 2001:470:1:18::223:250
  4. confirm it responds to all pings, with 0% packet loss
  5. connect to BraveVPN
  6. ping 2001:470:1:18::223:250
  7. confirm it drops all packets, with 100% loss

stephendonner avatar Mar 15 '23 21:03 stephendonner

one more PR for crashes autoupload https://github.com/brave/brave-core/pull/17074

spylogsster avatar Mar 17 '23 21:03 spylogsster

Verification IN-PROGRESS using

Brave 1.50.93 Chromium: 111.0.5563.64 (Official Build) beta (64-bit)
Revision c710e93d5b63b7095afe8c2c17df34408078439d-refs/branch-heads/5563@{#995}
OS Windows 11 Version 21H2 (Build 22000.1641)

Admin-installed Brave - PENDING

Brave VPN Helper-service dynamic launching - PENDING

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. click on the VPN button
  4. toggle VPN to Connected
  5. press ctrl + alt + del
  6. click on Task Manager
  7. confirm the presence of Brave VPN Helper service processes
  8. disconnect and reconnect Brave VPN
  9. confirm you see the processes disappear and then re-appear

Brave VPN Helper-service process kill & respawn - PENDING

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. connect to BraveVPN
  4. open the Task Manager via ctrl + alt + del
  5. look for the Brave Beta Vpn Service process
  6. kill the helper service executable by clicking End task in Task Manager
  7. confirm the service automatically restarts after crash
  8. repeat a few times to kill it again and check the service will be restarted 3 times in total
  9. after killing the service the 4th time, it should not be restarted again
  10. disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

Crash reporting - PENDING

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. open Registry Editor
  3. look for Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BraveBetaVpnService
  4. edit the ImagePath string to be "C:\Program Files\BraveSoftware\Brave-Browser-Beta\Application\111.1.50.94\brave_vpn_helper.exe" --crash-me (or similar)
  5. launch Brave
  6. connect to Brave VPN
  7. press ctrl + alt + del to open Task Manager
  8. context click on one of the column headings
  9. toggle Command line on
  10. look for the brave_vpn_helper.exe process that's launched with --type=crashpad-handler
  11. toggle Brave VPN to Disconnected
  12. toggle Brave VPN to Connected
  13. confirm the brave_vpn_helper.exe process disappears from the Task Manager (as it crashed)
  14. open C:\ProgramData\BraveSoftware\BraveBetaVpnService\Crashpad\reports
  15. confirm crash-report .dmp (dump) files populate the above folder for each crash
  16. grab a .dmp filename
  17. load https://brave.sp.backtrace.io/
  18. enter basic auth
  19. set the filters to upload_file_minidump equal_to dump-filename (without the .dmp extension)
  20. press enter
  21. confirm crash-dump report loads

Non-admin installed Brave

DoH fallback - PENDING

  1. double-click on the appropriate beta build's installer
  2. when prompted by Windows to allow the app to make changes, click No
  3. click Yes on the Brave-Browser-Beta can be installed without administrator privileges. Continue? dialog
  4. configure Brave VPN
  5. launch Brave
  6. connect to Brave VPN
  7. press ctrl + alt + del to open Task Manager
  8. ensure there's no Brave VPN Helper service/process running
  9. load https://browserleaks.com/dns
  10. confirm under ISP your local ISP's DNS resolvers aren't shown (should be Cloudflare)
  11. open brave://settings/security
  12. confirm it says This setting is locked by BraveVPN while it is connected, under Use Secure DNS

IPv6 Connectivity - PENDING

test-ipv6.com - PENDING

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. connect to Brave VPN
  4. load https://test-ipv6.com
  5. confirm you receive a score, in red, of 0/10
  6. disconnect from Brave VPN
  7. reload the URL
  8. confirm you receive a score, in green, of 10/10

ipv6-test.com - PENDING

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. connect to Brave VPN
  4. load https://ipv6-test.com
  5. confirm IPv6 reads Not supported under IPv6 connectivity
  6. disconnect from Brave VPN
  7. reload https://ipv6-test.com
  8. confirm IPv6 reads Supported

IPv6 address reachability (ping) - PENDING

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. with Brave VPN Disconnected, ping 2001:470:1:18::223:250
  4. confirm it responds to all pings, with 0% packet loss
  5. connect to BraveVPN
  6. ping 2001:470:1:18::223:250
  7. confirm it drops all packets, with 100% loss

stephendonner avatar Mar 20 '23 17:03 stephendonner

Removing QA Pass-Win64 as this also needs to be verified on Windows 11.

stephendonner avatar Mar 20 '23 22:03 stephendonner

Removing QA Pass-Win64 as this also needs to be verified on Windows 11.

Something's wrong with my installation/setup on Windows 11, so I logged https://github.com/brave/brave-browser/issues/29217.

stephendonner avatar Mar 23 '23 16:03 stephendonner

@MadhaviSeelam do you have bandwidth to take this, since my personal Windows 11 installation is neither true release (it's a preview release) nor acting right, per the above issue? Thanks!

stephendonner avatar Mar 31 '23 05:03 stephendonner

Verification PASSED using

Brave | 1.50.110 Chromium: 112.0.5615.49 (Official Build) (64-bit)
-- | --
Revision | bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS | Windows 11 Version 22H2 (Build 22621.1413)

Admin-installed Brave - PASSED

Brave VPN Helper-service dynamic launching - PASSED

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. click on the VPN button
  4. toggle VPN to Connected
  5. press ctrl + alt + del
  6. click on Task Manager
  7. confirm the presence of Brave VPN Helper service processes
  8. disconnect and reconnect Brave VPN
  9. confirm you see the processes disappear and then re-appear

Brave VPN Helper-service process kill & respawn - PASSED

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. connect to BraveVPN
  4. open the Task Manager via ctrl + alt + del
  5. look for the Brave Beta Vpn Service process
  6. kill the helper service executable by clicking End task in Task Manager
  7. confirm the service automatically restarts after crash
  8. repeat a few times to kill it again and check the service will be restarted 3 times in total
  9. after killing the service the 4th time, it should not be restarted again
  10. disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

screencast

https://user-images.githubusercontent.com/98358127/230138286-51fe834e-2cf1-4e26-b173-dbe1dda14d03.mp4


Crash reporting - PASSED

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. open Registry Editor
  3. look for Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BraveBetaVpnService
  4. edit the ImagePath string to be "C:\Program Files\BraveSoftware\Brave-Browser-Beta\Application\111.1.50.94\brave_vpn_helper.exe" --crash-me (or similar)
  5. launch Brave
  6. connect to Brave VPN
  7. press ctrl + alt + del to open Task Manager
  8. context click on one of the column headings
  9. toggle Command line on
  10. look for the brave_vpn_helper.exe process that's launched with --type=crashpad-handler
  11. toggle Brave VPN to Disconnected
  12. toggle Brave VPN to Connected
  13. confirm the brave_vpn_helper.exe process disappears from the Task Manager (as it crashed)
  14. open C:\ProgramData\BraveSoftware\BraveBetaVpnService\Crashpad\reports
  15. confirm crash-report .dmp (dump) files populate the above folder for each crash
  16. grab a .dmp filename
  17. load https://brave.sp.backtrace.io/
  18. enter basic auth
  19. set the filters to upload_file_minidump equal_to dump-filename (without the .dmp extension)
  20. press enter
  21. confirm crash-dump report loads

https://user-images.githubusercontent.com/98358127/230162213-37c93ce6-2945-40f0-89fa-c5421f955a91.mp4


Non-admin installed Brave

DoH fallback - PASSED

  1. double-click on the appropriate beta build's installer
  2. when prompted by Windows to allow the app to make changes, click No
  3. click Yes on the Brave-Browser-Beta can be installed without administrator privileges. Continue? dialog
  4. configure Brave VPN
  5. launch Brave
  6. connect to Brave VPN
  7. press ctrl + alt + del to open Task Manager
  8. ensure there's no Brave VPN Helper service/process running
  9. load https://browserleaks.com/dns
  10. confirm under ISP your local ISP's DNS resolvers aren't shown (should be Cloudflare)
  11. open brave://settings/security
  12. confirm it says This setting is locked by BraveVPN while it is connected, under Use Secure DNS

MadhaviSeelam avatar Apr 03 '23 21:04 MadhaviSeelam

Verification PASSED on

Brave | 1.50.114 Chromium: 112.0.5615.49 (Official Build) (64-bit)
-- | --
Revision | bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS | Windows 11 Version 22H2 (Build 22621.1413)

Admin-installed Brave

Brave VPN Helper-service dynamic launching - PASSED

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. click on the VPN button
  4. toggle VPN to Connected
  5. press ctrl + alt + del
  6. click on Task Manager
  7. confirm the presence of Brave VPN Helper service processes
  8. disconnect and reconnect Brave VPN
  9. confirm you see the processes disappear and then re-appear


Brave VPN Helper-service process kill & respawn - PASSED

Steps:

  1. (with Brave VPN installed as Admin, and configured)
  2. launch Brave
  3. connect to BraveVPN
  4. open the Task Manager via ctrl + alt + del
  5. look for the BraveVpnService process under service in task manager
  6. kill the helper service executable by clicking End task in Task Manager
  7. confirm the service automatically restarts after crash
  8. repeat a few times to kill it again and check the service will be restarted 3 times in total
  9. after killing the service the 4th time, it should not be restarted again
  10. disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

Non-admin installed Brave

DoH fallback - PASSED

  1. double-click on the appropriate beta build's installer
  2. when prompted by Windows to allow the app to make changes, click No
  3. click Yes on the Brave-Browser-Beta can be installed without administrator privileges. Continue? dialog
  4. configure Brave VPN
  5. launch Brave
  6. connect to Brave VPN
  7. press ctrl + alt + del to open Task Manager
  8. ensure there's no Brave VPN Helper service/process running
  9. load https://browserleaks.com/dns
  10. confirm under ISP your local ISP's DNS resolvers aren't shown (should be Cloudflare)
  11. open brave://settings/security
  12. confirm it says This setting is locked by BraveVPN while it is connected, under Use Secure DNS

GeetaSarvadnya avatar Apr 05 '23 14:04 GeetaSarvadnya