Windows 10 leaks DNS when using VPN by sending DNS to all network interfaces #22163

Closed
Tracked by #12175
bsclifton opened this issue Apr 7, 2022 · 7 comments · Fixed by brave/brave-core#13434
Comments

bsclifton (Member) wrote:

Description

See https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1 for more information about why the "leak" happens (it's a Windows feature called Smart Multi-Homed Name Resolution).

Basically, Windows 10 will run multiple DNS queries (sending to multiple network interfaces) and it chooses the fastest response. Because of this behavior,

  • Brave ships with DNS over HTTPS enabled (defaulted to With your current service provider) which you can view on brave://settings/security
  • When changing DNS over HTTPS to use Cloudflare (1.1.1.1), it works as expected.

Possible solutions

  • We could detect if VPN is connected and enable this while connected (or make a preference for that behavior). That would only affect the browser though.
  • We could expose a preference (in Brave) to toggle the registry (HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient). If toggle is enabled, we can disable Smart Multi-Homed Name Resolution by creating a DWORD key with the name DisableSmartNameResolution and a value set to anything except 0. If toggle is disabled, we can remove that value

Steps to Reproduce

  1. Be on Windows
  2. Have a VPN setup through the operating system (Windows key, type VPN settings, manually add one)
  3. Connect to VPN
  4. Visit https://browserleaks.com/dns and wait for test results

Actual result:

Some DNS queries will be resolved by the ISP 🙀

Expected result:

DNS queries should ALL be resolved by the VPN

Reproduces how often:

100%

levicki commented Apr 9, 2022

> We could expose a preference (in Brave) to toggle the registry (HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient). If toggle is enabled, we can disable Smart Multi-Homed Name Resolution by creating a DWORD key with the name DisableSmartNameResolution and a value set to anything except 0. If toggle is disabled, we can remove that value

Please do not do this.

Browser should not mess with Windows Group Policy settings for at least two reasons:

  1. It will be unreliable because the PC can be part of a domain, and domain GPO can overwrite the value.
  2. It can break DNS queries in complex setups and leave users wondering why something suddenly doesn't work after installing Brave.

One possible solution would be to integrate a DNS client into Brave and then make that into an option (preferably also controllable via Group Policy) so that you can choose not to use operating system DNS client. However, note that even then the DNS queries from such a built-in client can still be blocked or redirected by the firewall.

For example, on my home network I already rewrite all direct DNS queries from all network devices to use the firewall's caching DNS server, which in turn uses CloudFlare DNS to resolve those queries.

I believe that applications should not be adding this kind of functionality, because it is hostile to enterprise environment where it reduces visibility to network administrators (especially if said applications get compromised via extensions or other means) which will just lead to all the applications that enable and/or enforce DoH being banned.

rebron added the label priority/P3 (The next thing for us to work on. It'll ride the trains.) on Apr 11, 2022
bsclifton (Member, issue author) replied:

Those are great points, @levicki - thanks for the input 😄 The best solution IMO for solving is to configure DoH.

We may try to ask users (when using VPN) to enable resolvers that aren't default in the interface and either offer a one click solution or deep link to the DoH section in settings

levicki commented Apr 16, 2022

@bsclifton You are welcome.

Do note that if enabling DoH disables sending queries via Windows DNS client, then that could work for Brave.

However, that still leaves the OS DNS requests as well as a bunch of other application DNS requests, especially those based on Electron, or Microsoft Edge WebView2 which might use built-in DNS clients with their own preferred resolvers, again circumventing the VPN.

Finally, even disabling smart multi-homed resolution will only disable parallel DNS query on all network interfaces, but if DNS request fails it will still leak the query via LLMNR on all interfaces.

TL;DR -- privacy on the Internet is hard, doubly so if you aren't controlling the full stack from the OS to the router.
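The issue description names the policy value that turns off Smart Multi-Homed Name Resolution, and the reply above adds two caveats: a domain GPO can overwrite it, and a failed lookup still falls back to LLMNR on every interface. The following PowerShell script is an added example, not code from the issue, from Brave or from either commenter. It reports both DNS Client policy values (DisableSmartNameResolution, and EnableMulticast for LLMNR), lists which interfaces currently hold resolver addresses and so could receive a parallel copy of a query, and with -Disable writes the two values. The function names and the -Disable switch are mine; it assumes Windows 10/11 with the DnsClient and NetAdapter modules, and writing the policy key needs an elevated shell.

```powershell
# Added example, not code from the issue or from Brave. Reports the DNS Client
# policy values discussed in this thread and which interfaces hold resolvers;
# -Disable writes the policy values (needs an elevated shell).
# Assumption: Windows 10/11 with the DnsClient and NetAdapter modules.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable   # report-only unless given
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-PolicyDword([string]$Name) {
    # $null means the value is absent, i.e. the Windows default behaviour applies
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Show-ResolverExposure {
    # With SMHNR on, every interface that has DNS servers configured can receive
    # a copy of a query; with a VPN up, the tunnel should be the only such interface.
    Get-DnsClientServerAddress -AddressFamily IPv4, IPv6 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            # VPN (WAN Miniport) interfaces are often invisible to Get-NetAdapter, hence 'n/a'
            $adapter = Get-NetAdapter -InterfaceIndex $_.InterfaceIndex -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Status    = if ($adapter) { $adapter.Status } else { 'n/a' }
                Family    = $_.AddressFamily
                Servers   = $_.ServerAddresses -join ', '
            }
        } | Format-Table -AutoSize
}

$smhnr = Get-PolicyDword 'DisableSmartNameResolution'   # any non-zero value disables SMHNR
$llmnr = Get-PolicyDword 'EnableMulticast'              # 0 disables LLMNR

'Smart Multi-Homed Name Resolution: ' + $(if ($smhnr) { 'disabled by policy' } else { 'NOT disabled (parallel queries on all interfaces)' })
'LLMNR fallback:                    ' + $(if ($llmnr -eq 0) { 'disabled by policy' } else { 'NOT disabled (failed lookups go multicast on all interfaces)' })
Show-ResolverExposure

if ($Disable -and $PSCmdlet.ShouldProcess($PolicyKey, 'Set DisableSmartNameResolution=1 and EnableMulticast=0')) {
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'DisableSmartNameResolution' -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name 'EnableMulticast' -Value 0 -Type DWord
    Clear-DnsClientCache
    # Caveat from the thread: on a domain-joined host a GPO that manages these
    # values overwrites them at the next refresh, so re-check after gpupdate /force.
    'Policy values written; re-run this script after gpupdate /force to confirm they persisted.'
}
```

Run it without arguments before and after connecting the VPN: the leak condition the issue describes is visible when more than one connected interface still lists resolvers while SMHNR is not disabled. Run with -Disable -WhatIf to see what would be written without touching the registry.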

srirambv (Contributor) commented Jun 6, 2022

@spylogsster not sure if this is fixed on 1.41.33. I still see the local IP and local DNS leak through when I check on https://ipleak.net.

cc: @GeetaSarvadnya as she also repro'd the issue while testing on Windows. @brave/legacy_qa to try as well

stephendonner commented Jul 6, 2022

Verification PASSED using

Brave 1.41.91 Chromium: 103.0.5060.114 (Official Build) beta (64-bit)
Revision a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS Windows 11 Version 21H2 (Build 22000.778)

Reproduced the original issue using 1.40.113:

Original issue

  1. purchase, set up, and connect to BraveVPN via account.brave.software using latest beta build (leave it open and connected)
  2. launch latest release build (1.40.113)
  3. load browserleaks.com/dns using release
  4. confirm you see "local" (ISP, i.e. non-VPN-region) DNS-server addresses being discovered
  5. load ipleak.net using release
  6. confirm you see "local" DNS-server addresses being discovered
  7. switch the VPN region on beta to any other region
  8. reload browserleaks.com/dns using release
  9. reload ipleak.net using release
  10. confirm you (still) see "local" (there might be additional ones from the connection reset) DNS-server addresses (additional protocol-layer checks using Wireshark etc. can be done)
[screenshots: browserleaks.com/dns and ipleak.net results on release]

Confirm default-profile pref - PASSED

  1. install 1.41.91 or later
  2. launch Brave
  3. open brave://settings/security
  4. confirm Use secure DNS is toggled to ON by default
  5. confirm the With your current service provider radio button is selected
  6. confirm DNS resolution works (load any site)

[screenshot: brave://settings/security defaults]

IPv4 - PASSED

  1. purchase, set up, and connect to VPN via account.brave.software (development; staging has known issues right now) using latest beta build (leave it open and connected)
  2. load browserleaks.com/dns using beta
  3. confirm you don't see "local" (ISP, i.e. non-VPN-region) DNS-server addresses being discovered
  4. load ipleak.net using beta
  5. confirm you don't see "local" DNS-server addresses being discovered
  6. switch the VPN region on beta to any other region
  7. reload browserleaks.com/dns using beta
  8. reload ipleak.net using beta
  9. confirm you don't see "local" (there might be additional ones from the connection reset) DNS-server addresses (additional protocol-layer checks using Wireshark etc. can be done)
[screenshots: browserleaks.com/dns and ipleak.net results on beta]

Confirm Cloudflare DNS servers (via IP addresses) - PASSED

Confirm that while connected to VPN, you are using Cloudflare DNS servers, by trace-routing to their IP addresses:

λ tracert 172.70.249.120

Tracing route to 172.70.249.120 over a maximum of 30 hops

  1   148 ms   148 ms   151 ms  unn-212-102-43-120.cdn77.com [212.102.43.120]
  2   165 ms   157 ms   149 ms  unn-212-102-43-125.cdn77.com [212.102.43.125]
  3   149 ms   149 ms   150 ms  vl203.fra-itx7-core-1.cdn77.com [185.229.188.158]
  4   149 ms   150 ms   149 ms  vl1101.fra-eq5-edge-1.cdn77.com [185.229.188.13]
  5   165 ms   152 ms   150 ms  cloudflare-fra.cdn77.com [45.134.215.7]
  6   151 ms   150 ms   150 ms  172.70.248.3
  7   149 ms   150 ms   149 ms  172.70.249.120

Trace complete.

brave://settings/security UI - PASSED

  1. new profile
  2. launch Brave
  3. open brave://settings/security
  4. connect to BraveVPN using beta
  5. open brave://settings/security
  6. confirm Use secure DNS * With Cloudflare (1.1.1.1) is chosen
  7. confirm DNS works (and no leaks, per above tests - this can be piggy-backed on them)
  8. disconnect BraveVPN
  9. confirm Use secure DNS * With your current service provider is checked
  10. confirm DNS works (not worried about leaks here, but good to double-check expectations)
[screenshots: brave://settings/security default, Use secure DNS with BraveVPN ON, Use secure DNS with BraveVPN OFF]

stephendonner added the labels QA/In-Progress (Indicates that QA is currently in progress for that particular issue) and QA/Test-Plan-Specified on Jul 6, 2022
MadhaviSeelam commented Jul 6, 2022

Verification PASSED using

Brave 1.41.91 Chromium: 103.0.5060.114 (Official Build) beta (64-bit)
Revision a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS Windows 11 Version 21H2 (Build 22000.739)

Test Case 1: Original issue reproduced on latest release build 1.40.113 - PASSED

Steps:

  1. Install 1.41.91
  2. Purchase and setup Brave VPN on 1.41.91 beta
  3. Connect to a region (Netherlands)
  4. launch 1.40.113
  5. load browserleaks.com/dns on 1.40.113
  6. confirmed "local" (ISP, i.e. non-VPN-region) DNS-server addresses shown
  7. load ipleak.net
  8. confirmed "local" DNS-server addresses shown
  9. switch the VPN region on beta to another region - Switzerland
  10. reload browserleaks.com/dns
  11. reload ipleak.net
  12. confirmed still "local" DNS-server addresses shown
[screenshots for steps 3, 6, 8, 9, 10, 11 and 12]

Test Case 2: Fix verified using above steps on 1.41.91 - PASSED

  1. Install 1.41.91
  2. Followed above test steps
  3. confirmed no "local" (ISP, i.e. non-VPN-region) DNS-server addresses shown as all DNS queries are resolved by the VPN
[screenshots for steps 3, 6 and 9]

Test Case 3: Automatically enabling DoH with VPN via brave://settings/security - Passed

  1. launch Brave
  2. Connect VPN to a region Germany
  3. opened brave://settings/security
  4. confirmed Use secure DNS * Determines how to connect to websites... is Toggled ON as a default
  5. confirmed Use secure DNS * With Cloudflare (1.1.1.1) is chosen
  6. confirm DNS works (and no leaks, per above tests)
  7. disconnect BraveVPN
  8. confirmed Use secure DNS * With your current service provider is checked
  9. Select Use secure DNS * With your current service provider while VPN is enabled
  10. Confirmed an alert modal with warning message Turning off secure DNS... is shown
[screenshots for steps 5, 8 and 9]

Test Case 4: Confirm Cloudflare DNS servers (via IP addresses) - PASSED

Confirm that while connected to VPN, you are using Cloudflare DNS servers, by trace-routing to their IP addresses:

C:\Users\mseel>tracert 162.158.83.212

Tracing route to 162.158.83.212 over a maximum of 30 hops

  1   142 ms   143 ms   143 ms  unn-212-102-43-120.cdn77.com [212.102.43.120]
  2   144 ms   149 ms   143 ms  unn-212-102-43-124.cdn77.com [212.102.43.124]
  3   143 ms   142 ms   143 ms  vl202.fra-itx7-core-2.cdn77.com [185.229.188.156]
  4   144 ms   143 ms   144 ms  vl1101.fra-eq5-edge-1.cdn77.com [185.229.188.13]
  5   143 ms   144 ms   144 ms  cloudflare-fra.cdn77.com [45.134.215.7]
  6   150 ms   143 ms   143 ms  162.158.84.53
  7   147 ms   145 ms   143 ms  162.158.83.212

Trace complete.

stephendonner commented Jul 6, 2022

Verification PASSED using

Brave 1.41.91 Chromium: 103.0.5060.114 (Official Build) beta (64-bit)
Revision a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS Windows 10 Version 21H2 (Build 19044.1806)

Reproduced the original issue using 1.40.113:

Original issue

  1. purchase, set up, and connect to BraveVPN via account.brave.software using latest beta build (leave it open and connected)
  2. launch latest release build (1.40.113)
  3. load browserleaks.com/dns using release
  4. confirm you see "local" (ISP, i.e. non-VPN-region) DNS-server addresses being discovered
  5. load ipleak.net using release
  6. confirm you see "local" DNS-server addresses being discovered
  7. switch the VPN region on beta to any other region
  8. reload browserleaks.com/dns using release
  9. reload ipleak.net using release
  10. confirm you (still) see "local" (there might be additional ones from the connection reset) DNS-server addresses (additional protocol-layer checks using Wireshark etc. can be done)
[screenshots: browserleaks.com/dns and ipleak.net results on release]

Core setup steps (to be run before each isolated test case)

  • Remove any pre-existing BraveVPN configs you might already have via the Windows Network applet
  • An ipconfig /release followed by an ipconfig /renew would also be good
  • Reboot Windows (just to be sure)
[screenshots: Windows VPN panel, removing the BraveVPN config]

Confirm pref default - PASSED

  1. install 1.41.91 or later
  2. launch Brave
  3. open brave://settings/security
  4. confirm Use secure DNS is toggled to ON by default
  5. confirm the With your current service provider radio button is selected
  6. confirm DNS resolution works (load any site)

[screenshot: beta, new profile, default pref]

IPv4 - PASSED

  1. purchase, set up, and connect to VPN via account.brave.software (development; staging has known issues right now) using latest beta build (leave it open and connected)
  2. load browserleaks.com/dns using beta
  3. confirm you don't see "local" (ISP, i.e. non-VPN-region) DNS-server addresses being discovered
  4. load ipleak.net using beta
  5. confirm you don't see "local" DNS-server addresses being discovered
  6. switch the VPN region on beta to any other region
  7. reload browserleaks.com/dns using beta
  8. reload ipleak.net using beta
  9. confirm you don't see "local" (there might be additional ones from the connection reset) DNS-server addresses (additional protocol-layer checks using Wireshark etc. can be done)
[screenshots: browserleaks.com/dns and ipleak.net results on beta]

IPv6 - PASSED

PRE-REQUISITE:
Ensure you have enabled IPv6 (in general, which DNS will also use) system-wide (hardware), on both your local ISP gateway/modem and/or your separate Wi-Fi router

  1. purchase, set up, and connect to VPN via account.brave.software (development; staging has known issues right now) using latest beta build (leave it open and connected)
  2. load browserleaks.com/dns using beta
  3. confirm you don't see "local" (ISP, i.e. non-VPN-region) DNS-server addresses being discovered
  4. switch the VPN region on beta to any other region
  5. reload browserleaks.com/dns using beta
  6. confirm you don't see "local" (there might be additional ones from the connection reset) DNS-server IPs listed
  7. confirm the DNS IP addresses listed are from Cloudflare
[screenshots: browserleaks.com/dns showing AT&T IPv6 DNS resolvers without VPN, and Cloudflare (DoH) IPv6 DNS resolvers with VPN]

Confirm Cloudflare DNS servers (via IP addresses) - PASSED

Confirm that while connected to VPN, you are using Cloudflare DNS servers, by trace-routing to their IP addresses:


C:\Program Files\BraveSoftware\Brave-Browser-Beta\Application
λ tracert 172.68.209.35

Tracing route to 172.68.209.35 over a maximum of 30 hops

  1   184 ms   184 ms   184 ms  145.40.109.54
  2   186 ms   184 ms   185 ms  169.254.101.0
  3   184 ms   184 ms   184 ms  10.253.72.62
  4   186 ms   186 ms   184 ms  10.253.73.87
  5   197 ms   185 ms   186 ms  10.253.73.52
  6   185 ms   189 ms   203 ms  13335.syd.equinix.com [45.127.172.154]
  7   199 ms   186 ms   186 ms  172.68.208.3
  8   185 ms   186 ms   186 ms  172.68.209.35

Trace complete.

C:\Program Files\BraveSoftware\Brave-Browser-Beta\Application
λ nslookup 172.68.208.3
Server:  one.one.one.one
Address:  1.1.1.1

*** one.one.one.one can't find 172.68.208.3: Non-existent domain

Looks like this is missing reverse DNS for the hostnames; https://1.1.1.1 is Cloudflare's DNS-resolver service.

Secure DNS, default - PASSED

  1. new profile
  2. launch Brave
  3. open brave://settings/security
  4. connect to BraveVPN using beta
  5. open brave://settings/security
  6. confirm Use secure DNS * With Cloudflare (1.1.1.1) is chosen
  7. confirm DNS works (and no leaks, per above tests - this can be piggy-backed on them)
  8. disconnect BraveVPN
  9. confirm Use secure DNS * With your current service provider is checked
  10. confirm DNS works (not worried about leaks here, but good to double-check expectations)
[screenshots: brave://settings/security default, Use secure DNS with BraveVPN ON, Use secure DNS with BraveVPN OFF]

Secure DNS, custom DoH provider - PASSED

With a working BraveVPN setup on beta:

  1. change With Cloudflare (1.1.1.1) to With OpenDNS
  2. re-run browserleaks.com/dns and ipleak.net tests
  3. confirm no ISP/"local" DNS-server IP addresses listed
  4. confirm they are listed as Cisco OpenDNS, LLC
[screenshots: browserleaks.com/dns and ipleak.net results with OpenDNS]

Wireshark (protocol-level check, IPv4-only) - PASSED

Steps:

  • launched Wireshark
  • started recording traffic on the main Wi-fi adapter's interface
  • typed dns and hit the -> to filter by dns
  • ran the browserleaks.com/dns and ipleak.net tests from above
  • checked Wireshark for any local-ISP (AT&T) DNS resolver IPs (IPv4 only)
  • confirmed DNS lookups were using Cloudflare's DNS-over-HTTPS (DoH) (1.1.1.1) and domain (IPv4) DNS lookups were not exposed
1.41.91 (beta)

[screenshots: Wireshark capture during the browserleaks.com/dns and ipleak.net tests on beta]

1.40.113 (release)

[screenshots: Wireshark capture during the browserleaks.com/dns and ipleak.net tests on release]
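The verification comments above confirm the fix by trace-routing to the resolver addresses the leak tests report and by eyeballing a Wireshark dns filter, and they note that reverse DNS for those Cloudflare hops is missing. The following PowerShell script is an added example, not code from the issue, from Brave or from the testers. It classifies a list of resolver addresses by CIDR membership instead of by hostname, so the "are these Cloudflare?" step, and the "is anything still reaching the ISP or the home router?" step, can be answered from the IPs alone. The function names, the sample input (constructed, with a TEST-NET-3 address standing in for an ISP resolver) and the -IspRanges parameter are mine; the Cloudflare prefixes are assumed to be a subset of the list published at https://www.cloudflare.com/ips/ and should be refreshed before the verdicts are relied on.

```powershell
# Added example, not code from the issue or from Brave. Classifies resolver
# addresses reported by browserleaks.com/dns, ipleak.net or a packet capture
# without relying on reverse DNS (absent for the Cloudflare hops above).
# Assumption: $CloudflareV4 is a subset of the ranges published at
# https://www.cloudflare.com/ips/ plus the resolver's own 1.1.1.x/1.0.0.x prefixes.
$CloudflareV4 = @(
    '1.1.1.0/24', '1.0.0.0/24',          # 1.1.1.1 / 1.0.0.1 resolver anycast
    '172.64.0.0/13', '162.158.0.0/15',   # contain the final hops in the traceroutes above
    '104.16.0.0/13', '104.24.0.0/14', '173.245.48.0/20', '198.41.128.0/17',
    '141.101.64.0/18', '108.162.192.0/18', '188.114.96.0/20', '190.93.240.0/20'
)

function ConvertTo-UInt32Address([string]$Ip) {
    # Big-endian packing of a dotted quad so prefix masks can be applied with -band
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InCidr([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band [uint64]0xFFFFFFFF)
    return ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)
}

function Get-ResolverVerdict {
    param(
        [string[]]$ResolverIps,          # addresses shown by the leak tests or seen in a capture
        [string[]]$IspRanges = @()       # your own ISP's resolver prefixes, if known
    )
    $rfc1918 = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'
    foreach ($ip in ($ResolverIps | Sort-Object -Unique)) {
        $verdict = if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { 'IPv6, not classified by this example' }
        elseif ($CloudflareV4 | Where-Object { Test-InCidr $ip $_ }) { 'Cloudflare (expected while DoH + VPN are on)' }
        elseif ($IspRanges    | Where-Object { Test-InCidr $ip $_ }) { 'ISP resolver: LEAK' }
        elseif ($rfc1918      | Where-Object { Test-InCidr $ip $_ }) { 'LAN/router resolver: query left the tunnel' }
        else                                                         { 'unknown, investigate' }
        [pscustomobject]@{ Resolver = $ip; Verdict = $verdict }
    }
}

# Constructed sample input: three addresses of the kind the traceroutes above end at,
# a home-router address, and a TEST-NET-3 address standing in for an ISP resolver.
$sample = '172.70.249.120', '162.158.83.212', '172.68.209.35', '192.168.1.1', '203.0.113.53'
Get-ResolverVerdict -ResolverIps $sample -IspRanges '203.0.113.0/24' | Format-Table -AutoSize
```

To feed the Wireshark step instead of a hand-typed list, export the destinations of plaintext queries from a saved capture with `tshark -r leaktest.pcapng -Y "dns.flags.response == 0" -T fields -e ip.dst | Sort-Object -Unique` and pass the result as -ResolverIps. DoH travels over TCP 443 and is not matched by the dns display filter, so while the fix is working that list should be empty for the Wi-Fi adapter; anything it does contain is a query that left the browser in the clear and deserves a verdict.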
