Windows 10 leaks DNS when using VPN by sending DNS to all network interfaces

Description

See https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1 for more information about why the "leak" happens (it's a Windows feature called Smart Multi-Homed Name Resolution).

Basically, Windows 10 will run multiple DNS queries (sending to multiple network interfaces) and it chooses the fastest response. Because of this behavior,

Brave ships with DNS over HTTPS enabled (defaulted to With your current service provider) which you can view on brave://settings/security
When changing DNS over HTTPS to use Cloudflare (1.1.1.1), it works as expected.

Possible solutions

We could detect if VPN is connected and enable this while connected (or make a preference for that behavior). That would only affect the browser though.
We could expose a preference (in Brave) to toggle the registry (HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient). If toggle is enabled, we can disable Smart Multi-Homed Name Resolution by creating a DWORD key with the name DisableSmartNameResolution and a value set to anything except 0. If toggle is disabled, we can remove that value

Steps to Reproduce

Be on Windows
Have a VPN setup through the operating system (Windows key, type VPN settings, manually add one)
Connect to VPN
Visit https://browserleaks.com/dns and wait for test results

Actual result:

Some DNS queries will be resolved by the ISP 🙀

Expected result:

DNS queries should ALL be resolved by the VPN

Reproduces how often:

100%

We could expose a preference (in Brave) to toggle the registry (HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient). If toggle is enabled, we can disable Smart Multi-Homed Name Resolution by creating a DWORD key with the name DisableSmartNameResolution and a value set to anything except 0. If toggle is disabled, we can remove that value

Please do not do this.

Browser should not mess with Windows Group Policy settings for at least two reasons:

It will be unreliable because the PC can be part of a domain, and domain GPO can overwrite the value.
It can break DNS queries in complex setups and leave users wondering why something suddenly doesn't work after installing Brave.

One possible solution would be to integrate a DNS client into Brave and then make that into an option (preferrably also controllable via Group Policy) so that you can choose not to use operating system DNS client. However, note that even then the DNS queries from such a built-in client can still be blocked or redirected by the firewall.

For example, on my home network I already rewrite all direct DNS queries from all network devices to use the firewall's caching DNS server, which in turn uses CloudFlare DNS to resolve those queries.

I believe that applications should not be adding this kind of functionality, because it is hostile to enterprise environment where it reduces visibility to network administrators (especially if said applications get compromised via extensions or other means) which will just lead to all the applications that enable and/or enforce DoH being banned.

Those are great points, @levicki - thanks for the input 😄 The best solution IMO for solving is to configure DoH.

We may try to ask users (when using VPN) to enable resolvers that aren't default in the interface and either offer a one click solution or deep link to the DoH section in settings

@bsclifton You are welcome.

Do note that if enabling DoH disables sending queries via Windows DNS client, then that could work for Brave.

However, that still leaves the OS DNS requests as well as a bunch of other application DNS requests, especially those based on Electron, or Microsoft Edge WebView2 which might use built-in DNS clients with their own preferred resolvers, again circumventing the VPN.

Finally, even disabling smart multi-homed resolution will only disable parallel DNS query on all network interfaces, but if DNS request fails it will still leak the query via LLMNR on all interfaces.

TL;DR -- privacy on the Internet is hard, doubly so if you aren't controlling the full stack from the OS to the router.

@spylogsster not sure if this is fixed on 1.41.33. I still see the local IP and local DNS leak through when I check on https://ipleak.net.

cc: @GeetaSarvadnya as she also repro'd the issue while testing on Windows. @brave/legacy_qa to try as well

Verification `PASSED` using

Brave	1.41.91 Chromium: 103.0.5060.114 (Official Build) beta (64-bit)
Revision	a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS	Windows 11 Version 21H2 (Build 22000.778)

Reproduced the original issue using `1.40.113`:

Original issue

1. purchase, set up, and connect to `BraveVPN` via [`account.brave.software`](https://account.brave.software) using latest `beta` build (leave it open and connected) 2. launch latest `release` build (`1.40.113`) 3. load [browserleaks.com/dns](http://browserleaks.com/dns) using `release` 4. confirm you see "local" (ISP, i.e. non-VPN-region) DNS-server addresses being discovered 5. load [ipleak.net](http://ipleak.net/) using `release` 6. confirm you see "local" DNS-server addresses being discovered 7. switch the VPN region on `beta` to any other region 8. reload [browserleaks.com/dns](http://browserleaks.com/dns) using `release` 9. reload [ipleak.net](http://ipleak.net/) using `release` 10. confirm you (still) see "local" (there might be additional ones from the connection reset) DNS-server addresses (additional protocol-layer checks using Wireshark etc. can be done) `browserleaks.com/dns` | `ipleak.net` ---------------------------|------------ ![release-browserleaks](https://user-images.githubusercontent.com/387249/177615621-6feea0d7-df6f-41e6-a179-94b3633397bd.png) | ![release-ipleak](https://user-images.githubusercontent.com/387249/177615656-c7d04791-0845-4b4c-80a2-e35e615a5065.png)

Confirm default-profile pref - `PASSED`

1. install `1.41.91` or later 2. launch Brave 3. open `brave://settings/security` 4. confirm `Use secure DNS` is toggled to `ON` by default 5. confirm the `With your current service provider` radio button is selected 6. confirm DNS resolution works (load any site) ![image](https://user-images.githubusercontent.com/387249/177633309-912ef9a0-64c1-4191-8957-7274bdba6e33.png)

IPv4 - `PASSED`

1. purchase, set up, and connect to VPN via [`account.brave.software`](https://account.brave.com`) (`development`; `staging` has known issues right now) using latest `beta` build (leave it open and connected) 2. load [`browserleaks.com/dns`](http://browserleaks.com/dns) using `beta` 3. confirm you don't see "local" (ISP, i.e. non-VPN-region) DNS-server addresses being discovered 4. load [`ipleak.net`](http://ipleak.net/) using `beta` 5. confirm you see don't "local" DNS-server addresses being discovered 6. switch the VPN region on `beta` to any other region 7. reload [`browserleaks.com/dns`](http://browserleaks.com/dns) using `beta` 8. reload [`ipleak.net`](http://ipleak.net/) using `beta` 9. confirm you don't see "local" (there might be additional ones from the connection reset) DNS-server addresses (additional protocol-layer checks using Wireshark etc. can be done) `browserleaks.com/dns` | `ipleak.net` --------------------------|-------------- ![beta-browserleaks](https://user-images.githubusercontent.com/387249/177616047-c41dba70-b4f9-4771-8f33-f80a7d19e069.png) | ![beta-ipleak](https://user-images.githubusercontent.com/387249/177616070-3eb8221f-0c70-4600-a5ee-f62b180e1955.png)

Confirm Cloudflare DNS servers (via IP addresses) - `PASSED`

Confirm that while connected to VPN, you are using Cloudflare DNS servers, by trace-routing to their IP addresses: ``` λ tracert 172.70.249.120 Tracing route to 172.70.249.120 over a maximum of 30 hops 1 148 ms 148 ms 151 ms unn-212-102-43-120.cdn77.com [212.102.43.120] 2 165 ms 157 ms 149 ms unn-212-102-43-125.cdn77.com [212.102.43.125] 3 149 ms 149 ms 150 ms vl203.fra-itx7-core-1.cdn77.com [185.229.188.158] 4 149 ms 150 ms 149 ms vl1101.fra-eq5-edge-1.cdn77.com [185.229.188.13] 5 165 ms 152 ms 150 ms cloudflare-fra.cdn77.com [45.134.215.7] 6 151 ms 150 ms 150 ms 172.70.248.3 7 149 ms 150 ms 149 ms 172.70.249.120 Trace complete. ```

`brave://settings/security` UI - `PASSED`

1. new profile 2. launch Brave 3. open `brave://settings/security` 4. connect to `BraveVPN` using `beta` 5. open `brave://settings/security` 6. confirm `Use secure DNS * With Cloudflare (1.1.1.1)` is chosen 7. confirm DNS works (and no leaks, per above tests - this can piggy-backed on them) 8. disconnect `BraveVPN` 9. confirm `Use secure DNS * With your current service provider` is checked 15. confirm DNS works (not worried about leaks here, but good to double-check expectations) `brave://settings/security default` | `Use secure DNS` - `BraveVPN` `ON` | `Use secure DNS` - `BraveVPN` `OFF` -------------------------------------|-----------------------------------------|----------------------------------------- ![image](https://user-images.githubusercontent.com/387249/177633660-1ff5d6f4-c516-4242-a860-7286eb35be4c.png) | ![cloudflare-settings](https://user-images.githubusercontent.com/387249/177616810-77170064-573e-4070-ba13-d2b0085ee6d9.png) | ![default-settings](https://user-images.githubusercontent.com/387249/177616781-7ebf7f10-52d1-4e3d-ac5f-34b6d486d57a.png)

Verification PASSED using

Brave | 1.41.91 Chromium: 103.0.5060.114 (Official Build) beta (64-bit)
-- | --
Revision | a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS | Windows 11 Version 21H2 (Build 22000.739)

Test Case 1: Original issue reproduced on latest release build `1.40.113` - PASSED

**Steps:** 1. Install 1.41.91 2. Purchase and setup Brave VPN on `1.41.91 beta` 3. Connect to a region - `Netherlands`) 4. launch `1.40.113` 5. load `browserleaks.com/dns` on `1.40.113` 6. confirmed "local" (ISP, i.e. non-VPN-region) DNS-server addresses shown 8. load `ipleak.net` 9. confirmed "local" DNS-server addresses shown 10. switch the VPN region on beta to another region - `Switzerland` 11. reload `browserleaks.com/dns` 12. reload `ipleak.net` 13. confirmed still "local" DNS-server addresses shown Step 3|Step 6|Step8|Step 9|Step 10|Step 12 ---|---|---|---|---|--- Step 3

Test Case 2: Fix verified using above steps on `1.41.91` - PASSED

1. Install 1.41.91 2. Followed above test steps 3. confirmed no "local" (ISP, i.e. non-VPN-region) DNS-server addresses shown as all DNS queries are resolved by the VPN ex|ex|ex|ex|ex|ex ---|---|---|---|---|--- Step 3

Test Case 3: Automatically enabling DoH with VPN via `brave://settings/security` - Passed

1. launch Brave 2. Connect VPN to a region `Germany` 3. opened `brave://settings/security` 4. confirmed `Use secure DNS * Determines how to connect to websites...` is Toggled `ON` as a default 5. confirmed `Use secure DNS * With Cloudflare (1.1.1.1)` is chosen 6. confirm DNS works (and no leaks, per above tests) 7. disconnect `BraveVPN` 8. confirmed `Use secure DNS * With your current service provider` is checked 9. Select `Use secure DNS *With your curent service provider` while VPN is enabled 10. Confirmed an alert modal with warning message `Turning off secure DNS...` is shown Step 5|Step 8|Step 9 ----|----|----

Test Case 4: Confirm Cloudflare DNS servers (via IP addresses) - PASSED

Confirm that while connected to VPN, you are using Cloudflare DNS servers, by trace-routing to their IP addresses: ``` C:\Users\mseel>tracert 162.158.83.212 Tracing route to 162.158.83.212 over a maximum of 30 hops 1 142 ms 143 ms 143 ms unn-212-102-43-120.cdn77.com [212.102.43.120] 2 144 ms 149 ms 143 ms unn-212-102-43-124.cdn77.com [212.102.43.124] 3 143 ms 142 ms 143 ms vl202.fra-itx7-core-2.cdn77.com [185.229.188.156] 4 144 ms 143 ms 144 ms vl1101.fra-eq5-edge-1.cdn77.com [185.229.188.13] 5 143 ms 144 ms 144 ms cloudflare-fra.cdn77.com [45.134.215.7] 6 150 ms 143 ms 143 ms 162.158.84.53 7 147 ms 145 ms 143 ms 162.158.83.212 Trace complete. ```

Verification `PASSED` using

Brave	1.41.91 Chromium: 103.0.5060.114 (Official Build) beta (64-bit)
Revision	a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS	Windows 10 Version 21H2 (Build 19044.1806)