Closed bsclifton closed 2 years ago
> We could expose a preference (in Brave) to toggle the registry (`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient`). If the toggle is enabled, we can disable Smart Multi-Homed Name Resolution by creating a DWORD key with the name `DisableSmartNameResolution` and a value set to anything except 0. If the toggle is disabled, we can remove that value.
Please do not do this.
A browser should not mess with Windows Group Policy settings for at least two reasons:
One possible solution would be to integrate a DNS client into Brave and then make that into an option (preferably also controllable via Group Policy) so that you can choose not to use the operating system DNS client. However, note that even then the DNS queries from such a built-in client can still be blocked or redirected by the firewall.
For example, on my home network I already rewrite all direct DNS queries from all network devices to use the firewall's caching DNS server, which in turn uses CloudFlare DNS to resolve those queries.
I believe that applications should not be adding this kind of functionality, because it is hostile to enterprise environments where it reduces visibility for network administrators (especially if said applications get compromised via extensions or other means), which will just lead to all the applications that enable and/or enforce DoH being banned.
Those are great points, @levicki - thanks for the input 😄 The best solution IMO is to configure DoH.
We may try to ask users (when using VPN) to enable resolvers that aren't default in the interface and either offer a one-click solution or deep link to the DoH section in settings.
@bsclifton You are welcome.
Do note that if enabling DoH disables sending queries via Windows DNS client, then that could work for Brave.
However, that still leaves the OS DNS requests as well as a bunch of other application DNS requests, especially those based on Electron, or Microsoft Edge WebView2 which might use built-in DNS clients with their own preferred resolvers, again circumventing the VPN.
Finally, even disabling smart multi-homed resolution will only disable parallel DNS query on all network interfaces, but if DNS request fails it will still leak the query via LLMNR on all interfaces.
TL;DR -- privacy on the Internet is hard, doubly so if you aren't controlling the full stack from the OS to the router.
@spylogsster not sure if this is fixed on 1.41.33. I still see the local IP and local DNS leak through when I check on https://ipleak.net.
cc: @GeetaSarvadnya as she also repro'd the issue while testing on Windows. @brave/legacy_qa to try as well
Verification PASSED using

Brave | 1.41.91 Chromium: 103.0.5060.114 (Official Build) beta (64-bit)
-- | --
Revision | a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS | Windows 11 Version 21H2 (Build 22000.778)

- 1.40.113: PASSED
- PASSED
- PASSED
- brave://settings/security UI - PASSED

Verification PASSED using

Brave | 1.41.91 Chromium: 103.0.5060.114 (Official Build) beta (64-bit)
-- | --
Revision | a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS | Windows 11 Version 21H2 (Build 22000.739)

- 1.40.113 - PASSED
- 1.41.91 - PASSED
- brave://settings/security - Passed

Verification PASSED using

Brave | 1.41.91 Chromium: 103.0.5060.114 (Official Build) beta (64-bit)
-- | --
Revision | a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS | Windows 10 Version 21H2 (Build 19044.1806)

- 1.40.113: PASSED
- PASSED
- PASSED
- PASSED
- Secure DNS, default - PASSED
- Secure DNS, custom DoH provider - PASSED
- PASSED
Description

See https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1 for more information about why the "leak" happens (it's a Windows feature called Smart Multi-Homed Name Resolution). Basically, Windows 10 will run multiple DNS queries (sending to multiple network interfaces) and it chooses the fastest response. Because of this behavior,
`With your current service provider`) which you can view on brave://settings/security
`Cloudflare (1.1.1.1)`, it works as expected.

Possible solutions

We could expose a preference (in Brave) to toggle the registry (`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient`). If the toggle is enabled, we can disable Smart Multi-Homed Name Resolution by creating a DWORD key with the name `DisableSmartNameResolution` and a value set to anything except 0. If the toggle is disabled, we can remove that value.

Steps to Reproduce

`VPN settings`
, manually add one)

Actual result:

Some DNS queries will be resolved by the ISP 🙀

Expected result:

DNS queries should ALL be resolved by the VPN

Reproduces how often:

100%
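The mechanism in the Description (Smart Multi-Homed Name Resolution querying every interface) and the LLMNR fallback that @levicki points out are both controlled by values under the `DNSClient` policy key named in "Possible solutions". The script below is an added example, not code from the Brave project or from anyone in this thread: a read-only PowerShell audit that reports whether those two behaviours are disabled by policy, which resolvers each interface would use, and whether a DoH policy has been pushed to Brave. It writes nothing, in line with the objection to a browser editing Group Policy. Assumptions: the Brave policy path `HKLM\SOFTWARE\Policies\BraveSoftware\Brave` and the Chromium policy names `DnsOverHttpsMode` / `DnsOverHttpsTemplates` are taken from general Chromium policy conventions rather than from this page; `EnableMulticast` is the standard DNSClient policy value for LLMNR.

```powershell
# Added example (not Brave project code): read-only audit of the Windows
# resolver settings discussed in this issue. Run on Windows 10/11; it
# changes nothing and needs no elevation to read HKLM policy keys.

$dnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
# Assumed policy path for Brave (Chromium-derived browsers keep policies under
# HKLM\SOFTWARE\Policies\<vendor>\<product>); adjust if your deployment differs.
$bravePolicy = 'HKLM:\SOFTWARE\Policies\BraveSoftware\Brave'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent, i.e. the Windows default applies.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-ResolverAudit {
    $smhnr        = Get-PolicyValue $dnsClientPolicy 'DisableSmartNameResolution'
    $llmnr        = Get-PolicyValue $dnsClientPolicy 'EnableMulticast'
    $dohMode      = Get-PolicyValue $bravePolicy 'DnsOverHttpsMode'
    $dohTemplates = Get-PolicyValue $bravePolicy 'DnsOverHttpsTemplates'

    # DisableSmartNameResolution: any non-zero DWORD disables SMHNR (the value the
    # issue proposes writing). Absent or 0 means parallel queries on all interfaces.
    $smhnrState = if ($null -ne $smhnr -and $smhnr -ne 0) { 'disabled by policy' } else { 'ENABLED (default)' }

    # EnableMulticast = 0 turns off LLMNR, the fallback that still leaks a failed
    # query on every interface even when SMHNR is disabled.
    $llmnrState = if ($null -ne $llmnr -and $llmnr -eq 0) { 'disabled by policy' } else { 'ENABLED (default)' }

    $dohModeState = if ($dohMode) { $dohMode } else { 'not set by policy (user setting in brave://settings/security applies)' }
    $dohTemplateState = if ($dohTemplates) { $dohTemplates } else { '(none)' }

    [pscustomobject]@{
        SmartMultiHomedResolution = $smhnrState
        Llmnr                     = $llmnrState
        BraveDohMode              = $dohModeState
        BraveDohTemplates         = $dohTemplateState
    }
}

function Get-InterfaceResolvers {
    # One row per interface that has IPv4 resolvers configured. With SMHNR enabled,
    # a query can be sent to every one of these, not only the VPN adapter's.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        Select-Object InterfaceAlias,
                      @{ Name = 'Resolvers'; Expression = { $_.ServerAddresses -join ', ' } }
}

Get-ResolverAudit      | Format-List
Get-InterfaceResolvers | Format-Table -AutoSize
```

If the audit shows SMHNR enabled and more than one interface with resolvers (typically the physical NIC pointing at the ISP or router plus the VPN adapter), the leak described in "Actual result" is expected regardless of the VPN; if `BraveDohMode` reads `secure`, Brave's own lookups bypass the Windows resolver, which is the DoH route the thread settles on, while OS-level and other applications' queries still follow the interface list.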