brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Implement OpenVPN style DNS resolving #25489

Closed bsclifton closed 1 year ago

bsclifton commented 2 years ago

Description

Basically, Windows can leak your ISP due to Smart Multi-Homed Name Resolution (even when you're on VPN). This is a feature of Windows and is expected behavior. See https://github.com/brave/brave-browser/issues/22163 for full details.

We had attempted a solution using DNS over HTTP (see https://github.com/brave/brave-core/pull/13434) but there were a few issues. See https://github.com/brave/brave-browser/issues/25488 where we want to back this pull request and logic out.

The example shared by @bridiver can be found here: https://github.com/OpenVPN/openvpn/blob/d92075e0ae6dba84a2e30e4ec12ca29250945371/src/openvpn/block_dns.c

This will block the other adapters (that Smart Multi-Homed Name Resolution would dispatch to) while Brave is open - meaning it will apply to all programs running on the device (instead of only queries made within Brave). A good test would be to hit https://browserleaks.com/dns from another browser when connected using the OpenVPN work-around.

More context and details available to Brave employees by reading the security re-review here: https://github.com/brave/security/issues/1029

Test cases

Start Brave, check browserleaks.com/dns shows your real location in any browser

Start Brave, check browserleaks.com/dns shows your real location in any browser

Install Brave without admin permissions,

Install Brave as admin

Install Brave as admin

IPv6 test: VPN OFF
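
A simplified model of the behaviour described in the issue above, added here as an illustration and not code from Brave or OpenVPN: Smart Multi-Homed Name Resolution sends each lookup on every adapter, and a set of port-53 filters lets it out only on the tunnel, for every program on the machine. The adapter and process names, the weights and the highest-weight-wins evaluation are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional

DNS_PORT = 53


@dataclass(frozen=True)
class Query:
    app: str        # program the lookup is made for
    interface: str  # adapter the query is sent on
    port: int = DNS_PORT


@dataclass(frozen=True)
class Filter:
    name: str
    action: str                      # "permit" or "block"
    weight: int                      # highest matching weight decides
    app: Optional[str] = None        # None = any program
    interface: Optional[str] = None  # None = any adapter

    def matches(self, q: Query) -> bool:
        return (q.port == DNS_PORT
                and self.app in (None, q.app)
                and self.interface in (None, q.interface))


def fan_out(app: str, adapters: List[str]) -> List[Query]:
    """Smart Multi-Homed Name Resolution: one query per connected adapter."""
    return [Query(app, a) for a in adapters]


def decide(filters: List[Filter], q: Query) -> str:
    """Action of the highest-weight matching filter; permit if none match."""
    hits = [f for f in filters if f.matches(q)]
    return max(hits, key=lambda f: f.weight).action if hits else "permit"


def leaked_adapters(filters, app, adapters, tunnel):
    """Adapters other than the tunnel on which a DNS query still gets out."""
    return [q.interface for q in fan_out(app, adapters)
            if q.interface != tunnel and decide(filters, q) == "permit"]


# Constructed sample data (names are placeholders, not Brave's identifiers).
ADAPTERS = ["Ethernet", "Wi-Fi", "vpn-tunnel"]
TUNNEL = "vpn-tunnel"
VPN_CLIENT = "vpn-client.exe"

BLOCK_OUTSIDE_DNS = [
    Filter("permit DNS from the VPN client", "permit", 15, app=VPN_CLIENT),
    Filter("permit DNS on the tunnel adapter", "permit", 14, interface=TUNNEL),
    Filter("block all other DNS", "block", 0),
]

if __name__ == "__main__":
    for label, filters in (("no filters", []), ("filters on", BLOCK_OUTSIDE_DNS)):
        for app in ("brave.exe", "other-browser.exe"):
            print(f"{label:10} {app:18} leaks via:",
                  leaked_adapters(filters, app, ADAPTERS, TUNNEL) or "none")
```

Because the block filter carries no program condition, the second browser stops leaking as well, which is what the cross-browser check on browserleaks.com/dns looks for.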

bsclifton commented 2 years ago

Needs discussion; marking as blocked for now

This is not a blocker for the release though

stephendonner commented 1 year ago

Removing blocked label as it's implemented, with QA/Yes and a provided testplan.

stephendonner commented 1 year ago

Verification PASSED using

Brave 1.50.91 Chromium: 111.0.5563.64 (Official Build) beta (64-bit)
Revision c710e93d5b63b7095afe8c2c17df34408078439d-refs/branch-heads/5563@{#995}
OS Windows 10 Version 22H2 (Build 19045.2728)

Admin-installed Brave - PASSED

Brave VPN Helper-service dynamic launching - PASSED

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. click on the `VPN` button
4. toggle VPN to `Connected`
5. press `ctrl` + `alt` + `del`
6. click on `Task Manager`
7. confirm the presence of `Brave VPN Helper` service processes
8. disconnect and reconnect `Brave VPN`
9. confirm you see the processes disappear and then re-appear

`Brave VPN` `ON` | `Brave VPN` `OFF` | `Brave VPN` `ON`
----------|-----------|---------
![image](https://user-images.githubusercontent.com/387249/225522874-b9129825-02e8-47c9-9dae-9ccfb3de398f.png) | ![image](https://user-images.githubusercontent.com/387249/225523616-f32df3fe-fbf5-458b-ae8f-448fc132b706.png) | ![image](https://user-images.githubusercontent.com/387249/225523966-574a2075-ecc2-45d7-ab2e-1fb0b5126c87.png)

Brave VPN Helper-service process kill & respawn - PASSED

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. connect to `BraveVPN`
4. open the `Task Manager` via `ctrl` + `alt` + `del`
5. look for the `Brave Beta Vpn Service` process
6. kill the helper service executable by clicking `End task` in `Task Manager`
7. confirm the service automatically restarts after crash
8. repeat a few times to kill it again and check the service will be restarted 3 times in total
9. after killing the service the 4th time, it should not be restarted again
10. disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

`screencast` | `browserleaks.com/dns` | `brave://settings/security`
------------|--------------------------|-----------------------------
![brave-vpn-helper](https://user-images.githubusercontent.com/387249/226074350-fc4180cd-76bc-4d68-8501-baadf48fc347.gif) | ![image](https://user-images.githubusercontent.com/387249/226074593-f83425e3-87dc-4c5f-ae0d-dd8f8f169d50.png) | ![image](https://user-images.githubusercontent.com/387249/226074547-77886c50-1300-4b14-aa32-5f2f9de5a323.png)

Crash reporting - PASSED

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. open `Registry Editor`
3. look for `Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BraveBetaVpnService`
4. edit the `ImagePath` string to be `"C:\Program Files\BraveSoftware\Brave-Browser-Beta\Application\111.1.50.94\brave_vpn_helper.exe" --crash-me` (or similar)
5. launch Brave
6. connect to `Brave VPN`
7. press `ctrl` + `alt` + `del` to open `Task Manager`
8. context click on one of the column headings
9. toggle `Command line` on
10. look for the `brave_vpn_helper.exe` process that's launched with `--type=crashpad-handler`
11. toggle `Brave VPN` to `Disconnected`
12. toggle `Brave VPN` to `Connected`
13. confirm the `brave_vpn_helper.exe` process disappears from the `Task Manager` (as it crashed)
14. open `C:\ProgramData\BraveSoftware\BraveBetaVpnService\Crashpad\reports`
15. confirm crash-report .dmp (dump) files populate the above folder for each crash
16. grab a `.dmp` filename
17. load `https://brave.sp.backtrace.io/`
18. enter basic auth
19. set the filters to `upload_file_minidump` `equal_to` `dump-filename` (without the `.dmp` extension)
20. press `enter`
21. confirm crash-dump report loads

example | example | example | example
---------|----------|---------|---------
![image (2)](https://user-images.githubusercontent.com/387249/226409812-62fc971b-78de-4bda-aa6c-19d39b695ba3.png) | ![image](https://user-images.githubusercontent.com/387249/226407164-e3e9a70b-5ae6-4781-98b2-8b1603bca8e4.png) | ![crash-handler](https://user-images.githubusercontent.com/387249/226409399-d1bac793-5de7-4780-bcfa-3ef5b498fb45.gif) | Screen Shot 2023-03-20 at 9 27 54 AM

Non-admin installed Brave

DoH fallback - PASSED

1. double-click on the appropriate `beta` build's installer
2. when prompted by Windows to allow the app to make changes, click `No`
3. click `Yes` on the `Brave-Browser-Beta can be installed without administrator privileges. Continue?` dialog
4. configure `Brave VPN`
5. launch Brave
6. connect to `Brave VPN`
7. press `ctrl` + `alt` + `del` to open `Task Manager`
8. ensure there's no `Brave VPN Helper` service/process running
9. load `https://browserleaks.com/dns`
10. confirm under `ISP` your local ISP's DNS resolvers aren't shown (should be Cloudflare)
11. open `brave://settings/security`
12. confirm it says `This setting is locked by BraveVPN while it is connected`, under `Use Secure DNS`

`Task Manager` | `browserleaks.com/dns` | `brave://settings/security`
----------|----------|-------------
![image](https://user-images.githubusercontent.com/387249/225541130-72b6834d-9fa8-4e34-a231-c22a23a671f2.png) | ![image](https://user-images.githubusercontent.com/387249/225541392-bd83d90b-a578-427b-88ce-b2eb3c0d7228.png) | ![image](https://user-images.githubusercontent.com/387249/225541865-51d48bb2-e567-46be-94f7-970e989ccedc.png)

IPv6 Connectivity - PASSED

test-ipv6.com - PASSED

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. connect to `Brave VPN`
4. load `https://test-ipv6.com`
5. confirm you receive a score, in red, of `0/10`
6. disconnect from `Brave VPN`
7. reload the URL
8. confirm you receive a score, in green, of `10/10`

`VPN off` | `VPN on`
---------|----------
![image (2)](https://user-images.githubusercontent.com/387249/225456911-9b95c135-2b87-44d0-b77b-c27de9e75719.png) | ![image (1)](https://user-images.githubusercontent.com/387249/225456786-cb34d8dc-29f5-4193-bc43-2fd7440e5cf8.png)

ipv6-test.com - PASSED

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. connect to `Brave VPN`
4. load `https://ipv6-test.com`
5. confirm `IPv6` reads `Not supported` under `IPv6 connectivity`
6. disconnect from `Brave VPN`
7. reload `https://ipv6-test.com`
8. confirm `IPv6` reads `Supported`

`VPN off` | `VPN on`
---------|---------
![image](https://user-images.githubusercontent.com/387249/225519743-fd24c8a4-20b9-4b3f-bef3-a67d73971fc9.png) | ![image](https://user-images.githubusercontent.com/387249/225519870-2dd69bfd-acf3-4a38-a1b3-019cc2653233.png)

IPv6 address reachability (ping) - PASSED

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. with `Brave VPN` `Disconnected`, ping `2001:470:1:18::223:250`
4. confirm it responds to all pings, with 0% packet loss
5. connect to `BraveVPN`
6. ping `2001:470:1:18::223:250`
7. confirm it drops all packets, with 100% loss

`VPN off` | `VPN on`
---------|--------
![image](https://user-images.githubusercontent.com/387249/225458649-a65a6c8b-ace2-4ffe-8117-5de9235e83cd.png) | ![image](https://user-images.githubusercontent.com/387249/225458748-84d7b8ba-6415-4827-bed4-fb46388fca27.png)

spylogsster commented 1 year ago

one more PR for crashes autoupload https://github.com/brave/brave-core/pull/17074

stephendonner commented 1 year ago

Verification IN-PROGRESS using

Brave 1.50.93 Chromium: 111.0.5563.64 (Official Build) beta (64-bit)
Revision c710e93d5b63b7095afe8c2c17df34408078439d-refs/branch-heads/5563@{#995}
OS Windows 11 Version 21H2 (Build 22000.1641)

Admin-installed Brave - PENDING

Brave VPN Helper-service dynamic launching - PENDING

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. click on the `VPN` button
4. toggle VPN to `Connected`
5. press `ctrl` + `alt` + `del`
6. click on `Task Manager`
7. confirm the presence of `Brave VPN Helper` service processes
8. disconnect and reconnect `Brave VPN`
9. confirm you see the processes disappear and then re-appear

`Brave VPN` `ON` | `Brave VPN` `OFF` | `Brave VPN` `ON`
----------|-----------|---------
image | image | image

Brave VPN Helper-service process kill & respawn - PENDING

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. connect to `BraveVPN`
4. open the `Task Manager` via `ctrl` + `alt` + `del`
5. look for the `Brave Beta Vpn Service` process
6. kill the helper service executable by clicking `End task` in `Task Manager`
7. confirm the service automatically restarts after crash
8. repeat a few times to kill it again and check the service will be restarted 3 times in total
9. after killing the service the 4th time, it should not be restarted again
10. disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

`screencast` | `browserleaks.com/dns` | `brave://settings/security`
------------|--------------------------|-----------------------------

Crash reporting - PENDING

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. open `Registry Editor`
3. look for `Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BraveBetaVpnService`
4. edit the `ImagePath` string to be `"C:\Program Files\BraveSoftware\Brave-Browser-Beta\Application\111.1.50.94\brave_vpn_helper.exe" --crash-me` (or similar)
5. launch Brave
6. connect to `Brave VPN`
7. press `ctrl` + `alt` + `del` to open `Task Manager`
8. context click on one of the column headings
9. toggle `Command line` on
10. look for the `brave_vpn_helper.exe` process that's launched with `--type=crashpad-handler`
11. toggle `Brave VPN` to `Disconnected`
12. toggle `Brave VPN` to `Connected`
13. confirm the `brave_vpn_helper.exe` process disappears from the `Task Manager` (as it crashed)
14. open `C:\ProgramData\BraveSoftware\BraveBetaVpnService\Crashpad\reports`
15. confirm crash-report .dmp (dump) files populate the above folder for each crash
16. grab a `.dmp` filename
17. load `https://brave.sp.backtrace.io/`
18. enter basic auth
19. set the filters to `upload_file_minidump` `equal_to` `dump-filename` (without the `.dmp` extension)
20. press `enter`
21. confirm crash-dump report loads

example | example | example | example
---------|----------|---------|---------

Non-admin installed Brave

DoH fallback - PENDING

1. double-click on the appropriate `beta` build's installer
2. when prompted by Windows to allow the app to make changes, click `No`
3. click `Yes` on the `Brave-Browser-Beta can be installed without administrator privileges. Continue?` dialog
4. configure `Brave VPN`
5. launch Brave
6. connect to `Brave VPN`
7. press `ctrl` + `alt` + `del` to open `Task Manager`
8. ensure there's no `Brave VPN Helper` service/process running
9. load `https://browserleaks.com/dns`
10. confirm under `ISP` your local ISP's DNS resolvers aren't shown (should be Cloudflare)
11. open `brave://settings/security`
12. confirm it says `This setting is locked by BraveVPN while it is connected`, under `Use Secure DNS`

`Task Manager` | `browserleaks.com/dns` | `brave://settings/security`
----------|----------|-------------

IPv6 Connectivity - PENDING

test-ipv6.com - PENDING

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. connect to `Brave VPN`
4. load `https://test-ipv6.com`
5. confirm you receive a score, in red, of `0/10`
6. disconnect from `Brave VPN`
7. reload the URL
8. confirm you receive a score, in green, of `10/10`

`VPN off` | `VPN on`
---------|----------

ipv6-test.com - PENDING

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. connect to `Brave VPN`
4. load `https://ipv6-test.com`
5. confirm `IPv6` reads `Not supported` under `IPv6 connectivity`
6. disconnect from `Brave VPN`
7. reload `https://ipv6-test.com`
8. confirm `IPv6` reads `Supported`

`VPN off` | `VPN on`
---------|---------

IPv6 address reachability (ping) - PENDING

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. with `Brave VPN` `Disconnected`, ping `2001:470:1:18::223:250`
4. confirm it responds to all pings, with 0% packet loss
5. connect to `BraveVPN`
6. ping `2001:470:1:18::223:250`
7. confirm it drops all packets, with 100% loss

`VPN off` | `VPN on`
---------|--------

stephendonner commented 1 year ago

Removing QA Pass-Win64 as this also needs to be verified on Windows 11.

Something's wrong with my installation/setup on Windows 11, so I logged https://github.com/brave/brave-browser/issues/29217.

stephendonner commented 1 year ago

@MadhaviSeelam do you have bandwidth to take this, since my personal Windows 11 installation is neither true release (it's a preview release) nor acting right, per the above issue? Thanks!

MadhaviSeelam commented 1 year ago

Verification PASSED using

Brave | 1.50.110 Chromium: 112.0.5615.49 (Official Build) (64-bit)
-- | --
Revision | bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS | Windows 11 Version 22H2 (Build 22621.1413)

Admin-installed Brave - PASSED

Brave VPN Helper-service dynamic launching - PASSED

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. click on the `VPN` button
4. toggle VPN to `Connected`
5. press `ctrl` + `alt` + `del`
6. click on `Task Manager`
7. confirm the presence of `Brave VPN Helper` service processes
8. disconnect and reconnect `Brave VPN`
9. confirm you see the processes disappear and then re-appear

`Brave VPN` `ON` | `Brave VPN` `OFF` | `Brave VPN` `ON`
----------|-----------|---------
image | image | image

Brave VPN Helper-service process kill & respawn - PASSED

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. connect to `BraveVPN`
4. open the `Task Manager` via `ctrl` + `alt` + `del`
5. look for the `Brave Beta Vpn Service` process
6. kill the helper service executable by clicking `End task` in `Task Manager`
7. confirm the service automatically restarts after crash
8. repeat a few times to kill it again and check the service will be restarted 3 times in total
9. after killing the service the 4th time, it should not be restarted again
10. disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

`screencast`

https://user-images.githubusercontent.com/98358127/230138286-51fe834e-2cf1-4e26-b173-dbe1dda14d03.mp4

`browserleaks.com/dns` | `brave://settings/security`
------------|--------------------------
image | image

Crash reporting - PASSED

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. open `Registry Editor`
3. look for `Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BraveBetaVpnService`
4. edit the `ImagePath` string to be `"C:\Program Files\BraveSoftware\Brave-Browser-Beta\Application\111.1.50.94\brave_vpn_helper.exe" --crash-me` (or similar)
5. launch Brave
6. connect to `Brave VPN`
7. press `ctrl` + `alt` + `del` to open `Task Manager`
8. context click on one of the column headings
9. toggle `Command line` on
10. look for the `brave_vpn_helper.exe` process that's launched with `--type=crashpad-handler`
11. toggle `Brave VPN` to `Disconnected`
12. toggle `Brave VPN` to `Connected`
13. confirm the `brave_vpn_helper.exe` process disappears from the `Task Manager` (as it crashed)
14. open `C:\ProgramData\BraveSoftware\BraveBetaVpnService\Crashpad\reports`
15. confirm crash-report .dmp (dump) files populate the above folder for each crash
16. grab a `.dmp` filename
17. load `https://brave.sp.backtrace.io/`
18. enter basic auth
19. set the filters to `upload_file_minidump` `equal_to` `dump-filename` (without the `.dmp` extension)
20. press `enter`
21. confirm crash-dump report loads

example | example | example
----------|---------|---------
image | image | image

https://user-images.githubusercontent.com/98358127/230162213-37c93ce6-2945-40f0-89fa-c5421f955a91.mp4

Non-admin installed Brave

DoH fallback - PASSED

1. double-click on the appropriate `beta` build's installer
2. when prompted by Windows to allow the app to make changes, click `No`
3. click `Yes` on the `Brave-Browser-Beta can be installed without administrator privileges. Continue?` dialog
4. configure `Brave VPN`
5. launch Brave
6. connect to `Brave VPN`
7. press `ctrl` + `alt` + `del` to open `Task Manager`
8. ensure there's no `Brave VPN Helper` service/process running
9. load `https://browserleaks.com/dns`
10. confirm under `ISP` your local ISP's DNS resolvers aren't shown (should be Cloudflare)
11. open `brave://settings/security`
12. confirm it says `This setting is locked by BraveVPN while it is connected`, under `Use Secure DNS`

`Task Manager` | `browserleaks.com/dns` | `brave://settings/security`
----------|----------|-------------
image | image | image

GeetaSarvadnya commented 1 year ago

Verification PASSED on

Brave | 1.50.114 Chromium: 112.0.5615.49 (Official Build) (64-bit)
-- | --
Revision | bd2a7bcb881c11e8cfe3078709382934e3916914-refs/branch-heads/5615@{#936}
OS | Windows 11 Version 22H2 (Build 22621.1413)

Admin-installed Brave

Brave VPN Helper-service dynamic launching - PASSED

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. click on the `VPN` button
4. toggle VPN to `Connected`
5. press `ctrl` + `alt` + `del`
6. click on `Task Manager`
7. confirm the presence of `Brave VPN Helper` service processes
8. disconnect and reconnect `Brave VPN`
9. confirm you see the processes disappear and then re-appear

**_VPN ON_**

Brave VPN service | Brave VPN helper process | VPN ON
---------------------|-----------|---------
![image](https://user-images.githubusercontent.com/38657976/230116300-df352103-e4cf-49d0-9b16-c694f39da845.png) | ![image](https://user-images.githubusercontent.com/38657976/230116499-4e0b830c-3b47-42b7-99fe-a2c23c57be3b.png) | ![image](https://user-images.githubusercontent.com/38657976/230117994-bf741859-e1ac-423d-ba4d-c1e367e587e4.png)

**_VPN OFF_**

VPN OFF | Brave VPN service
---------------------|-----------
![image](https://user-images.githubusercontent.com/38657976/230117554-b54f20bb-49fc-44a8-a88d-12d2d82ad3d4.png) | ![image](https://user-images.githubusercontent.com/38657976/230117683-7a390986-2500-4d10-b830-de59378b1b49.png)

Brave VPN Helper-service process kill & respawn - PASSED

Steps:

1. (with Brave VPN installed as Admin, and configured)
2. launch Brave
3. connect to `BraveVPN`
4. open the `Task Manager` via `ctrl` + `alt` + `del`
5. look for the `BraveVpnService` process under service in task manager
6. kill the helper service executable by clicking `End task` in `Task Manager`
7. confirm the service automatically restarts after crash
8. repeat a few times to kill it again and check the service will be restarted 3 times in total
9. after killing the service the 4th time, it should not be restarted again
10. disconnect/Connect VPN again from Brave Browser and check it uses overridden DoH instead of VPN service. DNS leak should not happen.

Example | Example | Example | Example
----------|-----------|-----------|----------
![image](https://user-images.githubusercontent.com/38657976/230119240-49b0df06-a720-45fb-b273-dcab88705f9e.png) | ![image](https://user-images.githubusercontent.com/38657976/230119493-603d2ddd-4150-455c-8903-8ab0ad08db52.png) | ![image](https://user-images.githubusercontent.com/38657976/230119638-9a28f181-cfd6-49ea-ba07-05e0736c4071.png) | ![image](https://user-images.githubusercontent.com/38657976/230120490-a35eff99-504a-49cd-a7bc-ffc55ba79f07.png)

Non-admin installed Brave

DoH fallback - PASSED

1. double-click on the appropriate `beta` build's installer
2. when prompted by Windows to allow the app to make changes, click `No`
3. click `Yes` on the `Brave-Browser-Beta can be installed without administrator privileges. Continue?` dialog
4. configure `Brave VPN`
5. launch Brave
6. connect to `Brave VPN`
7. press `ctrl` + `alt` + `del` to open `Task Manager`
8. ensure there's no `Brave VPN Helper` service/process running
9. load `https://browserleaks.com/dns`
10. confirm under `ISP` your local ISP's DNS resolvers aren't shown (should be Cloudflare)
11. open `brave://settings/security`
12. confirm it says `This setting is locked by BraveVPN while it is connected`, under `Use Secure DNS`

`Task Manager` | `browserleaks.com/dns` | `brave://settings/security`
----------|----------|-------------
![image](https://user-images.githubusercontent.com/38657976/230145774-600faa18-384c-4f60-9e20-e2d633d630b7.png) | ![image](https://user-images.githubusercontent.com/38657976/230145823-e064d1ec-da6f-420a-895a-7aa8ab6dd1bb.png) | ![image](https://user-images.githubusercontent.com/38657976/230145925-96efe702-bb7e-447f-9b29-b8fc8c0ce5da.png)