Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Windows 10 leaks DNS when using VPN by sending DNS to all network interfaces

See original GitHub issue

Description

See https://medium.com/@ValdikSS/beware-of-windows-10-dns-resolver-and-dns-leaks-5bc5bfb4e3f1 for more information about why the “leak” happens (it’s a Windows feature called Smart Multi-Homed Name Resolution).

Basically, Windows 10 will run multiple DNS queries (sending to multiple network interfaces) and it chooses the fastest response. Because of this behavior,

Brave ships with DNS over HTTPS enabled (defaulted to With your current service provider) which you can view on brave://settings/security
When changing DNS over HTTPS to use Cloudflare (1.1.1.1), it works as expected.

Possible solutions

We could detect if VPN is connected and enable this while connected (or make a preference for that behavior). That would only affect the browser though.
We could expose a preference (in Brave) to toggle the registry (HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient). If toggle is enabled, we can disable Smart Multi-Homed Name Resolution by creating a DWORD key with the name DisableSmartNameResolution and a value set to anything except 0. If toggle is disabled, we can remove that value

Steps to Reproduce

Be on Windows
Have a VPN setup through the operating system (Windows key, type VPN settings, manually add one)
Connect to VPN
Visit https://browserleaks.com/dns and wait for test results

Actual result:

Some DNS queries will be resolved by the ISP 🙀

Expected result:

DNS queries should ALL be resolved by the VPN

Reproduces how often:

100%

Issue Analytics

State:
Created a year ago
Comments:7 (2 by maintainers)

Top GitHub Comments

1reaction

MadhaviSeelamcommented, Sep 28, 2022

Verification PASSED using

Brave | 1.41.91 Chromium: 103.0.5060.114 (Official Build) beta (64-bit)
-- | --
Revision | a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS | Windows 11 Version 21H2 (Build 22000.739)

Test Case 1: Original issue reproduced on latest release build `1.40.113` - PASSED

Steps:

Install 1.41.91
Purchase and setup Brave VPN on 1.41.91 beta
Connect to a region - Netherlands)
launch 1.40.113
load browserleaks.com/dns on 1.40.113
confirmed “local” (ISP, i.e. non-VPN-region) DNS-server addresses shown
load ipleak.net
confirmed “local” DNS-server addresses shown
switch the VPN region on beta to another region - Switzerland
reload browserleaks.com/dns
reload ipleak.net
confirmed still “local” DNS-server addresses shown

Step 3	Step 6	Step8	Step 9	Step 10	Step 12

Test Case 2: Fix verified using above steps on `1.41.91` - PASSED

Install 1.41.91
Followed above test steps
confirmed no “local” (ISP, i.e. non-VPN-region) DNS-server addresses shown as all DNS queries are resolved by the VPN

ex	ex	ex	ex	ex	ex

Test Case 3: Automatically enabling DoH with VPN via `brave://settings/security` - Passed

launch Brave
Connect VPN to a region Germany
opened brave://settings/security
confirmed Use secure DNS * Determines how to connect to websites... is Toggled ON as a default
confirmed Use secure DNS * With Cloudflare (1.1.1.1) is chosen
confirm DNS works (and no leaks, per above tests)
disconnect BraveVPN
confirmed Use secure DNS * With your current service provider is checked
Select Use secure DNS *With your curent service provider while VPN is enabled
Confirmed an alert modal with warning message Turning off secure DNS... is shown

Step 5	Step 8	Step 9

Test Case 4: Confirm Cloudflare DNS servers (via IP addresses) - PASSED

Confirm that while connected to VPN, you are using Cloudflare DNS servers, by trace-routing to their IP addresses:

C:\Users\mseel>tracert 162.158.83.212

Tracing route to 162.158.83.212 over a maximum of 30 hops

  1   142 ms   143 ms   143 ms  unn-212-102-43-120.cdn77.com [212.102.43.120]
  2   144 ms   149 ms   143 ms  unn-212-102-43-124.cdn77.com [212.102.43.124]
  3   143 ms   142 ms   143 ms  vl202.fra-itx7-core-2.cdn77.com [185.229.188.156]
  4   144 ms   143 ms   144 ms  vl1101.fra-eq5-edge-1.cdn77.com [185.229.188.13]
  5   143 ms   144 ms   144 ms  cloudflare-fra.cdn77.com [45.134.215.7]
  6   150 ms   143 ms   143 ms  162.158.84.53
  7   147 ms   145 ms   143 ms  162.158.83.212

Trace complete.

1reaction

stephendonnercommented, Jul 7, 2022

Verification `PASSED` using

Brave	1.41.91 Chromium: 103.0.5060.114 (Official Build) beta (64-bit)
Revision	a1c2360c5b02a6d4d6ab33796ad8a268a6128226-refs/branch-heads/5060@{#1124}
OS	Windows 11 Version 21H2 (Build 22000.778)

Reproduced the original issue using `1.40.113`:

Original issue

purchase, set up, and connect to BraveVPN via account.brave.software using latest beta build (leave it open and connected)
launch latest release build (1.40.113)
load browserleaks.com/dns using release
confirm you see “local” (ISP, i.e. non-VPN-region) DNS-server addresses being discovered
load ipleak.net using release
confirm you see “local” DNS-server addresses being discovered
switch the VPN region on beta to any other region
reload browserleaks.com/dns using release
reload ipleak.net using release
confirm you (still) see “local” (there might be additional ones from the connection reset) DNS-server addresses (additional protocol-layer checks using Wireshark etc. can be done)

`browserleaks.com/dns`	`ipleak.net`

Confirm default-profile pref - `PASSED`

install 1.41.91 or later
launch Brave
open brave://settings/security
confirm Use secure DNS is toggled to ON by default
confirm the With your current service provider radio button is selected
confirm DNS resolution works (load any site)

IPv4 - `PASSED`

purchase, set up, and connect to VPN via account.brave.software (development; staging has known issues right now) using latest beta build (leave it open and connected)
load browserleaks.com/dns using beta
confirm you don’t see “local” (ISP, i.e. non-VPN-region) DNS-server addresses being discovered
load ipleak.net using beta
confirm you see don’t “local” DNS-server addresses being discovered
switch the VPN region on beta to any other region
reload browserleaks.com/dns using beta
reload ipleak.net using beta
confirm you don’t see “local” (there might be additional ones from the connection reset) DNS-server addresses (additional protocol-layer checks using Wireshark etc. can be done)

`browserleaks.com/dns`	`ipleak.net`

Confirm Cloudflare DNS servers (via IP addresses) - `PASSED`

Confirm that while connected to VPN, you are using Cloudflare DNS servers, by trace-routing to their IP addresses:

λ tracert 172.70.249.120

Tracing route to 172.70.249.120 over a maximum of 30 hops

  1   148 ms   148 ms   151 ms  unn-212-102-43-120.cdn77.com [212.102.43.120]
  2   165 ms   157 ms   149 ms  unn-212-102-43-125.cdn77.com [212.102.43.125]
  3   149 ms   149 ms   150 ms  vl203.fra-itx7-core-1.cdn77.com [185.229.188.158]
  4   149 ms   150 ms   149 ms  vl1101.fra-eq5-edge-1.cdn77.com [185.229.188.13]
  5   165 ms   152 ms   150 ms  cloudflare-fra.cdn77.com [45.134.215.7]
  6   151 ms   150 ms   150 ms  172.70.248.3
  7   149 ms   150 ms   149 ms  172.70.249.120

Trace complete.

`brave://settings/security` UI - `PASSED`

new profile
launch Brave
open brave://settings/security
connect to BraveVPN using beta
open brave://settings/security
confirm Use secure DNS * With Cloudflare (1.1.1.1) is chosen
confirm DNS works (and no leaks, per above tests - this can piggy-backed on them)
disconnect BraveVPN
confirm Use secure DNS * With your current service provider is checked
confirm DNS works (not worried about leaks here, but good to double-check expectations)