Brave Leaks ISP DNS While Shields are Enabled #12575

Closed
Balachandarsmr opened this issue Nov 8, 2020 · 12 comments · Fixed by brave/brave-core#7731

Balachandarsmr commented Nov 8, 2020

Description

Brave leaks ISP DNS after enabling secure DNS

Steps to reproduce

  1. Select any custom DNS provider under privacy settings
  2. Go to https://browserleaks.com/dns
  3. You will see your ISP DNS as well as the selected custom DNS server

Actual result

[Screenshot: 20201108_140224]

Expected result

The DNS leak test is supposed to hide the ISP DNS while using a custom DNS-over-HTTPS server

Issue reproduces how often

Easily reproduced

Version/Channel Information:

  • Can you reproduce this issue with the current Play Store version?
    No
  • Can you reproduce this issue with the current Play Store Beta version?
    No
  • Can you reproduce this issue with the current Play Store Nightly version?
    Yes

Device details

  • Install type (ARM, x86): ARM 32 Bit
  • Device type (Phone, Tablet, Phablet): Phone
  • Android version: 8.1

Brave version

Nightly 1.18.41

Website problems only

  • Does the issue resolve itself when disabling Brave Shields?
    Yes
  • Does the issue resolve itself when disabling Brave Rewards?
    No
  • Is the issue reproducible on the latest version of Chrome?
    No

Additional information

Balachandarsmr added the OS/Android label (Fixes related to Android browser functionality) Nov 8, 2020

@bsclifton
Member

cc: @samartnik @mkarolin

@samartnik
Contributor

It works as expected with shields off; looks like we excessively block some scripts on the website.

samartnik added the webcompat/shields label (Shields is breaking a website.) Nov 9, 2020

@Balachandarsmr
Author

Secure DNS detection works with shield @ https://ipleak.net/
https://www.dnsleaktest.com/
But not on other detection sites. Yes, it's due to the shield.

@Balachandarsmr
Author

This bug is not fixed yet. Without shield, secure DNS works. But when shield is on, Brave leaks ISP DNS.

Balachandarsmr changed the title from "Secure dns not working on android nightly" to "Android Brave leaks isp dns when shield is on" on Dec 5, 2020

@jonathansampson
Contributor

jonathansampson commented Jan 14, 2021

This issue impacts Windows users as well. Enabling the same feature in another Chromium-based browser (e.g. Chrome, Opera) shows that Brave deviates from the pack. In Chrome and Opera, https://browserleaks.com/dns lists only the DNS provider configured in the Use Secure DNS browser settings. In Brave, both the user's ISP DNS and Secure DNS are listed.

Tested with the following build:

Brave 1.20.77 Chromium: 88.0.4324.79 (Official Build) nightly (64-bit)
Revision bd1e9353659b2491dac971226a973ca3b5684a14-refs/branch-heads/4324@{#1520}
OS Windows 10 OS Version 2009 (Build 19042.746)
JavaScript V8 8.8.278
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.79 Safari/537.36
Command Line "C:\Program Files (x86)\BraveSoftware\Brave-Browser-Nightly\Application\brave.exe" --enable-dom-distiller --disable-domain-reliability --no-pings --extension-content-verification=enforce_strict --extensions-install-verification=enforce --origin-trial-public-key=bYUKPJoPnCxeNvu72j4EmPuK7tr1PAC7SHh8ld9Mw3E=,fMS4mpO6buLQ/QMd+zJmxzty/VQ6B1EUZqoCU04zoRU= --sync-url=https://sync-v2.brave.com/v2 --lso-url=https://no-thanks.invalid --variations-server-url=https://variations.brave.com/seed --enable-features=LegacyTLSEnforced,WebUIDarkMode,WinrtGeolocationImplementation,AutoupgradeMixedContent,PrefetchPrivacyChanges,PasswordImport,ReducedReferrerGranularity --disable-features=PasswordCheck,NetworkTimeServiceQuerying,TextFragmentAnchor,AutofillEnableAccountWalletStorage,SafeBrowsingEnhancedProtection,SignedExchangeSubresourcePrefetch,PrivacySettingsRedesign,NotificationTriggers,WebOTP,IdleDetection,AutofillServerCommunication,TabHoverCards --flag-switches-begin --flag-switches-end

jonathansampson changed the title from "Android Brave leaks isp dns when shield is on" to "Brave Leaks ISP DNS While Shields are Enabled" on Jan 14, 2021

@jonathansampson
Contributor

I just tested on macOS, and had the same results as those mentioned above.

@fmarier
Member

fmarier commented Jan 14, 2021

Seems to affect all brave-core platforms. I was able to reproduce on Linux too after patching in the DoH settings.

@Bruce-Bane

I have the DNS leaking problem. But router DNS is leaking too

I described everything here

https://community.brave.com/t/brave-leaking-dns-servers/191002

@stephendonner

stephendonner commented Feb 11, 2021

Verified using the testplan from both brave/brave-core#7731 and inline, here, with the (PRE-FIX) 1.21.50 build, compared to (POST-FIX) 1.20.103, on macOS Big Sur 11.2

_AT&T_ is my internet service provider ("ISP")/DNS-resolver service; Cloudflare is the DNS-over-HTTP ("DoH") provider chosen for this test.

PRE-fix Build:

Brave 1.20.103 Chromium: 88.0.4324.152 (Official Build) (x86_64)
Revision 6579930fc53b4dc589c042bec9d0a3778326974d-refs/branch-heads/4324@{#2106}
  • Verified in Wireshark there were UDP-based DNS-lookup leaks resolving tools.ietf.org
[Screenshot: BEFORE]

POST-fix Build:

Brave 1.21.50 Chromium: 88.0.4324.152 (Official Build) beta (x86_64)
Revision 6579930fc53b4dc589c042bec9d0a3778326974d-refs/branch-heads/4324@{#2106}
OS macOS Version 11.2.1 (Build 20D74)
  • Verified in Wireshark there were NO UDP-based DNS-lookup leaks resolving tools.ietf.org
[Screenshot: AFTER]

Verification passed on

Brave 1.21.56 Chromium: 88.0.4324.152 (Official Build) dev (64-bit)
Revision 6579930fc53b4dc589c042bec9d0a3778326974d-refs/branch-heads/4324@{#2106}
OS Ubuntu 18.04 LTS

Verified test plan from brave/brave-core#7731

Secure provider with current service provider:
[image]

Secure provider with Cloudflare:
[image]
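
The Wireshark check described in the comment above (no UDP-based DNS lookups for tools.ietf.org once DoH is active) can also be scripted. The following is an added example, not part of the original thread or of Brave's test plan; the helper names and the packets, which use documentation addresses from 192.0.2.0/24, are constructed for illustration.

```python
import struct

def dns_query(name):
    """Constructed sample: wire-format DNS query (type A) for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def ipv4(proto, dport, payload):
    """Constructed sample: minimal IPv4 packet carrying UDP (17) or TCP (6)."""
    if proto == 17:
        l4 = struct.pack("!4H", 50000, dport, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!2H2I2B3H", 50000, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    hdr = struct.pack("!2B3H2BH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                      64, proto, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    return hdr + l4 + payload

def question_name(dns):
    """First question name of a DNS query, or None if not a well-formed query."""
    if len(dns) < 12 or dns[2] & 0x80 or dns[4:6] == b"\x00\x00":
        return None                       # too short, a response, or no question
    labels, i = [], 12
    while i < len(dns):
        n = dns[i]
        if n == 0:
            return ".".join(labels).lower()
        if n > 63 or i + 1 + n > len(dns):
            return None                   # compression pointer or truncated label
        labels.append(dns[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return None

def plaintext_dns_lookups(packets):
    """Names queried over unencrypted UDP port 53 in a list of raw IPv4 packets."""
    names = []
    for pkt in packets:
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 17:
            continue                      # only IPv4 + UDP; DoH travels over TCP 443
        ihl = (pkt[0] & 0x0F) * 4
        if len(pkt) < ihl + 8 or struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] != 53:
            continue
        name = question_name(pkt[ihl + 8:])
        if name:
            names.append(name)
    return names

# Constructed captures: one with a UDP/53 lookup next to DoH traffic, one with DoH only.
DOH = ipv4(6, 443, b"\x17\x03\x03\x00\x10" + bytes(16))  # opaque TLS record
LEAKY = [DOH, ipv4(17, 53, dns_query("tools.ietf.org"))]
CLEAN = [DOH, DOH]
```

Any name returned while secure DNS is enabled is a plaintext lookup of the kind reported in this issue. Frames captured with a link-layer header would need that header stripped before being passed in.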

@LaurenWags
Member

Removed QA Pass labels as this was uplifted to 1.20.x

@stephendonner

stephendonner commented Feb 19, 2021

Verified PASSED on 1.20.108 using the testplan #12575 (comment) again, on:

Brave | 1.20.108 Chromium: 88.0.4324.182 (Official Build) (64-bit)
Revision | 73ee5087001dcef33047c4ed650471b225dd8caf-refs/branch-heads/4324@{#2202}
OS | Windows 10 OS Version 2009 (Build 21318.1000)

Brave | 1.20.108 Chromium: 88.0.4324.182 (Official Build) (x86_64)
Revision | 73ee5087001dcef33047c4ed650471b225dd8caf-refs/branch-heads/4324@{#2202}
OS | macOS Version 11.2.1 (Build 20D74)

Windows 10

Case 1: Verified no DNS-lookup leaks for tools.ietf.org with Shields up

[Screenshot: 12575-windows10-ietf]

Case 2: Verified no local (AT&T in my case) ISP's DNS resolver leaked when using DoH (Cloudflare)

[Screenshot: 12575-dns-leak-tests]

macOS 11.2.1 (Big Sur)

Case 1: Verified no DNS-lookup leaks for tools.ietf.org with Shields up

[Screenshot]

Case 2: Verified no local (AT&T in my case) ISP's DNS resolver leaked when using DoH (Cloudflare)

[Screenshot]

@kjozwiak
Member

kjozwiak commented Feb 19, 2021

Verification PASSED on Samsung Galaxy Tablet A running Android 11 using the following build:

1.20.108 CR: 88.0.4324.182
Cloudflare (1.1.1.1) | Open DNS | Google (Public DNS) | Quad9 (9.9.9.9) | Clean Browsing (Family Filter)

Verification PASSED on Samsung S10+ running Android 11 using the following build:

1.20.108 CR: 88.0.4324.182
Cloudflare (1.1.1.1) | Open DNS | Google (Public DNS) | Quad9 (9.9.9.9) | Clean Browsing (Family Filter)

Verification PASSED on Asus Zenfone (x86) running Android 6 using the following build:

1.20.108 CR: 88.0.4324.182
Google (Public DNS) | Cloudflare (1.1.1.1) | CleanBrowsing (Family Filter) | NextDNS | OpenDNS | Quad9 (9.9.9.9)
