Brave Browser

Brave Browser is fixing a privacy issue that leaks the Tor onion URL addresses you visit to your locally configured DNS server, exposing the dark web websites you visit.

Brave is Chromium-based browser that has been modified with privacy in mind, including a built-in ad blocker, tight data controls, and a built-in Tor browser mode to browse the web anonymously.

Websites located on Tor use onion URL addresses that users can only access through the Tor network. For example, DuckDuckGo’s Tor address is https://3g2upl4pq6kufc4m.onion/ and the New York Time’s address is https://www.nytimes3xbfgragh.onion/.

To access Tor onion URLs, Brave added a ‘Private Window with Tor‘ mode that acts as a proxy to the Tor network. When you attempt to connect to an onion URL, your request is proxied through volunteer-run Tor nodes who make the request for you and send back the returned HTML.

Brave's Private Windows with Tor browsing mode
Brave’s Private Windows with Tor browsing mode

Due to this proxy implementation, Brave’s Tor mode does not directly provide the same level of privacy as using the Tor Browser.

Brave’s leaks Tor DNS requests

When using Brave’s Tor mode, it should forward all requests to the Tor proxies and not send any information to any non-Tor Internet devices to increase privacy.

However, a bug in Brave’s ‘Private window with Tor’ mode is causing the onion URL for any Tor address you visit to also be sent as a standard DNS query to your machine’s configured DNS server.

This bug was first reported in a Reddit post and later confirmed by James Kettle, the Director of Research at PortSwigger.

BleepingComputer has also verified the claims by using Wireshark to view DNS traffic while using Brave’s Tor mode.

As you can see in the video below, when visiting the DuckDuckGo and NY Times’ onion URLs in Brave’s Tor browser mode, the browser also performed DNS queries to our locally configured DNS server, Google’s public servers at IP address

Brave is aware of this bug as it was reported on their GitHub project page eighteen days ago, and developers have already created a fix.

This issue is caused by Brave’s CNAME decloaking ad-blocking feature that blocks third-party tracking scripts that use CNAME DNS records to impersonate a first-party script.

To prevent Tor URLs from being sent to configured DNS servers, Brave has disabled the CNAME adblocking feature when in the Tor browsing mode.

“Per discussion on slack with @bridiver and @iefremov, we came to a conclusion that disabling CNAME adblock for Tor would be best option now. Considering in order to make DoH route through Tor, we need to remove LOAD_BYPASS_PROXY for dns transaction but it might introduce dns and proxy code looping when we need to resolve proxy name,” the Brave developers explained in the reported issue.

This fix was originally expected to roll out in the Brave Browser Beta 1.21.x but Brave Browser developer Yan Zhu tweeted that a hotfix will be uplifted to the next Stable version.