Edit: (Since this is gaining traction elsewhere.) I'm not trying to shit on Brave. I'm just wanting to help protect end-users who may use Brave for it's Tor feature to do stuff over Tor that should only be done with the actual Tor browser. If you're using Brave you probably use it because you expect a certain level of privacy/anonymity. Piping .onion requests through DNS where your ISP or DNS provider can see that you made a request for an .onion site defeats that purpose.
I'm also no NetSec expert but you don't have to be to replicate this. I'm just a dude with some websites and projects and I'm not certain I would have taken notice of this if it wasn't reported to me by a partner on another project who witnessed this behavior when monitoring his local requests leaving his network. He'll be doing his own write-up and is more equipped to discuss this in length than me.
Testing out something that was noted a week or so ago, and wanting to replicate it for the purpose of this post.
Some of you know I'm working on an ad, tracker, and other BS blocking VPN service for an unrelated project to this site. Go to /f/incoghost (website) for more because I try to keep these things separated.
Anyhow, it was reported by a partner that Brave was leaking DNS requests for onion sites and I was able to confirm it at the time. Decided to spin up a VM with Brave and test with this site's Onion service (though it will do this for any .onion)
Feb 18 12:02:25: query[A] rambleeeqrhty6s5jgefdfdtc6tfgg4jj6svr4jpgk4wjtg3qshwbaad.onion from 104.244.xx.xxx
What this entry shows (simply) is that the request made for the domain rambleeeqrhty6s5jgefdfdtc6tfgg4jj6svr4jpgk4wjtg3qshwbaad.onion made it to the DNS server and is tagged with the IP of the requester, which in this case is just the test / dev VPN. This shouldn't happen. There isn't any reason for Brave to attempt to resolve a .onion domain through traditional means as it would with a regular clearnet site.
This is especially worrisome for those of you who use Brave browser from your normal residential IP and (for whatever reason) use the Tor feature built into the browser to access Tor sites. Your ISP or DNS provider will know that a request made to a specific Tor site was made by your IP. With Brave, your ISP would know that you accessed somesketchyonionsite.onion .
TL;DR: If you're going to use Tor, use the Tor Browser and not Brave. The Tor browser itself doesn't leak these requests like Brave does.
Edit: To clarify, the VPN service we're working on is no-logging but during this dev and testing period we're logging DNS requests while we work out the kinks in the blocklists. This has also allowed us to witness .onions being passed through which is a fault of Brave.
Edit 2: Screenshot: https://images2.imgbox.com/98/46/1i084PbC_o.png
That was me loading duckduckgo in a different container, with brave, while live fetching DNS requests made to the DNS server. I blurred out the non-onion requests. (Different VPN test location than in the above example so 209.x.x.x IP instead of the 104.x.x.x one in the original example.
EDIT 2: The mods of /r/privacy won't let this be posted. They say:
While we (vastly) prefer the Tor Browser over the Brave one, you'll need a better source than the one you found. Can you find something from a more widely recognized NetSec expert? Something along the lines of Bruce Schneier's blog or something at that level of credibility?
The problem with screenshots is that they can be faked, trivially. There are also a host of approaches that credible writers/reporters do in the NetSec space do before a line of text appears in print. It's this kind of journalism that we have to trust, since we humble Mods don't have the time or resources to vet. So, we'll need something better sourced. Sorry!
There are new posts everyday "warning" people of things that aren't legitimate, hence the caution. This is not a "security" subreddit. A moderator's job is to ensure that the subreddit doesn't devolve into conspiracy theories and misinformation. Security announcements should be vetted and confirmed, not independent claims that the mods have no time to independently verify.
I can post the steps on how to easily replicate this by using pi-hole on their local networks. Anyone is capable of verifying this.
Great. Please do so on r/brave, r/netsec, r/infosec, and other places where this is both directly relevant and appropriate to seek others confirmation. Once vetted by the community (and republished by professionals), you're welcome to post those official responses.
/r/brave is private, invite only. I posted on netsec and infosec so we'll see. I guess /r/privacy must love Brave and not allow anything against it since it's so god damned easy to verify this...
All you have to do to VERIFY that this is happening is A.) Use Brave B.) Go to an Onion site C.) Observe DNS traffic. Install Pi-Hole on a Raspberry Pi or in a Virtual Machine on your desktop and run your DNS requests through it for ease of use and you can verify it. Not sure why they're so hesitant to inform their subscribers of this.
Edit 3: Tested on both a Debian 10 and Ubuntu desktop. I'm not esteemed NetSec researcher and I'm not setting up a 100 different scenarios.