From f854d71bfb0e39d2789f285ed6e37e60bfb85276 Mon Sep 17 00:00:00 2001
From: Peter Vacho
Date: Wed, 11 Mar 2026 14:09:50 +0100
Subject: [PATCH] Update networkmanager privacy configs

---
 .../NetworkManager/conf.d/dhcp-hostname.conf | 25 +++++++----
 .../conf.d/ignore-auto-dns.conf | 30 ++++++++++---
 .../NetworkManager/conf.d/ipv6-privacy.conf | 39 +++++++++++++++++
 .../etc/NetworkManager/conf.d/llmnr-mdns.conf | 43 ++++++++++++++++---
 .../etc/NetworkManager/conf.d/random_mac.conf | 42 +++++++++++++-----
 root/etc/sysctl.d/40-ipv6-privacy.conf | 27 ++++++++++++
 6 files changed, 175 insertions(+), 31 deletions(-)
 create mode 100644 root/etc/NetworkManager/conf.d/ipv6-privacy.conf
 create mode 100644 root/etc/sysctl.d/40-ipv6-privacy.conf

diff --git a/root/etc/NetworkManager/conf.d/dhcp-hostname.conf b/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
index 6c6ceed..d4bba83 100644
--- a/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
+++ b/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
@@ -1,12 +1,21 @@
 # Do not send the system hostname to DHCP servers.
 #
-# Normally NetworkManager includes the hostname in DHCP requests so the
-# server can label leases or register dynamic DNS entries. Most networks
-# do not rely on this, and disabling it slightly reduces information
-# leaked about the device (especially when MAC randomization is used).
+# By default NetworkManager includes the system hostname in DHCP
+# requests so the DHCP server can label leases or register dynamic DNS
+# records. Many networks do not use this information, and sending it
+# unnecessarily exposes device identity.
+#
+# Disabling this slightly improves privacy when joining unknown
+# networks, especially when MAC randomization is enabled.
 #
 # Individual connections can override this if needed:
-# nmcli connection modify ipv4.dhcp-send-hostname yes ipv6.dhcp-send-hostname yes
-[connection]
-ipv4.dhcp-send-hostname=false
-ipv6.dhcp-send-hostname=false
+# nmcli connection modify ipv4.dhcp-send-hostname yes
+# nmcli connection modify ipv6.dhcp-send-hostname yes
+
+[ipv4]
+dhcp-send-hostname=false
+
+[ipv6]
+# Only applies on networks using DHCPv6. Most IPv6 networks use SLAAC
+# instead, in which case this setting has no effect.
+dhcp-send-hostname=false
diff --git a/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf b/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
index 665bc54..dbb259a 100644
--- a/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
+++ b/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
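Review bot: The new `[ipv4]` / `[ipv6]` sections with a bare `dhcp-send-hostname=false` will not be applied: NetworkManager.conf(5) defines no such sections, and connection defaults belong under `[connection]` as `setting.property` keys, which is exactly the form the removed lines used and the form this hunk's own `nmcli` examples still use (`ipv4.dhcp-send-hostname`). `[ipv4]`/`[ipv6]` are keyfile profile sections (system-connections/*.nmconnection), not NetworkManager.conf sections, so as far as I can tell the hostname is sent again after this commit, probably with at most a log warning. Restore `[connection]` with `ipv4.dhcp-send-hostname=false` and `ipv6.dhcp-send-hostname=false` (the DHCPv6/SLAAC caveat can stay as a comment above the second key). The override examples also omit the required profile argument and fail as written: `nmcli connection modify <name> ipv4.dhcp-send-hostname yes`.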
@@ -1,10 +1,26 @@
 # Ignore DNS servers advertised by networks (e.g. via DHCP).
 #
-# This makes NetworkManager refuse automatically provided DNS and lets
-# systemd-resolved fall back to the configured global resolvers instead.
+# When enabled, NetworkManager will not automatically accept DNS servers provided
+# by the network. Instead the system will continue using DNS servers configured
+# globally (for example via systemd-resolved).
 #
-# Individual connections can override this:
-# nmcli connection modify ipv4.ignore-auto-dns no ipv6.ignore-auto-dns no
-[connection]
-ipv4.ignore-auto-dns=true
-ipv6.ignore-auto-dns=true
+# This is useful when you want to enforce a specific DNS provider such as Quad9
+# or Cloudflare regardless of the network you connect to. This is generally a much
+# better choice for privacy, as the advertised DNS providers from the network can
+# often lead to local DNS servers which the network admin can monitor for activity
+# tracking.
+#
+# WARNING:
+# Some environments rely on DHCP-provided DNS for internal name resolution (corporate
+# networks, captive portals, VPNs). Enabling this globally may break such environments
+# unless the connection overrides the setting.
+#
+# Per-connection override example:
+# nmcli connection modify ipv4.ignore-auto-dns no
+# nmcli connection modify ipv6.ignore-auto-dns no
+
+[ipv4]
+ignore-auto-dns=true
+
+[ipv6]
+ignore-auto-dns=true
diff --git a/root/etc/NetworkManager/conf.d/ipv6-privacy.conf b/root/etc/NetworkManager/conf.d/ipv6-privacy.conf
new file mode 100644
index 0000000..ce2c51c
--- /dev/null
+++ b/root/etc/NetworkManager/conf.d/ipv6-privacy.conf
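Review bot: Same structural problem as dhcp-hostname.conf — `ignore-auto-dns=true` under `[ipv4]`/`[ipv6]` is a keyfile-profile construct, not a NetworkManager.conf one, so the removed `[connection]` / `ipv4.ignore-auto-dns=true` / `ipv6.ignore-auto-dns=true` lines were the working form and the DHCP-advertised resolvers will be accepted again after this change. The privacy rationale in the new comment also overstates the gain: on an untrusted network, plaintext UDP/53 queries to Quad9 or Cloudflare are just as observable and spoofable by the local operator as queries to its own resolver, so the benefit only materialises if the global resolver is reached over DNS-over-TLS (for example systemd-resolved with `DNSOverTLS=yes`), which nothing in this file shows; a sentence saying so would stop readers from assuming this setting alone hides DNS activity. Worth adding to the WARNING block as well: if no global DNS is configured in resolved, this setting leaves the host with no working resolver at all rather than a less private one.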
@@ -0,0 +1,39 @@
+# IPv6 address generation and privacy defaults.
+#
+# Most IPv6 networks use SLAAC (Stateless Address Autoconfiguration),
+# where the host generates its own IPv6 addresses based on the network
+# prefix advertised by the router.
+#
+# Two mechanisms influence how these addresses appear:
+#
+# ipv6.addr-gen-mode
+# Controls how the *stable* SLAAC address is generated.
+#
+# stable-privacy:
+# Generate a deterministic pseudorandom address derived from
+# a kernel secret and the network prefix. This prevents the
+# legacy EUI-64 mechanism from exposing the device's MAC
+# address in the IPv6 address.
+#
+# ipv6.ip6-privacy
+# Enables RFC 4941 temporary IPv6 addresses. These are additional
+# short-lived addresses that rotate periodically and are preferred
+# for outbound connections to prevent remote tracking.
+#
+# With these settings a network interface will typically have:
+#
+# - one stable pseudorandom IPv6 address
+# - one or more temporary rotating addresses used for outbound traffic
+#
+# Note that temporary addresses do NOT replace the stable address. The
+# interface will still have one stable address used for inbound connections,
+# it will just use the temporary ones for outbound ones.
+#
+# Values for ipv6.ip6-privacy:
+# 0 = disable temporary addresses
+# 1 = enable but prefer the stable address
+# 2 = enable and prefer temporary addresses
+
+[connection]
+ipv6.addr-gen-mode=stable-privacy
+ipv6.ip6-privacy=2
diff --git a/root/etc/NetworkManager/conf.d/llmnr-mdns.conf b/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
index 676b15b..b3e4426 100644
--- a/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
+++ b/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
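Review bot: The `stable-privacy` description ("derived from a kernel secret and the network prefix") describes the kernel's RFC 7217 `stable_secret` path, but for an interface NetworkManager manages the interface identifier is, as far as I know, computed by NM itself from `connection.stable-id` (default: the profile UUID), `/var/lib/NetworkManager/secret_key` and the interface name, so it is constant for a given profile across reboots and reconnects. That matters because this commit also sets `wifi.cloned-mac-address=random`: the MAC changes on every activation, yet on a known network the stable address does not, so the host remains re-identifiable at layer 3 there — the comment should say this rather than present the pair as fully unlinkable. If per-boot unlinkability is the goal, `connection.stable-id=${CONNECTION}/${BOOT}` in this same `[connection]` block regenerates the stable address each boot, at the cost of any profile that deliberately uses `cloned-mac-address=stable` for a DHCP reservation, since the MAC derives from the same stable-id. A one-line note that `ipv6.ip6-privacy=2` here takes precedence over the sysctl fallback for NM-managed interfaces would also tie this file to the new sysctl.d file in the same commit.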
@@ -1,8 +1,39 @@
-# Disable link-local name resolution protocols.
+# Control link-local name resolution protocols for connections.
 #
-# LLMNR and mDNS allow devices on the same LAN to resolve hostnames
-# without DNS. They are rarely needed on managed networks and can
-# expose system information to the local network.
+# LLMNR (Link-Local Multicast Name Resolution) and mDNS (Multicast DNS)
+# allow hosts on the same local network to resolve hostnames without
+# using a traditional DNS server. They use multicast queries on the
+# local link and are commonly used for ad-hoc discovery (for example
+# resolving nearby machines or services).
+#
+# These protocols can leak hostnames to the local network and may allow
+# spoofing attacks on untrusted networks. For this reason they are often
+# disabled on laptops that regularly join public or unknown networks.
+#
+# NetworkManager can control these features per connection when the
+# active DNS plugin supports them (for example: dns-systemd-resolved).
+#
+# Values:
+#
+# 0 / "no"
+# Disable the protocol entirely for the interface.
+# No hostname registration and no multicast resolution.
+#
+# 1 / "resolve"
+# Allow resolving hostnames via multicast queries but do not
+# announce (register) this host's hostname on the network.
+#
+# 2 / "yes"
+# Fully enable the protocol. The host registers its hostname and
+# also performs multicast resolution.
+#
+# If the DNS backend does not support these protocols the settings have
+# no effect.
+#
+# Per-connection override examples:
+# nmcli connection modify connection.llmnr resolve
+# nmcli connection modify connection.mdns resolve
+
 [connection]
-connection.llmnr=0
-connection.mdns=0
+llmnr=1
+mdns=1
diff --git a/root/etc/NetworkManager/conf.d/random_mac.conf b/root/etc/NetworkManager/conf.d/random_mac.conf
index 23f07cf..b6f623e 100644
--- a/root/etc/NetworkManager/conf.d/random_mac.conf
+++ b/root/etc/NetworkManager/conf.d/random_mac.conf
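Review bot: `llmnr=1` / `mdns=1` under `[connection]` drop the `connection.` prefix that NetworkManager.conf keys in that section require (`setting.property`), so unlike the removed `connection.llmnr=0` lines they match no setting and have no effect; the `nmcli` examples two lines up spell it correctly, so the keys should read `connection.llmnr=1` and `connection.mdns=1`. Separately, the hunk's own threat statement ("may allow spoofing attacks on untrusted networks") still applies to the chosen `resolve` mode: Responder-style LLMNR/mDNS poisoning works by answering the host's outbound multicast queries, which mode 1 continues to send — only hostname announcement is suppressed. Since this weakens the previous `0` without stating why, the comment should either justify the need for multicast resolution on unknown networks or keep `0` as the global default and enable `resolve` per trusted profile. The override examples also need the profile name: `nmcli connection modify <name> connection.llmnr resolve`.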
@@ -1,15 +1,37 @@
 [device-mac-randomization]
-# "yes" is already the default for scanning
+# Randomize the MAC address used during WiFi scanning.
+#
+# When the system scans for nearby Wi-Fi networks it normally sends probe
+# frames containing its MAC address. Without randomization, nearby networks
+# could track the device even when it is not connected.
+#
+# This is already the default on most systems, but we set it explicitly.
 wifi.scan-rand-mac-address=yes
 
 [connection-mac-randomization]
-# Randomize MAC for every ethernet connection
+# Default MAC address behavior for new connections.
+#
+# NetworkManager can replace the hardware MAC address with a randomized
+# one when activating connections. This helps prevent networks from
+# identifying and tracking the device.
+#
+# Possible values:
+# permanent : use the hardware MAC
+# preserve : keep whatever MAC the interface already has
+# stable : randomize MAC once and associate it permanently with that network
+# random : Randomize MAC for every connection
+#
+# We randomize the MAC address for every Wi-Fi and Ethernet connection by default,
+# as it is the most privacy-respecting option and prevents the network from tracking
+# the device across reconnects (assuming everything else was configured to support
+# that protection too).
+#
+# If a specific network requires a stable MAC (for example when using
+# DHCP reservations on a home router), override it per connection. Generally, you
+# should prefer using stable for these purposes instead of permanent, as there's
+# no real advantage in giving away the actual hardware MAC, even if it's your own
+# network:
+# nmcli connection modify wifi.cloned-mac-address stable
+# nmcli connection modify ethernet.cloned-mac-address stable
 ethernet.cloned-mac-address=random
-# Generate a random MAC for each WiFi and associate the two permanently
-wifi.cloned-mac-address=stable
-
-# Opions:
-# permanent: Use HardWare address
-# preserve: Don’t change the MAC address of the device upon activation
-# stable: Randomize once and associate it permanently with that network
-# random: Randomize MAC for every connection
+wifi.cloned-mac-address=random
diff --git a/root/etc/sysctl.d/40-ipv6-privacy.conf b/root/etc/sysctl.d/40-ipv6-privacy.conf
new file mode 100644
index 0000000..6c4bb36
--- /dev/null
+++ b/root/etc/sysctl.d/40-ipv6-privacy.conf
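Review bot: The new comment presents `wifi.cloned-mac-address=random` (and the kept `ethernet.cloned-mac-address=random`) as a pure gain, but the operational costs a reader will hit belong next to it: every activation, including reconnects after roaming or resume, presents a new MAC, so captive portals and MAC-allowlisted guest networks re-challenge each time, DHCP pools accumulate stale leases, and on wired networks with 802.1X/MAB or switch port-security a new MAC per link-up can get the port disabled. The `stable` override the comment recommends derives the MAC from `connection.stable-id`, which defaults to the profile UUID, so deleting and re-creating a profile changes the "stable" MAC and breaks the DHCP-reservation use case it is suggested for — worth one sentence. The override examples also omit the profile argument and fail as written: `nmcli connection modify <name> wifi.cloned-mac-address stable`.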
@@ -0,0 +1,27 @@
+# Enable IPv6 temporary addresses (RFC 4941).
+#
+# On IPv6 networks using SLAAC (Stateless Address Autoconfiguration),
+# hosts automatically generate their own addresses from the advertised
+# network prefix. Normally this results in a single stable address that
+# remains constant for the duration of the connection.
+#
+# Temporary addresses add additional short-lived IPv6 addresses that are
+# periodically regenerated by the kernel. These addresses are preferred
+# for outgoing connections (for example web browsing) so that remote
+# services cannot reliably track a device by its stable IPv6 address.
+#
+# The stable address still exists and is used for:
+# - inbound connections
+# - local services
+# - neighbor discovery
+#
+# Values:
+# 0 = disable temporary addresses
+# 1 = enable temporary addresses but prefer the stable address
+# 2 = enable temporary addresses and prefer them for outbound traffic
+#
+# "default" applies to interfaces created after boot, while "all"
+# applies the setting to existing interfaces as well.
+
+net.ipv6.conf.default.use_tempaddr = 2
+net.ipv6.conf.all.use_tempaddr = 2
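Review bot: The closing comment ("all" applies the setting to existing interfaces as well) is wrong for this knob as far as I can tell from addrconf.c: the kernel consults only the per-interface value (`idev->cnf.use_tempaddr`, e.g. `>= 2` in source-address selection), and `net.ipv6.conf.all.use_tempaddr` is not propagated to existing interfaces the way `forwarding` or `disable_ipv6` are, so an interface that already existed when systemd-sysctl ran keeps its previous value. Suggested replacement for the last two comment lines: `# "default" seeds interfaces created after this file is applied; interfaces that already exist need net.ipv6.conf.<ifname>.use_tempaddr set explicitly (NetworkManager does this for the interfaces it manages, from ipv6.ip6-privacy).` That also makes the file's role clear: it is the fallback for unmanaged interfaces and for profiles that leave `ipv6.ip6-privacy` at -1. On those interfaces the stable address is still EUI-64 (MAC-derived) because nothing here sets `addr_gen_mode` or `stable_secret`, which the opening "single stable address" paragraph should not leave implicit.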