Update networkmanager privacy configs

2026-03-16 11:37:23 +00:00 · 2026-03-11 14:09:50 +01:00 · 2026-03-11 14:09:50 +01:00 · f854d71bfb
commit f854d71bfb
parent 72541252ab
6 changed files with 175 additions and 31 deletions
--- a/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
+++ b/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
@ -1,10 +1,26 @@
 # Ignore DNS servers advertised by networks (e.g. via DHCP).
 #
-# This makes NetworkManager refuse automatically provided DNS and lets
-# systemd-resolved fall back to the configured global resolvers instead.
+# When enabled, NetworkManager will not automatically accept DNS servers provided
+# by the network. Instead the system will continue using DNS servers configured
+# globally (for example via systemd-resolved).
 #
-# Individual connections can override this:
-#   nmcli connection modify <connection> ipv4.ignore-auto-dns no ipv6.ignore-auto-dns no
-[connection]
-ipv4.ignore-auto-dns=true
-ipv6.ignore-auto-dns=true
+# This is useful when you want to enforce a specific DNS provider such as Quad9
+# or Cloudflare regardless of the network you connect to. This is generally a much
+# better choice for privacy, as the advertised DNS providers from the network can
+# often lead to local DNS servers which the network admin can monitor for activity
+# tracking.
+#
+# WARNING:
+# Some environments rely on DHCP-provided DNS for internal name resolution (corporate
+# networks, captive portals, VPNs). Enabling this globally may break such environments
+# unless the connection overrides the setting.
+#
+# Per-connection override example:
+#   nmcli connection modify <connection> ipv4.ignore-auto-dns no
+#   nmcli connection modify <connection> ipv6.ignore-auto-dns no
+
+[ipv4]
+ignore-auto-dns=true
+
+[ipv6]
+ignore-auto-dns=true