diff --git a/root/etc/NetworkManager/conf.d/dhcp-hostname.conf b/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
index 6c6ceed..fe4b50e 100644
--- a/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
+++ b/root/etc/NetworkManager/conf.d/dhcp-hostname.conf
@@ -1,12 +1,20 @@
 # Do not send the system hostname to DHCP servers.
 #
-# Normally NetworkManager includes the hostname in DHCP requests so the
-# server can label leases or register dynamic DNS entries. Most networks
-# do not rely on this, and disabling it slightly reduces information
-# leaked about the device (especially when MAC randomization is used).
+# By default NetworkManager includes the system hostname in DHCP
+# requests so the DHCP server can label leases or register dynamic DNS
+# records. Many networks do not use this information, and sending it
+# unnecessarily exposes device identity.
+#
+# Disabling this slightly improves privacy when joining unknown
+# networks, especially when MAC randomization is enabled.
 #
 # Individual connections can override this if needed:
-# nmcli connection modify ipv4.dhcp-send-hostname yes ipv6.dhcp-send-hostname yes
+# nmcli connection modify ipv4.dhcp-send-hostname yes
+# nmcli connection modify ipv6.dhcp-send-hostname yes
+
 [connection]
 ipv4.dhcp-send-hostname=false
+
+# Only applies on networks using DHCPv6. Most IPv6 networks use SLAAC
+# instead, in which case this setting has no effect.
 ipv6.dhcp-send-hostname=false
diff --git a/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf b/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
index 665bc54..3cc3913 100644
--- a/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
+++ b/root/etc/NetworkManager/conf.d/ignore-auto-dns.conf
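Review bot: The override examples `# nmcli connection modify ipv4.dhcp-send-hostname yes` and the matching ipv6 line omit the profile to modify; `nmcli connection modify` needs the connection id/uuid before the property list, so the example fails verbatim. Suggest `# nmcli connection modify <connection-name> ipv4.dhcp-send-hostname yes` (same for ipv6), with the placeholder spelled out so nobody pastes it as-is. The same omission appears in the example lines added to ignore-auto-dns.conf, llmnr-mdns.conf and random_mac.conf in this commit. The full-line `#` comment placed between the two keys inside `[connection]` is fine for NetworkManager's key-file parser; keep it full-line, since a trailing comment on a value line would become part of the value.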
@@ -1,10 +1,24 @@
 # Ignore DNS servers advertised by networks (e.g. via DHCP).
 #
-# This makes NetworkManager refuse automatically provided DNS and lets
-# systemd-resolved fall back to the configured global resolvers instead.
+# When enabled, NetworkManager will not automatically accept DNS servers provided
+# by the network. Instead the system will continue using DNS servers configured
+# globally (for example via systemd-resolved).
 #
-# Individual connections can override this:
-# nmcli connection modify ipv4.ignore-auto-dns no ipv6.ignore-auto-dns no
+# This is useful when you want to enforce a specific DNS provider such as Quad9
+# or Cloudflare regardless of the network you connect to. This is generally a much
+# better choice for privacy, as the advertised DNS providers from the network can
+# often lead to local DNS servers which the network admin can monitor for activity
+# tracking.
+#
+# WARNING:
+# Some environments rely on DHCP-provided DNS for internal name resolution (corporate
+# networks, captive portals, VPNs). Enabling this globally may break such environments
+# unless the connection overrides the setting.
+#
+# Per-connection override example:
+# nmcli connection modify ipv4.ignore-auto-dns no
+# nmcli connection modify ipv6.ignore-auto-dns no
+
 [connection]
 ipv4.ignore-auto-dns=true
 ipv6.ignore-auto-dns=true
diff --git a/root/etc/NetworkManager/conf.d/ipv6-privacy.conf b/root/etc/NetworkManager/conf.d/ipv6-privacy.conf
new file mode 100644
index 0000000..ac1ead4
--- /dev/null
+++ b/root/etc/NetworkManager/conf.d/ipv6-privacy.conf
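Review bot: The privacy rationale added above `ipv4.ignore-auto-dns=true` overstates what the setting buys: pinning the resolver to Quad9 or Cloudflare only removes the network's choice of resolver, while plain port-53 queries to that resolver are still visible on the local link unless the global resolver is also configured for an encrypted transport (for systemd-resolved, DNS over TLS). Suggest adding after the "tracking." line: `# Note: this alone does not hide queries from the local network; pair it with an encrypted transport (e.g. DNS over TLS in systemd-resolved).` The file also assumes global resolvers are configured somewhere else, but neither the comment nor this commit shows where; a pointer to that file would keep the two in sync, since with this setting and no global resolver configured, name resolution simply fails.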
@@ -0,0 +1,51 @@
+[connection]
+
+# Generate the stable SLAAC IPv6 address using RFC7217 ("stable privacy").
+#
+# Normally IPv6 SLAAC can derive the interface identifier directly from
+# the device MAC address using the legacy EUI-64 scheme. This exposes the
+# hardware MAC inside the IPv6 address and allows long-term tracking.
+#
+# The "stable-privacy" mode instead derives the address from a secret
+# kernel seed and the network prefix. This produces a deterministic
+# address that stays stable within the same network but does not reveal
+# the device MAC address.
+ipv6.addr-gen-mode=stable-privacy
+
+
+# Enable RFC4941 temporary IPv6 addresses and prefer them for outbound
+# connections.
+#
+# These temporary addresses rotate periodically and are used for outgoing
+# traffic to reduce the ability of remote servers to track the device
+# across connections.
+#
+# The interface will still retain a stable address (generated above) for
+# inbound connections, but outgoing traffic will prefer the temporary
+# ones.
+#
+# Values:
+# 0 = disable temporary addresses
+# 1 = enable but prefer the stable address
+# 2 = enable and prefer temporary addresses
+ipv6.ip6-privacy=2
+
+
+# Use a per-connection DHCPv6 client identifier.
+#
+# When a network uses DHCPv6, the client must identify itself with a
+# DHCP Unique Identifier (DUID). By default NetworkManager generates a
+# single identifier derived from the system machine-id, meaning every
+# network sees the same persistent identifier.
+#
+# The "stable-uuid" mode instead generates a different identifier per
+# connection using the connection's stable-id and a host-specific secret.
+# Each network therefore sees a different DHCPv6 identity while still
+# receiving a stable identifier across reconnects.
+#
+# This prevents cross-network tracking while maintaining normal DHCPv6
+# lease behavior.
+#
+# Note: many IPv6 networks rely only on SLAAC and do not use DHCPv6, in
+# which case this setting has no effect.
+ipv6.dhcp-duid=stable-uuid
diff --git a/root/etc/NetworkManager/conf.d/llmnr-mdns.conf b/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
index 676b15b..605342b 100644
--- a/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
+++ b/root/etc/NetworkManager/conf.d/llmnr-mdns.conf
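Review bot: `ipv6.ip6-privacy=2` here and `net.ipv6.conf.*.use_tempaddr = 2` in the new root/etc/sysctl.d/40-ipv6-privacy.conf set the same knob at two layers, and neither file's comment mentions the other. As far as I recall, NetworkManager writes the per-interface use_tempaddr from ip6-privacy when it activates a connection and only falls back to the sysctl default when ip6-privacy is left unset, so the sysctl file effectively covers only interfaces NetworkManager does not manage; worth confirming and then stating, e.g. `# NetworkManager applies this per interface on activation; the sysctl default in /etc/sysctl.d/40-ipv6-privacy.conf only covers interfaces it does not manage.` The stable-privacy description ("derives the address from a secret kernel seed") also looks inaccurate to me — I believe NetworkManager derives the RFC 7217 identifier from its own per-host secret key and the connection's stable-id rather than a kernel seed, which matters because it ties the address to the same stable-id used by `ipv6.dhcp-duid=stable-uuid`; please verify against the NetworkManager documentation. Finally, unlike the other conf.d files in this commit, this one has no header line before `[connection]` saying what the file is for and what reads it.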
@@ -1,8 +1,39 @@
-# Disable link-local name resolution protocols.
+# Control link-local name resolution protocols for connections.
 #
-# LLMNR and mDNS allow devices on the same LAN to resolve hostnames
-# without DNS. They are rarely needed on managed networks and can
-# expose system information to the local network.
+# LLMNR (Link-Local Multicast Name Resolution) and mDNS (Multicast DNS)
+# allow hosts on the same local network to resolve hostnames without
+# using a traditional DNS server. They use multicast queries on the
+# local link and are commonly used for ad-hoc discovery (for example
+# resolving nearby machines or services).
+#
+# These protocols can leak hostnames to the local network and may allow
+# spoofing attacks on untrusted networks. For this reason they are often
+# disabled on laptops that regularly join public or unknown networks.
+#
+# NetworkManager can control these features per connection when the
+# active DNS plugin supports them (for example: dns-systemd-resolved).
+#
+# Values:
+#
+# 0 / "no"
+# Disable the protocol entirely for the interface.
+# No hostname registration and no multicast resolution.
+#
+# 1 / "resolve"
+# Allow resolving hostnames via multicast queries but do not
+# announce (register) this host's hostname on the network.
+#
+# 2 / "yes"
+# Fully enable the protocol. The host registers its hostname and
+# also performs multicast resolution.
+#
+# If the DNS backend does not support these protocols the settings have
+# no effect.
+#
+# Per-connection override examples:
+# nmcli connection modify connection.llmnr resolve
+# nmcli connection modify connection.mdns resolve
+
 [connection]
-connection.llmnr=0
-connection.mdns=0
+connection.llmnr=1
+connection.mdns=1
diff --git a/root/etc/NetworkManager/conf.d/random_mac.conf b/root/etc/NetworkManager/conf.d/random_mac.conf
index 23f07cf..b6f623e 100644
--- a/root/etc/NetworkManager/conf.d/random_mac.conf
+++ b/root/etc/NetworkManager/conf.d/random_mac.conf
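Review bot: The values move from `connection.llmnr=0` / `connection.mdns=0` to `1` (resolve), yet the new comment still says these protocols "may allow spoofing attacks on untrusted networks" and "are often disabled", and never explains why resolve mode is now the default. Resolve mode still sends multicast queries and accepts whatever on-link host answers first — LLMNR and mDNS replies are unauthenticated — so the spoofing concern applies to resolution, not only to registration; the change only stops announcing this host's name. Suggest a line directly above the two keys, e.g. `# resolve (1) stops announcing this host's name but still trusts on-link answers; use 0 on profiles for untrusted networks.` It would also help to state the reason for the relaxation (presumably needing .local resolution on home networks) so a later reader does not flip it back.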
@@ -1,15 +1,37 @@
 [device-mac-randomization]
-# "yes" is already the default for scanning
+# Randomize the MAC address used during WiFi scanning.
+#
+# When the system scans for nearby Wi-Fi networks it normally sends probe
+# frames containing its MAC address. Without randomization, nearby networks
+# could track the device even when it is not connected.
+#
+# This is already the default on most systems, but we set it explicitly.
 wifi.scan-rand-mac-address=yes
 
 [connection-mac-randomization]
-# Randomize MAC for every ethernet connection
+# Default MAC address behavior for new connections.
+#
+# NetworkManager can replace the hardware MAC address with a randomized
+# one when activating connections. This helps prevent networks from
+# identifying and tracking the device.
+#
+# Possible values:
+# permanent : use the hardware MAC
+# preserve : keep whatever MAC the interface already has
+# stable : randomize MAC once and associate it permanently with that network
+# random : Randomize MAC for every connection
+#
+# We randomize the MAC address for every Wi-Fi and Ethernet connection by default,
+# as it is the most privacy-respecting option and prevents the network from tracking
+# the device across reconnects (assuming everything else was configured to support
+# that protection too).
+#
+# If a specific network requires a stable MAC (for example when using
+# DHCP reservations on a home router), override it per connection. Generally, you
+# should prefer using stable for these purposes instead of permanent, as there's
+# no real advantage in giving away the actual hardware MAC, even if it's your own
+# network:
+# nmcli connection modify wifi.cloned-mac-address stable
+# nmcli connection modify ethernet.cloned-mac-address stable
 ethernet.cloned-mac-address=random
-# Generate a random MAC for each WiFi and associate the two permanently
-wifi.cloned-mac-address=stable
-
-# Opions:
-# permanent: Use HardWare address
-# preserve: Don’t change the MAC address of the device upon activation
-# stable: Randomize once and associate it permanently with that network
-# random: Randomize MAC for every connection
+wifi.cloned-mac-address=random
diff --git a/root/etc/sysctl.d/40-ipv6-privacy.conf b/root/etc/sysctl.d/40-ipv6-privacy.conf
new file mode 100644
index 0000000..6c4bb36
--- /dev/null
+++ b/root/etc/sysctl.d/40-ipv6-privacy.conf
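Review bot: The claim above `wifi.cloned-mac-address=random` that it "prevents the network from tracking the device across reconnects" holds only for the link layer; with the ipv6-privacy.conf defaults added in the same commit, the stable-privacy interface identifier and the stable-uuid DUID are both derived from the connection's stable-id, so the same profile presents the same IPv6 address suffix and the same DHCPv6 identity on every reconnect even though the MAC changes. The parenthetical "assuming everything else was configured to support that protection too" should name this explicitly, e.g. `# Note: ipv6.addr-gen-mode=stable-privacy and ipv6.dhcp-duid=stable-uuid (ipv6-privacy.conf) still give each profile a stable IPv6 IID and DUID across reconnects; change connection.stable-id as well if that is not wanted.` Since the comment also recommends `stable` for networks with DHCP reservations, it is worth saying that `stable` binds the MAC to the profile's stable-id in the same way, so that advice and the note stay consistent.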
@@ -0,0 +1,27 @@
+# Enable IPv6 temporary addresses (RFC 4941).
+#
+# On IPv6 networks using SLAAC (Stateless Address Autoconfiguration),
+# hosts automatically generate their own addresses from the advertised
+# network prefix. Normally this results in a single stable address that
+# remains constant for the duration of the connection.
+#
+# Temporary addresses add additional short-lived IPv6 addresses that are
+# periodically regenerated by the kernel. These addresses are preferred
+# for outgoing connections (for example web browsing) so that remote
+# services cannot reliably track a device by its stable IPv6 address.
+#
+# The stable address still exists and is used for:
+# - inbound connections
+# - local services
+# - neighbor discovery
+#
+# Values:
+# 0 = disable temporary addresses
+# 1 = enable temporary addresses but prefer the stable address
+# 2 = enable temporary addresses and prefer them for outbound traffic
+#
+# "default" applies to interfaces created after boot, while "all"
+# applies the setting to existing interfaces as well.
+
+net.ipv6.conf.default.use_tempaddr = 2
+net.ipv6.conf.all.use_tempaddr = 2
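Review bot: The closing comment states that `all` "applies the setting to existing interfaces as well"; for per-device IPv6 settings such as use_tempaddr my understanding is that writing conf.all does not rewrite the per-interface values of interfaces that already exist (only a handful of IPv6 keys propagate that way), so an interface brought up before sysctl.d is applied keeps its own value — please verify on the target kernel before relying on that sentence, and soften it if it does not hold. The comment's promise that "remote services cannot reliably track a device by its stable IPv6 address" also does not follow from use_tempaddr alone: on interfaces that NetworkManager does not manage, the stable address is still the kernel's default EUI-64 form and embeds the MAC, since the RFC 7217 mode set in ipv6-privacy.conf only reaches NetworkManager-managed connections. If this file is meant to cover unmanaged interfaces, the sibling knob `net.ipv6.conf.default.addr_gen_mode` is where that gap would be closed; at minimum the comment should scope its claim to managed interfaces.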