Fix NetworkManager privacy settings

root/etc/NetworkManager/conf.d/dhcp-hostname.conf

@@ -1,12 +1,20 @@
 # Do not send the system hostname to DHCP servers.
 #
-# Normally NetworkManager includes the hostname in DHCP requests so the
+# By default NetworkManager includes the system hostname in DHCP
-# server can label leases or register dynamic DNS entries. Most networks
+# requests so the DHCP server can label leases or register dynamic DNS
-# do not rely on this, and disabling it slightly reduces information
+# records. Many networks do not use this information, and sending it
-# leaked about the device (especially when MAC randomization is used).
+# unnecessarily exposes device identity.
+#
+# Disabling this slightly improves privacy when joining unknown
+# networks, especially when MAC randomization is enabled.
 #
 # Individual connections can override this if needed:
-#   nmcli connection modify <connection> ipv4.dhcp-send-hostname yes ipv6.dhcp-send-hostname yes
+#   nmcli connection modify <connection> ipv4.dhcp-send-hostname yes
+#   nmcli connection modify <connection> ipv6.dhcp-send-hostname yes
+
 [connection]
 ipv4.dhcp-send-hostname=false
+
+# Only applies on networks using DHCPv6. Most IPv6 networks use SLAAC
+# instead, in which case this setting has no effect.
 ipv6.dhcp-send-hostname=false

root/etc/NetworkManager/conf.d/ignore-auto-dns.conf

@@ -1,10 +1,24 @@
 # Ignore DNS servers advertised by networks (e.g. via DHCP).
 #
-# This makes NetworkManager refuse automatically provided DNS and lets
+# When enabled, NetworkManager will not automatically accept DNS servers provided
-# systemd-resolved fall back to the configured global resolvers instead.
+# by the network. Instead the system will continue using DNS servers configured
+# globally (for example via systemd-resolved).
 #
-# Individual connections can override this:
+# This is useful when you want to enforce a specific DNS provider such as Quad9
-#   nmcli connection modify <connection> ipv4.ignore-auto-dns no ipv6.ignore-auto-dns no
+# or Cloudflare regardless of the network you connect to. This is generally a much
+# better choice for privacy, as the advertised DNS providers from the network can
+# often lead to local DNS servers which the network admin can monitor for activity
+# tracking.
+#
+# WARNING:
+# Some environments rely on DHCP-provided DNS for internal name resolution (corporate
+# networks, captive portals, VPNs). Enabling this globally may break such environments
+# unless the connection overrides the setting.
+#
+# Per-connection override example:
+#   nmcli connection modify <connection> ipv4.ignore-auto-dns no
+#   nmcli connection modify <connection> ipv6.ignore-auto-dns no
+
 [connection]
 ipv4.ignore-auto-dns=true
 ipv6.ignore-auto-dns=true

root/etc/NetworkManager/conf.d/ipv6-privacy.conf

@@ -0,0 +1,51 @@
+[connection]
+
+# Generate the stable SLAAC IPv6 address using RFC7217 ("stable privacy").
+#
+# Normally IPv6 SLAAC can derive the interface identifier directly from
+# the device MAC address using the legacy EUI-64 scheme. This exposes the
+# hardware MAC inside the IPv6 address and allows long-term tracking.
+#
+# The "stable-privacy" mode instead derives the address from a secret
+# kernel seed and the network prefix. This produces a deterministic
+# address that stays stable within the same network but does not reveal
+# the device MAC address.
+ipv6.addr-gen-mode=stable-privacy
+
+
+# Enable RFC4941 temporary IPv6 addresses and prefer them for outbound
+# connections.
+#
+# These temporary addresses rotate periodically and are used for outgoing
+# traffic to reduce the ability of remote servers to track the device
+# across connections.
+#
+# The interface will still retain a stable address (generated above) for
+# inbound connections, but outgoing traffic will prefer the temporary
+# ones.
+#
+# Values:
+#   0 = disable temporary addresses
+#   1 = enable but prefer the stable address
+#   2 = enable and prefer temporary addresses
+ipv6.ip6-privacy=2
+
+
+# Use a per-connection DHCPv6 client identifier.
+#
+# When a network uses DHCPv6, the client must identify itself with a
+# DHCP Unique Identifier (DUID). By default NetworkManager generates a
+# single identifier derived from the system machine-id, meaning every
+# network sees the same persistent identifier.
+#
+# The "stable-uuid" mode instead generates a different identifier per
+# connection using the connection's stable-id and a host-specific secret.
+# Each network therefore sees a different DHCPv6 identity while still
+# receiving a stable identifier across reconnects.
+#
+# This prevents cross-network tracking while maintaining normal DHCPv6
+# lease behavior.
+#
+# Note: many IPv6 networks rely only on SLAAC and do not use DHCPv6, in
+# which case this setting has no effect.
+ipv6.dhcp-duid=stable-uuid

root/etc/NetworkManager/conf.d/llmnr-mdns.conf

@@ -1,8 +1,39 @@
-# Disable link-local name resolution protocols.
+# Control link-local name resolution protocols for connections.
 #
-# LLMNR and mDNS allow devices on the same LAN to resolve hostnames
+# LLMNR (Link-Local Multicast Name Resolution) and mDNS (Multicast DNS)
-# without DNS. They are rarely needed on managed networks and can
+# allow hosts on the same local network to resolve hostnames without
-# expose system information to the local network.
+# using a traditional DNS server. They use multicast queries on the
+# local link and are commonly used for ad-hoc discovery (for example
+# resolving nearby machines or services).
+#
+# These protocols can leak hostnames to the local network and may allow
+# spoofing attacks on untrusted networks. For this reason they are often
+# disabled on laptops that regularly join public or unknown networks.
+#
+# NetworkManager can control these features per connection when the
+# active DNS plugin supports them (for example: dns-systemd-resolved).
+#
+# Values:
+#
+#   0 / "no"
+#       Disable the protocol entirely for the interface.
+#       No hostname registration and no multicast resolution.
+#
+#   1 / "resolve"
+#       Allow resolving hostnames via multicast queries but do not
+#       announce (register) this host's hostname on the network.
+#
+#   2 / "yes"
+#       Fully enable the protocol. The host registers its hostname and
+#       also performs multicast resolution.
+#
+# If the DNS backend does not support these protocols the settings have
+# no effect.
+#
+# Per-connection override examples:
+#   nmcli connection modify <connection> connection.llmnr resolve
+#   nmcli connection modify <connection> connection.mdns resolve
+
 [connection]
-connection.llmnr=0
+connection.llmnr=1
-connection.mdns=0
+connection.mdns=1

root/etc/NetworkManager/conf.d/random_mac.conf

@@ -1,15 +1,37 @@
 [device-mac-randomization]
-# "yes" is already the default for scanning
+# Randomize the MAC address used during WiFi scanning.
+#
+# When the system scans for nearby Wi-Fi networks it normally sends probe
+# frames containing its MAC address. Without randomization, nearby networks
+# could track the device even when it is not connected.
+#
+# This is already the default on most systems, but we set it explicitly.
 wifi.scan-rand-mac-address=yes
 
 [connection-mac-randomization]
-# Randomize MAC for every ethernet connection
+# Default MAC address behavior for new connections.
+#
+# NetworkManager can replace the hardware MAC address with a randomized
+# one when activating connections. This helps prevent networks from
+# identifying and tracking the device.
+#
+# Possible values:
+#   permanent : use the hardware MAC
+#   preserve  : keep whatever MAC the interface already has
+#   stable    : randomize MAC once and associate it permanently with that network
+#   random    : Randomize MAC for every connection
+#
+# We randomize the MAC address for every Wi-Fi and Ethernet connection by default,
+# as it is the most privacy-respecting option and prevents the network from tracking
+# the device across reconnects (assuming everything else was configured to support
+# that protection too).
+#
+# If a specific network requires a stable MAC (for example when using
+# DHCP reservations on a home router), override it per connection. Generally, you
+# should prefer using stable for these purposes instead of permanent, as there's
+# no real advantage in giving away the actual hardware MAC, even if it's your own
+# network:
+#   nmcli connection modify <wifi-connection> wifi.cloned-mac-address stable
+#   nmcli connection modify <ethernet-connection> ethernet.cloned-mac-address stable
 ethernet.cloned-mac-address=random
-# Generate a random MAC for each WiFi and associate the two permanently
+wifi.cloned-mac-address=random
-wifi.cloned-mac-address=stable
-
-# Opions:
-# permanent: Use HardWare address
-# preserve: Don’t change the MAC address of the device upon activation
-# stable: Randomize once and associate it permanently with that network
-# random: Randomize MAC for every connection

root/etc/sysctl.d/40-ipv6-privacy.conf

@@ -0,0 +1,27 @@
+# Enable IPv6 temporary addresses (RFC 4941).
+#
+# On IPv6 networks using SLAAC (Stateless Address Autoconfiguration),
+# hosts automatically generate their own addresses from the advertised
+# network prefix. Normally this results in a single stable address that
+# remains constant for the duration of the connection.
+#
+# Temporary addresses add additional short-lived IPv6 addresses that are
+# periodically regenerated by the kernel. These addresses are preferred
+# for outgoing connections (for example web browsing) so that remote
+# services cannot reliably track a device by its stable IPv6 address.
+#
+# The stable address still exists and is used for:
+#   - inbound connections
+#   - local services
+#   - neighbor discovery
+#
+# Values:
+#   0 = disable temporary addresses
+#   1 = enable temporary addresses but prefer the stable address
+#   2 = enable temporary addresses and prefer them for outbound traffic
+#
+# "default" applies to interfaces created after boot, while "all"
+# applies the setting to existing interfaces as well.
+
+net.ipv6.conf.default.use_tempaddr = 2
+net.ipv6.conf.all.use_tempaddr = 2