Advanced networking

Advanced networking

The initial setup during the system preparation may be sufficient for the basic configuration tasks. However, time synchronization1 and enhanced privacy requires a more advanced setup:

  1. Switch to a #Network Manager with:
    1. #IPv6 privacy
    2. MAC address randomization
  2. Use chrony for #Time synchronization
  3. #Securing DNS via:
    1. #DNSSEC for validating DNS queries
    2. #DNS over TLS for encrypting DNS traffic

Network manager

First of all an utility for controlling network related tasks is desirable. The NetworkManager can easily, yet extensively manage wireless and wired ethernet2 interfaces. I install the networkmanager package:

sudo pacman -Sy networkmanager

The DHCP client, which is integrated in the NetworkManager can cause issues in big wireless networks such as eduroam. For this reason, I install the dhclient as an alternative:

sudo pacman -Sy dhclient

For switching, I create a /etc/NetworkManager/conf.d/dhcp-client.conf file:

/etc/NetworkManager/conf.d/dhcp-client.conf
[main]
dhcp=dhclient

IPv6 privacy

To prevent MAC address leakage of my interfaces, I enable the IPv6 Privacy Extensions for NetworkManager. I create the file /etc/NetworkManager/conf.d/ipv6-privacy.conf containing:

/etc/NetworkManager/conf.d/ipv6-privacy.conf
[connection]
ipv6.ip6-privacy=2

MAC address randomization

Additionally, with MAC address randomization enabled my physical MAC address is never leaked during layer 2 communication. I create the file /etc/NetworkManager/conf.d/rand-mac-address.conf:

/etc/NetworkManager/conf.d/rand-mac-address.conf
[device-mac-randomization]
# "yes" is already default, but let's be safe
wifi.scan-rand-mac-address=yes

[connection-mac-randomization]
# randomize MAC for each connection
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random

Starting NetworkManager

I disable and stop the Systemd-networkd service which has been configured in the #Networking section of system preparation:

sudo systemctl stop systemd-networkd.service
sudo systemctl disable systemd-networkd.service

Afterwards I enable and start the NetworkManager to take over control:

sudo systemctl enable NetworkManager.service
sudo systemctl start NetworkManager.service

The existing wired configuration of the system preparation should be detected and connect automatically. I remove the configuration file afterwards to ensure that Systemd-networkd cannot interfere with the NetworkManager:

sudo rm /etc/systemd/network/20-wired.network

Time synchronization

Synchronizing the system clock can happen via internet by using the Network Time Protocol3 (NTP). The chrony NTP client is a roaming friendly alternative to the reference implementation ntp. I install the chrony package via:

sudo pacman -Sy chrony

NTS

The time synchronization can apply Transport Layer Security4 (TLS) by using NTS servers. I edit the /etc/chrony.conf file to use a nearby NTS server and a fallback:

/etc/chrony.conf
server ptbtime1.ptb.de offline nts
server nts1.time.nl offline nts

Starting chrony

I disable and stop Systemd-timesyncd to prevent any conflicts:

sudo systemctl disable systemd-timesyncd.service
sudo systemctl stop systemd-timesyncd.service

Afterwards I enable and start the chronyd.service using these commands:

sudo systemctl enable chronyd.service
sudo systemctl start chronyd.service

And I check the configured NTP servers via:

chronyc -N 'sources -a -v'

NetworkManager dispatcher

Additionally, chrony can automatically go into online/offline mode depending on the connection state when using a NetworkManager dispatcher script. Install the networkmanager-dispatcher-chrony package from the AUR:

yay -Sy networkmanager-dispatcher-chrony

I enable and start the NetworkManager-dispatcher.service afterwards:

sudo systemctl enable NetworkManager-dispatcher.service
sudo systemctl start NetworkManager-dispatcher.service

Securing DNS

The DNS5 is used to map IP addresses to domain names. DNS traffic from and to your computer is unencrypted by default and leaks information about the sites you visit in your web browser or can be used to identify which operating system you are running, for example. Read more background information on this topic in the Privacy and security section in the Arch Wiki article about Domain name resolution.

DNSSEC

I create /etc/systemd/resolved.conf.d/dnssec.conf with the following content to enable DNSSEC for DNS query validation in Systemd-resolved:

/etc/systemd/resolved.conf.d/dnssec.conf
[Resolve]
DNSSEC=true

DNS over TLS

Additionally, to use TLS for encrypting the DNS traffic between my host and the DNS server I create /etc/systemd/resolved.conf.d/dns_over_tls.conf to enable DNS over TLS (DoT) for Systemd-resolved by containing:

/etc/systemd/resolved.conf.d/dns_over_tls.conf
[Resolve]
DNS=176.9.93.198#dnsforge.de
DNSOverTLS=yes
⚠️
The DNS server must support DNS over TLS. Otherwise all requests will fail. A list of censorship-free DNS servers can be found at DNS Checker.

Afterwards I restart the systemd-resolved.service to activate the changes:

sudo systemctl restart systemd-resolved.service

I check if the new DNS server is used and +DNSoverTLS is listed in Protocols in the output of the following command:

resolvectl status

Known bugs

Some applications (such as Firefox or LibreWolf, Thunderbird and other) read the file /etc/hosts instead of using Systemd’s resolver6. To prevent resolving localhost over the network I add the following lines to /etc/hosts:

127.0.0.1        localhost
::1              localhost
127.0.1.1        arch-studio24

Remember to change arch-studio24 to your hostname!

Next up is the Xfce desktop guide describing how to install and setup a desktop environment.


  1. Time synchronization in the ArchWiki ↩︎

  2. Ethernet in the Wikipedia ↩︎

  3. Network Time Protocol in the Wikipedia ↩︎

  4. Transport Layer Security in the Wikipedia ↩︎

  5. Domain Name System in the Wikipedia ↩︎

  6. The localhost is resolved over the network section of the Network configuration article in the ArchWiki ↩︎

Last updated on