Randomized hostname protocol

Recommendations

Obviously a generic hostname is advisable, but in practice, there are limited other solutions available at present. One is to turn off any protocols that are not strictly necessary and which leak hostnames, particularly when insecure places are visited. This reduces the attack surface, but is impractical for certain protocols; for example, DHCP is necessary for Internet connectivity and many services depend on protocols such as mDNS. Another option is to use different hostnames for different purposes, rather than relying on a global hostname - this option is available on some OSes. Ultimately, a randomized hostname protocol is necessary to protect privacy, similar to methods utilized for MAC addresses.

What is a randomized hostname protocol?
Does Kicksecure randomize it?

sudo hostname shows

localhost

Related:

Which is blocked by:

MAC randomization is an extremely difficult technical challenge.

Neither is a priority for Kicksecure at this point due to:

So unless contributed, this won’t happen for a very long time.

Not at time of writing.

I think this would be edited?
The latest Qubes sys-net does randomize the MAC by default.
Hostnames aren’t sent by default due to the missing /etc/hostname.

hostname randomization section

It isn’t necessary to randomize the hostname when one can simply not leak it

I would revert this and allow sending it after it’s randomized.

Note: won’t open a new thread in the Qubes section due to the relation to this topic.

Updated wiki a bit just now.

Just because /etc/hostname is missing doesn’t mean that there isn’t any hostname. Type:

hostname

result:

sys-net

If it’s sent or not needs different evidence.

I don’t know of any OSes that randomize the hostname?
Are you sure you’re not getting confused with containerization?

Yes, there is a debate on if sending the hostname or not makes you more unique.
TailsOS doesn’t send the hostname to mitigate “DHCP hostname leaks” but arguably sending a more generic hostname may look more normal.

I think MAC randomization should come with it enabled by default like Graphene already does.
Like @suse211213 mentioned about Qubes enabling it by default, it could be implemented like they do.
Shipping it enabled by default and adding a patch to the Calamares installer to disable the config file at install could also be another route.
However, idk what that has to do with hostname randomization, but it could possibly be added to Kicksecure depending on implementation.

Besides DHCP what else sends your hostname?
What sandboxing or containerization could mitigate it other than virtual machines?

That’s not an answer to “MAC randomization is an extremely difficult technical challenge.”

“like they do” doesn’t translate to tested source code contributions compatible with Kicksecure.

As per image formats, Goals:

  • The differences in the code base for Live Systems vs. Installer Systems vs. Installed Systems should be reduced as much as possible.
  • Installer specific code should be as minimal as possible.

You would need to study the issue (MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic · Issue #184 · Kicksecure/security-misc · GitHub) and come up with solutions.

SSH doesn’t send the device’s MAC address; at most it might send the hostname. But good info about using network namespaces, which might be useful for something in Kicksecure.

As far as I understand the issue related to

MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic

I believe they are referring to installing Kicksecure as the OS on a VPS server.
In this case I think Kicksecure should just NOT randomize Ethernet MAC addresses, by commenting it out. The reason being that most servers are wired in, especially VPSes; if you look at any server rack, they aren’t going to be using wireless, as that would create too much cross talk and you wouldn’t get optimized speeds.

#ethernet.cloned-mac-address=stable

Also like @anon24694737 said

This has to be set if you don’t want Network Manager to leak or revert back to permaddr, because Network Manager will.

Alternatively, you could also set it to set a new MAC every time you reconnect in a session instead.

connection.stable-id=${CONNECTION}/${RANDOM}
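
Added example, not part of the thread and not Kicksecure or Qubes code: a small audit of NetworkManager `[connection]` defaults that reports whether DHCP would still send the hostname and whether the MAC settings quoted above actually randomize anything. The sample config is constructed; the `ipv4.dhcp-send-hostname` / `ipv6.dhcp-send-hostname` keys, the "sent when unset" default, and merging all `[connection*]` sections without evaluating `match-device` are assumptions of this sketch.

```python
import configparser

# Constructed sample drop-in: the two lines quoted in the thread plus
# assumed hostname and Wi-Fi settings for illustration.
SAMPLE_CONF = """\
[connection]
ipv4.dhcp-send-hostname=0
#ethernet.cloned-mac-address=stable
wifi.cloned-mac-address=stable
connection.stable-id=${CONNECTION}/${RANDOM}
"""

RANDOMIZING = {"random", "stable"}   # modes that hide the permanent MAC
FALSE_VALUES = {"0", "false", "no"}


def audit(conf_text):
    """Report what the [connection*] defaults in conf_text would expose."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep keys exactly as written
    cp.read_string(conf_text)

    merged = {}
    for section in cp.sections():
        if section == "connection" or section.startswith("connection-"):
            merged.update(cp[section])  # simplification: ignores match-device

    report = {}
    for fam in ("ipv4", "ipv6"):
        # Assumption: an unset key means the hostname is sent in DHCP requests.
        value = merged.get(f"{fam}.dhcp-send-hostname", "1").strip().lower()
        report[f"{fam}_sends_hostname"] = value not in FALSE_VALUES
    for dev in ("ethernet", "wifi"):
        # A commented-out line counts as unset, i.e. the hardware MAC is kept.
        mode = merged.get(f"{dev}.cloned-mac-address", "preserve").strip().lower()
        report[f"{dev}_mac_randomized"] = mode in RANDOMIZING
    # With "stable", ${RANDOM} in the stable-id gives a new MAC per activation.
    report["stable_id_rotates"] = "${RANDOM}" in merged.get("connection.stable-id", "")
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

On the sample, IPv4 is covered but DHCPv6 would still send the hostname, which is the kind of gap "needs different evidence" points at; confirming on the wire still requires a packet capture.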