for people using MAC randomization (debian 9 tmpl): you might want to avoid hostname leaks via DHCP too


Joonas Lehtonen

Apr 9, 2017, 6:25:33 PM
to qubes...@googlegroups.com
Hi,

if you set up MAC randomization via network manager in a debian 9
template as described here:
https://www.qubes-os.org/doc/anonymizing-your-mac-address/
you still leak your hostname.

Once your MAC address is randomized you might also want to prevent the
disclosure of your netvm's hostname to the network, since "sys-net"
might be a unique hostname (that links all your random MAC addresses and
the fact that you likely use qubes).

To prevent the hostname leak via DHCP option (12):
- start the debian 9 template
- open the file /etc/dhcpd/dhclient.conf
- in line number 15 you should see "send host-name = gethostname();"
- comment (add "#" at the beginning) or remove that line and store the file
- reboot your netvm

I tested the change via inspecting dhcp requests and can confirm that
the hostname is no longer included in dhcp requests.


Andrew David Wong

Apr 9, 2017, 11:51:17 PM
to Joonas Lehtonen, qubes...@googlegroups.com
Thanks. Added as a comment:

https://github.com/QubesOS/qubes-issues/issues/938#issuecomment-292843628

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Joonas Lehtonen

Apr 10, 2017, 6:11:04 AM
to qubes...@googlegroups.com
>> Once your MAC address is randomized you might also want to prevent the
>> disclosure of your netvm's hostname to the network, since "sys-net"
>> might be a unique hostname (that links all your random MAC addresses and
>> the fact that you likely use qubes).
>
>> To prevent the hostname leak via DHCP option (12):
>> - start the debian 9 template
>> - open the file /etc/dhcpd/dhclient.conf

sorry there is a typo in the file path:
correct file:
/etc/dhcp/dhclient.conf

>> - in line number 15 you should see "send host-name = gethostname();"
>> - comment (add "#" at the beginning) or remove that line and store the file
>> - reboot your netvm
>
>> I tested the change via inspecting dhcp requests and can confirm that
>> the hostname is no longer included in dhcp requests.
>
>
> Thanks. Added as a comment:
>
> https://github.com/QubesOS/qubes-issues/issues/938#issuecomment-292843628

thank you.


Chris Laprise

Apr 10, 2017, 7:49:37 AM
to Joonas Lehtonen, qubes...@googlegroups.com
On 04/09/2017 06:25 PM, Joonas Lehtonen wrote:
> Hi,
>
> if you set up MAC randomization via network manager in a debian 9
> template as described here:
> https://www.qubes-os.org/doc/anonymizing-your-mac-address/
> you still leak your hostname.
>

I have seen reports this change in dhcp settings did not work[1], but
maybe that was a bug that was fixed.

Unfortunately, the effect of these measures is likely to be limited
until some changes are made for common NICs[2].



1. https://serverfault.com/questions/557120/how-do-i-stop-a-linux-computer-from-sending-a-dhcp-hostname

2. https://arxiv.org/pdf/1703.02874v1.pdf

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

qubenix

Apr 10, 2017, 4:16:19 PM
to qubes...@googlegroups.com
Andrew David Wong:
> On 2017-04-09 15:25, Joonas Lehtonen wrote:
>> Hi,
>
>> if you set up MAC randomization via network manager in a debian 9
>> template as described here:
>> https://www.qubes-os.org/doc/anonymizing-your-mac-address/
>> you still leak your hostname.
>
>> Once your MAC address is randomized you might also want to prevent the
>> disclosure of your netvm's hostname to the network, since "sys-net"
>> might be a unique hostname (that links all your random MAC addresses and
>> the fact that you likely use qubes).
>
>> To prevent the hostname leak via DHCP option (12):
>> - start the debian 9 template
>> - open the file /etc/dhcpd/dhclient.conf
>> - in line number 15 you should see "send host-name = gethostname();"
>> - comment (add "#" at the beginning) or remove that line and store the file
>> - reboot your netvm
>
>> I tested the change via inspecting dhcp requests and can confirm that
>> the hostname is no longer included in dhcp requests.
>
>
> Thanks. Added as a comment:
>
> https://github.com/QubesOS/qubes-issues/issues/938#issuecomment-292843628
>
>

Nice. I was just thinking about this after spending some time on my
router's interface. Thanks for the post!

--
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

qubenix

Apr 10, 2017, 5:06:30 PM
to qubes...@googlegroups.com
qubenix:
After testing this, 'sys-net' still shows up on my router interface.

--
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

Dominique St-Pierre Boucher

Apr 11, 2017, 9:20:39 AM
to qubes-users, qub...@riseup.net

Did the same test and got the same result.

Does anyone have a solution? I can always change my hostname to something else, but I would prefer not sending the hostname or finding a way to randomize it!!!

Dominique

cooloutac

Apr 11, 2017, 11:40:09 AM
to qubes-users, qub...@riseup.net
On Monday, April 10, 2017 at 5:06:30 PM UTC-4, qubenix wrote:

If you are talking about always connecting to your own router, I would do a static connection; my router won't know the hostname unless I use DHCP. Not sure if this is the case for most routers or not. But it's good not to use DHCP for other reasons too.

If you hop around public LANs then this would be more of a hassle.

When I first started using Qubes I too didn't like how it showed sys-net as hostname, because it would be obvious you are using Qubes. Changing name is ideal, a script to randomize it would be nice too.

Unman

Apr 11, 2017, 7:24:49 PM
to Dominique St-Pierre Boucher, qubes-users, qub...@riseup.net
Strange, because those instructions are standard for removing the
hostname - I set it as blank, rather than commenting out. If you sniff
the traffic you will see that the hostname is indeed no longer sent.

Why is it on your router interface?
My guess is that your router is returning the hostname that it has
associated with the MAC address. I've seen this happen when changing
hostname, and the DHCP server returns the *old* hostname as part of
the DHCP exchange. If you reboot the router and test again, you may find
that the issue goes away.

You could, of course, set a random hostname from rc.local on each boot of
sys-net.

unman
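
Added example (not from any poster in this thread): the check several posts describe, reading the client's DHCP request itself for option 12 instead of trusting the router's device list, which can show a cached name. It assumes you already have the UDP payload of a client-to-server message from a capture; all function names and the sample packet are constructed for illustration, option 81 (Client FQDN, RFC 4702) is included as a second hostname-bearing field beyond what the thread discusses, and option 52 overload is not followed.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
BOOTP_FIXED_LEN = 236                # fixed BOOTP header that precedes the cookie
HOSTNAME_OPTIONS = {12: "Host Name", 81: "Client FQDN"}
SAMPLE_MAC = bytes.fromhex("02a1b2c3d4e5")   # constructed, locally administered


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} for a DHCP message (UDP payload only)."""
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or magic cookie missing)")
    options, i = {}, BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options


def hostname_leaks(payload: bytes) -> dict:
    """Map option name -> raw value for every hostname-bearing option present."""
    opts = parse_dhcp_options(payload)
    return {name: opts[code]
            for code, name in HOSTNAME_OPTIONS.items() if code in opts}


def build_discover(mac: bytes, hostname: str = "") -> bytes:
    """Constructed sample DHCPDISCOVER, optionally carrying option 12."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD,
                         0, 0, *[b"\0" * 4] * 4, mac, b"", b"")
    opts = b"\x35\x01\x01"           # option 53, message type 1 = DISCOVER
    if hostname:
        opts += bytes([12, len(hostname)]) + hostname.encode("ascii")
    return header + MAGIC_COOKIE + opts + b"\xff"


if __name__ == "__main__":
    print(hostname_leaks(build_discover(SAMPLE_MAC, "sys-net")))
    print(hostname_leaks(build_discover(SAMPLE_MAC)))
```

An empty result for a request captured after the dhclient.conf change means the client is no longer sending its name, whatever the router's interface displays.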

qubenix

Apr 12, 2017, 10:55:08 AM
to Unman, Dominique St-Pierre Boucher, qubes-users
Unman:
Confirmed. Router was "guessing" that I was 'sys-net', but not from MAC
(which is randomized). I believe it was using process of elimination
based on stored device hostnames (this is not public, devices are pretty
static). Since restarting the router, it gives my PC the hostname of a
device which connected automatically to it (the only one it had to
"guess" from).

>
> You could, of course, set a random hostname from rc.local on each boot of
> sys-net.
>
> unman
>
>


--
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

cooloutac

Apr 12, 2017, 12:23:32 PM
to qubes-users, un...@thirdeyesecurity.org, domin...@gmail.com, qub...@riseup.net

But why use DHCP if it's a static home connection? I feel that is a security risk for other reasons and always disable it.

qubenix

Apr 12, 2017, 1:24:03 PM
to cooloutac, qubes-users, un...@thirdeyesecurity.org, domin...@gmail.com
cooloutac:
I haven't looked into the security risk for dhcp connection. I intend to
look into it and adjust accordingly. Thanks for the suggestion.

--
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

cooloutac

Apr 12, 2017, 1:52:51 PM
to qubes-users, raah...@gmail.com, un...@thirdeyesecurity.org, domin...@gmail.com, qub...@riseup.net

Yes, for example, consider your router untrusted, even more so than the netcard on your PC. Imagine a hacker hijacks it, or someone just spoofs your router with a bad DHCP server. Things like changing DNS route or inject something to your computer. dhclient has been found vulnerable many times, for example. Remember shellshock was a trivial reverse shell.

pete...@hushmail.com

Apr 14, 2017, 11:35:30 AM
to qubes...@googlegroups.com

Is there a script to randomize hostname on each boot?

qubenix

Apr 15, 2017, 3:06:52 PM
to pete...@hushmail.com, qubes...@googlegroups.com
pete...@hushmail.com:
>
> Is there a script to randomize hostname on each boot?
>
I think blank hostname is better than randomized. How would it be
randomized: dictionary words, rng, cycling popular hostnames, etc.? Your
randomization method may make you more identifiable than blank.

--
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

Reg Tiangha

Apr 15, 2017, 5:58:18 PM
to qubes...@googlegroups.com
On 04/15/2017 01:06 PM, qubenix wrote:
> pete...@hushmail.com:
>> Is there a script to randomize hostname on each boot?
>>
> I think blank hostname is better than randomized. How would it be
> randomized: dictionary words, rng, cycling popular hostnames, etc.? Your
> randomization method may make you more identifiable than blank.
>

Dumb question here, but what's the difference between commenting the
line out of the .conf file vs explicitly setting it with a blank
hostname? Does it not result in the same thing? Or does simply
commenting it out still risk sending out a hostname of some kind in some
circumstances?


qubenix

Apr 15, 2017, 6:52:40 PM
to Reg Tiangha, qubes...@googlegroups.com
Reg Tiangha:
I've got it commented out and it has always been blank on my tests.

--
qubenix
GPG: B536812904D455B491DCDCDD04BE1E61A3C2E500

Dominique St-Pierre Boucher

Apr 15, 2017, 9:19:57 PM
to qubes-users, pete...@hushmail.com, qub...@riseup.net

I was looking to use the Windows 10 naming pattern for new computers:
DESKTOP-XXXXXXX (7 random alphanumeric characters)

That would be good

:)

Dominique
