NOT gonna happen...
Despite the fact that, in the best case scenario, using temporary IPv6 addresses does only
and in the worst case scenario
I still very much like the fact that a site that tries to collect my IPv6 information, only gets a temporary IPv6 address, that changes regularly. Assuming that similar techniques are used to collect IP information on other sites, it will at least make it more difficult for them, if they even have implemented analysis logic in their code to determine the different IP addresses all point to the same network (= my network).
I've worked very hard to get to a perfect (100%) result on this site and (10/10) on this site (long and hard due to my lack of IPv6 knowledge, I admit that)
I've been running tests, to enable the privacy extensions on Raspbian (the OS pihole is running on) for a few days now, and finally succeeded to get it working, the way I want it. I've updated the first entry of this topic with the settings I'm using.
I have applied these settings to my production system (latest Raspberry Pi OS (32-bit) Lite / August 2020 / Linux raspberrypi 5.4.51-v7+ #1333 SMP Mon Aug 10 16:45:19 BST 2020 armv7l GNU/Linux); first impressions (ran some tests) are that everything appears to function as expected.
I have been running packet captures on my firewall, and can confirm all IPv6 port 53 traffic (unbound requests) is now using the global temporary dynamic IPv6 address, which changes every 2 hours. I also verified whether the global dynamic mngtmpaddr IPv6 address, the permanent address of the system, is used when connecting to the outside world; it's NOT, it only appears when I ping6 it internally, to refresh the neighbour information on my router/firewall.
I can also confirm that, as soon as the temporary IPv6 address changes, unbound immediately starts using the new address for all its queries to the outside world (ran another packet capture).
I'm aware some (if not most) will call me paranoid (if not crazy) to implement this on my system. Why? Because I can, and most importantly, I learn a lot... Will it make my life harder when something goes wrong? Probably, but again, a great learning opportunity.
Downsides of implementing this? Of course. As discussed in this topic, (TL;DR) pihole-FTL doesn't clean up the network and network_addresses tables (will be solved in a future release). Even when using the MAXDBDAYS setting with a reasonable value (I use 8), the table fills up rapidly (I already have 35 entries after a fresh install of pihole, less than 24 hours ago). That's NOT new; I assume Windows 10 users that haven't disabled the privacy extensions, and have been using pihole -up to get to the latest release of pihole, will have accumulated quite a lot of entries in those tables since the database was first introduced (to the point where sqlite3 gets in trouble, performance wise???).
Will you change my mind, undoing the temporary address setup? NO, because (click the link), unless of course something goes horribly wrong in the next few days.
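A check of the kind described in the post, written here as an added example (not the author's settings or code): it parses `ip -6 addr show` output, separates temporary addresses from the stable mngtmpaddr address, and reports which temporary address is currently usable, warning when none is left and outbound traffic would fall back to the permanent address. The `ip` output below is constructed sample data, not a capture from a real host.

```shell
#!/bin/sh
# Constructed `ip -6 addr show` output (sample data, not captured from a real host):
# one usable temporary address, one deprecated temporary address, the stable
# mngtmpaddr address, and a link-local address that must be ignored.
SAMPLE_IP6='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1234:5678:abcd:ef01:2345:6789/64 scope global temporary dynamic
       valid_lft 6789sec preferred_lft 3189sec
    inet6 2001:db8:1234:5678:1a2b:3c4d:5e6f:7a8b/64 scope global temporary deprecated dynamic
       valid_lft 5000sec preferred_lft 0sec
    inet6 2001:db8:1234:5678:ba27:ebff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 6789sec preferred_lft 3189sec
    inet6 fe80::ba27:ebff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever'

# classify_addrs OUTPUT: prints "<kind> <address> <preferred_lft_seconds>" for every
# global-scope address. kind is temporary, temporary-deprecated, stable (mngtmpaddr) or other.
classify_addrs() {
    printf '%s\n' "$1" | awk '
        /^ *inet6 / {
            if ($0 !~ / scope global /) next
            addr = $2; sub(/\/.*/, "", addr)
            kind = "other"
            if ($0 ~ / temporary /) kind = ($0 ~ / deprecated /) ? "temporary-deprecated" : "temporary"
            else if ($0 ~ / mngtmpaddr/) kind = "stable"
            pending = addr; pkind = kind
            next
        }
        pending != "" && /preferred_lft/ {
            lft = $4; sub(/sec/, "", lft)
            print pkind, pending, lft
            pending = ""
        }'
}

# preferred_temp_addr OUTPUT: prints the non-deprecated temporary address with the
# longest remaining preferred lifetime. Returns 1 when there is none, which is the
# condition under which outbound traffic falls back to the stable mngtmpaddr address.
preferred_temp_addr() {
    classify_addrs "$1" | awk '
        $1 == "temporary" && $3 + 0 > best { best = $3 + 0; addr = $2 }
        END { if (addr == "") exit 1; print addr }'
}

classify_addrs "$SAMPLE_IP6"
preferred_temp_addr "$SAMPLE_IP6" || echo "WARNING: no usable temporary address"
```

On a live host, pass `"$(ip -6 addr show dev eth0)"` to the functions instead of the sample; re-running it after a packet capture gives the same address the capture should show as the source.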