diff --git a/external/bsd/dhcpcd/dist/hooks/15-timezone b/external/bsd/dhcpcd/dist/hooks/15-timezone
index ac04c652f1b2..3d5173286335 100644
--- a/external/bsd/dhcpcd/dist/hooks/15-timezone
+++ b/external/bsd/dhcpcd/dist/hooks/15-timezone
@@ -42,6 +42,6 @@ BOUND6|RENEW6|REBIND6|REBOOT6|INFORM6)
 	;;
 esac
 
-if $if_up; then
+if $if_configured && $if_up; then
  	set_zoneinfo
 fi
diff --git a/external/bsd/dhcpcd/dist/hooks/30-hostname.in b/external/bsd/dhcpcd/dist/hooks/30-hostname.in
index b515e4c13789..abeb36967221 100644
--- a/external/bsd/dhcpcd/dist/hooks/30-hostname.in
+++ b/external/bsd/dhcpcd/dist/hooks/30-hostname.in
@@ -153,6 +153,6 @@ BOUND6|RENEW6|REBIND6|REBOOT6|INFORM6)
 	;;
 esac
 
-if $if_up && [ "$reason" != ROUTERADVERT ]; then
+if $if_configured && $if_up && [ "$reason" != ROUTERADVERT ]; then
 	set_hostname
 fi
diff --git a/external/bsd/dhcpcd/dist/src/control.c b/external/bsd/dhcpcd/dist/src/control.c
index e704df7fed8d..71405ed1673e 100644
--- a/external/bsd/dhcpcd/dist/src/control.c
+++ b/external/bsd/dhcpcd/dist/src/control.c
@@ -274,9 +274,11 @@ control_handle_unpriv(void *arg)
 }
 
 static int
-make_path(char *path, size_t len, const char *ifname, sa_family_t family)
+make_path(char *path, size_t len, const char *ifname, sa_family_t family,
+    bool unpriv)
 {
 	const char *per;
+	const char *sunpriv;
 
 	switch(family) {
 	case AF_INET:
@@ -289,8 +291,13 @@ make_path(char *path, size_t len, const char *ifname, sa_family_t family)
 		per = "";
 		break;
 	}
+	if (unpriv)
+		sunpriv = ifname ? ".unpriv" : "unpriv.";
+	else
+		sunpriv = "";
 	return snprintf(path, len, CONTROLSOCKET,
-	    ifname ? ifname : "", ifname ? per : "", ifname ? "." : "");
+	    ifname ? ifname : "", ifname ? per : "",
+	    sunpriv, ifname ? "." : "");
 }
 
 static int
@@ -303,10 +310,7 @@ make_sock(struct sockaddr_un *sa, const char *ifname, sa_family_t family,
 		return -1;
 	memset(sa, 0, sizeof(*sa));
 	sa->sun_family = AF_UNIX;
-	if (unpriv)
-		strlcpy(sa->sun_path, UNPRIVSOCKET, sizeof(sa->sun_path));
-	else
-		make_path(sa->sun_path, sizeof(sa->sun_path), ifname, family);
+	make_path(sa->sun_path, sizeof(sa->sun_path), ifname, family, unpriv);
 	return fd;
 }
 
@@ -346,9 +350,12 @@ control_start1(struct dhcpcd_ctx *ctx, const char *ifname, sa_family_t family,
 	}
 #endif
 
-	if ((fmode & S_UNPRIV) != S_UNPRIV)
+	if ((fmode & S_PRIV) == S_PRIV)
 		strlcpy(ctx->control_sock, sa.sun_path,
 		    sizeof(ctx->control_sock));
+	else
+		strlcpy(ctx->control_sock_unpriv, sa.sun_path,
+		    sizeof(ctx->control_sock_unpriv));
 	return fd;
 }
 
@@ -360,7 +367,9 @@ control_start(struct dhcpcd_ctx *ctx, const char *ifname, sa_family_t family)
 #ifdef PRIVSEP
 	if (IN_PRIVSEP_SE(ctx)) {
 		make_path(ctx->control_sock, sizeof(ctx->control_sock),
-		    ifname, family);
+		    ifname, family, false);
+		make_path(ctx->control_sock_unpriv, sizeof(ctx->control_sock),
+		    ifname, family, true);
 		return 0;
 	}
 #endif
@@ -371,11 +380,7 @@ control_start(struct dhcpcd_ctx *ctx, const char *ifname, sa_family_t family)
 	ctx->control_fd = fd;
 	eloop_event_add(ctx->eloop, fd, control_handle, ctx);
 
-	if (ifname == NULL &&
-	    (fd = control_start1(ctx, NULL, AF_UNSPEC, S_UNPRIV)) != -1)
-	{
-		/* We must be in master mode, so create an unprivileged socket
-		 * to allow normal users to learn the status of dhcpcd. */
+	if ((fd = control_start1(ctx, ifname, family, S_UNPRIV)) != -1) {
 		ctx->control_unpriv_fd = fd;
 		eloop_event_add(ctx->eloop, fd, control_handle_unpriv, ctx);
 	}
@@ -414,8 +419,7 @@ control_stop(struct dhcpcd_ctx *ctx)
 	if (IN_PRIVSEP_SE(ctx)) {
 		if (ps_root_unlink(ctx, ctx->control_sock) == -1)
 			retval = -1;
-		if (ctx->options & DHCPCD_MASTER &&
-		    control_unlink(ctx, UNPRIVSOCKET) == -1)
+		if (ps_root_unlink(ctx, ctx->control_sock_unpriv) == -1)
 			retval = -1;
 		return retval;
 	} else if (ctx->options & DHCPCD_FORKED)
@@ -434,7 +438,7 @@ control_stop(struct dhcpcd_ctx *ctx)
 		eloop_event_delete(ctx->eloop, ctx->control_unpriv_fd);
 		close(ctx->control_unpriv_fd);
 		ctx->control_unpriv_fd = -1;
-		if (control_unlink(ctx, UNPRIVSOCKET) == -1)
+		if (control_unlink(ctx, ctx->control_sock_unpriv) == -1)
 			retval = -1;
 	}
 
diff --git a/external/bsd/dhcpcd/dist/src/defs.h b/external/bsd/dhcpcd/dist/src/defs.h
index de3abfcd7872..151dc62ff07d 100644
--- a/external/bsd/dhcpcd/dist/src/defs.h
+++ b/external/bsd/dhcpcd/dist/src/defs.h
@@ -29,7 +29,7 @@
 #define CONFIG_H
 
 #define PACKAGE			"dhcpcd"
-#define VERSION			"9.3.2"
+#define VERSION			"9.3.3"
 
 #ifndef PRIVSEP_USER
 # define PRIVSEP_USER		"_" PACKAGE
@@ -60,10 +60,7 @@
 # define PIDFILE		RUNDIR "/%s%s%spid"
 #endif
 #ifndef CONTROLSOCKET
-# define CONTROLSOCKET		RUNDIR "/%s%s%ssock"
-#endif
-#ifndef UNPRIVSOCKET
-# define UNPRIVSOCKET		RUNDIR "/unpriv.sock"
+# define CONTROLSOCKET		RUNDIR "/%s%s%s%ssock"
 #endif
 #ifndef RDM_MONOFILE
 # define RDM_MONOFILE		DBDIR "/rdm_monotonic"
diff --git a/external/bsd/dhcpcd/dist/src/dhcpcd.h b/external/bsd/dhcpcd/dist/src/dhcpcd.h
index 97d7a322e725..e18919de5771 100644
--- a/external/bsd/dhcpcd/dist/src/dhcpcd.h
+++ b/external/bsd/dhcpcd/dist/src/dhcpcd.h
@@ -180,6 +180,7 @@ struct dhcpcd_ctx {
 	int control_unpriv_fd;
 	struct fd_list_head control_fds;
 	char control_sock[sizeof(CONTROLSOCKET) + IF_NAMESIZE];
+	char control_sock_unpriv[sizeof(CONTROLSOCKET) + IF_NAMESIZE + 7];
 	gid_t control_group;
 
 	/* DHCP Enterprise options, RFC3925 */
diff --git a/external/bsd/dhcpcd/dist/src/if-options.h b/external/bsd/dhcpcd/dist/src/if-options.h
index a73ba0d2b83a..689d9344ba9e 100644
--- a/external/bsd/dhcpcd/dist/src/if-options.h
+++ b/external/bsd/dhcpcd/dist/src/if-options.h
@@ -91,7 +91,7 @@
 #define DHCPCD_IPV6RS			(1ULL << 31)
 #define DHCPCD_IPV6RA_REQRDNSS		(1ULL << 32)
 #define DHCPCD_PRIVSEP			(1ULL << 33)
-#define DHCPCD_UNPRIV			(1ULL << 34)
+#define DHCPCD_CONFIGURE		(1ULL << 34)
 #define DHCPCD_IPV4			(1ULL << 35)
 #define DHCPCD_FORKED			(1ULL << 36)
 #define DHCPCD_IPV6			(1ULL << 37)
@@ -180,6 +180,8 @@
 #define O_INACTIVE		O_BASE + 47
 #define O_MUDURL		O_BASE + 48
 #define O_MSUSERCLASS		O_BASE + 49
+#define O_CONFIGURE		O_BASE + 50
+#define O_NOCONFIGURE		O_BASE + 51
 
 extern const struct option cf_options[];
 
diff --git a/external/bsd/dhcpcd/dist/src/ipv4ll.c b/external/bsd/dhcpcd/dist/src/ipv4ll.c
index fee115f25069..93898109f7ab 100644
--- a/external/bsd/dhcpcd/dist/src/ipv4ll.c
+++ b/external/bsd/dhcpcd/dist/src/ipv4ll.c
@@ -228,6 +228,8 @@ ipv4ll_not_found(struct interface *ifp)
 #endif
 		loginfox("%s: using IPv4LL address %s",
 		  ifp->name, inet_ntoa(state->pickedaddr));
+	if (!(ifp->options->options & DHCPCD_CONFIGURE))
+		goto run;
 	if (ia == NULL) {
 		if (ifp->ctx->options & DHCPCD_TEST)
 			goto test;
@@ -252,6 +254,7 @@ test:
 		return;
 	}
 	rt_build(ifp->ctx, AF_INET);
+run:
 	astate = arp_announceaddr(ifp->ctx, &ia->addr);
 	if (astate != NULL)
 		astate->announced_cb = ipv4ll_announced_arp;
@@ -281,7 +284,8 @@ ipv4ll_defend_failed(struct interface *ifp)
 	struct ipv4ll_state *state = IPV4LL_STATE(ifp);
 
 	ipv4ll_freearp(ifp);
-	ipv4_deladdr(state->addr, 1);
+	if (ifp->options->options & DHCPCD_CONFIGURE)
+		ipv4_deladdr(state->addr, 1);
 	state->addr = NULL;
 	rt_build(ifp->ctx, AF_INET);
 	script_runreason(ifp, "IPV4LL");
@@ -373,7 +377,8 @@ ipv4ll_start(void *arg)
 	if (ia != NULL && ia->addr_flags & IN_IFF_DUPLICATED) {
 		state->pickedaddr = ia->addr; /* So it's not picked again. */
 		repick = true;
-		ipv4_deladdr(ia, 0);
+		if (ifp->options->options & DHCPCD_CONFIGURE)
+			ipv4_deladdr(ia, 0);
 		ia = NULL;
 	}
 #endif
@@ -431,7 +436,8 @@ ipv4ll_drop(struct interface *ifp)
 
 	state = IPV4LL_STATE(ifp);
 	if (state && state->addr != NULL) {
-		ipv4_deladdr(state->addr, 1);
+		if (ifp->options->options & DHCPCD_CONFIGURE)
+			ipv4_deladdr(state->addr, 1);
 		state->addr = NULL;
 		dropped = true;
 	}
@@ -442,7 +448,8 @@ ipv4ll_drop(struct interface *ifp)
 
 		TAILQ_FOREACH_SAFE(ia, &istate->addrs, next, ian) {
 			if (IN_LINKLOCAL(ntohl(ia->addr.s_addr))) {
-				ipv4_deladdr(ia, 0);
+				if (ifp->options->options & DHCPCD_CONFIGURE)
+					ipv4_deladdr(ia, 0);
 				dropped = true;
 			}
 		}
@@ -534,7 +541,8 @@ ipv4ll_handleifa(int cmd, struct ipv4_addr *ia, pid_t pid)
 	else if (ia->addr_flags & IN_IFF_DUPLICATED) {
 		logerrx("%s: DAD detected %s", ifp->name, ia->saddr);
 		ipv4ll_freearp(ifp);
-		ipv4_deladdr(ia, 1);
+		if (ifp->options->options & DHCPCD_CONFIGURE)
+			ipv4_deladdr(ia, 1);
 		state->addr = NULL;
 		rt_build(ifp->ctx, AF_INET);
 		ipv4ll_found(ifp);
diff --git a/external/bsd/dhcpcd/dist/src/route.c b/external/bsd/dhcpcd/dist/src/route.c
index 83bc37c77731..80c238504448 100644
--- a/external/bsd/dhcpcd/dist/src/route.c
+++ b/external/bsd/dhcpcd/dist/src/route.c
@@ -713,6 +713,8 @@ rt_build(struct dhcpcd_ctx *ctx, int af)
 #endif
 
 	RB_TREE_FOREACH_SAFE(rt, &routes, rtn) {
+		if (!(rt->rt_ifp->options->options & DHCPCD_CONFIGURE))
+			continue;
 #ifdef BSD
 		if (rt_is_default(rt) &&
 		    if_missfilter(rt->rt_ifp, &rt->rt_gateway) == -1)
@@ -771,7 +773,6 @@ rt_build(struct dhcpcd_ctx *ctx, int af)
 		}
 	}
 
-
 getfail:
 	rt_headclear(&routes, AF_UNSPEC);
 	rt_headclear(&kroutes, AF_UNSPEC);