Fix NetworkManager privacy settings

root/etc/NetworkManager/conf.d/dhcp-hostname.conf

@@ -12,10 +12,9 @@
 #   nmcli connection modify <connection> ipv4.dhcp-send-hostname yes
 #   nmcli connection modify <connection> ipv6.dhcp-send-hostname yes
 
-[ipv4]
+[connection]
-dhcp-send-hostname=false
+ipv4.dhcp-send-hostname=false
 
-[ipv6]
 # Only applies on networks using DHCPv6. Most IPv6 networks use SLAAC
 # instead, in which case this setting has no effect.
-dhcp-send-hostname=false
+ipv6.dhcp-send-hostname=false

root/etc/NetworkManager/conf.d/ignore-auto-dns.conf

@@ -19,8 +19,6 @@
 #   nmcli connection modify <connection> ipv4.ignore-auto-dns no
 #   nmcli connection modify <connection> ipv6.ignore-auto-dns no
 
-[ipv4]
+[connection]
-ignore-auto-dns=true
+ipv4.ignore-auto-dns=true
-
+ipv6.ignore-auto-dns=true
-[ipv6]
-ignore-auto-dns=true

root/etc/NetworkManager/conf.d/ipv6-privacy.conf

@@ -1,39 +1,51 @@
-# IPv6 address generation and privacy defaults.
+[connection]
+
+# Generate the stable SLAAC IPv6 address using RFC7217 ("stable privacy").
 #
-# Most IPv6 networks use SLAAC (Stateless Address Autoconfiguration),
+# Normally IPv6 SLAAC can derive the interface identifier directly from
-# where the host generates its own IPv6 addresses based on the network
+# the device MAC address using the legacy EUI-64 scheme. This exposes the
-# prefix advertised by the router.
+# hardware MAC inside the IPv6 address and allows long-term tracking.
 #
-# Two mechanisms influence how these addresses appear:
+# The "stable-privacy" mode instead derives the address from a secret
+# kernel seed and the network prefix. This produces a deterministic
+# address that stays stable within the same network but does not reveal
+# the device MAC address.
+ipv6.addr-gen-mode=stable-privacy
+
+
+# Enable RFC4941 temporary IPv6 addresses and prefer them for outbound
+# connections.
 #
-#   ipv6.addr-gen-mode
+# These temporary addresses rotate periodically and are used for outgoing
-#       Controls how the *stable* SLAAC address is generated.
+# traffic to reduce the ability of remote servers to track the device
+# across connections.
 #
-#       stable-privacy:
+# The interface will still retain a stable address (generated above) for
-#           Generate a deterministic pseudorandom address derived from
+# inbound connections, but outgoing traffic will prefer the temporary
-#           a kernel secret and the network prefix. This prevents the
+# ones.
-#           legacy EUI-64 mechanism from exposing the device's MAC
-#           address in the IPv6 address.
 #
-#   ipv6.ip6-privacy
+# Values:
-#       Enables RFC 4941 temporary IPv6 addresses. These are additional
-#       short-lived addresses that rotate periodically and are preferred
-#       for outbound connections to prevent remote tracking.
-#
-# With these settings a network interface will typically have:
-#
-#   - one stable pseudorandom IPv6 address
-#   - one or more temporary rotating addresses used for outbound traffic
-#
-# Note that temporary addresses do NOT replace the stable address. The
-# interface will still have one stable address used for inbound connections,
-# it will just use the temporary ones for outbound ones.
-#
-# Values for ipv6.ip6-privacy:
 #   0 = disable temporary addresses
 #   1 = enable but prefer the stable address
 #   2 = enable and prefer temporary addresses
-
-[connection]
-ipv6.addr-gen-mode=stable-privacy
 ipv6.ip6-privacy=2
+
+
+# Use a per-connection DHCPv6 client identifier.
+#
+# When a network uses DHCPv6, the client must identify itself with a
+# DHCP Unique Identifier (DUID). By default NetworkManager generates a
+# single identifier derived from the system machine-id, meaning every
+# network sees the same persistent identifier.
+#
+# The "stable-uuid" mode instead generates a different identifier per
+# connection using the connection's stable-id and a host-specific secret.
+# Each network therefore sees a different DHCPv6 identity while still
+# receiving a stable identifier across reconnects.
+#
+# This prevents cross-network tracking while maintaining normal DHCPv6
+# lease behavior.
+#
+# Note: many IPv6 networks rely only on SLAAC and do not use DHCPv6, in
+# which case this setting has no effect.
+ipv6.dhcp-duid=stable-uuid

root/etc/NetworkManager/conf.d/llmnr-mdns.conf

@@ -35,5 +35,5 @@
 #   nmcli connection modify <connection> connection.mdns resolve
 
 [connection]
-llmnr=1
+connection.llmnr=1
-mdns=1
+connection.mdns=1