root/etc/NetworkManager/conf.d/dhcp-hostname.conf

@@ -1,20 +1,12 @@
 # Do not send the system hostname to DHCP servers.
 #
-# By default NetworkManager includes the system hostname in DHCP
-# requests so the DHCP server can label leases or register dynamic DNS
-# records. Many networks do not use this information, and sending it
-# unnecessarily exposes device identity.
-#
-# Disabling this slightly improves privacy when joining unknown
-# networks, especially when MAC randomization is enabled.
+# Normally NetworkManager includes the hostname in DHCP requests so the
+# server can label leases or register dynamic DNS entries. Most networks
+# do not rely on this, and disabling it slightly reduces information
+# leaked about the device (especially when MAC randomization is used).
 #
 # Individual connections can override this if needed:
-#   nmcli connection modify <connection> ipv4.dhcp-send-hostname yes
-#   nmcli connection modify <connection> ipv6.dhcp-send-hostname yes
-
+#   nmcli connection modify <connection> ipv4.dhcp-send-hostname yes ipv6.dhcp-send-hostname yes
 [connection]
 ipv4.dhcp-send-hostname=false
-
-# Only applies on networks using DHCPv6. Most IPv6 networks use SLAAC
-# instead, in which case this setting has no effect.
 ipv6.dhcp-send-hostname=false

root/etc/NetworkManager/conf.d/ignore-auto-dns.conf

@@ -1,24 +1,10 @@
 # Ignore DNS servers advertised by networks (e.g. via DHCP).
 #
-# When enabled, NetworkManager will not automatically accept DNS servers provided
-# by the network. Instead the system will continue using DNS servers configured
-# globally (for example via systemd-resolved).
+# This makes NetworkManager refuse automatically provided DNS and lets
+# systemd-resolved fall back to the configured global resolvers instead.
 #
-# This is useful when you want to enforce a specific DNS provider such as Quad9
-# or Cloudflare regardless of the network you connect to. This is generally a much
-# better choice for privacy, as the advertised DNS providers from the network can
-# often lead to local DNS servers which the network admin can monitor for activity
-# tracking.
-#
-# WARNING:
-# Some environments rely on DHCP-provided DNS for internal name resolution (corporate
-# networks, captive portals, VPNs). Enabling this globally may break such environments
-# unless the connection overrides the setting.
-#
-# Per-connection override example:
-#   nmcli connection modify <connection> ipv4.ignore-auto-dns no
-#   nmcli connection modify <connection> ipv6.ignore-auto-dns no
-
+# Individual connections can override this:
+#   nmcli connection modify <connection> ipv4.ignore-auto-dns no ipv6.ignore-auto-dns no
 [connection]
 ipv4.ignore-auto-dns=true
 ipv6.ignore-auto-dns=true

root/etc/NetworkManager/conf.d/ipv6-privacy.conf

@@ -1,51 +0,0 @@
-[connection]
-
-# Generate the stable SLAAC IPv6 address using RFC7217 ("stable privacy").
-#
-# Normally IPv6 SLAAC can derive the interface identifier directly from
-# the device MAC address using the legacy EUI-64 scheme. This exposes the
-# hardware MAC inside the IPv6 address and allows long-term tracking.
-#
-# The "stable-privacy" mode instead derives the address from a secret
-# kernel seed and the network prefix. This produces a deterministic
-# address that stays stable within the same network but does not reveal
-# the device MAC address.
-ipv6.addr-gen-mode=stable-privacy
-
-
-# Enable RFC4941 temporary IPv6 addresses and prefer them for outbound
-# connections.
-#
-# These temporary addresses rotate periodically and are used for outgoing
-# traffic to reduce the ability of remote servers to track the device
-# across connections.
-#
-# The interface will still retain a stable address (generated above) for
-# inbound connections, but outgoing traffic will prefer the temporary
-# ones.
-#
-# Values:
-#   0 = disable temporary addresses
-#   1 = enable but prefer the stable address
-#   2 = enable and prefer temporary addresses
-ipv6.ip6-privacy=2
-
-
-# Use a per-connection DHCPv6 client identifier.
-#
-# When a network uses DHCPv6, the client must identify itself with a
-# DHCP Unique Identifier (DUID). By default NetworkManager generates a
-# single identifier derived from the system machine-id, meaning every
-# network sees the same persistent identifier.
-#
-# The "stable-uuid" mode instead generates a different identifier per
-# connection using the connection's stable-id and a host-specific secret.
-# Each network therefore sees a different DHCPv6 identity while still
-# receiving a stable identifier across reconnects.
-#
-# This prevents cross-network tracking while maintaining normal DHCPv6
-# lease behavior.
-#
-# Note: many IPv6 networks rely only on SLAAC and do not use DHCPv6, in
-# which case this setting has no effect.
-ipv6.dhcp-duid=stable-uuid

root/etc/NetworkManager/conf.d/llmnr-mdns.conf

@@ -1,39 +1,8 @@
-# Control link-local name resolution protocols for connections.
+# Disable link-local name resolution protocols.
 #
-# LLMNR (Link-Local Multicast Name Resolution) and mDNS (Multicast DNS)
-# allow hosts on the same local network to resolve hostnames without
-# using a traditional DNS server. They use multicast queries on the
-# local link and are commonly used for ad-hoc discovery (for example
-# resolving nearby machines or services).
-#
-# These protocols can leak hostnames to the local network and may allow
-# spoofing attacks on untrusted networks. For this reason they are often
-# disabled on laptops that regularly join public or unknown networks.
-#
-# NetworkManager can control these features per connection when the
-# active DNS plugin supports them (for example: dns-systemd-resolved).
-#
-# Values:
-#
-#   0 / "no"
-#       Disable the protocol entirely for the interface.
-#       No hostname registration and no multicast resolution.
-#
-#   1 / "resolve"
-#       Allow resolving hostnames via multicast queries but do not
-#       announce (register) this host's hostname on the network.
-#
-#   2 / "yes"
-#       Fully enable the protocol. The host registers its hostname and
-#       also performs multicast resolution.
-#
-# If the DNS backend does not support these protocols the settings have
-# no effect.
-#
-# Per-connection override examples:
-#   nmcli connection modify <connection> connection.llmnr resolve
-#   nmcli connection modify <connection> connection.mdns resolve
-
+# LLMNR and mDNS allow devices on the same LAN to resolve hostnames
+# without DNS. They are rarely needed on managed networks and can
+# expose system information to the local network.
 [connection]
-connection.llmnr=1
-connection.mdns=1
+connection.llmnr=0
+connection.mdns=0

root/etc/NetworkManager/conf.d/random_mac.conf

@@ -1,37 +1,15 @@
 [device-mac-randomization]
-# Randomize the MAC address used during WiFi scanning.
-#
-# When the system scans for nearby Wi-Fi networks it normally sends probe
-# frames containing its MAC address. Without randomization, nearby networks
-# could track the device even when it is not connected.
-#
-# This is already the default on most systems, but we set it explicitly.
+# "yes" is already the default for scanning
 wifi.scan-rand-mac-address=yes
 
 [connection-mac-randomization]
-# Default MAC address behavior for new connections.
-#
-# NetworkManager can replace the hardware MAC address with a randomized
-# one when activating connections. This helps prevent networks from
-# identifying and tracking the device.
-#
-# Possible values:
-#   permanent : use the hardware MAC
-#   preserve  : keep whatever MAC the interface already has
-#   stable    : randomize MAC once and associate it permanently with that network
-#   random    : Randomize MAC for every connection
-#
-# We randomize the MAC address for every Wi-Fi and Ethernet connection by default,
-# as it is the most privacy-respecting option and prevents the network from tracking
-# the device across reconnects (assuming everything else was configured to support
-# that protection too).
-#
-# If a specific network requires a stable MAC (for example when using
-# DHCP reservations on a home router), override it per connection. Generally, you
-# should prefer using stable for these purposes instead of permanent, as there's
-# no real advantage in giving away the actual hardware MAC, even if it's your own
-# network:
-#   nmcli connection modify <wifi-connection> wifi.cloned-mac-address stable
-#   nmcli connection modify <ethernet-connection> ethernet.cloned-mac-address stable
+# Randomize MAC for every ethernet connection
 ethernet.cloned-mac-address=random
-wifi.cloned-mac-address=random
+# Generate a random MAC for each WiFi and associate the two permanently
+wifi.cloned-mac-address=stable
+
+# Opions:
+# permanent: Use HardWare address
+# preserve: Don’t change the MAC address of the device upon activation
+# stable: Randomize once and associate it permanently with that network
+# random: Randomize MAC for every connection

root/etc/sysctl.d/40-ipv6-privacy.conf

@@ -1,27 +0,0 @@
-# Enable IPv6 temporary addresses (RFC 4941).
-#
-# On IPv6 networks using SLAAC (Stateless Address Autoconfiguration),
-# hosts automatically generate their own addresses from the advertised
-# network prefix. Normally this results in a single stable address that
-# remains constant for the duration of the connection.
-#
-# Temporary addresses add additional short-lived IPv6 addresses that are
-# periodically regenerated by the kernel. These addresses are preferred
-# for outgoing connections (for example web browsing) so that remote
-# services cannot reliably track a device by its stable IPv6 address.
-#
-# The stable address still exists and is used for:
-#   - inbound connections
-#   - local services
-#   - neighbor discovery
-#
-# Values:
-#   0 = disable temporary addresses
-#   1 = enable temporary addresses but prefer the stable address
-#   2 = enable temporary addresses and prefer them for outbound traffic
-#
-# "default" applies to interfaces created after boot, while "all"
-# applies the setting to existing interfaces as well.
-
-net.ipv6.conf.default.use_tempaddr = 2
-net.ipv6.conf.all.use_tempaddr = 2