If files in RPMs are marked %config or %config(noreplace)¹, running something like dnf update or yum update will not touch (modified) configuration files, but leave the old ones in place and create .rpmsave or .rpmnew files instead.
Is it possible to tell dnf, … to always replace all configuration files, discarding changes and forcing updates of all files?
No, dnf or yum has no options I am aware of to alter what the %config directive in the spec says. Packaging convention around RPM is to assume the user intended edits.
Find those .rpmnew and .rpmsave files. Those with ".rpmnew", or without ".rpmsave", are from the updated package.
A more complete check, including changed files that haven't been updated yet, can be done with rpm verify options. rpm -qaV --configfiles will look at all installed package config files for differences.
If unintended edits are happening, consider locking things down. Remove write file permissions on files. Remove interactive user access by people into systems, especially privileged.
