
DNS-over-HTTPS and WebRTC Leaks

⏱ 15 minutes

Every time you visit a website, your browser makes a DNS lookup — a request that translates a domain name into an IP address. By default, this lookup happens in plain text over your internet connection, which means your internet provider can see every domain you visit, even when the pages themselves are encrypted over HTTPS.

At the same time, a browser feature called WebRTC — originally designed for video calls — can expose your real IP address to websites, even when you're using a VPN. This guide fixes both problems, step by step.

What to expect

  • DNS-over-HTTPS encrypts your DNS queries so your ISP can't see what you look up
  • Disabling WebRTC leaks stops websites from detecting your real IP behind a VPN
  • Setup takes around 15 minutes in Firefox or Chrome
  • Both fixes are free and require no extra software

1. Run the Leak Test First

Before changing any settings, check what your browser is currently exposing. This gives you a baseline so you can confirm the fix worked afterwards.

Check your current exposure

⏱ 2 min
  1. Open the DNS & IP Leak Test tool in a new tab.
  2. The test runs automatically. Note the results in the WebRTC IP Leak and DNS Configuration sections.
  3. If WebRTC shows a public IP address, or DNS-over-HTTPS shows anything other than "Enabled by default", continue with this guide.

Keep this tab open. You'll return to it in Step 4 to confirm your changes worked.

2. Enable DNS-over-HTTPS

DNS-over-HTTPS (DoH) encrypts your DNS queries and sends them to a privacy-respecting resolver instead of your ISP's servers. The instructions differ slightly between browsers.

Firefox — Enable DNS-over-HTTPS

⏱ 3 min

Firefox enables DoH by default in most countries, but the setting is worth verifying — and you can choose a stronger provider than the default.

  1. Type about:preferences#privacy in the address bar and press Enter.
  2. Scroll down to DNS over HTTPS.
  3. Make sure "Enable DNS over HTTPS using:" is selected (not "Off").
  4. From the dropdown, choose your preferred provider. The default is Cloudflare. For more options, see the provider comparison below.

Max Protection mode: Firefox 127 and later includes a "Max Protection" option that blocks all DNS queries that can't use DoH — useful if you want zero fallback to your ISP.

Chrome — Enable Secure DNS

⏱ 3 min
  1. Go to Settings (three dots → Settings).
  2. Click Privacy and security → Security.
  3. Scroll down to Advanced → Use secure DNS.
  4. Enable the toggle.
  5. Choose "With" and select a provider from the list, or enter a custom DoH URL.

Note: Chrome's "Automatic" mode only upgrades DNS queries if your current ISP supports DoH — many don't. Choose a specific provider to guarantee the protection.

Edge — Enable Secure DNS

⏱ 3 min
  1. Go to Settings (three dots → Settings).
  2. Click Privacy, search, and services.
  3. Scroll to Security → "Use secure DNS to specify how to lookup the network address for websites".
  4. Enable the toggle and choose a provider.

3. Fix WebRTC Leaks

WebRTC is a browser API that enables real-time features like video calls. As a side effect, it can reveal your real local and public IP address to websites — bypassing your VPN's IP masking entirely. The fix depends on your browser.

Firefox — Disable WebRTC

⏱ 2 min

Firefox lets you disable WebRTC entirely through its advanced configuration page. This is the most reliable fix.

  1. Type about:config in the address bar and press Enter.
  2. Click "Accept the Risk and Continue".
  3. In the search bar, type media.peerconnection.enabled.
  4. Double-click the entry to toggle its value from true to false.

This disables WebRTC completely. If you use video calls in the browser (Google Meet, Jitsi, etc.), you'll need to re-enable it for those sessions — or use a desktop app instead.

Alternative — partial mitigation: If you need WebRTC for video calls, search for media.peerconnection.ice.default_address_only in about:config and set it to true. This prevents local IP exposure but still allows public IPs to be used.

Chrome — Restrict WebRTC with uBlock Origin

⏱ 3 min

Chrome does not allow disabling WebRTC through settings. The most effective approach is uBlock Origin, which has a built-in WebRTC leak prevention option.

  1. Install uBlock Origin from the Chrome Web Store if you haven't already.
  2. Click the uBlock Origin icon in your toolbar → open the dashboard (the gear icon).
  3. Go to the Settings tab.
  4. Under Privacy, enable "Prevent WebRTC from leaking local IP addresses".

Note: This setting prevents local IP exposure. If you're using a VPN and want to verify your public IP isn't leaking, run the leak test again after applying this setting.

4. Verify Your Settings

Run the test again

⏱ 2 min
  1. Go back to the DNS & IP Leak Test tab.
  2. Click Run test again.
  3. WebRTC IP Leak should now show "No IP addresses detected" or display the badge "Protected".
  4. DNS Configuration should show your DoH status as "Enabled by default" (Firefox) or show the provider you selected.

If public IPs still appear in the WebRTC section after applying the Firefox fix, double-check that media.peerconnection.enabled is set to false, not true. A page reload may also be needed after the change.
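
What the WebRTC part of a leak test inspects, as an added example (not the test tool's own code): each ICE candidate line carries an address, and the check is whether any of them is a routable IP. The function names and the sample candidate lines are constructed for illustration.

```javascript
// Added example: classify the addresses found in ICE candidate lines.
// SAMPLE_CANDIDATES is constructed; 203.0.113.45 is a documentation address
// standing in for a real public IP.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f1c2a9e-7b7d-4c55-9d7e-0a1b2c3d4e5f.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 54323 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 2122260223 fd12:3456:789a::1 54324 typ host",
];

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.replace(/^a=/, "").trim().split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  return { address: f[4].toLowerCase(), type: f[7] };
}

function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns"; // mDNS hostname in place of the local IP
  if (addr.includes(":")) {
    if (addr === "::1") return "loopback";
    // fc00::/7 unique-local and fe80::/10 link-local stay on the local network
    return /^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/.test(addr) ? "private" : "public";
  }
  const parts = addr.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    return "unknown";
  }
  const o = parts.map(Number);
  if (o[0] === 127) return "loopback";
  const isPrivate = o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
  return isPrivate ? "private" : "public";
}

// Group candidate addresses by exposure. A "public" entry that is not your
// VPN's exit address is the leak this guide is about.
function summarize(lines) {
  const out = { public: [], private: [], mdns: [], other: [] };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    (out[classifyAddress(c.address)] || out.other).push(c.address);
  }
  return out;
}

console.log(summarize(SAMPLE_CANDIDATES));
```

In a browser, the same strings are available as `event.candidate.candidate` in an `RTCPeerConnection`'s `icecandidate` handler; with `media.peerconnection.enabled` set to false, the constructor is not available at all.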

DoH Provider Comparison

All DoH providers encrypt your DNS queries from your ISP, but they differ in what they log, where they're based, and whether they filter content.

Cloudflare — 1.1.1.1

DoH URL: https://cloudflare-dns.com/dns-query

The default in Firefox. Fast and reliable. Cloudflare commits to deleting query logs within 24 hours and has had its no-logging claim independently audited by KPMG. Based in the US, which some users prefer to avoid for jurisdiction reasons. Does not filter content by default.

Mullvad — Recommended for privacy

DoH URL: https://doh.mullvad.net/dns-query

Operated by the same company behind the Mullvad VPN. Explicitly no-log, based in Sweden, and does not filter or redirect queries. No account or Mullvad subscription required to use the DNS resolver. A strong choice if you prioritise jurisdiction outside the US.

Google — 8.8.8.8

DoH URL: https://dns.google/dns-query

Fast and globally distributed. Google does log some DNS data and may use it for its advertising business. Not recommended if you're trying to reduce your exposure to Google's data collection.
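
What a browser sends to one of these DoH URLs, as an added example (not from the original guide): the DNS query in wire format, carried in an HTTPS GET as defined in RFC 8484. The function names are illustrative, the resolver URL is the Cloudflare one listed above, and names are assumed to be ASCII.

```javascript
// Added example: build the DNS query a DoH client sends, in RFC 8484 GET form.
const QTYPE = new Map([["A", 1], ["AAAA", 28]]);

// Encode "www.example.com" as length-prefixed labels ending in a zero byte.
function encodeName(name) {
  const chunks = [];
  for (const label of name.replace(/\.$/, "").split(".")) {
    const bytes = Buffer.from(label, "ascii");
    if (bytes.length < 1 || bytes.length > 63) throw new RangeError(`bad label in ${name}`);
    chunks.push(Buffer.from([bytes.length]), bytes);
  }
  chunks.push(Buffer.from([0]));
  return Buffer.concat(chunks);
}

// 12-byte header plus one question. ID stays 0, which RFC 8484 suggests
// so that identical queries produce identical, cacheable requests.
function buildQuery(name, type = "A") {
  if (!QTYPE.has(type)) throw new RangeError(`unsupported type ${type}`);
  const header = Buffer.alloc(12);
  header.writeUInt16BE(0x0100, 2); // flags: recursion desired
  header.writeUInt16BE(1, 4);      // QDCOUNT = 1
  const tail = Buffer.alloc(4);
  tail.writeUInt16BE(QTYPE.get(type), 0); // QTYPE
  tail.writeUInt16BE(1, 2);               // QCLASS = IN
  return Buffer.concat([header, encodeName(name), tail]);
}

// The query travels base64url-encoded, without padding, in the "dns" parameter.
function dohGetUrl(resolverUrl, name, type = "A") {
  const b64 = buildQuery(name, type).toString("base64");
  const b64url = b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${resolverUrl}?dns=${b64url}`;
}

// Sends the query over HTTPS and returns the response code and answer count.
// Needs network access and a runtime that provides fetch (Node 18 or later).
async function resolveOverDoh(resolverUrl, name, type = "A") {
  const res = await fetch(dohGetUrl(resolverUrl, name, type), {
    headers: { accept: "application/dns-message" },
  });
  if (!res.ok) throw new Error(`resolver returned HTTP ${res.status}`);
  const msg = Buffer.from(await res.arrayBuffer());
  return { rcode: msg[3] & 0x0f, answers: msg.readUInt16BE(6) };
}

console.log(dohGetUrl("https://cloudflare-dns.com/dns-query", "www.example.com"));
```

The domain name sits inside the TLS-protected request, so an on-path observer sees only a connection to the resolver's address.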

Frequently Asked Questions

Does DNS-over-HTTPS hide my browsing from my ISP completely?

It hides the domain names you look up. Your ISP can still see which IP addresses you connect to — and in many cases IP addresses map back to specific services. DoH is a meaningful improvement, but it is not a substitute for a VPN if you want to hide the destinations of your traffic entirely.

Will disabling WebRTC break anything?

It will break browser-based video calls (Google Meet, Jitsi, Teams in the browser) and some peer-to-peer file sharing. If you use these services, you can re-enable WebRTC before the call and disable it again afterwards, or use dedicated desktop apps for video calls instead.

Do I need a VPN if I have DNS-over-HTTPS?

They solve different problems. DoH encrypts your DNS lookups. A VPN encrypts all your traffic and hides your IP address from the websites you visit. If you only want to hide your DNS queries from your ISP, DoH is sufficient. If you want to hide your IP address or your traffic from the websites you visit, you need a VPN.

Does Safari support DNS-over-HTTPS?

Not through browser settings. On macOS, you can enable DoH system-wide through a configuration profile or a third-party app, but Safari itself has no built-in DoH setting. This is one reason Firefox is recommended for privacy-conscious users on Mac.

My VPN claims to handle DNS automatically — do I still need this?

It depends on the VPN. Many VPNs route DNS through their own servers when their app is active, but the browser may still use its own DNS for queries initiated outside the VPN tunnel. Enabling DoH in your browser adds a second layer of protection that works independently of the VPN app.

Final Checklist

  • ✓  Ran the DNS & IP Leak Test before making changes
  • ✓  DNS-over-HTTPS enabled in your browser
  • ✓  Chosen a privacy-respecting DoH provider (not Google)
  • ✓  WebRTC disabled or restricted
  • ✓  Ran the leak test again to confirm no leaks
  • ✓  WebRTC result shows "Protected" or no public IPs

Want to go further?

The Complete Privacy Kit includes a VPN guide, Signal setup, 2FA, and more — the full picture beyond browser settings.
