The Problem With "Private Browsing"
Incognito mode doesn't make you private online — it only clears local browser history. Your ISP still sees your DNS queries. Websites still log your IP address. Advertisers still build behavioral profiles. True privacy requires a layered approach addressing each leak point separately.
This guide walks through a practical, achievable privacy stack for everyday users.
Layer 1: Encrypted DNS
Your DNS queries reveal every domain you visit. Encrypting them is the single highest-impact privacy change most people can make.
- DNS-over-HTTPS (DoH): Enable in your browser (Chrome, Firefox, Edge all support it natively) or at the OS level on Windows 11 and Android.
- NextDNS: A configurable DoH service with a free tier. You get query logs, per-device rules, and threat blocking — all without running your own server.
- AdGuard Home (self-hosted): Run your own DNS resolver on a Raspberry Pi. Queries never leave your network until they hit your chosen upstream DoH provider.
Layer 2: Browser-Level Privacy Tools
Even with encrypted DNS, websites can track you through cookies, fingerprinting, and third-party scripts.
uBlock Origin
Install it on every browser. Enable the EasyPrivacy and uBlock Filters – Privacy lists. With Advanced Mode enabled, block all third-party scripts globally and whitelist trusted sites manually. This single extension eliminates the majority of cross-site tracking.
Firefox with Enhanced Tracking Protection
Firefox's "Strict" tracking protection mode blocks cross-site cookies, fingerprinters, and tracking pixels by default. Combined with uBlock Origin, it's a formidable combination. Consider these additional Firefox settings:
- Set
network.http.referer.XOriginPolicyto2inabout:configto strip referrer headers cross-site. - Enable HTTPS-Only Mode under Privacy settings.
- Use Multi-Account Containers to isolate Google, Facebook, and other tracking-heavy sites into separate cookie jars.
Privacy Badger
Developed by the EFF, Privacy Badger learns which domains track you across sites and blocks them dynamically — complementing static filter lists with behavioral analysis.
Layer 3: System-Level Privacy Settings
Your operating system sends telemetry that bypasses browser controls entirely.
Windows
- Go to Settings → Privacy & Security and disable Diagnostic Data, Activity History, and Advertising ID.
- Consider running a tool like O&O ShutUp10++ (free) to apply dozens of privacy tweaks in one pass.
macOS
- Under System Settings → Privacy & Security, review which apps have access to Location, Contacts, and Microphone.
- Disable Analytics & Improvements sharing under Privacy settings.
Layer 4: VPN — When to Use One
A VPN shifts DNS query visibility from your ISP to the VPN provider — it doesn't eliminate DNS exposure. Use a VPN when:
- You're on public Wi-Fi (cafes, airports, hotels).
- You want to hide traffic from your ISP specifically.
- You need an IP address in a different region.
Look for providers with a verified no-logs policy and that support DNS leak protection. A VPN without encrypted DNS configured inside it may still leak DNS queries to your ISP.
The Recommended Minimum Stack
| Layer | Tool | Cost |
|---|---|---|
| DNS Encryption | NextDNS (free tier) or Cloudflare DoH | Free |
| Browser Ad/Tracker Blocking | uBlock Origin | Free |
| Browser Choice | Firefox with Strict ETP | Free |
| OS Telemetry Reduction | Manual settings review | Free |
| Public Wi-Fi Protection | Reputable VPN (paid) | Varies |
Final Thought
Privacy is not binary. Every layer you add meaningfully reduces your exposure. Start with encrypted DNS and uBlock Origin today — those two steps alone will dramatically reduce the amount of data collected about your browsing habits.