I’m convinced now you have to either put it to off or default protection.
I am writing this to suggest that PrivacyGuides not recommend using the Secure DNS / DNS Over HTTPS feature on the browser recommendation and configuration page. The reason for this is because this feature causes DNS Leaks when using a VPN.
There is also the fact that all three VPNs recommended by Privacy Guides [Mullvad, ProtonVPN, and IVPN (page hosted by IVPN)] all specifically recommend to not use this feature.
Mullvad:
Firefox on desktop
To turn off DNS over HTTPS follow these steps:
- Click on the menu button and select Settings.
- Click on Privacy & Security in the left column.
- Scroll down to the bottom. Under Enable secure DNS, click on Off.
Portmaster
Portmaster hijacks DNS queries. Try to uninstall that.
Browser extensions
If you have installed a browser extension that can change the DNS, for example CIRA Canadian Shield, then turn that off.
Proton:
We therefore strongly recommend against using DoH (and the similar DNS over TLS standard) with Proton VPN. When using our apps, all DNS queries are sent through the VPN connection to our servers, and are thus securely encrypted without the need for DoH or DoT.
IVPN:
Mozilla Firefox
Select the menu button and go to Settings. In the Privacy & Security menu, scroll down to the Enable secure DNS using: section. Choose Off.
My only remaining interrogation is about router settings, which don’t seem to be covered in the three links of Mullvad/Proton/iVPN.
Could anyone answer this? If I want to configure DNS like NextDNS or 1.1.1.1 on my router, am I susceptible to DNS leak as well?
I’m always using a VPN, but some people in my household don’t want to (working on that). So I at least changed my DNS on my router, but would that give me a DNS leak risk?
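An added example, not part of the posts above or of any vendor's documentation: a Python check that reads a Firefox profile's `prefs.js` and reports the state of `network.trr.mode`, the preference behind the "Enable secure DNS" setting quoted above. The sample prefs text is constructed, and the function names are hypothetical.

```python
import re

# Values of Firefox's network.trr.mode preference (other values are reserved).
TRR_MODES = {
    0: "default",      # "Default Protection": Firefox decides whether DoH is used
    2: "browser-doh",  # DoH first, falls back to the system resolver
    3: "browser-doh",  # DoH only, no fallback
    5: "off",          # DoH explicitly turned off by the user
}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unexpected
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs

def doh_state(prefs_text):
    """Return 'off', 'default', 'browser-doh' or 'unknown' for a prefs.js body."""
    mode = parse_prefs(prefs_text).get("network.trr.mode", 0)  # absent means 0
    return TRR_MODES.get(mode, "unknown")

# Constructed sample: a profile where secure DNS was set to Off.
SAMPLE_OFF = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("network.trr.mode", 5);
'''

if __name__ == "__main__":
    print(doh_state(SAMPLE_OFF))
```

A result of `browser-doh` means the browser resolves names itself over HTTPS instead of using the resolver the VPN app configures, which is the situation the quoted VPN guides warn about.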