diff --git a/pc/ice_server_parsing.cc b/pc/ice_server_parsing.cc
index 9322fd12d4..896305c54b 100644
--- a/pc/ice_server_parsing.cc
+++ b/pc/ice_server_parsing.cc
@@ -220,6 +220,15 @@ RTCError ParseIceServerUrl(
   // GetServiceTypeAndHostnameFromUri should never give an empty hoststring
   RTC_DCHECK(!hoststring.empty());
 
+  // stun with ?transport (or any ?) is not valid.
+  if ((service_type == ServiceType::STUN ||
+       service_type == ServiceType::STUNS) &&
+      tokens.size() > 1) {
+    LOG_AND_RETURN_ERROR(
+        RTCErrorType::SYNTAX_ERROR,
+        "ICE server parsing failed: Invalid stun url with query parameters");
+  }
+
   int default_port = kDefaultStunPort;
   if (service_type == ServiceType::TURNS) {
     default_port = kDefaultStunTlsPort;
diff --git a/pc/ice_server_parsing_unittest.cc b/pc/ice_server_parsing_unittest.cc
index 4cb7c47b0b..4356b1efb0 100644
--- a/pc/ice_server_parsing_unittest.cc
+++ b/pc/ice_server_parsing_unittest.cc
@@ -188,6 +188,8 @@ TEST_F(IceServerParsingTest, ParseHostnameAndPort) {
   EXPECT_FALSE(ParseUrl("stun:/hostname"));  // / is not allowed
   EXPECT_FALSE(ParseUrl("stun:?hostname"));  // ? is not allowed
   EXPECT_FALSE(ParseUrl("stun:#hostname"));  // # is not allowed
+  // STUN explicitly forbids query parameters.
+  EXPECT_FALSE(ParseUrl("stun:hostname?transport=udp"));
 }
 
 // Test parsing the "?transport=xxx" part of the URL.