Android 9 - also known as Android Pie - comes with many new features but most importantly full support for DNS over TLS. DNS over TLS is a way of encrypting what is normally clear text traffic, similar to the difference between HTTP and HTTPS when browsing websites. This is fantastic from a security perspective but DNS providers are still playing catch up.
This setting has three options: Off, Automatic and Private DNS provider hostname. I'm working off the assumption that Off disables the setting entirely, Automatic attempts to use DNS over TLS with whatever resolver you've using falling back to plaintext if it fails and Private DNS provider hostname changes your DNS setting and forces you to use DNS over TLS with the configured host. I'm not really sure how this setting works given you have to put a hostname in instead of an IP address, but hey.
Thankfully Cloudflare operate a public resolver that supports DNS over TLS and metrics say they're generally the fastest! We can't just use
220.127.116.11 in the Private DNS provider hostname field since it isn't a hostname so we're forced to use
1dot1dot1dot1.cloudflare-dns.com. This resolves to both
18.104.22.168 which is much the same as how
22.214.171.124 work - Google's public DNS service.
Its just 5 easy steps to set it up:
1dot1dot1dot1.cloudflare-dns.comin the field
Now all your DNS queries are being encrypted before being sent to Cloudflare! You can confirm this behaviour by using something like a DNS leak test.
If you want to read more about DNS over TLS/HTTPS the 126.96.36.199 website has some great information.