Private DNS on Android 9 using Cloudflare

Android 9 - also known as Android Pie - comes with many new features but most importantly full support for DNS over TLS. DNS over TLS is a way of encrypting what is normally clear text traffic, similar to the difference between HTTP and HTTPS when browsing websites. This is fantastic from a security perspective but DNS providers are still playing catch up.

This setting has three options: Off, Automatic and Private DNS provider hostname. I’m working off the assumption that Off disables the setting entirely, Automatic attempts to use DNS over TLS with whatever resolver you’ve using falling back to plaintext if it fails and Private DNS provider hostname changes your DNS setting and forces you to use DNS over TLS with the configured host. I’m not really sure how this setting works given you have to put a hostname in instead of an IP address, but hey.

Thankfully Cloudflare operate a public resolver that supports DNS over TLS and metrics say they’re generally the fastest ! We can’t just use in the Private DNS provider hostname field since it isn’t a hostname so we’re forced to use This resolves to both and which is much the same as how and work - Google’s public DNS service.

Its just 5 easy steps to set it up:

  1. Open up your settings app
  2. Go to Network & Internet
  3. Toggle Advanced at the bottom and click Private DNS
  4. Select Prviate DNS provider hostname and put in the field
  5. Done!

DNS over TLS setting

Now all your DNS queries are being encrypted before being sent to Cloudflare! You can confirm this behaviour by using something like a DNS leak test .

If you want to read more about DNS over TLS/HTTPS the website has some great information.

Photo by Chaz McGregor on Unsplash .