Recently Google released Android P, or Android Pie for the culinary-inclined, to Pixel users. The latest version of Android comes with an impressive roster of new features. What tickles our tentacles the most is Private DNS Mode, a feature that enables DNS over TLS for Android Pie users. By default, Android Pie encrypts all your DNS traffic with DNS over TLS, adding an additional layer of security to your Android device. However, in order to make use of it, you need a DNS provider that supports DNS over TLS.

Oh hey, that's us!

We placed our bets on DNS over TLS last year when we built Tenta DNS, a modern, and secure DNS over TLS recursive resolver that is open source on Github. With Android Pie's Private DNS Mode and Tenta DNS, DNS queries sent from your device are encrypted, closing yet another crack through which eavesdroppers can spy on you.

How to enable Tenta DNS on your Pixel device

1. Go to Settings > Network & internet > Advanced > Private DNS.
2. Select the Private DNS provider hostname option.
3. Enter opennic.tenta.io and tap Save.
4. Test the configuration with this extensive Browser Privacy Test tool.

What Is DNS over TLS anyway, and why should you care?

Domain name system (DNS) servers translate human web address that you type into the browser (the domain name) to computer language (the IP address). DNS servers are essential for getting online, but they're also a major security risk. That's because your traffic over an unencrypted channel, such as your favorite coffee shop's open Wi-Fi network, can get hijacked.

Imagine planning your weekend fishing trip at your neighborhood café. When you visit your favorite fishing site, your computer reaches out to the DNS server. But you're on an unencrypted channel, so thieves intercept it and you're redirected to a fake site that the attackers have control of. On that fake site, all of your information is now monitored. They have you by the bait and tackles.

Fortunately, there are technologies available that offer security to protect you against such attacks. DNSSEC (Domain Name System Security Extensions) is a suite of extensions that provide origin authentication of DNS data, authenticated denial of existence and data integrity. That means when you visit masterbaitonline.com, DNSSEC verifies that the site you requested is the site you're shown.

However, DNSSEC does not provide privacy. That's where TLS comes in. Transport Layer Security (TLS) is a cryptographic protocol that provides security over a network. Websites use TLS to secure communication between servers and browsers. But TLS alone can't provide authenticity. No one knows you're looking for rods, but you also might not be looking for them on the real masterbaitonline.com. You might even be seeing something very different than what you had in mind.

DNS over TLS is the union of DNS security and the TLS protocol. With this security protocol, queries are sent encrypted over TLS and the answers are authentic. When you ask the DNS server "What is address for masterbaitonline.com?," you can be assured that the answer will be correct and both your question and the DNS server's answer will be encrypted.

And now that you've taken care of your equipment, you can move on to safely booking your cabin at oldmanshaven.com.