
Hello!

 

We recently had ControlD reach out for a potential sponsored relationship with us. They are a DNS service that can block threats, unwanted content, malware, etc. They do a lot more as well such as customer filters and redirects.

 

I'm just wondering if anyone from our community has had any personal experience with their services. If so, I would appreciate any feedback!

 

*Please note that our team does our own research and testing around vetting sponsor products and services. However, we've found that soliciting feedback from the community can sometimes add something new to the conversation that we weren't aware of*

Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/

fwiw, ControlD is from the people behind Windscribe. 

"The most important step a man can take. It’s not the first one, is it?
It’s the next one. Always the next step, Dalinar."
–Chapter 118, Oathbringer, Stormlight Archive #3 by Brandon Sanderson

 

 

Older stuff:

Spoiler

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.

 

Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16425250

Just don't make this a talking point:

image.thumb.png.2f1c56fc8440ad16d973bbf496720acc.png

 

vs.

image.png.a3e1b7e7b384c56bf4df505c9b70437f.png

 

 

Big claim that you can change your external IP-Address by using their DNS-server.

The Declaration of Independence, once the charter of democracy, begins by saying that certain things are self-evident. If we were to trace the history of the American mind from Thomas Jefferson to William James, we should find that fewer and fewer things were self-evident, until at last hardly anything is self-evident. (G. K. Chesterton - Aug. 14 1926 (The Illustrated London News))

Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16425481

17 minutes ago, Skipple said:

We use BMC Control-D at my company for controlling and scheduling mainframe jobs and reports. Needless to say this product confused me greatly. Carry on. 

That's actually the "wrong" Control D. You're thinking https://docs.bmc.com/docs/productsupport/control-d

 

Also not to be confused with the Indian blood glucose meter https://controld.in/

 

PS. I'm from the "real" Control D mentioned in the OG post. Had a lurking account here for a while. 

 

Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16425629

4 minutes ago, yegor said:

That's actually the "wrong" Control D. You're thinking https://docs.bmc.com/docs/productsupport/control-d

 

Oh I'm aware. I was just very confused when I thought an extremely outdated mainframe scheduling software was trying to sponsor LTT. 😉 

ask me about my homelab

Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16425633

2 hours ago, FlyingPotato_is_taken said:

Just don't make this a talking point:

 

Big claim that you can change your external IP-Address by using their DNS-server.

This is a unique feature, that functions kinda like a "Smart" DNS service, except it can be enabled for all traffic, and you can selectively re-route any domain or service, via a proxy location in 69 countries, using Windscribe infrastructure, without actually using a VPN or having any software installed.

 

It's not a VPN. If you live in a place that has a high level of censorship and DPI, you shouldn't use this for life-critical anonymity. We mention this on the sign-up page. 

 

image.png.9298263a03e04ba14f3db8c97692c618.png

 

That being said, as the warning mentions, we're working on a novel feature where we'll be able to enable EncryptedClientHello for ALL traffic, not just websites that support it (which currently is <0.1%). With that in place, if you use DNS-over-HTTPS/TLS, and this feature, there is no cleartext over the wire for anything that uses DNS. Of course direct IP connections (like torrents) would not be affected by this. 

 

We also have handling for common non-SNI enabled traffic, like SMTP and IMAP servers, which can still be transparently proxied via Control D. 

 

Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16425752

@yegor I understand this feature in such a way: They (control D) "send" the DNS query through one of the geolocations and what they market here is that a region might get a different DNS response which is then provided to the user.

The end user device is still connecting from their location/IP to the server ("DNS result").

 

What bugs me isn't the general idea/technology. It is about the statement "change your external IP-Address with ....".


Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16425778

1 hour ago, FlyingPotato_is_taken said:

@yegor I understand this feature in such a way: They (control D) "send" the DNS query through one of the geolocations and what they market here is that a region might get a different DNS response which is then provided to the user.

The end user device is still connecting from their location/IP to the server ("DNS result").

 

What bugs me isn't the general idea/technology. It is about the statement "change your external IP-Address with ....".

Well, not exactly. This works in the same way that if you used a VPN, and connected to.... Japan, the VPN server in Japan would resolve domain.com and provide local DNS responses. But since the request was spoofed to our anycast proxies, you connected to a proxy IP, not the final destination IP in A/AAAA records.

 

As a result, your IP is masked from the destination server. 

 

image.thumb.png.0d10299b2bb0263634ceb5a322133379.png

 

So when you visit a website, it will see your "new IP", despite there being no VPN involved. My ISP's IP (Beanfield) is masked. 

 

 

image.thumb.png.bfd32a669cb38ce48e4e581703ef483a.png

Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16425829
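
Added example (not part of any post in this thread and not Control D code): the cleartext that the SNI and Encrypted Client Hello remarks in this thread refer to is the server name inside the TLS ClientHello, and this parser shows what an on-path observer can read from one. The sample ClientHello is constructed, the function names and hostnames are assumptions, the ECH payload is a dummy, and the hello is assumed to fit in a single TLS record.

```python
import struct

EXT_SERVER_NAME = 0x0000   # server_name (SNI), RFC 6066
EXT_ECH = 0xFE0D           # encrypted_client_hello

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        # Bounds check so a cut-off capture fails loudly instead of misparsing.
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vec(self, len_bytes):          # length-prefixed vector -> sub-Reader
        return Reader(self.take(self.uint(len_bytes)))

    def done(self):
        return self.pos >= len(self.data)

def inspect_client_hello(record):
    """Return what an on-path observer can read from one TLS record."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        raise ValueError("not a TLS handshake record")
    rec.take(2)                                   # record-layer version
    hs = rec.vec(2)
    if hs.uint(1) != 0x01:
        raise ValueError("not a ClientHello")
    ch = hs.vec(3)
    ch.take(2 + 32)                               # legacy_version + random
    ch.vec(1)                                     # session_id
    ch.vec(2)                                     # cipher_suites
    ch.vec(1)                                     # compression_methods
    seen = {"sni": None, "ech": False}
    exts = Reader(b"") if ch.done() else ch.vec(2)
    while not exts.done():
        ext_type, body = exts.uint(2), exts.vec(2)
        if ext_type == EXT_SERVER_NAME:
            names = body.vec(2)
            while not names.done():
                name_type, name = names.uint(1), names.vec(2)
                if name_type == 0:                # host_name
                    seen["sni"] = name.data.decode("ascii", "replace")
        elif ext_type == EXT_ECH:
            seen["ech"] = True
    return seen

def sample_client_hello(hostname=None, ech=False):
    """Constructed ClientHello record (sample input, not a real capture)."""
    exts = b""
    if hostname is not None:
        entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname.encode("ascii")
        sni = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if ech:
        exts += struct.pack("!HH", EXT_ECH, 4) + b"\x00" * 4   # dummy payload
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(inspect_client_hello(sample_client_hello("example.com")))
```

When the ECH extension is present, the name in the outer server_name field is the ECH provider's public name rather than the site being visited.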

@yegor Sounds interesting.

 


Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16425933

I saw this post and I thought I'd add some thoughts. I just made the account; I've only really been a lurker in the past, but you can find me on their Discord with the same username. I am not affiliated with them in any way.

 

I have been using their service since 2023-12-27; before that I was a NextDNS user. Functionality-wise they are quite similar. ControlD does not have Web3 or CNAME flattening, but neither of those is important for a DNS service to function, and the majority of ppl would have 0 need for em or even know what they do.

 

- I prefer the UI of ControlD; it's a lot easier to work with, especially when you wanna set up larger lists of your own custom domains to either block or allow, since you can import / export whole folders, and just the fact that you can make folders is huge so you can organize your stuff.

- They have a really good selection of popular 3rd party lists like Hagezi's lists (light, normal, pro, ultimate, TIF), Adguard, 1Hosts, Stevenblack, OISD (Basic, Full) and more.

- They also ofc have their own filters like Ads & Trackers (3 different levels), Adult Content, Click Bait, Crypto, Dating, Drugs, Dynamic DNS, File Hosting, Gambling, Government Sites, IoT Telemetry, Malware (3 different levels), New Domains, Phishing, Social, Torrents and Piracy, URL Shorteners, VPN and DNS. For their own base filters, I do not know what sources they use, and I have never been using them on their own, but I am using some of them together with 3rd party lists, so I can't really say much on how well they do, cause I have always been running their own + Hagezi. But from what I can see in the Statistics, their own filters are performing well. I had some minor false positives on their AI / Malware filter in the past; I reported those on their Discord and they got fixed really fast. Recently, tho, the malware filter has been better, without false positives.

- The activity log is easy to filter through to find out what the issue is (if you have one). I have this set up for my mom and grandma as well, and there have been some domains I had to whitelist for their profile to get some Swedish news site function to work, cause it's hosted by an ad network, but it was no issue finding what it was and allowing it on their own profile without allowing it on mine, since you can make a lot of profiles and set up a lot of devices to use 1 or 2 profiles for each device.

- You can also set how much logging you want to collect: no logging, some logging or full logging. This can be set up per device, and you can set the storage location for logs to either NY USA, Amsterdam NL or Sydney AU, and analytics data can be purged whenever you want.

- If you pay the full control subscription price you also get that thing mentioned above here, where you can change the country location of your DNS queries. I have not really used that so I can't comment on it, cause it's nothing I really need. It won't be as effective as a VPN and its use is limited, to my understanding, since it's DNS based only, but the option is there.

- They also have a command line tool for setting up a DNS forwarding proxy on Windows, Mac, Linux, FreeBSD and common routers (you can see the list of supported ones on their GitHub), and this DNS forwarding proxy can be configured to be used with any DNS service. You can set it up freely on your router and configure it to use Google DNS or whatever if you would like that. You can also configure it to have a failover DNS in case 1 is down. I REALLY like this software.

- You can also read their blog if you wanna see the difference between their service and Adguard or their service and NextDNS; they have blog posts about it.

- My latency from Sweden to their DNS server is around 10 ms... before they added a Swedish server I had 30 ms, and that is still really good.

 

Edit: I forgot to mention they also have "services" where you can block specific services like YouTube or Facebook or TikTok or whatever. The categories they have, with how many services in each category, are "audio (15), career (21), finance (105), gaming (25), hosting (76), news (45), recreation (16), shop (35), social (47), tools (65), vendors (150), video (301)" at the time of writing this.

 

Not sure if I missed anything, but I really like the service and I'm planning on continuing to use it, and ppl can try it out if they are interested. They have refunds if you don't like it; just make sure you read the refund policy before you commit to paying anything, so you know your time limitations and other restrictions for refunding.

If you have any questions I will try my best to answer them.

Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16426273

22 hours ago, yegor said:

That's actually the "wrong" Control D. You're thinking https://docs.bmc.com/docs/productsupport/control-d

 

Also not to be confused with the Indian blood glucose meter https://controld.in/

 

PS. I'm from the "real" Control D mentioned in the OG post. Had a lurking account here for a while. 

 

 

11 hours ago, Skipple said:

Sorry, just curious, are you affiliated with ControlD? 

 

Yes, they have admitted they work for the company in question in a previous post. 

Community Standards

Please make sure to Quote me or @ me to see your reply!

Just because I am a Moderator does not mean I am always right. Please fact check me and verify my answer. 

 

"Beast Mode"

Ryzen 7 9800x3d | Arctic Liquid Freeze 3 Pro 360 | MSI X870 Tomahawk Wi-Fi | MSI RTX 5080 Gaming Trio OC | Gskill Flare X5 6000MT/s CL30

1tb WD Black SN850x NVMe | 4tb WD SN850x NVMe | Antec Flux Pro | Be Quiet Pure Power 13 M 1000w | OWC 10gb NIC

 

Dedicated Streaming Rig

 Ryzen 7 3700x | Asus B450-F Strix | 32gb Gskill Flare X 3200mhz | Corsair RM550x PSU | MSI Ventus 3060 12gb | 250gb 860 Evo m.2

Phanteks P300A |  Elgato HD60 Pro | Avermedia Live Gamer Duo | Avermedia 4k GC573 Capture Card

 

Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16426396

10 minutes ago, Skipple said:

It's not terribly important, but this should probably be disclosed on a post like this. 

Doubt LMG knew that an employee of the brand was on the forum if I had to guess. That said, I don't think it's a bad thing per se, but if they're here to represent the brand, then the user may want to look into applying for the Industry Affiliate tag to notate. 

Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16426661

I have been using Control D for myself and my family for over two years. It is a great service. The features are unique and the company is fun (almost dbrand levels of goof, but not quite). I think it would make a great LTT video because there is a lot of technicality here. Happy to provide more info.

 

I used to use NextDNS but Control D is continuously adding new features and as far as I can tell, NextDNS is just maintaining current functionality, they aren’t even updating their blocklists regularly. Control D also has a proxying service that can spoof your IP to a different country. 

 

There are various rules that can be enforced per domain, subdomain, source country, destination country, or Autonomous System:

- Block (blocks and can return 0.0.0.0; NXDOMAIN, REFUSED; custom IP; or custom block page)

- Bypass (typical DNS request where your IP is passed through and sites can see your true IP)

- Redirect (your IP is spoofed to one of their data centers; can be automatic based on anycast route, a specified location, or a custom IP)

 

These rules are enforced via filters, services, custom rules, and the default rule. 

- Filters are native and third party blocklists for ads, trackers, malware, phishing, and more. Importantly for my preferences, they support most of HaGeZi’s lists. 

- Services are grouped domains and subdomains that they have compiled so you can enforce a rule to an entire service. For example, if you are an Apple user, Apple’s services tend to work well enough with a VPN, but they do not work with Control D proxies. So, the Apple service allows me to apply a bypass rule to all Apple services so they continue to work. 

- Custom rules are individual domain, subdomain, source country, destination country, or Autonomous System rules that you create. 

- The default rule is the rule that is enforced if there are no filters, services, or custom rules for that response. IMO, the best setting for most people is auto which will spoof the location based on the best traffic route.

 

They support legacy DNS resolvers, DoH, DoH/3, DoT, and DoQ. From my experience, their DoH/3 support is great and does speed things up for my network. 

 

A few functional examples from my setup, though I have a lot more going on than this:

- I use DoH/3 on my mobile devices and DoT on my home network (Asus Merlin limitation). Since I am not using legacy IP addresses, Control D does not log the IP address of my requests. 

- I block requests to/from some countries, particularly ones that are notorious for having a lot of spam/malicious traffic.

- I redirect all traffic from outside of my country to where the destination server is. So, if the DNS answer is a server in Switzerland, Control D will spoof my location to Switzerland for that specific response. 

- I have my block response set to NXDOMAIN because Apple services, especially HomeKit, work better with that block response. 

- I have separate profiles for myself, spouse, and children. For my children, their default rule is set to Block and then I only allow the services that I allow them to use, like enforced safe search YouTube.

 

There are a lot more little features like custom TTL, profile lock, enforcing two profiles linearly, etc.

 

A few things that I consider to be negatives about the service:

- Responses are based on anycast and that cannot be changed. NextDNS’s default is anycast but then allows you to pick a specific server if you want to. Control D does not allow you to pick a server. So, if your traffic happens to be routing weirdly, there is nothing you can do. 

- I wish their website had PWA support. If you like to more aggressively block things like I do, I am frequently visiting the site to make config changes. I wish I could do that more easily on mobile with a PWA. 

- When traffic is spoofed to another location, it is still possible for the destination to know your IP if they inspect SNI. I have not encountered a streaming service or any other site that has done this to my knowledge but technically it is possible. Additionally, your ISP will see where you are connecting. Both of these issues will be solved when they support Encrypted Client Hello. This is on their roadmap and I am very excited for this feature. 

- I wish I could be alerted somehow for certain types of blocks like malware and spyware on all my devices. This is also on their roadmap. 

Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16426670
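
Added example (not part of the post above and not Control D code): the block responses listed in that post (0.0.0.0, NXDOMAIN, REFUSED, custom IP) differ on the wire, which matters when auditing a filtering resolver or reading a capture, so this classifier sorts DNS responses into those styles. The responses are constructed and assumed well-formed; the function names, domains and documentation-range addresses are assumptions.

```python
import ipaddress
import struct

RCODES = {3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    labels = name.split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(name, rcode=0, addrs=()):
    """Constructed DNS response to an A query (sample data, not a capture)."""
    flags = 0x8180 | rcode                        # QR=1, RD=1, RA=1 plus RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addrs:
        # Owner name is a compression pointer back to the question (offset 12).
        answers += (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                    + ipaddress.IPv4Address(addr).packed)
    return header + question + answers

def skip_name(msg, pos):
    """Return the offset just past a possibly compressed domain name."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                 # pointer: 2 bytes, name ends
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def classify(msg, custom_block_ips=()):
    """Return (block style or 'answered', list of A-record addresses)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4             # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[pos:pos + 4])))
        pos += rdlen
    if rcode in RCODES:
        # A filter's NXDOMAIN looks the same as a genuinely missing name;
        # only comparison with another resolver can tell them apart.
        return RCODES[rcode], addrs
    if rcode != 0:
        return "rcode %d" % rcode, addrs
    if addrs and all(a == "0.0.0.0" for a in addrs):
        return "0.0.0.0", addrs
    if addrs and all(a in custom_block_ips for a in addrs):
        return "custom IP", addrs
    return "answered", addrs

if __name__ == "__main__":
    print(classify(build_response("ads.example", rcode=3)))
```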

1 hour ago, Skiiwee29 said:

Doubt LMG knew that an employee of the brand was on the forum if I had to guess. That said, I don't think it's a bad thing per se, but if they're here to represent the brand, then the user may want to look into applying for the Industry Affiliate tag to notate. 

Totally agree. Not a bad thing, but should be disclosed.


Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16426746

All in all, an okay DNS service. I use them on some of my personal devices, on others I use a different service. Location Italy.

 

Pros

  • Good selection of third-party block lists and a nicely curated list of blockable services.
  • They listen to their users and improve their service accordingly.
  • Helpful configuration guides.
  • Improved resolution round-trip time in Europe, from 70+ ms to ~30 ms.

Cons:

  • Nice but confusing UI; it has improved but is still bloated and sometimes confusing to navigate.
  • The biggest con, in my opinion, is the lack of PoPs (servers) around the world. I know they always say that geographical location is not always the most important factor, but it can still impact performance, and stability of the network overall.
  • They frequently have outages, whether from DDoS attacks or other causes. It is annoying when DNS is down while working. I've never experienced an outage from other 3rd party DNS services.
Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16427137

7 hours ago, someotherbird said:

All in all, an okay DNS service. I use them on some of my personal devices, on others I use a different service. Location Italy.

 

Pros

  • Good selection of third-party block lists and a nicely curated list of blockable services.
  • They listen to their users and improve their service accordingly.
  • Helpful configuration guides.
  • Improved resolution round-trip time in Europe, from 70+ ms to ~30 ms.

Cons:

  • Nice but confusing UI; it has improved but is still bloated and sometimes confusing to navigate.
  • The biggest con, in my opinion, is the lack of PoPs (servers) around the world. I know they always say that geographical location is not always the most important factor, but it can still impact performance, and stability of the network overall.
  • They frequently have outages, whether from DDoS attacks or other causes. It is annoying when DNS is down while working. I've never experienced an outage from other 3rd party DNS services.

 

To address the cons:

  • New + updated UI is being worked on now, that addresses some of the concerns we've heard. Some people find the UI confusing because it's not exactly like NextDNS (something they switched from). There are reasons for that, and it's something you have to get used to, as UIs cannot be the same because Control D works differently from other DNS services. https://blog.controld.com/control-d-vs-nextdns/
  • What specific POP is missing for you? https://controld.com/network
  • DDOS attacks against the network by unknown parties are quite annoying, and we've spent a LOT of time rebuilding the anti-abuse system, which is in production now and appears to be highly effective. Any outages that resulted from previous attacks were not global, and affected a small portion of users in some geographic regions (mostly Europe, where the attacks always seem to originate). 
Link to comment
https://linustechtips.com/topic/1572067-thoughts-on-controld/#findComment-16427508

This topic is now closed to further replies.
