PicoBlog

Control D Revisited - jmcglock

I feel like I switch my DNS provider at least once a month. It has been a while since I tried out Control D. The last time out, I had issues with speed and reliability. But hey, let’s give it another spin.

So what is Control D?

Control D is a customizable DNS filtering and traffic redirection platform. It can do all the things your standard DNS resolver can (resolve domains to IP addresses), but it can also do a lot more. Think of it as your personal Authoritative DNS resolver for the entire Internet that gives you granular control over what domains get resolved, redirected or blocked.

~ docs.controld.com

Ok. So it’s very similar to NextDNS, Pi-hole, or AdGuard Home. The feature that stands out is “Traffic Redirection”:

Unlike other DNS filtering platforms, where you have just two choices: allow or block, Control D has a 3rd option, which allows you to redirect any domain name, service or app, entire TLD, or all browsing activity via transparent proxies. There are over 100 exit locations to choose from. This feature masks the end-user IP address from the destination.

~ docs.controld.com

Very cool! So this is essentially a VPN. Well… Not exactly.

Only works for Internet traffic that uses DNS - direct IP connections will go direct. May break protocols that don't support SNI. ECH support is on the horizon, but until then, SNI is cleartext and so your ISP or network administrator can still see what sites you visit if they perform Deep Packet Inspection (DPI) on the network.

~ controld.com/teleport

Ok, well, at least it is half of a VPN. Let’s move on to things that I like about Control D.

There are a lot of innovative features that I like in this product.

Profiles - Profiles are policies, or rather collections of rules and behaviors you want to enforce on a set of physical devices. I created a profile for each of my VLANs.

Safe Search - This feature allows you to enable Safe Search on all search engines that support it. Enabling it will prevent these search engines from showing NSFW content. Search engines that don't support this will be blocked.

Auto Authorize IP - This Device Setting controls whether Control D will auto-learn (and log) all source IPs that interact with a Secure DNS resolver. Perfect for if your IP is dynamic or if you are using Control D on your phone.

Expose IP via DNS - This is a unique feature that allows Control D to function as a Dynamic DNS service when you use a Secure DNS (DNS-over-HTTPS/TLS) supporting Device. In the past I have used NoIP (which worked fine).

Some honorable mentions: blocking individual services and apps, creating custom redirect rules, using private DNS on Android (huge IMHO), blocking internet on a schedule, and easy setup using a one liner.

Having mentioned the easy, one liner install, let’s talk about why I will not be using Control D.

It does not work well with Unifi. 😞

I decided to use Control D across my entire home network.

According to their docs, it should be simple. All I needed to do apparently was to run that easy one liner install command.

I ran the one liner:

sh -c 'sh -c "$(curl -sL https://api.controld.com/dl)" -s RESOLVER_ID_HERE'

Install succeeded! Great!

I was happy with the service for a few days. By my measurements, it was operating as well as, if not a little better than, NextDNS.

Until one day, I decided to spin up a Minecraft server and port forward the default port so my friends could play. When I clicked all the buttons in the Unifi UI to do this, everything appeared to be good. Until I got a weird error:

Ok. I thought, this has to be a Unifi problem. Let’s do some digging on Reddit.

After hours, the only thing that seemed to work for people was to reset the UDM Pro and to restore from a backup.

I reset the UDM Pro (several times because the dang thing would error out every single time I tried to set it up), and restored from a backup. Same errors.

I SSHed into my UDM Pro. Enjoy my terminal history with comments.

     1 03/01/24 00:05:07 sh -c 'sh -c "$(curl -sSL https://api.controld.com/dl)" -s <profile> forced' # I installed Control D
     2 03/01/24 00:26:48 cat /var/log/messages # Reddit told me to look at the logs
     3 03/01/24 00:31:41 cat /tmp/dnsmasq.conf.d-b9fc_86b9_5dfb_9287//zzzctrld.conf # I saw logs complaining about Control D dnsmasq.conf.d file
     4 03/01/24 00:31:47 sudo nano /tmp/dnsmasq.conf.d-b9fc_86b9_5dfb_9287//zzzctrld.conf # I tried to edit the file with nano. 😞 No nano installed.
     5 03/01/24 00:31:56 vim /tmp/dnsmasq.conf.d-b9fc_86b9_5dfb_9287//zzzctrld.conf # The logs were complaining about "Line 6" which did not exist in the file. I pasted the contents of the file into VS Code to see if any weird characters were there. There were not.
     6 03/01/24 11:24:14 sudo reboot # I rebooted the device to see if that would fix the issue. It did not.
     7 09/01/24 20:37:10 cat /var/log/messages
     8 09/01/24 20:39:57 ubnt-systool fwupdate https://fw-download.ubnt.com/data/unifi-dream/1b7c-UDMPRO-3.2.9-7b68270c-15e0-4a06-a020-4b31e5f565a7.bin # I let it sit for a few days with the error. Finally I got mad and I updated the firmware manually to see if that would fix the issue. It did not.
     9 09/01/24 20:43:44 clear
    10 09/01/24 20:44:39 cat /tmp/dnsmasq.conf.d-3285_6ab7_826d_ee6d//zzzctrld.conf
    11 09/01/24 20:44:49 sudo nano /tmp/dnsmasq.conf.d-3285_6ab7_826d_ee6d//zzzctrld.conf
    12 09/01/24 20:44:52 vim /tmp/dnsmasq.conf.d-3285_6ab7_826d_ee6d//zzzctrld.conf
    13 09/01/24 20:46:22 sudo ctrld uninstall # I uninstalled Control D.
    14 09/01/24 20:46:31 sh -c 'sh -c "$(curl -sSL https://api.controld.com/dl)" -s <profile> forced' # I reinstalled Control D.
    15 09/01/24 20:46:57 cd /data/controld/ctrld # I went to the Control D directory.
    16 09/01/24 20:46:59 cd /data/controld
    17 09/01/24 20:47:00 ls
    18 09/01/24 20:47:16 sudo ctrld
    19 09/01/24 20:47:18 ./ctrld
    20 09/01/24 20:47:24 ./ctrld service
    21 09/01/24 20:47:29 ./ctrld service start
    22 09/01/24 20:48:20 ./ctrld uninstall # I uninstalled Control D again.
    23 09/01/24 20:48:31 cd
    24 09/01/24 20:49:08 sh -c "$(curl -sL https://nextdns.io/install)" # I installed NextDNS.
    25 09/01/24 20:49:50 nextdns activate
    26 09/01/24 20:49:54 nextdns restart
    27 09/01/24 20:50:21 sudo reboot # I rebooted the device to see if that would fix the issue. It did not.
    28 09/01/24 20:53:40 sh -c "$(curl -sL https://nextdns.io/install)"
    29 09/01/24 20:54:46 reboot
    30 09/01/24 20:56:34 ping google.com # I tried to ping Google to see if I had internet access.
    31 09/01/24 20:57:27 sh -c "$(curl -sL https://nextdns.io/install)"
    32 09/01/24 20:57:30 sudo su
    33 09/01/24 20:57:33 sh -c "$(curl -sL https://nextdns.io/install)"
    34 09/01/24 20:58:24 sh -c "$(curl -sL https://nextdns.io/install)" # I was unable to install NextDNS since I apparently could not resolve the domain. # I went into the Unifi Dream Machine Pro UI and changed the "Internet" DNS server to 1.1.1.1 instead of "Auto". This fixed the issue.
    35 09/01/24 20:59:03 nextdns activate
    36 09/01/24 20:59:06 nextdns log
    37 09/01/24 20:59:13 nextdns log
    38 09/01/24 20:59:21 nextdns start
    39 09/01/24 20:59:29 nextdns log # After I fixed the DNS issue, I was able to install NextDNS and change the DNS server back to "Auto".

And that is why I won’t be using Control D (at least on my UDM Pro).

The experience above was very frustrating, especially because I wanted to like Control D! It worked great on my Pixel. It worked great on my Macbook Pro. It worked ok on my UDM Pro (besides breaking a lot of functionality).

Overall, it seems like it's a great product. IMHO it still has a little ways to go before I would recommend it.

Cheers,

Joe


Christie Applegate

Update: 2024-12-04