- Prevent overblocking by utilizing the law of diminishing returns (e.g., using sane, quality blocklists).
- Pass the girlfriend test with few exceptions. These deviations are documented throughout the guide.
Create an account, or take advantage of Control D's free resolvers.
Once you create an account, you will have a Profile. This will either be one of the pre-made profiles with example rules or a blank customizable profile.
💡 Since your Profile already exists when you create a new account, you only need to create your first Device and enforce this Profile to get up and running. This automatically generates the DNS resolvers while keeping things simple — associating one Profile to one Device.
Profiles are divided into Filters, Services, Custom Rules, and Profile Options.
To create a profile, select the big green + button at https://controld.com/dashboard/profiles.
You'll be asked for a Profile Name and given a list of Options. See Profile Options to decide which ones to enable.
Endpoints (formerly Devices) enforce profiles. Every device is assigned to a profile.
To create a device, select the big green + button at https://controld.com/dashboard/devices and add the devices that you use.
When adding a new Device, you must select its type from one of the following categories: desktop or mobile OS, smart TV OS, web browser, or router.
While the device type does not impact the assigned DNS resolvers, it determines the setup guide and automatic configuration steps displayed later. The automated setup is recommended for most beginners.
💡 A few well-chosen filters provide comprehensive protection.
Filters, or blocklists, prevent select websites from resolving. They primarily target ads, trackers, and malicious sites.
All filters are updated every 15-30 minutes.
Control D maintains these filters. Some filters have multiple modes (Relaxed, Balanced, Strict).
These are popular community maintained filters. Hundreds of volunteers contribute to these lists in the open-source community.
While most DNS blocklists aggregate their entries from other sources, they do not include their source's allowlist. They must manually build an allowlist over time. Therefore, when it comes to protecting yourself, adding multiple 3rd party lists does not provide substantial benefits. Rather, it only increases your chances of false positives.
The key is to choose reputable filters that balance breadth with accuracy. Ultimately, false positives can disrupt legitimate traffic, so quality is preferable over quantity when selecting blocklists.
I strongly recommend Hagezi's DNS lists for his:
- sensible allowlist (doesn't overblock = smooth browsing experience)
- quick handling of false positives (within the same day, if not sooner)
- unique entries combined with respected community filters like OISD, Steven Black, and other sources
You can choose other 3rd party lists, but they aren't needed.
I have three builds below, using a combination of both native and 3rd party filters:
- The first build, Basic, allows for seamless browsing while still blocking ads, trackers, and malicious sites.
- The second build, Hardened, increases defenses against trackers and malicious sites.
- A third build, Aggressive, goes further but with a higher chance of false positives.
These are only suggestions. Feel free to mix and match.
| Build | Native | 3rd Party |
|---|---|---|
| Basic | Malware (Relaxed) Phishing |
Hagezi's DNS - Normal Hagezi's DNS - TIF |
| Hardened | Dynamic DNS Malware (Balanced) New Domains (Last Week)1 Phishing |
Hagezi's DNS - Pro Hagezi's DNS - TIF |
| Aggressive | Clickbait Dynamic DNS IoT Telemetry Malware (Strict)2 New Domains (Last Month)1 Phishing |
Hagezi's DNS - Pro Plus Hagezi's DNS - TIF |
1 Blocking newly registered domains (NRDs) may cause false positives occasionally. Be selective when adding NRDs to your allowlist; and, if you do, NEVER give sensitive information to a NRD.
2 Strict mode may be especially prone to false positives. Drop down to Balanced mode if false positives frequently disrupt browsing.
Not all ads can be blocked at the DNS level. You will need an ad blocker to block what's leftover.
This is because not all ads come from third-party domains. Some ads come directly from the site you're visiting, like YouTube. DNS blockers stop the resolution of a domain, and content blockers filter page content.
- Find web browser and ad blocker recommendations to easily install a lightweight ad blocker.
- Want to block more with your ad blocker? Check out my custom filter lists.
Services allows you to customize blocking and allowing sites and apps at a granular level.
To access Services, go to https://controld.com/dashboard/profiles > Edit > Services.
You can use Services to create easy exceptions.
For example, let's say you want to block all social media except Instagram:
- Enable the Social filter on your Profile to block all social media sites (Profile > Edit > Filters > Social).
- Go to Services (Profiles > Edit > Services).
- Open the Social category and toggle Instagram.
- Create a Bypass rule to allow Instagram.
Now you can still access Instagram while blocking other social media services.
Alternatively, you can use Services to block only specific social media sites rather than the whole category.
In this scenario, you only want to block TikTok and Facebook:
- Go to Services (Profiles > Edit > Services).
- Open the Social category and toggle Facebook.
- This will allow you to create a Block rule to block Facebook.
- Repeat 2 and 3 for TikTok.
This way, you can still access all social media companies except Facebook and TikTok.
As you can see, Services help you tailor your blocking to your specific needs, and it's easier than hunting down and copying + pasting URLs to your Custom Rules.
Custom Rules allows you to organize domains into groups.
To access Custom Rules, go to https://controld.com/dashboard/profiles > Edit > Custom Rules.
You can create folders to categorize domains, then apply rules to those domains.
Alternatively, you can assign one rule to an entire folder. That rule will then apply to all domains within that folder.
I advise that you do this when creating two folders, an Allowlist and a Denylist, and then add domains to them as needed.
Domains added to the Allowlist folder will always resolve.
To create an allowlist:
- Under the desired profile, add the folder by clicking the big green
+button. - Select Folder.
- Under Folder Name, type
Allowlist. - Toggle Folder Rule.
- Under Select Rule, select the middle option Bypass.
Domains added to the Denylist folder entries are always blocked.
To create an denylist:
- Under the desired profile, add the folder by clicking the big green
+button. - Select Folder.
- Under Folder Name, type
Denylist. - Toggle Folder Rule.
- Under Select Rule, make sure Block is selected.
📝 Note that Control D disables iCloud Private Relay by default (read more).
Disable
Enable in (Relaxed Mode) for Aggressive profiles.
Disable
Enable for Kids profile.
Disable
Enable for Kids profile.
Enable
DNS Rebind Protection prevents malicious requests from bypassing security measures on your device. For example, if you visit google.com and it resolves to a private IP address like 10.0.0.1, DNS Rebind Protection would block access. This stops attackers from using rebinding techniques to access private networks and endpoints that should not be publicly reachable.
Enable
💡 Control D sits between you and the upstream DNS servers, giving it full control over your DNS records. This reduces the value of DNSSEC's authentication.
DNSSEC is a security protocol that enhances DNS by using digital signatures to verify the authenticity and integrity of DNS data. The protocol cryptographically signs DNS records using public key cryptography, allowing the DNS resolver to verify that the DNS responses they receive are valid and from the authoritative source, rather than being manipulated by attackers.
DNS over HTTPS (DoH) and similar protocols do not eliminate the need for DNSSEC to validate the integrity of DNS data. However, when using a service like Control D that can modify DNS records based on user-defined rules, there is little added benefit to enabling DNSSEC validation.
Control D also states that DNSSEC1 requires a separate DNS resolver and cache, which impacts performance.
1 At this time, DNSSEC validation and EDNS Client Subnet (ECS) are grouped together in this settings.
💡 Increasing the TTL values caches DNS records for longer periods, which minimizes queries and optimizes performance.
Every DNS record has a time-to-live (TTL) value that determines how long devices cache the record before requesting an update from the DNS server. This caching reduces DNS queries and can improve performance.
Below are possible values to use for DNS caching, measured in seconds.
| Value | Duration |
|---|---|
60 |
1 minute |
300 |
5 minutes |
3600 |
1 hour |
28800 |
8 hours |
43200 |
12 hours |
86400 |
24 hours |
Enable
Default value: 10 (10 seconds)
Recommended value: 60 (1 minute)
Block TTL increases the time-to-live for DNS records blocked by Control D. A higher value means fewer DNS lookups for blocked requests, but also a longer delay between unblocking a domain and it becoming accessible.
💡 The less aggressive your Profile is, the more comfortable you may be setting this to a higher value.
Enable
Default value: 20 (20 seconds)
Recommended value: 300 (5 minutes)
A redirect rule spoofs the domain to a proxy location or alternate IP address. Redirect TTL increases the time-to-live for DNS redirected by a Service, Custom Rule, or the Default Rule. A higher value means fewer DNS lookups, but also a longer delay between changing locations and the new location settings taking effect on a Device.
Enable
Default value: 60 (1 minute)
Recommended value: 3600 (1 hour) or 86400 (24 hours)
Bypass TTL increases the time-to-live for DNS records that were not blocked or redirected (i.e. 'normal' requests), and passed to the upstream resolver. A higher value means fewer DNS lookups, but can cause websites to break if set beyond 24 hours.
This is where you can get creative. What you name the profiles doesn't matter much; what matters is the options you will enable with each profile.
For example, you may create two profiles, and then later link devices to one of the two profiles:
- Hardened (for web browsers, computer, smartphone): more nuanced protection with greater risk of false positives.
- Relaxed (for router, smart TV): set-and-forget; low chance of false positives.
Are you managing DNS for just you? Then you may need only one or two profiles. Your family? Then maybe three or four profiles.
If you have kids, you might have:
- Administrator (you the administrator; stronger settings)
- Adults (spouse, grandparents; slightly relaxed settings)
- Kids (with parental controls active)
Or a combination of the two approaches:
- Hardened: heightened security and privacy options, since you're maintaining the DNS and don't mind troubleshooting (for web browsers, computer, smartphone)
- Relaxed: balance of security and privacy options (for smart TV, your spouse's devices)
- Kids: same as Relaxed but with parental controls active
- Basic: legacy resolver, security options, but minimal privacy filters (for router)
You get the idea.
Remember that devices enforce profiles.
You can add as many Devices as you'd like. I have a Device created for each web browser I use, and one for my phone, computer, smart TV, and router.
Let's use the profile names from earlier. You might have:
| Device Name | Enforced Profile |
|---|---|
| Firefox | Hardened |
| Chrome | Hardened |
| iPhone | Hardened |
| Wife's iPhone | Relaxed |
| Wife's Mac | Relaxed |
| Susie's iPad | Kids |
| Living Room TV | Basic |
| Router | Basic |
If desired, Control D allows enforcing two profiles on a single device. Multiple linked profiles allow you to enforce rules from two profiles simultaneously when using a device.
💡 You can read more on advance rule logic in the docs.
Wildcard rules allow you to block a wide spectrum of domains without listing them separately. This format is what Control D uses in their blocklists.
Control D can block subdomains by adding wildcards like *.domain.com to your Denylist. Blocking *.domain.com prevents access to all subdomains of domain.com without blocking the root domain itself.
For instance, adding *.analytics.com to the Denylist stops requests to subdomains like tracking.analytics.com or metrics.analytics.com while still allowing access to the main analytics.com site.
🗺️ To access Custom Rules, go to https://controld.com/dashboard/profiles > Edit > Custom Rules.
Control D allows you to import and export folders from other users under Custom Rules.
To download a folder:
- Click the link.
- On Github, select the
...button in the top-right corner. - Click Download.
- On Control D - Custom Rules, select the
...icon. - Click Upload Folder.
You may want to add a folder to block certain TLDs and IDNs.
Hagezi has compiled folders for you to easily import into Control D, such as:
I created a folder to block IP addresses from certain countries (see Geo Custom Rules). These countries have high rates of cybercrime or state-sponsored spyware activity. This folder excludes or disables rules affecting countries with high server traffic from other nations, such as the Netherlands and Israel.
After importing the folder, review the list and disable certain rules if they affect your region or travel destinations.
Want to share your folder? You can export it by clicking the ... button in a folder and selecting Download Rules.
A redirect rule proxies all domains associated with a Service to a location or IP address you specify.
| Category | Service | Destination |
|---|---|---|
| Finance | Citi | Dallas, US |
| News | The New York Times | New York, US |
| Tools | Bing | Charlotte, US |
⚠️ Technical Limitations
- Websites or apps employing legacy security protocols might not be accessible when attempting to bypass geo-restrictions. The redirect rule requires Server Name Indication (SNI), which is not supported in these older standards. This prevents the bypassing method from functioning as intended.
- Currently, the unencrypted SNI allows ISPs and network admins to see your visited sites when analyzing traffic with Deep Packet Inspection (DPI). Encrypted Client Hello (ECH) is coming but it's not widely used yet.
- Control D is not a VPN; it will not bypass government restrictions.
Control D provides a simple and effective way to use DNS-based traffic redirection for popular services
- To access services, go to https://controld.com/dashboard/profiles > Edit > Services.
- Choose a category.
- Select the third icon (globe).
- Choose a proxy location.
🛠️ This feature is still in beta.
Geo Custom Rules (GCRs) allow you to create custom rules based on the geo-location data of source and destination IPs for DNS queries. These rules allow you to redirect, block, or bypass domains that resolve to IPs in the chosen country.
GCRs start with the formats below, followed by a two-letter ISO country code.
| Symbol | Definition |
|---|---|
@ |
Domains resolve to an IP address in a destination country. |
!@ |
Domains do not resolve to an IP address in a destination country. |
I recommend you put all these rules in their own folder:
- To access Custom Rules, go to https://controld.com/dashboard/profiles > Edit > Custom Rules.
- Under the desired profile, add the folder by clicking the big green
+button. - Select Folder.
- Under Folder Name, type
Geo Custom Rules. - Click Add Folder.
Let's assume you only want to block DNS queries to domains that resolve to servers in countries with known cybersecurity threats like Russia or China.
You would create the following two rules @RU and @CN both with a block rule, to stop anything that resolves to a Russian or Chinese IP.
| Rule | Symbol | Country | Description |
|---|---|---|---|
| Block | @ |
RU |
Block domains that resolve to a Russian IP address. |
| Block | @ |
CN |
Block domains that resolve to a Chinese IP address. |
Result: Web requests that would resolve in those countries are blocked.
💡 I created a folder called Potentially Malicious IPs to block countries with high suspected state-sponsored spyware activity or cybercrime rates. If you live outside the U.S. or travel internationally, you should review the list after importing.
So let's say you're a real glutton for punishment and want to limit your network connections to only the United States and Canada. Control D can understand multiple !@ block rules, if you want to limit your DNS resolutions to a handful of countries.
You would use !@US and !@CA both with a block rule, to prevent any DNS resolutions to domains outside of these countries.
| Rule | Symbol | Country | Description |
|---|---|---|---|
| Block | !@ |
US |
Block domains that don't resolve to a United States IP address. |
| Block | !@ |
CA |
Block domains that don't resolve to a Canadian IP address. |
Result: DNS resolutions are blocked unless the domains resolve to servers located in the United States or Canada.
null geo), then your site navigation will break. In other words, when you say !@US = block, the null geo matches this rule since the IP addresses not explicitly labeled U.S. (i.e. the IP address has a missing country code in the database).
You can use a redirect rule to resolve to IPs in the chosen country.
| Rule | Location Override | Symbol | Country | Description |
|---|---|---|---|---|
| Redirect | Mexico City, MX | @ |
MX |
Redirect domains that resolve to an IP address in Mexico through a Mexican proxy server. |
Result: You're essentially browsing the internet as if you were physically located in Mexico.
In this example, let's assume you live in the United States. You can automatically redirect non-US IP addresses through a proxy.
| Rule | Location Override | Symbol | Country | Description |
|---|---|---|---|---|
| Redirect | New York, US | !@ |
US |
Redirect domains that don't resolve to a United States IP address through a New York proxy server. |
Result: You route any requests originating outside the United States through a proxy server located in New York.
null geo), then Control D will redirect the request to the proxy. In other words, even if a request originates from the U.S., but it is not labeled as such in the dataset, the null geo matches this rule since the IP addresses not explicitly labeled as from the U.S. (i.e. the IP address has a missing country code in the database).
This setup is useful if you have the Default Rule set to redirect (read more) and want to make exceptions, to resolve certain requests without a proxy.
| Rule | Symbol | Country | Description |
|---|---|---|---|
| Bypass | @ |
US |
Domains with a United States IP address are resolved normally. |
Result: All requests are redirected through a proxy via the Default Rule except domains with a United States IP address.
The inverse of this is similar to the chart in Example 4.
📝 You can also make rules for source IPs, not just destination. Read the docs if you're curious.
