“Whoever controls the spice DNS, controls the universe” (image credit: OpenAI Dalle2)

The following article will provide a very brief overview of what DNS actually is, and what makes it “authoritative”. Then, I will discuss why you may choose to disregard its authority in some cases in order to have a better browsing experience and gain a bunch of superpowers using a service our team has built over the last 2 years. Strap yourself in.

What is DNS

First things first: what is DNS? DNS (Domain Name System) is a distributed “phone book” that maps (domain) names to IP addresses. When you enter hackernoon.com into your browser, it will query the router on your network for the IP address of hackernoon.com.

Your home router doesn’t perform any DNS resolution and forwards the request upstream to whatever DNS server is configured there. This could be your ISP or a 3rd party resolver like Cloudflare 1.1.1.1 or Google 8.8.8.8.

These resolvers are typically recursive in nature, meaning they reach out to the root DNS servers for the .com zone, and perform a recursive lookup against the authoritative DNS servers for the DNS zone (hackernoon), and then you finally get the IP(s) that hackernoon.com resolves to.

So your DNS query takes the following route (simplified view):

Your Device → Router → DNS Provider → Root Name Server → Authoritative Server → IP Address

Saul Goodman explains this best.

This process is fairly slow and can take ~1s, so typically the response is cached by the DNS provider for some period of time so the next lookup can be served from a cache.

Your browser will also cache the response for the duration of the TTL associated with a particular DNS record, so as not to initiate a DNS query every single time.

The responses that the authoritative DNS server emits are typically static. This means that any user, anywhere, asking any DNS server “where is hackernoon.com” will get the same response:

yegor@Work-Desktop:~$ dig +short hackernoon.com

172.67.69.96

104.26.11.89

104.26.10.89

There are some notable exceptions to this when it comes to CDNs, which will geo-code your source IP, and return variable results based on your location. A user in the UK will see different IPs than a user in the US.

This is done for performance reasons, so people in different countries connect to the nearby CDN location in order to reduce latency. That being said, you’re still bound by what the authoritative DNS server returns (or doesn’t).

The above flow is true for pretty much every single thing that you do online that communicates with a remote server. Every web resource you download, every API call you make, and every Git commit you do resolves a domain to an IP address that the authoritative DNS server returned.

What if you could disregard what the authoritative server tells you? What advantages (superpowers) does that have? Let’s dive in.

What is Control D

Control D, as you probably guessed, is a DNS service. It can do all the things your standard DNS provider can (resolve domains), but it can also do a lot more. Control D is a user-configurable DNS service that offers transparent proxies deployed on top of an anycast network, with exit locations in over 69 countries.

Sure, that all sounds impressive, but what does it ACTUALLY do?

When you get started with Control D, you will get a set of DNS resolvers that are unique to your account and can enforce your unique configuration. Think of it as your personal authoritative DNS server, for the entire Internet.

You can customize your configuration via a simple web interface, as there are no required apps to install to use the service. Control D supports multiple DNS protocols:

• Legacy IPv4/IPv6 - least secure, but most widely supported
• DNS-Over-HTTPS (DoH) - most secure, supported by modern OSes
• DNS-Over-TLS (DoT) - most secure, supported by modern OSes

The first protocol offers the best compatibility and can be used on any Internet connectable device. Legacy DNS is not encrypted, so it can be easily intercepted and manipulated by your ISP, or network administrator. The latter two offer you the best privacy and security, as your DNS queries are encrypted with TLS and cannot be intercepted or manipulated. Think of it as:

• Legacy = HTTP
• DoH/DoT = HTTPS

What’s the difference between DoH and DoT and which one is better? Honestly, just stick with DoH, as it operates on TCP port 443 and is indistinguishable from normal HTTPS traffic. DoT operates on a special port (853) and is easily detectable (and therefore easily blocked).

The advantages of DoT (less overhead and therefore faster resolution time) are debatable, and we have not seen them in practice. Mind you, on some platforms like Android, you have no choice but to use DoT, as DoH is not supported (but will be soon).

Once you configure one of the DNS resolvers on your device (router, computer, browser, phone) your DNS queries will be steered to the Control D network.

By default, if no settings are changed, Control D will behave like a standard DNS resolver, no different than Cloudflare, Google, or your local ISP.

Once you start fiddling with the knobs, you can do all kinds of neat things, by selectively disregarding authoritative DNS records and substituting your own.

• Block a category of sites (ads, or porn for example)
• Block malicious domains and non-malicious domains that point to malicious IPs
• Block a specific service (Facebook, or TikTok)
• Block a specific TLD, FQDN, subdomain, or a wildcard entry (i.e. server-*.domain.com)
• Spoof a service, TLD, FQDN, subdomain, or all DNS queries to a specific IP address of your choice (think a wildcard-supporting hosts file)
• Redirect a specific service through a proxy location (BBC iPlayer through London, for example)
• Redirect a specific TLD, FQDN, subdomain, or wildcard entry through a proxy location (All .ca domains get proxied through Toronto)
• Redirect all resolved DNS queries through a specific proxy location (there are over 100 cities to choose from)
• Override blocks enforced by category filters, or services
• Schedule any of the above behavior to kick in at a certain time of day
• A whole bunch more

TL;DR: Control D allows you to selectively disregard the authoritative DNS records associated with any domain you attempt to resolve (regardless of it actually existing in public DNS), and replace the answers with anything you want.

This can prevent the domain from loading by spoofing it to an IP of your choice (like 127.0.0.1), or to one of over 100 exit locations supported by Control D. Then, Control D will transparently proxy SNI (and some non-SNI) enabled traffic through servers in that location/country.

You can also block, spoof, and redirect ALL of your DNS queries by using the catchall "Default Rule".

Bad Use Cases

You wouldn’t use a hammer to perform dental surgery (hopefully) - every tool has its use case. The same applies here, so before we jump into why you should use a service like Control D, let's spend a moment talking about why you shouldn't.

Life Critical Anonymity

If you live in a country where freedom of speech is non-existent, or you are a whistleblower, dissident or political activist, you should not use Control D to stay safe online.

Despite Control D encrypting your DNS queries, even if you are using the proxy capabilities to spoof your location, the Server Name Indication (SNI)

TLS extension is still transmitted in plaintext. This means that on adversarial networks where this information is captured and filtered, Control D will not provide you any security benefits. It will not be able to unblock restricted sites, and your browsing history could still be captured by the network administrator.

If this is your particular use case, you are much better off using a trusted, no-logging VPN (shameless self-plug as Windscribe is our sister company). Do keep in mind that a VPN is not a magical security solution either, despite what you may have heard from your favorite YouTuber while they react to videos of people describing the taste of meat to vegetarians.

Their scripted “opinions” are worth less than the Zimbabwean dollar. A VPN is just one of the many tools that should be in your toolbelt if you care about these things. I could rant all day about this, but let’s move on.

BitTorrent

Control D will not affect the BitTorrent protocol. Since this is a P2P protocol, which does not rely on DNS, all your torrent activity will be in the clear. Control D offers an optional filter that will block all common torrent indexes and trackers, which will make the use of the BitTorrent protocol difficult on the network where Control D is deployed (and this Filter enabled), but it will not 100% eliminate all torrent activity.

If you wish to apply a layer of privacy to your torrent activities, you should use a VPN.

Gaming (Improvements)

Many people use VPNs for gaming in order to "improve ping" or mask their IP from trolls. The efficacy of this is debatable, but Control D is unlikely to help here. In fact, there is a good chance that if you redirect all your traffic to our proxies, it will break some games entirely.

We recommend disabling Control D functionality if you experience problems playing your favorite games. You can do this from the Services section of the control panel; simply find your game and create a BYPASS rule.

Actual Use Cases

So now that we got that out of the way, what CAN you use Control D for? The following list is not exhaustive but should give you an idea of the flexibility you can achieve.

Block Ads, Trackers, and Malware (and many other things)

Yes, you can use a browser extension like uBlock that will do a really good job blocking things in your browser (until January of 2023 anyway, when we all eat a Google turd sandwich).

However, this will just block ads in your favorite desktop browser. All tracking (and ad delivery) that happens outside of the browser (OS, installed programs, mobile applications, and browsers) will get through.

If you set up Control D inside the operating system, or on your router, all DNS queries that any application makes (including the browser) will query your personal resolver, and all your rules apply.

This means you can eliminate 99% of all ads and trackers (as well as 14 other categories)  from even loading on your devices. This effectively creates a network/system-wide ad block, which is highly effective.

With this in mind, you can block many other categories, including:

• Malware distributing, typosquatting, and phishing domains (if you accidentally click a shady link)
• Adult content (handy on networks with kids)
• Social networks (stop wasting time looking at your "feed")
• IoT telemetry (prevent your fridge from talking to servers in China)
• Gambling, Drugs, Dating sites (keep your vices in check)
• A whole bunch more

Help with Dev Efforts

You’re probably familiar with the host’s file, which allows you to define domain names that may not exist in public DNS. You can also use it to override the DNS responses that are in public DNS to point to your local dev machine or a remote dev server.

With Control D you can have a remote hosts file. This has several advantages:

• You can enforce the same host’s file on all your dev/test devices, including a mobile (or your smart toaster)
• Control D supports wildcards entries, so you can redirect all subdomains with a single rule
• Simulate regional access to your project from over 100 city-level locations

Eliminate Your Pi-Hole

Pi-Hole is a great tool to control your network, deploy custom blocklists, and have visibility on what is being resolved, but there are downsides:

• Pi-Hole only works on your home network – Control  D works on all networks, including cellular.
• You have to manage blocklists yourself – Our bespoke filters are built on top of community-maintained blocklists, with tens of thousands of false positives removed, based on feedback from 45M Windscribe users. We did all the work for you!
• Lack of advanced blocking – Pi-Hole only blocks domain names. Control D malware filter also blocks domains that resolve to malicious IPs from threat intelligence feeds.
• Lack of scheduling or flexibility – With Control D, your rules don't have to be static. They can change day to day, and be different on different devices.
• You have to run it yourself – Control D is deployed on top of a global anycast network, is available everywhere, including cellular networks, and supports Secure DNS protocols out of the box.

(Selectively) Spoof Your Location

Unlike a VPN, which sends all your activity to a single server in a chosen country, you have a lot more, well, control when you use Control D. Since it operates at the DNS layer, you can create all kinds of rules in your configuration to do all kinds of things.

Here is a silly example of 7 different websites seeing you in 7 different places, all at once:

You can instruct Control D to resolve different FQDNs through proxies in different countries, with as little as 3 clicks. When your browser asks to resolve a domain that has a rule, Control D will return a proxy IP instead of the true IP of the destination (disregarding the authoritative answer). It will read the SNI, and forward the end-to-end encrypted request to the site you wanted to load.

From here, we can get fancier. Instead of creating individual rules, you can create a folder of rules, and assign an action (block, redirect, or bypass) to it. Any domain you add to this folder will inherit and apply the chosen folder rule.

Don't want to make your own rules? That's where the Services section comes in. We've created rules for over 200 most common services online, and this list is always growing based on user requests.

With a single toggle switch, you can apply a chosen rule to a video streaming service, an audio service, a store, a tool, a social network, or a game.  Each service can be redirected through a unique location (or blocked entirely), so you can appear to be in 69 countries, all at once.

Lastly, you can redirect all your activity through the closest Control D Primary Location, if you don't care about the geolocation of your IP. This will have the best performance and supports IPv6 end-to-end.

Optionally, you can choose a specific exit location (city), which will double hop your traffic from the closest Control D Primary Location to a Windscribe VPN server in the chosen country. All of this is without having to install a VPN app.

You can use all 3 behaviors in parallel to create some very unique browsing profiles. The rule engine works as follows:

• Custom rules take precedence over everything
• Service rules are second in line, and are checked if there are no custom rules that match the DNS query
• Filters (which block things) are 3rd in-line and will match a domain if there is no overriding custom rule or Service rule
• Last in line is the Default Rule, which will, like the name suggests, match queries that aren't affected by any of the above

Parental/Productivity/Impulse Controls

The internet is full of distractions and outright harmful content. You may choose to block certain types of content at certain times of day (or all the time) so you can get stuff done, or prevent your kids from wasting time when they should be doing their homework.

Control D gives you the tools to block large categories of distractions (social networks and games) so you can concentrate on your school or work. You can also use the same tools to block harmful content like porn, drugs, and malware on your network if you have kids.

You can make these rules permanent, or time-based using the Scheduler. Here are some examples:

• Block social networks and games every Monday to Friday, and allow playtime on the weekends during certain hours
• Block porn, Reddit, and TikTok Monday to Friday 9 am to 5 pm so you can remain gainfully employed and boost your productivity
• British TV Fridays: Every Friday your Netflix and Disney+ shows British content
• Shopping Tuesday Mornings: All popular shopping sites are blocked every day except for 1hr on Tuesday morning. Then you can decide if you REALLY needed those $800 custom sock puppets you found at 3 am after a few drinks, and thought were super cool.

Unique Device Configurations

You're not limited to a single set of rules. Each account allows you to have up to 10 unique browsing profiles (configurations), and you can then create up to 10 devices and enforce your configurations using unique per-device DNS resolvers.

Your personal laptop and phone can have one profile,  your partner's iPad could use another, and your kids' phones can use the rest. Each physical device can be configured to access or block a unique set of filters, services, and custom rules.

Conclusion

As you can see, there's a lot you can achieve with Control D, and this article really only scratches the surface. I recommend you get yourself a trial account (no payment details required!) and play around with it - I think you will be pleasantly surprised. It's time to take back control of your Internet experience.

PS. The service is very much in active development, so if you have an idea or a suggestion, don’t hesitate to send us any and all feedback. We release new stuff weekly.