At the bottom of the DNS resolvers page, under criteria, it says that in order to be featured on the website, a DNS resolver needs to support DNSSEC.
ControlD’s Free DNS doesn’t support or verify DNSSEC records, as was confirmed to me by ControlD’s customer service, redditors on their subreddit and the Barry support bot on their site.
I asked why ControlD passes DNSSEC tests if it’s not supported, and apparently it’s because the resolver forwards whatever DNS records they get to the user without verifying their authenticity. This means if someone does DNS manipulation, users of ControlD might not be protected from it.
I also asked why not support DNSSEC; they answered that it’s because of compatibility reasons and that they think it’s no longer needed due to the DoH and DoT standards (which are actually supposed to protect you from snooping, not DNS manipulation). They also mentioned how they already manipulate DNS records anyway through various blocklists.
Paid users have the option to enable/disable DNSSEC, though I’m not sure if it’s enabled or disabled by default. The bot specifically mentions that if you need/want DNSSEC support, you should subscribe to their paid service.
Their documentation even says “If you use Secure DNS protocols like DNS-over-HTTPS or DNS-over-TLS, DNSSEC provides virtually no value. Your DNS requests cannot be intercepted or spoofed by anyone.”
That’s actually not true because DoH/DoT protects you from snooping on your DNS queries, not from DNS spoofing or manipulation.
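The distinction drawn in the post above, between a resolver that validates DNSSEC and one that only forwards signed records, can be checked from the client side; the sketch below is an added example, not part of the original post or any ControlD tooling. Function names and the sample reply headers are constructed for illustration, and the two names to query (one correctly signed, one deliberately mis-signed) are left to the reader.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """DNS query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(resp):
    """Return (rcode, ad_flag, answer_count) from a raw DNS response."""
    if len(resp) < 12:
        raise ValueError("truncated DNS message")
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    return flags & 0x000F, bool(flags & 0x0020), ancount

def classify(signed_resp, broken_resp):
    """Compare replies for a correctly signed name and a deliberately mis-signed one."""
    _, ad, _ = parse_header(signed_resp)
    bad_rcode, _, bad_answers = parse_header(broken_resp)
    if bad_rcode == 2 and ad:          # SERVFAIL on bogus data, AD set on good data
        return "validating"
    if bad_rcode == 0 and bad_answers > 0:
        return "forwarding-only"       # bogus records handed to the client unchecked
    return "inconclusive"

def ask(resolver_ip, name, timeout=3.0):
    """Send the query over UDP/53 and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return s.recvfrom(4096)[0]

def _hdr(flags, ancount):
    # Constructed sample reply headers, not captured traffic.
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 1)

# (reply for signed name, reply for mis-signed name)
VALIDATOR = (_hdr(0x81A0, 2), _hdr(0x8182, 0))  # AD set; SERVFAIL for the bad name
FORWARDER = (_hdr(0x8180, 2), _hdr(0x8180, 2))  # no AD; bad answer passed along

if __name__ == "__main__":
    print(classify(*VALIDATOR), classify(*FORWARDER))
```

A forwarding-only resolver can still return RRSIG records when the DO bit is set, which is why a test that only looks for signatures in the answer passes; the mis-signed name is what separates the two behaviours.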
ControlD does “support” DNSSEC, so it’s not exactly against the criteria; users on their service have the option to enable it. Or if it’s against the criteria, you have to change it so it doesn’t leave room to confuse more (not just this, some other criteria are also confusing, such as on mobile browsers or search engines; seems like favoritism)
“Control D Free DNS” doesn’t support it, and yet it’s recommended. The suggestion in this post seems to be that we should remove “Control D Free DNS” under “Recommended Providers”, not that “Control D” under “Cloud Based DNS Filtering” should be removed. I do think we should add a warning there though
I think I emailed them or read somewhere that the ControlD Free DNS is using or being checked for DNSSEC on their servers or something like that. I’m currently using DNS over TLS (DOT) using the Free Hagezi DNS Pro resolver which appears to be using DNSSEC using the following tests:
Read my first post. It passes DNSSEC tests because it forwards whatever DNS records it gets, but doesn’t verify if they are valid. Here’s the answer from Barry.
Paid DNS providers are practically free ($20/year), so I don’t really get why anyone would use these free ones, apart from Cloudflare. They’re so much slower, and the biggest benefits are only with the paid options. Maybe I’m missing something, and ControlD doesn’t even let you create an account with a VPN on, plus it’s incredibly slow, at least within the EU. I’d personally steer clear.
It’s quite fast for me, but that’s not the point of this thread. The point is a DNS resolver is recommended despite not fitting the set criteria, and I think we should revise that.
Ahmm. Yeah, $20 a year doesn’t seem like a lot until you count in all your other subscriptions. I’ve seen numbers thrown about between 600 to 1000 a year lost to subscriptions on average. So the cost can really accumulate.
Also, a lot of people live pay check to pay check, and while funding services instead of being the product is a good thing, privacy shouldn’t be something only the wealthy should enjoy.
Not to mention Control D does not seem to have extensive regional pricing, and $20 USD can be a significant portion of someone’s paycheck in some parts of the world.
If ControlD free tier is not up to snuff then just only recommend the paid option, I really don’t see the problem with that.
@user211 and @Superman At that point, I’d definitely trust encrypted Cloudflare more, and you’d blend into a much larger crowd than by using ControlD, which also works incredibly fast pretty much everywhere in the world.
edit. My bad, a typo there. I was trying to say Cloudflare is incredibly quick, which is why I pushed it so hard.
Don’t look at the ping only, look at the response time of the DNS server as well. Ping is just one part of the equation and I’d even say the response time of the DNS server is the more important factor. It tells you how fast the DNS server resolves your queries.
You could have 1ms ping to a DNS server and it could take 100ms to resolve your query. Just because it has 1ms ping, doesn’t mean it’s the fastest.
I’m curious too for an update. This thread explaining the lack of DNSSEC on ControlD’s free DNS servers has me looking deep for an alternative. I like having a good block list like ControlD’s Hagezi Pro list, so I’ve been evaluating my needs, which are tracker protection, malware protection and ad protection, in that order. After emailing back and forth I’ve settled on Mullvad’s free encrypted servers, especially after looking at the block lists they use ( GitHub - mullvad/dns-blocklists: Lists and configuration for our DNS blocking service ). Just received an email today from them confirming DNSSEC. My next choice would be Cloudflare, which don’t have block lists but would be great if you’re using Pi-Hole with good block lists. Anyway, I’ve rambled on enough. Just waiting to see if there’s an update to having ControlD on the list. They’re fantastic but I’m not sure if their free DNS servers not having DNSSEC is worthy.