Yeah, such a shame because I really liked their Free DNS service. I know there’s paid one which would allow me to verify DNSSEC, but honestly, their Free DNS service is more than enough for my needs as I don’t need that advanced level of configuration nor the features that it offers.
I also think ControlD should be more transparent about their services. The only reason I found out about them not verifying DNSSEC records is because Barry told me; all DNSSEC tests showed support. Nowhere else could I find information about the security standards enabled for their Free DNS on their website. There is one article on their blog saying it’s supported, but when I asked Barry again, the bot said the article was written for the paid service, not the free one.
Now… I’d understand if we’re talking about the new, experimental standard that hasn’t been thoroughly tested so ControlD doesn’t want to implement it. But we’re talking about simple, basic security standard that came out in 1997 and is used by pretty much every single popular DNS service today.
Using Mullvad DNS is not an option, as their DNS is unusable for me. Ping towards their servers varies from 30-150ms and even more.
Barry says they don’t do DNSSEC verification at all and that ControlD is made to work like that on purpose. That means users of plain DNS are completely unprotected from DNS manipulation so it’s definitely not recommended to use this on older routers as well as devices that don’t have DoH/DoT support.
The one thing that also caught my eye in that Reddit post is “It’s also not compatible with a DNS resolver that manipulates DNS records”. AdGuard Public DNS, NextDNS and all other DNS servers use the same blocklists and still verify DNSSEC records without any issue.
Barry was confused there; we tweaked his brain to provide the correct answer. DNSSEC is totally supported on free resolvers, which you can verify yourself at any time.
I feel there is a little too much buzzword and number chasing in this thread, by those who don’t understand the real world, or how the Internet works. The comment by @Yo is a perfect example of that, who thinks that 11ms vs 18ms as far as DNS resolution is concerned actually matters. The real numbers, for Europe (which you can see on dnsperf) are 6ms vs 12ms by the way, not that this changes anything.
Why does this not matter? Well, a DNS query is not issued for every request, as there is heavy client side caching of that data, so the 6ms difference is incurred very infrequently. A TLS handshake on the other hand occurs a lot more frequently, and takes a LOT longer, on average. If you think you can tell the difference between 6 and 12ms (or 1 and 50ms) you’re only fooling yourself.
But hey, if this for some reasons matters to you, by all means use Cloudflare, nobody is preventing you from doing so.
I had no idea we have someone from Windscribe/ControlD here to give us more details and clarify some things. I just tested Barry again and it does indeed give correct response now.
Barry gave me a wrong response, and after searching the web and seeing Reddit confirm Barry’s claims, it did make me believe DNSSEC verification was disabled. So it would be right of me to apologize to you and the company. I’m sorry. Though it would be great if you could list DNSSEC support somewhere, to prevent any further confusion.
While you’re here… I have ControlD (non-filtering DNS) set up in Windows. A few days ago, I lost complete internet access on my device, and after changing DNS to Cloudflare, everything works.
The weird thing is Windows Update isn’t working, nor can I access any websites through the web browser, but the network troubleshooter says everything is fine. Once I changed DNS to Cloudflare, everything works normally.
I did change it now again to ControlD and the same happens—internet just stops working entirely on device.
Do you have any suggestion what I could do to see what exactly is causing the problem? I’m not using a VPN and I just entered ControlD IPs and the DoH address in the network adapter settings—that’s it.
When I set ControlD in Firefox with DoH, sites open normally and everything works; just setting it in network adapter setting causes issues.
@yegor - Quick question. On my router, should I enable the DNSSEC support setting? I think I saw somewhere that ControlD says to leave the router setting off, that DNSSEC is automatically on and supported. A little confusing because I would assume the router setting should be enabled to get DNSSEC.
Hmm… When I enter ControlD DoH addresses in the network settings, internet stops working. If I use plain DNS, it works normally. I reset entire network settings, all network adapters and it still isn’t working. I don’t know what to try anymore; it used to work before.
Got an email back from ControlD that answers my question, which I wanted to share with others:
Thanks for contacting Control D support.
You do not need to enable DNSSEC on your router when using Control D free DNS. Control D’s free resolvers already fully support DNSSEC validation on their end, so DNSSEC is automatically enforced upstream.
Enabling DNSSEC on your router won’t add any extra security, and in some cases, it could even lead to resolution issues if the router is doing its own validation and something fails locally.
They do support DNSSEC validation. Test with kdig -d @<dns-server-ip> brokendnssec.net and see SERVFAIL returned. Or kdig -d @<dns-server-ip> +tls brokendnssec.net for DoT and kdig -d @<dns-server-ip> +https brokendnssec.net for DoH.
Do kdig -d @9.9.9.10 brokendnssec.net and see NOERROR returned, a result that bypasses the DNSSEC check, since 9.9.9.10 specifically doesn’t do DNSSEC validation.
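Added example (not from the post above): a small script that interprets the brokendnssec.net test the post describes. It parses the status line that dig or kdig prints, maps SERVFAIL to "validating" and NOERROR to "non-validating", and can run a live query if dig (or kdig, passed as `tool`) is installed; the two sample outputs are constructed, and 9.9.9.10 is the non-validating resolver the post names.

```python
import re
import shutil
import subprocess

# Constructed sample (not real captured output): a validating resolver answers the
# deliberately broken zone with SERVFAIL. Header format matches dig; kdig uses ';'.
VALIDATING_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed sample: a non-validating resolver such as 9.9.9.10 returns NOERROR.
NON_VALIDATING_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")   # same token in dig and kdig output

def rcode(output: str) -> str:
    """Extract the RCODE (SERVFAIL, NOERROR, ...) from dig/kdig header text."""
    m = STATUS_RE.search(output)
    if not m:
        raise ValueError("no dig/kdig header found in output")
    return m.group(1)

def classify(broken_zone_output: str) -> str:
    """Verdict for a query to brokendnssec.net, whose signatures are deliberately invalid.
    SERVFAIL means the resolver validated and refused it; NOERROR means it skipped validation."""
    status = rcode(broken_zone_output)
    if status == "SERVFAIL":
        return "validating"
    if status == "NOERROR":
        return "non-validating"
    return "inconclusive"   # REFUSED, timeouts etc. say nothing about DNSSEC

def run_check(resolver_ip: str, tool: str = "dig") -> str:
    """Query a live resolver when dig/kdig is installed; return 'no-tool' otherwise."""
    if shutil.which(tool) is None:
        return "no-tool"
    try:
        proc = subprocess.run([tool, f"@{resolver_ip}", "brokendnssec.net", "A"],
                              capture_output=True, text=True, timeout=10)
    except subprocess.TimeoutExpired:
        return "inconclusive"
    return classify(proc.stdout)

if __name__ == "__main__":
    print("constructed validating sample    :", classify(VALIDATING_OUTPUT))
    print("constructed non-validating sample:", classify(NON_VALIDATING_OUTPUT))
    print("live check against 9.9.9.10      :", run_check("9.9.9.10"))
```

For the DoT and DoH variants from the post, pass `tool="kdig"` and add `+tls` or `+https` to the argument list; the status parsing is unchanged.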
I wouldn’t call it that. This info wasn’t mentioned in his “brain” so he defaults to what the base LLM knows, which is older info it had at training time. This info changed since then, and requires a manual correction.