DNS-over-QUIC with ControlD DNS

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1583
Location: Appalachian mountains, USA

PostPosted: Tue Apr 07, 2026 21:27    Post subject: DNS-over-QUIC with ControlD DNS
Heads up that if your router responds like mine to the enquiry
Quote:
# smartdns --is-quic-supported
quic is supported.

you can use Windscribe's free DNS service (details at https://controld.com) to get fast and private DNS-over-QUIC access to a nonlogging DNS provider that provides both malware screening and ad/tracker blocking by changing the server line in your SmartDNS setup (see sticky above) to
Code:
server-quic p2.freedns.controld.com -tls-host-verify p2.freedns.controld.com

and adding a
Code:
server=/p2.freedns.controld.com/76.76.2.11

line to your dnsmasq Additional Options window, assuming you are interfacing to SmartDNS via dnsmasq. They ask people to use the p2.freedns.controld.com name for queries, so they can change where it points if they need to. That requires the dnsmasq line for doing a "bootstrap" lookup. Dnsmasq will cache the result for 10 min at a time (the TTL for that domain in their DNS system), so you won't constantly be doing the extra query.

If you want malware screening without ad blocking (because you are a little crazy), change p2 to p1 in all three places (see https://controld.com/free-dns#quick-setups).

Prior to this experiment, I used server-tls in SmartDNS to access Quad9, but DNS-over-TLS uses TCP so is slower than DNS-over-QUIC, which uses UDP exclusively. I have used Quad9 since its inception, but lately they seem to have a lot of servers offline and just generally be slower than they used to be. So I'm trying this DoQ experiment with Control D. On the Control D site they have a posted white paper (https://controld.com/blog/control-d-vs-quad9/) supposedly showing with tests that they are slightly better than Quad9 re malware blocking. Subjectively this DoQ/ControlD setup is clearly faster than DoT/Quad9.

If you are into such details, note that Control D is using the SNI field so is less private against DPI snooping than some. (I am not an expert here, so re this paragraph, you are warned.) They say they will be moving to ECS (the E is "encrypted") to get away from SNI soon. Meanwhile if you route access to p2.freedns.controld.com via a wireguard VPN using destination PBR as I do, your ISP's DPI will be ineffective.

_________________
62606: 3x Dynalink DL-WRX36, Linksys MX4200v2, 1x MR7350. 61465: 1x MR7350. WPA2personal/WPA3 w/ AES, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), Two SmartDNS/DoT providers and one DNSCrypt provider via VPNs. DNSmasq manages that plus ad blocking and local DNS.
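An added example, not part of the post above and not SmartDNS or dnsmasq code: a small Python checker for the bootstrap dependency the post describes. When a server-tls or server-quic line names its upstream by hostname and dnsmasq forwards everything to SmartDNS, SmartDNS has to resolve that hostname through dnsmasq, which points straight back at SmartDNS; the server=/host/ip line is what breaks that loop. The script parses both config fragments and reports hostname upstreams that lack a bootstrap entry, plus -tls-host-verify values that are missing or do not match the server name. The sample configs are constructed for the demo; doq.example.invalid is a placeholder hostname.

```python
"""Consistency check for a SmartDNS + dnsmasq DoT/DoQ setup (added example).

Reports hostname upstreams with no dnsmasq bootstrap line (resolution loop)
and server-tls/server-quic lines whose -tls-host-verify is absent or does
not match the hostname they connect to. Sample configs are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Only plain, TLS and QUIC upstreams are handled; server-https takes a URL
# and is ignored here to keep the parser small.
SMARTDNS_SERVER_RE = re.compile(r"^\s*(server(?:-tls|-quic)?)\s+(\S+)(.*)$")
# dnsmasq "server=/domain/ip" (an optional "#port" suffix is tolerated)
DNSMASQ_BOOTSTRAP_RE = re.compile(r"^\s*server=/([^/]+)/(\S+)\s*$")

# Constructed sample configs (the Control D lines mirror the post; the
# .invalid host is a placeholder with no bootstrap entry on purpose).
SAMPLE_SMARTDNS = """
server-quic p2.freedns.controld.com -tls-host-verify p2.freedns.controld.com
server-tls 9.9.9.9:853 -host-name dns.quad9.net -tls-host-verify dns.quad9.net
server-quic 149.112.112.112:853
server-tls doq.example.invalid:853 -tls-host-verify dns.example.invalid
"""
SAMPLE_DNSMASQ = """
server=/p2.freedns.controld.com/76.76.2.11
"""


@dataclass
class Upstream:
    kind: str                  # server, server-tls or server-quic
    target: str                # hostname or IP as written, port stripped
    host_verify: Optional[str]  # value of -tls-host-verify, if given


def _strip_port(target: str) -> str:
    """Drop a trailing :port from host:port or [v6]:port forms."""
    if target.startswith("["):
        return target[1:].split("]")[0]
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host
    return target


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_smartdns(text: str) -> List[Upstream]:
    """Extract server/server-tls/server-quic lines from a SmartDNS config."""
    upstreams = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # SmartDNS comments start with '#'
        m = SMARTDNS_SERVER_RE.match(line)
        if not m:
            continue
        kind, target, rest = m.groups()
        opts = rest.split()
        host_verify = None
        if "-tls-host-verify" in opts:
            i = opts.index("-tls-host-verify")
            host_verify = opts[i + 1] if i + 1 < len(opts) else None
        upstreams.append(Upstream(kind, _strip_port(target), host_verify))
    return upstreams


def parse_bootstraps(text: str) -> Dict[str, Set[str]]:
    """Map each bootstrapped domain (lower-cased) to its pinned IPs."""
    boot: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = DNSMASQ_BOOTSTRAP_RE.match(line)
        if m:
            ip = m.group(2).split("#", 1)[0]   # strip dnsmasq's "#port"
            boot.setdefault(m.group(1).lower(), set()).add(ip)
    return boot


def check(smartdns_text: str, dnsmasq_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    boot = parse_bootstraps(dnsmasq_text)
    for u in parse_smartdns(smartdns_text):
        if u.kind == "server":
            continue                            # plain upstream: nothing to verify here
        by_name = not _is_ip(u.target)
        if by_name and not boot.get(u.target.lower()):
            findings.append(
                f"{u.kind} {u.target}: no dnsmasq bootstrap entry; SmartDNS must resolve "
                f"this name via dnsmasq, which forwards back to SmartDNS (resolution loop)")
        if u.host_verify is None:
            findings.append(
                f"{u.kind} {u.target}: no -tls-host-verify, so the certificate name is "
                f"not checked against the expected server name")
        elif by_name and u.host_verify.lower() != u.target.lower():
            findings.append(
                f"{u.kind} {u.target}: -tls-host-verify {u.host_verify} does not match "
                f"the server name")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_SMARTDNS, SAMPLE_DNSMASQ) or ["OK: no findings"]:
        print(finding)
```

Run it against the SmartDNS "Custom configuration" text and the dnsmasq Additional Options text; a clean pair returns no findings. A missing bootstrap shows up only at the next cold start or cache expiry, which is exactly when it is hardest to debug, so checking it statically before a reboot is the point.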
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 7162
Location: UK, London, just across the river..

PostPosted: Wed Apr 08, 2026 5:42    Post subject:
SurprisedItWorks wrote:
Heads up that if your router responds like mine to the inquiry


Thanks for the share... I did try QUIC in the past with 1.1.1.1 ever since it came out from SmartDNS... I can also use HTTP/3 or QUIC on my dnscrypt-proxy v2... No idea if Control D provides free unlimited services... and ECS is not very privacy oriented, maybe you mixed it up with ECH or SNI, but ESNI is fine, and yes there were some issues with Quad9, now resolved, as they were doing some maintenance recently.

By any chance do you use the latest DD-WRT builds with all the SmartDNS upstream updates? As I'm seeing some constant issues/syslog reports with it.

p.s. ControlD p2 is ad and tracking, whereas p1 is malware. Can you have them both as one, or do you have to choose?

_________________
Atheros
TP-Link WR1043NDv2 -DD-WRT 64453 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 -OpenWRT Kong 25.12
Netgear XR500 -DD-WRT 64453 GTW/SmDNS/DoT,AD-Blk,Forced DNS,AP&Net Isolation,x2VLAN,Vanilla
Netgear R7800 --DD-WRT 64453 Gateway/DNSCryptv2,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla,VPN cli
Netgear R9000 --DD-WRT 64453 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Dynalink DL-WRX36-DDWRT 64453
Broadcom
Netgear R7000 --DD-WRT 64453 GTW/DNScrypt-proxy2/AD-Block,IPset Firewall,Forced DNS,x4VLAN,VPN cli
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1583
Location: Appalachian mountains, USA

PostPosted: Wed Apr 08, 2026 19:16    Post subject:
Hi Alozaros... They title p2 "ads/tracking" but the fine print clarifies that malware blocking is included in that one.

AFAIK, use is unlimited.

You're likely right that I got the wrong E** abbrev, as I was going from my unreliable memory there. I went back just now to look at their site for the short paragraph dealing with this SNI thing and was unable to find it again.

One interesting catch that should have been obvious to me but still caught me by surprise is that with Control-D I am doing three or four times as many DNS queries (OK, port 853 packets actually) to the internet as before, because now going to Control-D is needed to stop those ad/tracking sites. Before I was doing that in dnsmasq using lists downloaded overnight, an approach that's really fast and saves "query bandwidth." Maybe I should use my dnsmasq adblocker with Control-D just to gain a bit of speed. Control-D would then be the backup ad blocker!

And no, I'm not yet using the nftables builds. Rather than face checking all my scripts for compatibility, I've just stayed on 62606. I'm about ready to try a new one though. Just waiting for a build thread showing probable compatibility with my three router models. Since most of my routers are maintained remotely, I need high confidence in a build before I'll try it.

_________________
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 7162
Location: UK, London, just across the river..

PostPosted: Wed Apr 08, 2026 20:58    Post subject:
A good replacement for Quad9 with ad/tracking and malware blocking is Mullvad DNS:
Code:
server-tls 194.242.2.4:853 -host-name base.dns.mullvad.net -tls-host-verify base.dns.mullvad.net

There are a few levels of it; on some of my appliances I use this one... Sadly 62606 is missing some vital SmartDNS security patches, and ever since, SmartDNS reports some odd bits and behaves strangely.. For now, on this particular router I use DNScrypt-proxy v2 instead, from the upstream router ahead..
I'll do more SmartDNS testing once I'm back... so far I'm not using it until it's fixed...

SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1583
Location: Appalachian mountains, USA

PostPosted: Thu Apr 09, 2026 15:45    Post subject:
Any comments on the nature of the risk re SmartDNS bugs?

Do you happen to know whether the SmartDNS maintainers are aware of these issues and intending to fix them?

_________________
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 7162
Location: UK, London, just across the river..

PostPosted: Thu Apr 09, 2026 16:17    Post subject:
SurprisedItWorks wrote:
Any comments on the nature of the risk re SmartDNS bugs?

Do you happen to know whether the SmartDNS maintainers are aware of these issues and intending to fix them?


Some of my reports are here... it was passed to the main dev BS, but he thought I broke my SmartDNS with my config, and I can tell you it's not, as he overlooked my post; you can see his statement... Since then I have tested it with reset and default settings too, but it reports the same on those platforms..

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=340879&postdays=0&postorder=asc&start=15

No idea how to interpret this last line, but I tried various DNS providers with the same result:
Code:
Mar 16 08:37:00.218 XR500 user.warn smartdns: Handshake with 9.9.9.9 failed, Connection reset by peer

but somehow DNS works... I guess without encryption...

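An added example, not from the thread and not SmartDNS code: the handshake-failure line quoted above is the kind of event worth alerting on rather than noticing by chance in a log scan, because an encrypted upstream that keeps failing its TLS/QUIC handshake is one the resolver is not actually using securely. This Python snippet scans syslog lines for SmartDNS "Handshake with ... failed" messages and flags upstreams with repeated failures inside a time window, with the failure reasons collected for triage. The sample lines are constructed (the first reproduces the posted one); the year is assumed because syslog timestamps omit it, and the threshold and window are example values.

```python
"""Flag SmartDNS upstreams with repeated TLS/QUIC handshake failures (added example).

Input is plain syslog text; output is a dict keyed by upstream address with
the failure count and the distinct reasons seen. Sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

ASSUMED_YEAR = 2026   # syslog lines carry no year; assumption for this demo

# "Mar 16 08:37:00.218 XR500 user.warn smartdns: Handshake with 9.9.9.9 failed, <reason>"
HANDSHAKE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?) \S+ \S+ "
    r"smartdns: Handshake with (?P<upstream>\S+) failed, (?P<reason>.*)$"
)

# Constructed sample log; the first line mirrors the one posted above.
SAMPLE_LOG = [
    "Mar 16 08:37:00.218 XR500 user.warn smartdns: Handshake with 9.9.9.9 failed, Connection reset by peer",
    "Mar 16 08:37:31.004 XR500 user.warn smartdns: Handshake with 9.9.9.9 failed, Connection reset by peer",
    "Mar 16 08:38:02.410 XR500 user.warn smartdns: Handshake with 9.9.9.9 failed, Connection timed out",
    "Mar 16 08:38:05.000 XR500 user.info smartdns: some unrelated informational line",
    "Mar 16 08:40:12.771 XR500 user.warn smartdns: Handshake with 149.112.112.112 failed, Connection reset by peer",
]


def parse_failures(lines: Iterable[str]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, upstream, reason) for every handshake-failure line."""
    out = []
    for line in lines:
        m = HANDSHAKE_RE.match(line.strip())
        if not m:
            continue
        ts_text = m.group("ts")
        fmt = "%Y %b %d %H:%M:%S.%f" if "." in ts_text else "%Y %b %d %H:%M:%S"
        ts = datetime.strptime(f"{ASSUMED_YEAR} {ts_text}", fmt)
        out.append((ts, m.group("upstream"), m.group("reason")))
    return out


def degraded_upstreams(lines: Iterable[str], threshold: int = 3,
                       window_seconds: int = 300) -> Dict[str, dict]:
    """Upstreams with at least `threshold` failures inside any `window_seconds` span."""
    by_upstream: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, upstream, reason in parse_failures(lines):
        by_upstream[upstream].append((ts, reason))

    flagged = {}
    for upstream, events in by_upstream.items():
        events.sort()
        # Slide a window of `threshold` consecutive failures over the sorted events.
        for i in range(len(events) - threshold + 1):
            first, last = events[i][0], events[i + threshold - 1][0]
            if (last - first).total_seconds() <= window_seconds:
                flagged[upstream] = {
                    "failures": len(events),
                    "reasons": sorted({r for _, r in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for upstream, info in degraded_upstreams(SAMPLE_LOG).items():
        print(f"{upstream}: {info['failures']} handshake failures, reasons={info['reasons']}")
```

Pipe the router's syslog (or a saved copy) into parse_failures line by line; a flagged upstream with "Connection reset by peer" on port 853 points at the far end or something in the path closing the session, which is a different investigation from a timeout.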
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1583
Location: Appalachian mountains, USA

PostPosted: Thu Apr 09, 2026 19:24    Post subject:
Interesting. I've never logged such a handshake failure that I know of. Of course I don't scan logs daily, but I do scan them after a dd-wrt upgrade or any significant SmartDNS config changes, and that's across six routers.

Our SmartDNS configs were not much different. I had two server-tls lines like yours, for 9.9.9.9 and the alternate Quad9 IP as well, and I had the same force-AAAA-SOA line. So the only real difference is your addition of a max-query-limit line.

[Edit: I see I also have a "cache-size 3000" line. IIRC I added it recently after seeing some discussion someone had with BS in the forum, perhaps in a build thread? The discussion and the BS recommendation to add the line may have been specific to some router model and/or dd-wrt build, but I wasn't certain, and I figured it would not hurt.]

_________________
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 7162
Location: UK, London, just across the river..

PostPosted: Thu Apr 09, 2026 21:28    Post subject:
The cache-size 3000 line was introduced later, way after 62606.
Not sure what's broken on the recent builds, but to me it seems to be some memory allocation issue, as the syslog reports say.

itwontbewe
DD-WRT User


Joined: 29 Sep 2020
Posts: 274

PostPosted: Fri Apr 10, 2026 1:13    Post subject:
No DoQ/DoH3 on my Netgear R7000P for some reason, so I can't try it out.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1583
Location: Appalachian mountains, USA

PostPosted: Sat Apr 11, 2026 19:30    Post subject:
Quad9 has added DoQ service (announced 11 days ago): https://quad9.net/news/blog/quad9-enables-dns-over-http-3-and-dns-over-quic/

I am going back to Quad9, supported by my old homebrew adblocker using the OISD list. I prefer Quad9 over ControlD because Quad9 provides two IPs, a primary and an alternate, and ControlD does not. This lets me use two Quad9 servers by routing the two IPs through different wireguard tunnels (destination PBR) that join the internet in different geographical areas. This way, if my primary Quad9 wireguard tunnel goes down or hangs or gets bogged down due to an overloaded VPN server, or indeed if my primary Quad9 server gets squirrelly, my DNS service is not hosed. Department of Redundancy Department!

[Edit: to move your SmartDNS config for Quad9 from DoT to DoQ, just change "server-tls" to "server-quic" and you are all set.]

_________________