It was recently brought to our attention that Control D’s DoT implementation did not work with Asuswrt-merlin 388.x but had worked up till version 386.x.
After lots of troubleshooting and subsequent analysis, we identified the problem as a TLS misconfiguration. This had gone unnoticed due to most clients not using ALPN for DoT requests.
The ALPN extension is used within the TLS handshake to negotiate the Application Layer protocol. Starting from 388.x, Merlin began supplying `dot` as the “next protocol” in the `ClientHello` message - which Control D servers were not advertising in our TLS configuration, so the handshake was aborted. This has since been fixed.
How Do I Set up Control D Dot on Merlin Anyway?
- Navigate to the router's admin dashboard. It should be available at router.asus.com
- Advanced Settings > WAN > WAN DNS Setting > DNS Privacy Protocol > Set to “DNS-over-TLS (DoT)”
- Under the DNS-over-TLS server list, enter your DoT resolver under the “TLS Hostname” section and point the resolver to 22.214.171.124 and 126.96.36.199 if you’re a paid customer and to 188.8.131.52 and 184.108.40.206 if you are using a free resolver.
- Hit apply and verify you’re using Control D over at https://controld.com/status