DoT Implementation Solution

We were recently faced with an interesting corner case implementation issue after an Asuswrt-merlin update. Here's how we fixed it.

· 2 min read
DoT Implementation Solution

It was recently brought to our attention that Control D’s DoT implementation did not work with Asuswrt-merlin 388.x but had worked up till version 386.x.

After lots of troubleshooting and subsequent analysis, we identified the problem as a TLS misconfiguration. This had gone unnoticed due to most clients not using ALPN for DoT requests.

The ALPN extension is used within the TLS handshake to negotiate the Application Layer protocol. Starting from 388.x, Merlin began supplying `dot` as the “next protocol” in the `ClientHello` message - which Control D servers were not advertising in our TLS configuration, so the handshake was aborted. This has since been fixed.


Control D

How Do I Set up Control D Dot on Merlin Anyway?

  1. Navigate to the router's admin dashboard. It should be available at
  2. Advanced Settings > WAN > WAN DNS Setting > DNS Privacy Protocol > Set to “DNS-over-TLS (DoT)”
  3. Under the DNS-over-TLS server list, enter your DoT resolver under the “TLS Hostname” section and point the resolver to and if you’re a paid customer and to and if you are using a free resolver.
  4. Hit apply and verify you’re using Control D over at