Why You Should (and Shouldn't) Use Control D

· 8 min read

The following article offers a technical deep dive into Control D, illustrating the many ways you can use it - as well as use cases when you shouldn't - and why.

What is Control D, actually?

Control D is a user configurable DNS service that offers transparent proxies deployed on top of an anycast network, with exit locations in over 69 countries.

When you get started on Control D, we will issue you a set of DNS resolvers that are unique to your account, and can enforce your unique configuration. You can modify and customize your configuration via a simple to use web interface.

Control D supports multiple DNS protocols:

  • Legacy IPv4 (UDP 53)
  • Legacy IPv6 (UDP 53)
  • DNS-Over-HTTPS (TCP 443)
  • DNS-Over-TLS (TCP 853)

The first two protocols offer the best compatibility, and can be used on any Internet connectable device. The latter two offer you the best privacy, as your DNS queries cannot be intercepted or spied upon by your ISP or a snoopy network administrator at your work or school.  

Once you configure one of the DNS resolvers on your device (router, computer, browser, phone) your DNS queries will be steered to the Control D network. By default, if no settings are changed, Control D will behave like a standard DNS resolver, no different than Cloudflare, Google, or your local ISP. Once you start fiddling with the knobs, however, you can do all kinds of neat things:

  • Block a category of sites (ads, or porn for example)
  • Block malicious domains and non-malicious domains that point to malicious IPs
  • Block a specific service (Facebook, or Minecraft)
  • Block a specific TLD, FQDN, subdomain, or a wildcard entry (i.e. server-*.domain.com)
  • Redirect a specific service through a proxy location (BBC iPlayer through London, for example)
  • Redirect a specific TLD, FQDN, subdomain, or wildcard entry through a proxy location
  • Redirect all resolved DNS queries through a specific proxy location (there are over 100 cities to choose from)
  • Spoof a service, TLD, FQDN, subdomain, or all DNS queries to a specific IP address of your choice (think a wildcard-supporting host file)
  • Override blocks enforced by category filters, or services
  • Schedule any of the above behavior to kick in at a certain time of day
  • A whole bunch more
TL;DR: Control D allows you to selectively disregard the authoritative DNS records associated with any domain you attempt to resolve (regardless of it actually existing in public DNS), and replace the answers with This will prevent the domain from loading by spoofing (redirecting) it to an IP of your choice, or to one of over 100 exit locations supported by Control D. Then, Control D will transparently proxy SNI (and some non-SNI) enabled traffic through servers in that location/country. You can also block, spoof, and redirect ALL of your DNS queries by using the "Default Rule".

Bad Use Cases

Before we jump into why you should use Control D, let's spend a moment talking about when you shouldn't use it.

Life Critical Anonymity

If you live in a country where freedom of speech is non-existent, or you are a whistleblower, dissident or a political activist, you should not use Control D to stay safe online. Despite Control D encrypting your DNS queries, even if you are using the proxy capabilities to spoof your location, the Server Name Indication (SNI) TLS extension is still transmitted in plaintext. This means that on adversarial networks where this information is captured and filtered, Control D will not provide you any security benefits. It will not be able to unblock restricted sites, and your browsing history could still be captured by the network administrator.

If this is your particular use case, you are much better off using a trusted, no logging VPN. Do keep in mind that a VPN is not a magical security solution either, despite what you may have heard from your favourite YouTuber. It is simply one line of defence for staying secure online.


Control D will not affect the BitTorrent protocol. Since this is a P2P protocol, which does not rely on DNS, all your torrent activity will be in the clear. Control D offers an optional filter that will block all common torrent indexes and trackers, which will make the use of the BitTorrent protocol difficult on the network where Control D is deployed, but it will not 100% eliminate all torrent activity.

If you wish to apply a layer of privacy to your torrent activities, you should use a VPN.  

Gaming (Improvements)

Many people use VPNs for gaming in order to "improve ping" or mask their IP from trolls. The efficacy of this is debatable, but Control D is unlikely to help here. In fact, there is a good chance that if you redirect all your traffic to our proxies, it will break some games entirely. We recommend disabling Control D functionality if you experience problems playing your favourite games. You can do this from the Services section of the control panel; simply find your game and create a BYPASS rule.

Good Use Cases

So now that we got that out of the way, what CAN you use Control D for?

Block Ads and Trackers (and many other things)

Yes, you can use a browser extension like uBlock that will do a really good job blocking things in your browser (until January of 2023 anyway). However, this will just block ads in your favorite desktop browser. All tracking (and ad delivery) that happens outside of the browser (OS, installed programs, mobile applications and browsers) will get through. If you setup Control D inside the operating system, or on your router, all DNS queries that any application makes (including the browser) will query your personal resolver, and all your rules apply. This means you can eliminate 99% of all ads and trackers (as well as 11 other categories)  from even loading on your devices. This effectively creates a network/system wide ad block, which is highly effective.

With this in mind, you can block many other categories, including:

  • Malware distributing, typosquatting and phishing domains
  • Adult content (handy on networks with kids)
  • Social networks (stop wasting time looking at your "feed")
  • IoT telemetry (prevent your fridge from talking to servers in China)
  • Gambling, Drugs, Dating sites (keep your vices in check)
  • A whole bunch more

Eliminate Your Pi-Hole

Pi-Hole is great, but there are downsides:

  • Pi-Hole only works on your home network – Control  D works on all networks, including cellular.
  • You have to manage blocklists yourself – Our bespoke filters are built on top of community maintained blocklists, with tens of thousands of false positives removed, based on feedback from 44M Windscribe users. We did all the work for you!
  • Lack of advanced blocking – Pi-Hole only blocks domain names. Control D malware filter also blocks domains that resolve to malicious IPs from threat intelligence feeds.
  • Lack of scheduling or flexibility – With Control D, your rules don't have to be static. They can change day to day, and be different on different devices.  
  • You have to run it yourself – Control D is deployed on top of a global anycast network, and is available everywhere, including cellular networks.

(Selectively) Spoof Your Location

Unlike a VPN, which sends all your activity to a single server in a chosen country, you have a lot more, well, control when you use Control D. Since it operates at the DNS layer, you can create all kinds of rules in your configuration to do all kinds of things. Here is a silly example:

You can instruct Control D to resolve different FQDNs through proxies in different countries, with as little as 3 clicks. When your browser asks to resolve a domain that has a rule, Control D will return a proxy IP instead of the true IP of the destination. It will read the SNI, and forward the end-to-end encrypted request to the site you wanted to load.

From here, we can get more fancy. Instead of creating individual rules, you can create a folder of rules, and assign an action (block, redirect or bypass) to it. Any domain you add to this folder will inherit and apply the chosen folder rule.

Don't want to make your own rules? That's where the Services section comes in. We've created rules for over 400 most common services online, and this list is always growing based on user requests. With a single toggle switch you can apply a chosen rule to a video streaming service, an audio service, a store, tool, social network, or a game.  Each service can be redirected through a unique location (or blocked entirely), so you can appear to be in 69+ countries, all at once.

FYI: Do not sign up if this is your sole use case. This feature is offered on a best effort basis only, and can break at anytime. 

The days of hopping VPN server locations are over, just create your browsing profile that suits your use case, and browse. No need to "connect to a different server" ever again.

Lastly, you can redirect all your activity through the closest Control D Primary Location, if you don't care about the geo-location of your IP. This will have the best performance, and supports IPv6 end to end. Optionally, you can choose a specific exit location (city), which will double hop your traffic from the closest Control D Primary Location, to a Windscribe VPN server in the chosen country. All of this is without having to install a VPN app.

You can use all 3 behaviors in parallel to create some very unique browsing profiles. The rule engine works as follows:

  • Custom rules take precedence over everything
  • Service rules are second in line, and are checked if there are no custom rules that match the DNS query
  • Filters (which block things) are 3rd in-line, and will match a domain if there is no overriding custom rule or Service rule
  • Last in line is the Default Rule, which will, like the name suggests, match queries that aren't affected by any of the above

Parental/Productivity/Impulse Controls

The internet is full of distractions and harmful content. You may choose to block certain types of content at certain times of day (or all the time) so you can get stuff done, or prevent your kids from wasting time when they should be doing their homework.

Control D gives you the tools to block large categories of distractions (social networks and games) so you can concentrate on your school or work. You can also use the same tools to block harmful content like porn, drugs, and malware on your network if you have kids. You can make these rules permanent, or time-based using the Scheduler. Here are some examples:

  • Block social networks and games every Monday to Friday, allow playtime on the weekends during certain hours
  • Block porn, Reddit, and TikTok Monday to Friday 9am to 5pm so you can remain gainfully employed and boost your productivity
  • British TV Fridays: Every Friday your Netflix and Disney+ shows British content
  • Shopping Tuesday Mornings: All popular shopping sites are blocked every day except for 1hr on Tuesday morning. Then you can decide if you REALLY needed those $800 custom sock puppets you found at 3am after a few drinks, and thought were super cool.

Unique Device Configurations

You're not limited to a single set of rules. Each account allows you to have up to 10 unique browsing profiles (configurations), and you can then create up to 10 devices and enforce your configurations using unique per-device DNS resolvers. Your personal laptop and phone can have one profile,  your partner's iPad could use another, and your kids' phones can use the rest. Each physical device can be configured to access or block a unique set of filters, services, and custom rules.


As you can see, there's a lot you can achieve with Control D, and this article really only scratches the surface. We recommend you get yourself a trial account (no payment details required!) and play around with it - we think you will be pleasantly surprised.

It's time to take back control of your Internet experience.