DoT Implementation Solution

We were recently faced with an interesting corner case implementation issue after an Asuswrt-merlin update. Here's how we fixed it.

It was recently brought to our attention that Control D’s DoT implementation did not work with Asuswrt-merlin 388.x, although it had worked up to version 386.x.

After lots of troubleshooting and subsequent analysis, we identified the problem as a TLS misconfiguration on our side. It had gone unnoticed because most clients do not send ALPN with their DoT requests.

The ALPN extension is used within the TLS handshake to negotiate the application-layer protocol. Starting from 388.x, Merlin began supplying `dot` as the “next protocol” in the `ClientHello` message. Control D servers were not advertising `dot` in their TLS configuration, so the handshake was aborted. This has since been fixed.
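To make the failure mode concrete, here is an added example (not Control D’s or Merlin’s code) that builds a constructed, minimal `ClientHello` carrying the ALPN extension, extracts the names a client offers, shows the server-side selection that comes up empty when `dot` is not advertised, and includes a live check a resolver operator can run against port 853. The function names and the stripped-down ClientHello layout are my own assumptions.

```python
import socket, ssl, struct

ALPN_EXT = 0x0010  # RFC 7301 extension type; "dot" is RFC 7858's ALPN name for DNS-over-TLS

def build_client_hello(alpn_names):
    """Constructed minimal ClientHello record offering the given ALPN names (fixed random, one suite)."""
    names = b"".join(bytes([len(n)]) + n.encode() for n in alpn_names)
    ext = struct.pack("!HHH", ALPN_EXT, len(names) + 2, len(names)) + names
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"            # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"              # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs # TLS record header

def offered_alpn(record):
    """ALPN names a ClientHello record offers; [] if the extension is absent."""
    if record[:1] != b"\x16" or record[5:6] != b"\x01":
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 34                                                 # skip legacy_version + random
    pos += 1 + body[pos]                                     # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher suites
    pos += 1 + body[pos]                                     # compression methods
    if pos >= len(body):
        return []                                            # no extensions block at all
    end, pos = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == ALPN_EXT:
            names, p, out = body[pos + 2:pos + elen], 0, []  # skip the 2-byte list length
            while p < len(names):
                out.append(names[p + 1:p + 1 + names[p]].decode())
                p += 1 + names[p]
            return out
        pos += elen
    return []

def select_alpn(offered, advertised):
    """Server choice; None means no overlap, i.e. a fatal no_application_protocol alert from an ALPN-enforcing server."""
    return next((n for n in advertised if n in offered), None)

def live_dot_alpn(host, port=853):
    """Network check (not run by the test): connect offering only "dot" and return what the
    server confirmed; None or an ssl.SSLError means it is not advertising "dot"."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["dot"])
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()
```

`select_alpn(["dot"], ["h2", "http/1.1"])` reproduces the 388.x failure (no overlap), while a resolver whose advertised list includes `dot` returns `"dot"` and the handshake completes.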

How Do I Set up Control D DoT on Merlin Anyway?

  1. Navigate to the router's admin dashboard. It should be available at router.asus.com.
  2. Go to Advanced Settings > WAN > WAN DNS Setting > DNS Privacy Protocol and set it to “DNS-over-TLS (DoT)”.
  3. Under the DNS-over-TLS server list, enter your DoT resolver hostname in the “TLS Hostname” field, and point the resolver to 76.76.2.22 and 76.76.10.22 if you’re a paid customer, or to 76.76.2.11 and 76.76.10.11 if you are using a free resolver.
  4. Hit Apply and verify that you’re using Control D at https://controld.com/status.