It was recently brought to our attention that Control D’s DoT implementation did not work with Asuswrt-merlin 388.x but had worked up till version 386.x.
After lots of troubleshooting and subsequent analysis, we identified the problem as a TLS misconfiguration. This had gone unnoticed due to most clients not using ALPN for DoT requests.
The ALPN extension is used within the TLS handshake to negotiate the Application Layer protocol. Starting from 388.x, Merlin began supplying `dot` as the “next protocol” in the `ClientHello` message - which Control D servers were not advertising in our TLS configuration, so the handshake was aborted. This has since been fixed.
Merlin
Control D
How Do I Set up Control D Dot on Merlin Anyway?
- Navigate to the router's admin dashboard. It should be available at router.asus.com
- Advanced Settings > WAN > WAN DNS Setting > DNS Privacy Protocol > Set to “DNS-over-TLS (DoT)”
- Under the DNS-over-TLS server list, enter your DoT resolver under the “TLS Hostname” section and point the resolver to 76.76.2.22 and 76.76.10.22 if you’re a paid customer and to 76.76.2.11 and 76.76.10.11 if you are using a free resolver.
- Hit apply and verify you’re using Control D over at https://controld.com/status