Use Control D
Control D is a customizable anycast DNS service that blocks malicious threats, unwanted content, trackers, and ads. Tailscale uses Control D with DNS over HTTPS (DoH). You can configure Control D as a global nameserver to leverage Control D throughout your tailnet. You cannot use Control D as a split DNS server (also known as a restricted nameserver).
Currently, Tailscale only shares device hostnames with Control D.
Prerequisites
Using Control D with Tailscale requires:
- Tailscale v1.70.0 or later
- A Control D endpoint.
Use Control D as a global nameserver
Use Control D as a global nameserver to route DNS queries from all devices in your tailnet to Control D.
If you configure Control D as a global nameserver, avoid configuring another global nameserver for your tailnet, as this might circumvent privacy and content restrictions enforced by Control D.
To add Control D as a global nameserver:
- Open the DNS page of the admin console.
- Go to Nameservers, then select Add nameserver > Control D.
- Enter the resolver ID for your Control D endpoint.
- Select Save to save Control D endpoint as a global nameserver for your tailnet.
- Select Override local DNS to force devices to use Control D as a global nameserver instead of the locally configured DNS settings.