Blocked Query Response (Custom Block Pages)

Customize how Control D responds to blocked queries.

What is this?

When Control D blocks a domain via a Filter, Service, or Custom Rule, by default it returns the following DNS records:

  • A: 0.0.0.0
  • AAAA: ::

This feature allows you to change this behavior and return a different response.

How to Use it

Edit your desired Profile and go to Profile Options.

Toggle this feature ON and choose the desired response type. There are several to choose from:

  • 0.0.0.0 / :: (Default)
  • NXDOMAIN - Return this RCODE
  • REFUSED - Return this RCODE
  • Custom - Choose your own IPs to respond with or use custom block page
  • Branded - Use a branded and customizable block page

Custom Block Page

Here you can input your own IPv4 and IPv6 addresses. When a website is blocked, Control D will spoof to IP addresses you have chosen here. This can be used with a self-hosted block page + your own Root Certificate.

Branded Block Page

❗️

Root Certificate Installation Required

In order for this to work with HTTPS websites, Root Certificate Installation is required. Check the linked document to learn more.

This option allows you to use a Control D hosted block page, which you can optionally customize with:

  • Your own logo
  • Custom block title
  • Custom block message
  • External link title
  • External link URL

By default, with no custom settings, a branded page will look like this.

Now, you can customize it using the 5 fields.

When a website is blocked, it will look something like this.

Unblock Request Button

You can choose whether to show a Request Unblock button on a branded page using the Unblock Reporting dropdown which provides 3 options.

  • None - No button will be shown
  • Default - A Request Unblock button will be shown. Clicking this button will reveal a small form where the end user can request for this page to be unblocked. The account owner or admin will receive this request via email or Slack notification, and an action can be performed.

  • Custom - The External Link Title and External Link URL fields will allow you to customize what the button says and does.

Unblock Request Handling

By default, the organization owner or admin receives unblock requests via email. If you prefer to send these requests to a specific set of email addresses or a Slack channel (via a webhook), you can configure this on the My Org page.

Go to My Org and enable the Unblock Reporting option. Then, add your desired email addresses and/or Slack webhook URL, and click Save. From that point on, all unblock requests will be sent to the specified email list and/or Slack channel.

Unblock request email/Slack priority handling

When an unblock request is submitted, Control D determines who should receive the notification based on two factors:

  • Which Organization owns the endpoint (parent vs. Sub-Organization)
  • Whether custom recipients are configured

The rules are as follows:

Endpoint ownershipCustom recipients definedNotification goes to
Parent OrganizationYesParent Organization custom recipients
Parent OrganizationNoAll parent Organization admins
Sub-OrgYesSub-Organization custom recipients
Sub-OrgNo, but parent has themParent Organization custom recipients
Sub-OrgNo (and parent has none)All Sub-Organization members and all parent Organization members

Hostname Variable

In the External Link URL you can use a variable {domain} which will template your link with the website FQDN that was blocked. For example, if you use: https://reporting-url-example.com?hostname={domain} and access pornhub.com, and it's blocked, the link will become https://reporting-url-example.com?hostname=pornhub.com

🍎

If the physical device in use is an Apple platform, the Shortcuts url scheme can be used as the link on the branded block page.

Using this neat trick, a shortcut can be built to send pertinent information to the “family IT admin” along with something like "I need something unblocked," all in the background.