DNS Intercept Mode
Stop VPN software from fighting with Control D over DNS settings.
The Problem
When you use Control D alongside VPN software (F5 BIG-IP, Cisco AnyConnect, Palo Alto GlobalProtect, Tailscale, etc.), they can fight over DNS settings. Both want to control where your DNS queries go, which causes:
- Intermittent failures — DNS randomly stops working for a few seconds
- Bypassed filtering — Queries sneak through to the VPN's DNS, skipping your Control D profile
- Infinite loops — Control D sets DNS, VPN overwrites it, Control D fixes it, VPN overwrites again...
📘 This happens because both Control D and VPN software modify the same DNS settings on your network adapter. They're fighting over the same parking spot.
The Solution
DNS Intercept Mode works at a deeper level than network adapter settings. Instead of changing where your OS thinks DNS should go, it intercepts DNS traffic directly and redirects it to Control D.
Your VPN can set whatever DNS settings it wants — Control D intercepts the actual packets before they leave your machine.
When to Use This
Enable DNS Intercept Mode if you:
- Use corporate VPN software (F5, Cisco, Palo Alto, Zscaler)
- Run Tailscale, WireGuard, or other overlay networks
- Experience random DNS failures when VPN connects/disconnects
- See gaps in your Control D analytics when VPN is active
- Have endpoint security software that also manages DNS
How to Enable
Add --intercept-mode to your ctrld start command:
```shell
# Recommended: intercepts DNS but preserves VPN internal domain resolution
ctrld start --intercept-mode dns --cd RESOLVER_ID_HERE

# Strict: ALL DNS goes through Control D, no exceptions
ctrld start --intercept-mode hard --cd RESOLVER_ID_HERE
```

Which Mode?
| Mode | Best For |
|---|---|
| --intercept-mode dns | Most users. VPN internal domains (like *.corp.local) still work. Graceful — DNS never breaks, but aggressive VPNs may occasionally bypass briefly. |
| --intercept-mode hard | Maximum control. Every DNS query goes through Control D. Fully prevents any bypass. |
📘 Recommended: Start with --intercept-mode dns. It automatically detects VPN internal domains and routes them correctly while Control D handles everything else.
🚧 Hard mode warning: If your VPN has internal resources (company intranet, internal tools), they won't resolve unless you add them as explicit rules in Control D.
Platform Support
| Platform | Supported | How It Works |
|---|---|---|
| Windows | ✅ | Uses NRPT (Name Resolution Policy Table); hard mode adds Windows Filtering Platform for full enforcement |
| macOS | ✅ | Uses pf (packet filter) to redirect DNS traffic |
| Linux | ❌ | Not currently supported (Linux DNS stacks don't have the same VPN conflicts) |
macOS Requirements
🚧 Important: DNS Intercept Mode on macOS requires secure DNS upstreams (DoH or DoT). If you're using plain DNS upstreams on port 53, the packet filter will intercept ctrld's own queries and create a loop. ctrld will warn you at startup if this is detected.
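As an added illustration of that requirement (example code written for this page, not part of ctrld), the check below classifies a list of upstream endpoints and flags the ones a port-53 packet-filter redirect would capture. The endpoint string formats, the helper names and the sample endpoints are assumptions for the example.

```python
from urllib.parse import urlsplit

# Hypothetical helper (not ctrld's own code): detects the macOS intercept-mode
# loop hazard. Endpoints are assumed to look like scheme://host[:port][/path];
# a bare host or IP (optionally host:port) is treated as plain DNS.

PLAIN_DNS_PORT = 53                      # the port the pf redirect captures
SECURE = {"https": ("doh", 443), "h3": ("doh3", 443),
          "tls": ("dot", 853), "quic": ("doq", 853)}

def classify_upstream(endpoint: str):
    """Return (kind, port). kind is doh/doh3/dot/doq, or legacy for plain DNS."""
    if "://" not in endpoint:
        endpoint = "udp://" + endpoint   # bare "1.1.1.1" or "10.0.0.2:5353"
    parts = urlsplit(endpoint)
    scheme = parts.scheme.lower()
    if scheme in SECURE:
        kind, default_port = SECURE[scheme]
        return kind, parts.port or default_port
    if scheme in ("udp", "tcp"):
        return "legacy", parts.port or PLAIN_DNS_PORT
    raise ValueError(f"unknown upstream scheme: {scheme}")

def intercept_loop_risks(upstreams):
    """Upstreams the packet filter would redirect back to ctrld: plain DNS on
    port 53. Secure upstreams and plain DNS on other ports are not captured."""
    risky = []
    for endpoint in upstreams:
        kind, port = classify_upstream(endpoint)
        if kind == "legacy" and port == PLAIN_DNS_PORT:
            risky.append(endpoint)
    return risky

if __name__ == "__main__":
    # Constructed sample of a mixed upstream list
    sample = ["https://dns.example/dns-query", "quic://dns.example",
              "1.1.1.1", "tcp://10.0.0.2:53", "udp://10.0.0.2:5353"]
    for endpoint in sample:
        print(endpoint, classify_upstream(endpoint))
    print("loop risk:", intercept_loop_risks(sample))
```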
Additional Features
- Captive portal recovery — WiFi login pages (hotels, airports, coffee shops) work automatically in both modes
- No network adapter changes — Your DNS settings stay untouched, eliminating conflicts entirely
What Changes?
| Behavior | Normal Mode | DNS Intercept Mode |
|---|---|---|
| Network adapter DNS | Set to 127.0.0.1 | Not modified |
| VPN DNS conflicts | Possible | Eliminated (hard) / Greatly reduced (dns) |
| Filtering bypass window | Up to 20 seconds | None (hard) / Minimal (dns) |
Troubleshooting
Windows
```powershell
# Verify DNS intercept is active
Get-DnsClientNrptRule

# Test DNS resolution (use Resolve-DnsName, NOT nslookup)
Resolve-DnsName example.com

# If you must use nslookup, specify localhost explicitly
nslookup example.com 127.0.0.1
```

🚧 Important: nslookup bypasses DNS Intercept Mode on Windows because it uses its own DNS implementation. Always use Resolve-DnsName or ping to test. This is a Windows limitation, not a ctrld bug.
macOS
```shell
# Check if intercept rules are active
sudo pfctl -a com.controld.ctrld -sr

# Test DNS is routing through ctrld
dig @127.0.0.1 example.com
```

Known VPN Compatibility
DNS Intercept Mode has been tested with:
- ✅ F5 BIG-IP APM
- ✅ Cisco AnyConnect
- ✅ Palo Alto GlobalProtect
- ✅ Tailscale (including Exit Nodes)
- ✅ Windscribe
- ✅ WireGuard