My recommendations for the ultimate ControlD Configuration :)
NOTE: This project can be found on both Codeberg, which will act as the main & preferred way to contribute, and GitHub.
Native:
- Ads & Trackers -> ✅ Blocked (Balanced)
- Dynamic DNS -> ✅ Blocked
- IoT Telemetry -> ✅ Blocked
- Malware -> ✅ Blocked (Strict)
- New Domains -> ✅ Blocked (This will cause very rare breakage, but massively improves security)
- Phishing -> ✅ Blocked
If you're fine with a little breakage, I would highly recommend setting Ads & Trackers to **Strict** instead of **Balanced**.
3rd Party:
Here's where it gets fun.
Despite popular opinion, due to the reasons WaLLy3K has listed here, I think it's a good idea to use multiple lists and sources, rather than just limiting yourself to one or two giant lists. I myself constantly notice domains being blocked that were caught by only one or two lists and missed by others. I'm not saying you should go overboard, but I do think it's a good idea to use a variety of high quality lists for the best coverage possible.
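To check the claim above against your own selection, the following added example (not part of the original project) parses blocklists in hosts, adblock (`||domain^`) and plain-domain formats and reports how many domains each list contributes that no other list catches. The list names and contents are constructed samples, not excerpts of the real lists named on this page.

```python
import re
from collections import Counter

# Constructed sample lists (hypothetical names and entries), one per common format.
SAMPLE_LISTS = {
    "list_a_hosts": "# hosts format\n0.0.0.0 ads.example.com\n0.0.0.0 tracker.example.net\n127.0.0.1 localhost\n",
    "list_b_adblock": "! adblock format\n||ads.example.com^\n||telemetry.example.org^\n||tracker.example.net^$third-party\n",
    "list_c_domains": "# plain domains\nads.example.com\nPhish.Example.io\n",
}

# Multi-label hostname whose last label starts with a letter (rejects bare IPs).
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z][a-z0-9-]{1,62}$"
)

def parse_blocklist(text):
    """Return the set of domains in a hosts, adblock (||domain^) or plain list."""
    domains = set()
    for raw in text.splitlines():
        if "##" in raw:  # cosmetic adblock rule, meaningless at the DNS level
            continue
        line = raw.split("#", 1)[0].strip().lower()
        if not line or line.startswith("!"):
            continue
        if line.startswith("||"):
            line = line[2:].split("^", 1)[0]
        else:
            fields = line.split()
            # hosts format is "<ip> <domain>"; plain format is "<domain>"
            line = fields[1] if len(fields) > 1 else fields[0]
        line = line.lstrip("*.").rstrip(".")
        if DOMAIN_RE.match(line):
            domains.add(line)
    return domains

def coverage_report(lists):
    """Per list: total domains, and the domains no other list contains."""
    parsed = {name: parse_blocklist(text) for name, text in lists.items()}
    seen_in = Counter(d for doms in parsed.values() for d in doms)
    return {
        name: {"total": len(doms), "unique": sorted(d for d in doms if seen_in[d] == 1)}
        for name, doms in parsed.items()
    }

if __name__ == "__main__":
    for name, row in coverage_report(SAMPLE_LISTS).items():
        print(f"{name}: {row['total']} domains, {len(row['unique'])} unique: {row['unique']}")
```

A list whose unique count stays near zero against the others adds little coverage; one with many unique entries is the kind of source the paragraph above argues for keeping.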
I would generally recommend using the following lists:
- ⭐️ AdGuard Filter
- ⭐️ Dev Dan's Hosts
- ⭐️ Hagezi's DNS - Pro Plus
- ⭐️ Hagezi's DNS - TIF
- ⭐️ OISD - Full
- ⭐️ StevenBlack Unified
It might seem like a lot, but these are carefully picked high quality lists with strong coverage, and it doesn't really hurt to use multiple like this.
Additionally, if you're fine with a little breakage, I would highly recommend:
- 1Hosts **(Pro)**
- Hagezi's DNS - Ultimate instead of Hagezi's DNS - Pro Plus
You should use this feature to your advantage and block any services that you don't use or care about. This can dramatically improve your privacy by preventing connections to them from even being made. If you use a service, don't block it; just block what you're comfortable with and what works best for you.
I personally block:
- Audio -> Spotify -> Blocked ✅
- Finance -> Blackbaud -> Blocked ✅ - Data broker
- Finance -> Equifax -> Blocked ✅ - Data broker
- Finance -> Experian -> Blocked ✅ - Data broker
- Hosting -> AMP Project -> Blocked ✅ - Fuck AMPs
- Shop -> Rakuten -> Blocked ✅
- Social -> Douyin -> Blocked ✅ - TikTok
- Social -> Facebook -> Blocked ✅
- Social -> Gravatar -> Blocked ✅
- Social -> Instagram -> Blocked ✅ - Facebook
- Social -> LinkedIn -> Blocked ✅
- Social -> Messenger -> Blocked ✅ - Facebook
- Social -> Threads -> Blocked ✅ - Facebook
- Social -> TikTok -> Blocked ✅
- Social -> VK -> Blocked ✅
- Social -> Viber -> Blocked ✅ - Rakuten
- Social -> WeChat -> Blocked ✅
- Social -> WhatsApp -> Blocked ✅ - Facebook
- Tools -> AnyDesk -> Blocked ✅ - Remote access software
- Tools -> Bugsnag -> Blocked ✅ - Tracker
- Tools -> Crashlytics -> Blocked ✅ - Tracker
- Tools -> LogMeIn -> Blocked ✅ - Remote access software
- Tools -> Opera Browser -> Blocked ✅
- Tools -> RemotePC -> Blocked ✅ - Remote access software
- Tools -> Salesforce -> Blocked ✅
- Tools -> Splashtop -> Blocked ✅ - Remote access software
- Tools -> TeamViewer -> Blocked ✅ - Remote access software
- Vendors -> AVG -> Blocked ✅
- Vendors -> Avast -> Blocked ✅
- Vendors -> Avira -> Blocked ✅
- Vendors -> Fortinet -> Blocked ✅ - Used for monitoring
- Vendors -> McAfee -> Blocked ✅
- Vendors -> Norton -> Blocked ✅
- Vendors -> Oculus -> Blocked ✅ - Facebook
- Vendors -> Oracle -> Blocked ✅ - Data broker
- Vendors -> Qihoo 360 -> Blocked ✅
- Vendors -> Ruckus Networks -> Blocked ✅ - Used for monitoring
- Vendors -> SolarWinds -> Blocked ✅ - Used for monitoring
- Vendors -> Symantec -> Blocked ✅ - Used for monitoring
- Video -> Rakuten TV -> Blocked ✅ - Rakuten
I would recommend making a custom rule here to bypass (why is it worded like this????) controld.com, to ensure that we can always access the dashboard, regardless of any rogue filters or other unexpected events.
AI Malware Filter -> ✅ (Balanced Mode)
DNS Rebind Protection -> ✅
Disable DNSSEC -> ❌ (This should be the default, but I've seen some guides recommend enabling this, which is why it's here. DNSSEC is important, please leave it on)
Graph icon -> Some analytics (Having some analytics is important for troubleshooting breakage)
Two-Factor Auth -> ✅
Storage Region -> Sydney, AU
- Use a privacy-respecting browser like Firefox with my Phoenix.
- Make sure to configure ControlD on both your OS and in your browser. This will allow you to take advantage of Encrypted Client Hello.
- Use a content blocking extension like uBlock Origin. (See recommended settings here)
- Enable Safe Browsing in your browser if possible and if it's not done in a privacy-invasive way. (You should use e.g. Google Safe Browsing on "Standard" Mode, Firefox's Safe Browsing, Brave's Safe Browsing, & Safari's Fraudulent Website Warning; you should avoid most other options, e.g. Google Safe Browsing on "Enhanced" Mode, Microsoft SmartScreen, & Opera Sitecheck.)
- Use a (reputable) anti-virus if possible. On Windows, you can use the built-in Microsoft Defender Antivirus; on macOS, you can stick to the built-in XProtect; on Android, you can use Hypatia; and on Linux, you can use ClamAV. NOTE: You should install Hypatia through the DivestOS Official Repo instead of F-Droid's main repo, as it will allow you to receive quicker updates directly from the developer. It's also recommended to use F-Droid Basic as your F-Droid client of choice.