Control D DNS Management

Control D is a DNS filtering and privacy service. This skill enables full API access.

Authentication

Store API token in environment variable or pass directly:
CODEBLOCK0

Get your API token from: https://controld.com/dashboard (Account Settings > API)

Token Types:

• - Read - View-only access to Profiles, Devices, and Analytics
• Write - View and modify data (create/modify/delete)

Security Tip: Restrict tokens by allowed IP addresses for automation hosts.

API Reference

Base URL: https://api.controld.com
Auth: INLINECODE1

Profiles

DNS filtering profiles define blocking rules, filters, and service controls.

CODEBLOCK1

Profile Options

CODEBLOCK2

Devices

Devices are DNS endpoints that use profiles for filtering.

CODEBLOCK3

Device Icons: desktop-windows, desktop-mac, desktop-linux, mobile-ios, mobile-android, browser-chrome, browser-firefox, browser-edge, browser-brave, browser-other, tv-apple, tv-android, tv-firetv, tv-samsung, tv, router-asus, router-ddwrt, router-firewalla, router-freshtomato, router-glinet, router-openwrt, router-opnsense, router-pfsense, router-synology, router-ubiquiti, router-windows, router-linux, INLINECODE29

Device Status: 0=pending, 1=active, 2=soft-disabled, 3=hard-disabled

Filters

Native and external blocking filters for profiles.

CODEBLOCK4

Services

Block, bypass, or redirect specific services (apps/websites).

CODEBLOCK5

Custom Rules

Create custom blocking/bypass rules for specific domains.

CODEBLOCK6

Rule Actions (do): 0=block, 1=bypass, 2=spoof (resolve via proxy), 3=redirect

Default Rule

Set default action for unmatched domains.

CODEBLOCK7

Proxies

List available proxy locations for traffic redirection (spoofing).

CODEBLOCK8

Use proxy PK values with the via parameter when setting service/rule actions to do:2 (spoof).

IP Access Control

Manage known/allowed IPs for devices.

CODEBLOCK9

Analytics

Configure logging and storage settings.

CODEBLOCK10

Account & Network

CODEBLOCK11

Organization Management (Business Accounts)

Organization features require a business account. These endpoints manage multi-user access, sub-organizations, and team deployments.

Note: Contact [[email protected]](mailto:[email protected]) from a work email to request business account access.

Organization capabilities include:

• - Manage large amounts of end user devices or networks
• Quickly onboard hundreds/thousands of devices using RMM
• Grant access to team members with permission levels
• Group Profiles and Endpoints into Sub-Organizations
• Share Profiles between organizations
• Lock resolvers to specific IP addresses

Organizations

The organization endpoints operate on the organization associated with your API token (no org_id in path).

CODEBLOCK12

Modify Organization Parameters (all optional):

• - name (string) — Organization name
• INLINECODE41 (string) — Primary contact email
• INLINECODE42 (integer) — Require 2FA/MFA for members (0=no, 1=yes)
• INLINECODE43 (string) — Storage region PK from INLINECODE44
• INLINECODE45 (integer) — Max number of User Devices
• INLINECODE46 (integer) — Max number of Router Devices
• INLINECODE47 (string) — Physical address
• INLINECODE48 (string) — Website URL
• INLINECODE49 (string) — Contact person name
• INLINECODE50 (string) — Phone number
• INLINECODE51 (string) — Global Profile ID to enforce on all devices

Note: Modifying max_users and max_routers is a billable event.

Members

View organization membership.

CODEBLOCK13

Sub-Organizations

Sub-organizations compartmentalize profiles and endpoints into logical groups:

• - Departments - Internal organizational units
• Physical sites - Office locations, branches
• Customer companies - For MSPs managing multiple clients
• Any logical grouping - Based on your needs

Each sub-org has its own Profiles, Endpoints, and optionally a Global Profile that applies to all its Endpoints.

CODEBLOCK14

Create Sub-Organization Parameters:

Required:

• - name (string) — Organization name
• INLINECODE55 (string) — Primary contact email
• INLINECODE56 (integer) — Require 2FA/MFA (0=no, 1=yes)
• INLINECODE57 (string) — Storage region PK from INLINECODE58
• INLINECODE59 (integer) — Max number of User Devices
• INLINECODE60 (integer) — Max number of Router Devices

Optional:

• - address (string) — Physical address
• INLINECODE62 (string) — Website URL
• INLINECODE63 (string) — Contact person name
• INLINECODE64 (string) — Phone number
• INLINECODE65 (string) — Global Profile ID to enforce on all devices

Provisioning Codes

Mass deploy ctrld daemon to endpoints using RMM tools.

CODEBLOCK15

Device Types: windows, mac, INLINECODE68

Deployment Commands:

# Windows (PowerShell as Admin)
(Invoke-WebRequest -Uri 'https://api.controld.com/dl/rmm' -UseBasicParsing).Content | Set-Content "$env:TEMP\ctrld_install.ps1"; Invoke-Expression "& '$env:TEMP\ctrld_install.ps1' 'CODE'"

# macOS/Linux
sh -c 'sh -c "$(curl -sSL https://api.controld.com/dl/rmm)" -s CODE'

Billing

View billing history, subscriptions, and active products.

CODEBLOCK17

Mobile Config (Apple Devices)

Generate signed Apple DNS profiles (.mobileconfig) for iOS/macOS devices.

CODEBLOCK18

Path Parameter:

• - device_id (required) — Device/Resolver ID

Query Parameters (all optional):

• - exclude_wifi[] (array) — WiFi SSIDs to exclude from using Control D
• INLINECODE71 (array) — Domain names to exclude from using Control D
• INLINECODE72 (string) — Set to 1 to return unsigned profile
• INLINECODE74 (string) — Set to 1 to exclude common captive portal hostnames from WiFi exclusions
• INLINECODE76 (string) — Optional client name

Note: This endpoint returns binary data (not JSON) on success. Errors still return JSON.

Helper Script

Use scripts/controld.sh for common operations:

CODEBLOCK19

Common Workflows

Set Up New Device

1. 1. List profiles: INLINECODE78
2. Create or select profile
3. Create device with profile: INLINECODE79
4. Note the resolver addresses (DoH/DoT/IPv4) from response
5. Configure device DNS to use resolvers

Block Social Media

1. 1. List social media services: INLINECODE80
2. Block each service: INLINECODE81
3. Or create custom rules for specific domains

Enable Ad Blocking

1. 1. List filters: INLINECODE82
2. Enable ad-related filters: INLINECODE83
3. Enable malware filters: INLINECODE84

Redirect Traffic Through Proxy (Geo-Spoofing)

1. 1. List proxies: INLINECODE85
2. Set service to spoof via proxy:

Mass Deploy to Enterprise Endpoints

1. 1. Create provisioning code: INLINECODE86
2. Deploy via RMM using the provided command
3. Monitor endpoint registrations in dashboard

Rate Limiting

API rate limit: ~1200 requests per 5 minutes (4 req/sec average). Exponential backoff on 429 responses.

Notes

• - Organization endpoints require a business account
• Sub-organization members inherit parent org member permissions unless explicitly added
• Global Profile on a sub-org applies to ALL devices in that sub-org
• Analytics data is stored for 1 month (raw logs) or 1 year (stats)
• SSO supported: Okta OIDC and Microsoft EntraID OIDC

API Documentation Sources

• - Conceptual docs: https://docs.controld.com/docs/
• API reference: https://docs.controld.com/reference/get-started (JS-rendered)
• API base URL: https://api.controld.com

Verified endpoints (from API reference, March 2026):

• - Core: /profiles, /devices, /access, /proxies, /services, INLINECODE92
• Organization: /organizations/organization, /organizations/members, /organizations/sub_organizations, /organizations/suborg, /organizations (PUT)
• Billing: /billing/payments, /billing/subscriptions, INLINECODE100
• Mobile Config: INLINECODE101
• Provisioning: INLINECODE102

Organization and billing endpoints require a business account.