diff --git a/daemon/remote.c b/daemon/remote.c
index 67839bbda..a4ac2fea0 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -215,8 +215,13 @@ daemon_remote_create(struct config_file* cfg)
 }
 rc->use_cert = 1;
 } else {
+ struct config_strlist* p;
 rc->ctx = NULL;
 rc->use_cert = 0;
+ for(p = cfg->control_ifs.first; p; p = p->next) {
+ if(p->str && p->str[0] != '/')
+ log_warn("control-interface %s is not using TLS, but plain transfer, because first control-interface in config file is a local socket (starts with a /).", p->str);
+ }
 }
 return rc;
 }
@@ -358,9 +363,9 @@ struct listen_port* daemon_remote_open_ports(struct config_file* cfg)
 {
 struct listen_port* l = NULL;
 log_assert(cfg->remote_control_enable && cfg->control_port);
- if(cfg->control_ifs) {
+ if(cfg->control_ifs.first) {
 struct config_strlist* p;
- for(p = cfg->control_ifs; p; p = p->next) {
+ for(p = cfg->control_ifs.first; p; p = p->next) {
 if(!add_open(p->str, cfg->control_port, &l, 1, cfg)) {
 listening_ports_free(l);
 return NULL;
diff --git a/doc/Changelog b/doc/Changelog
index c003cf799..40d8f2c16 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,8 @@ 14 June 2018: Wouter - #4103: Fix that auth-zone does not insist on SOA record first in file for url downloads. + - Fix that first control-interface determines if TLS is used. Warn + when IP address interfaces are used without TLS. 12 June 2018: Ralph - Don't count CNAME response types received during qname minimisation as
diff --git a/pythonmod/interface.i b/pythonmod/interface.i
index 72e6d99c7..df06d1064 100644
--- a/pythonmod/interface.i
+++ b/pythonmod/interface.i
@@ -883,7 +883,7 @@ struct config_file {
 struct config_strlist* local_zones_nodefault;
 struct config_strlist* local_data;
 int remote_control_enable;
- struct config_strlist* control_ifs;
+ struct config_strlist_head control_ifs;
 int control_port;
 char* server_key_file;
 char* server_cert_file;
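Review bot: In the `else` branch of daemon_remote_create the added loop only logs a warning for a control-interface that does not start with `/`; daemon_remote_open_ports still opens every listed interface, so that address is served with `rc->use_cert = 0`, i.e. in plain text and, as far as this hunk shows, without certificate authentication of the client. Because the control channel can reconfigure the daemon, treating this mix as a configuration error would be the safer default: report it with `log_err(...)` and fail the create, releasing `rc` the way the rest of the function does (the function begins outside the hunk). The condition that selects this branch is also outside the hunk; if the branch can be reached for any reason other than a leading local socket, the message text names the wrong cause. The same first-entry-only decision sits in options_remote_is_address in util/config_file.c, which deserves a comment such as `/* only the first control-interface is inspected; later entries inherit its TLS setting */`.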
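Review bot: `control_ifs` changes here from a `struct config_strlist*` to a by-value `struct config_strlist_head`, and no declaration of that head struct is visible in this hunk. If pythonmod/interface.i does not declare it elsewhere, Python modules will presumably get an opaque object where they previously got a list node with `str` and `next`. Scripts that walk `cfg.control_ifs` need `cfg.control_ifs.first` after this change, which is worth one line in the pythonmod documentation. The struct body continues outside the hunk.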
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 4716469c7..3d97de5d3 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -491,8 +491,8 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
 int fd, useport = 1;
 /* use svr or the first config entry */
 if(!svr) {
- if(cfg->control_ifs) {
- svr = cfg->control_ifs->str;
+ if(cfg->control_ifs.first) {
+ svr = cfg->control_ifs.first->str;
 } else if(cfg->do_ip4) {
 svr = "127.0.0.1";
 } else {
diff --git a/util/config_file.c b/util/config_file.c
index 63d2e740c..0f5bb6217 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -244,7 +244,8 @@ config_create(void)
 cfg->insecure_lan_zones = 0;
 cfg->python_script = NULL;
 cfg->remote_control_enable = 0;
- cfg->control_ifs = NULL;
+ cfg->control_ifs.first = NULL;
+ cfg->control_ifs.last = NULL;
 cfg->control_port = UNBOUND_CONTROL_PORT;
 cfg->minimal_responses = 0;
 cfg->rrset_roundrobin = 0;
@@ -385,6 +386,9 @@ struct config_file* config_create_forlib(void)
 #define S_STRLIST_UNIQ(str, var) if(strcmp(opt, str)==0) \
 { if(cfg_strlist_find(cfg->var, val)) { return 0;} \
 return cfg_strlist_insert(&cfg->var, strdup(val)); }
+/** append string to strlist */
+#define S_STRLIST_APPEND(str, var) if(strcmp(opt, str)==0) \
+ { return cfg_strlist_append(&cfg->var, strdup(val)); }
 int config_set_option(struct config_file* cfg, const char* opt,
 const char* val)
@@ -555,7 +559,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 else S_YNO("unblock-lan-zones:", unblock_lan_zones)
 else S_YNO("insecure-lan-zones:", insecure_lan_zones)
 else S_YNO("control-enable:", remote_control_enable)
- else S_STRLIST("control-interface:", control_ifs)
+ else S_STRLIST_APPEND("control-interface:", control_ifs)
 else S_NUMBER_NONZERO("control-port:", control_port)
 else S_STR("server-key-file:", server_key_file)
 else S_STR("server-cert-file:", server_cert_file)
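Review bot: `S_STRLIST_APPEND` hands the result of `strdup(val)` straight to `cfg_strlist_append` without a NULL check, the same pattern as `S_STRLIST_UNIQ` above it. Whether the callee rejects a NULL item is not visible in this hunk. If it stores one, the first list entry can carry a NULL `str`, which the daemon side guards against (`p->str &&` in remote.c) but `svr = cfg->control_ifs.first->str` in contact_server does not. A comment on the macro stating which of the two is the case would settle it, for example `/** append string to strlist; a failed strdup is rejected by cfg_strlist_append (confirm) */`.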
@@ -941,7 +945,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 else O_YNO(opt, "trust-anchor-signaling", trust_anchor_signaling)
 else O_YNO(opt, "root-key-sentinel", root_key_sentinel)
 else O_LST(opt, "dlv-anchor", dlv_anchor_list)
- else O_LST(opt, "control-interface", control_ifs)
+ else O_LST(opt, "control-interface", control_ifs.first)
 else O_LST(opt, "domain-insecure", domain_insecure)
 else O_UNS(opt, "val-override-date", val_date_override)
 else O_YNO(opt, "minimal-responses", minimal_responses)
@@ -1344,7 +1348,7 @@ config_delete(struct config_file* cfg)
 config_del_strbytelist(cfg->respip_tags);
 config_deltrplstrlist(cfg->acl_tag_actions);
 config_deltrplstrlist(cfg->acl_tag_datas);
- config_delstrlist(cfg->control_ifs);
+ config_delstrlist(cfg->control_ifs.first);
 free(cfg->server_key_file);
 free(cfg->server_cert_file);
 free(cfg->control_key_file);
@@ -2268,8 +2272,8 @@ void errinf_dname(struct module_qstate* qstate, const char* str, uint8_t* dname)
 int options_remote_is_address(struct config_file* cfg)
 {
 if(!cfg->remote_control_enable) return 0;
- if(!cfg->control_ifs) return 1;
- if(!cfg->control_ifs->str) return 1;
- if(cfg->control_ifs->str[0] == 0) return 1;
- return (cfg->control_ifs->str[0] != '/');
+ if(!cfg->control_ifs.first) return 1;
+ if(!cfg->control_ifs.first->str) return 1;
+ if(cfg->control_ifs.first->str[0] == 0) return 1;
+ return (cfg->control_ifs.first->str[0] != '/');
 }
diff --git a/util/config_file.h b/util/config_file.h
index 7766f66cd..0cd0cdd73 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -53,6 +53,14 @@ struct sock_list;
 struct ub_packed_rrset_key;
 struct regional;
+/** List head for strlist processing, used for append operation. */
+struct config_strlist_head {
+ /** first in list of text items */
+ struct config_strlist* first;
+ /** last in list of text items */
+ struct config_strlist* last;
+};
+
 /**
 * The configuration options.
 * Strings are malloced.
@@ -374,7 +382,7 @@ struct config_file {
 /** remote control section. enable toggle. */
 int remote_control_enable;
 /** the interfaces the remote control should listen on */
- struct config_strlist* control_ifs;
+ struct config_strlist_head control_ifs;
 /** port number for the control port */
 int control_port;
 /** private key file for server */
@@ -651,14 +659,6 @@ struct config_strbytelist {
 size_t str2len;
 };
-/** List head for strlist processing, used for append operation. */
-struct config_strlist_head {
- /** first in list of text items */
- struct config_strlist* first;
- /** last in list of text items */
- struct config_strlist* last;
-};
-
 /**
 * Create config file structure. Filled with default values.
 * @return: the new structure or NULL on memory error.
diff --git a/util/configparser.c b/util/configparser.c
index 0b25a3f32..facddca10 100644
--- a/util/configparser.c
+++ b/util/configparser.c
@@ -5072,7 +5072,7 @@ yyreduce: #line 2288 "./util/configparser.y" /* yacc.c:1646 */ { OUTYY(("P(control_interface:%s)\n", (yyvsp[0].str))); - if(!cfg_strlist_insert(&cfg_parser->cfg->control_ifs, (yyvsp[0].str))) + if(!cfg_strlist_append(&cfg_parser->cfg->control_ifs, (yyvsp[0].str))) yyerror("out of memory"); } #line 5079 "util/configparser.c" /* yacc.c:1646 */
diff --git a/util/configparser.y b/util/configparser.y
index 058dfca56..7a5b06899 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -2287,7 +2287,7 @@ rc_control_port: VAR_CONTROL_PORT STRING_ARG
 rc_control_interface: VAR_CONTROL_INTERFACE STRING_ARG
 {
 OUTYY(("P(control_interface:%s)\n", $2));
- if(!cfg_strlist_insert(&cfg_parser->cfg->control_ifs, $2))
+ if(!cfg_strlist_append(&cfg_parser->cfg->control_ifs, $2))
 yyerror("out of memory");
 }
 ;
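Review bot: The member comment on `control_ifs` still describes a plain list of listen addresses, but after this commit the order of the entries is security-relevant, since the first one decides whether the control channel uses TLS. Suggest `/** the interfaces the remote control should listen on; kept in config file order, the first entry decides whether TLS is used for all of them */`. The struct continues outside the hunk.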