DNS Services
Introduction
DNS is among the highest-priority services on the network, if not the top one, and on a network built around Active Directory it is already critical. Browsers have been pushing encrypted DNS for a while, allegedly for a good cause (encrypted DNS configured in the browser goes straight past the network's own resolver); this seems to have caught Apple's attention, and Apple's adoption mainstreamed its use, so the work required to maintain DNS on our network became much more complicated than before. In addition, it was decided to host local OpenNIC slave servers that will be made available to the public (they might already be public by the time you read this), and finally a public, filtered DoT resolver for our own devices, which anybody can use if they don't mind its heavy filtering.
What is DNS
DNS, as you might have gathered, is a very important service. It is what allows a computer (or any computerized system) to locate another system by a textual name, since routable computer networks use numeric1) IP addresses only.
Before going further, let's review a few concepts tightly related to DNS.
Addressing computers
Computer networks are addressed using two methods (also called families or stacks): IPv4 and IPv6. IPv4 addresses are exhausted. IPv6 is far from exhausted, but over a decade went by with little interest in adopting it, and when it finally started getting attention the explosion of Docker and Kubernetes (with their poor IPv6 support and heavy use of NAT) appears to have slowed IPv6 adoption once again.2)
HTTP
HTTP, the web protocol, is only one of the services offered over the Internet, but it has consistently had high usage and is the basic service expected on any network, so it is almost always allowed through firewalls. In its later revisions (HTTP/2) it gained the ability to multiplex several requests to a server over a single binary, bidirectional connection with server push. HTTP has features that make it useful beyond serving web pages: headers such as Host, which carries the name of the server being addressed and allows multiple virtual servers per machine, and methods, which indicate the type of request being sent and can be interpreted as commands by a server.
This permitted the creation of web service APIs, e.g. RESTful ones, which loosely means that HTTP can be used as a transport for communication between apps and systems of virtually any kind, with low resource requirements and low risk of being blocked by firewalls.
Using DNS, a server with a limited resource such as a single IP address can respond to multiple namespaces, provided the protocol carries some indication of the intended name independently of routing (HTTP's Host header, for example). DNS also allows changing the location of a server easily, an invaluable feature for set-and-forget devices.
DNS client configuration
DNS is a client-server application. DNS servers can be, and most often are, DNS clients as well. DNS clients are nearly all devices with some IP networking capability, so they need to be configured with one or more DNS servers to which they send their queries. As noted above, hardcoding IP addresses in devices isn't practical, and a DNS server can't be configured by its DNS name either, because there is no way to translate the name of a DNS server into its IP address without a DNS server. This is where DHCP comes in.
Addressing and DHCP
DNS names are, most of the time, memorable names for IP addresses. But at the lower layers of computer networking, devices address each other using MAC addresses, addresses programmed into network interfaces at the factory (though most operating systems let software override them). Unlike IP addresses, MAC addresses can't be routed, so devices need to be on the same local network to communicate using them. This isn't the only obstacle: only so many devices can be put on a local network before it becomes too noisy for communication, and there aren't many applications that support this type of addressing anyway.
DHCP is another important network service. It leases out IP addresses from a given range to new MAC addresses (i.e. devices) that broadcast their presence on a network. In addition to giving a client an IP address, it also provisions it with the range (netmask) the leased IP belongs to, the address of the gateway it needs to contact to reach outside that network, the name of the domain the network is in (if there is one), a time server it can use to set its clock, and the IP addresses of the DNS servers it may use, among other information. Note that a client accepts all of this from whichever DHCP server answers its broadcast, which is why a rogue DHCP server on the local network can silently redirect a client's DNS.
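The information a lease carries, as an added example in Python (this is not VitaNetworks' DHCP server and not code from the page): a small encoder and decoder for the DHCP options that hold the netmask, gateway, domain name, NTP and DNS servers and lease time, applied to a constructed example lease. The option codes are the standard ones from RFC 2132; the addresses, the domain name and the lease length are made up for illustration. The decoder takes option 6 at face value, exactly as a client does.

```python
"""Encode and decode the DHCP options a lease carries (added example).

Not VitaNetworks' DHCP server; the lease values below are constructed.
Option codes are from RFC 2132.
"""
import ipaddress
import struct
from typing import Dict, List, Union

OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK = 1      # the range/netmask the leased IP belongs to
OPT_ROUTER = 3           # default gateway
OPT_DNS_SERVERS = 6      # DNS servers the client may use
OPT_DOMAIN_NAME = 15     # the network's domain, if any
OPT_NTP_SERVERS = 42     # time server(s)
OPT_LEASE_TIME = 51      # lease duration in seconds

ADDRESS_LIST_OPTIONS = {OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS_SERVERS, OPT_NTP_SERVERS}
OptionValue = Union[List[str], str, int, bytes]

# Constructed example lease, as a CPE might hand it out (not real values)
EXAMPLE_LEASE: Dict[int, OptionValue] = {
    OPT_SUBNET_MASK: ["255.255.255.0"],
    OPT_ROUTER: ["192.0.2.1"],
    OPT_DNS_SERVERS: ["192.0.2.1"],      # the CPE points clients at itself
    OPT_DOMAIN_NAME: "intranet.example",
    OPT_NTP_SERVERS: ["192.0.2.1"],
    OPT_LEASE_TIME: 86400,
}


def encode_options(options: Dict[int, OptionValue]) -> bytes:
    """Serialise options as code/length/value triples terminated by END."""
    out = bytearray()
    for code, value in options.items():
        if code in ADDRESS_LIST_OPTIONS:
            if not value:
                raise ValueError(f"option {code} needs at least one address")
            payload = b"".join(ipaddress.IPv4Address(a).packed for a in value)
        elif code == OPT_DOMAIN_NAME:
            payload = value.encode("ascii")
        elif code == OPT_LEASE_TIME:
            payload = struct.pack("!I", value)
        else:
            raise ValueError(f"unsupported option {code}")
        if len(payload) > 255:           # single-option limit; RFC 3396 splits longer ones
            raise ValueError(f"option {code} too long")
        out += bytes((code, len(payload))) + payload
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, OptionValue]:
    """Parse the options field of a DHCP message, validating every length."""
    opts: Dict[int, OptionValue] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:              # single-byte padding, no length
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code} truncated")
        i += 2 + length
        if code in ADDRESS_LIST_OPTIONS:
            if length == 0 or length % 4:
                raise ValueError(f"option {code}: bad address list length {length}")
            opts[code] = [str(ipaddress.IPv4Address(payload[j:j + 4]))
                          for j in range(0, length, 4)]
        elif code == OPT_DOMAIN_NAME:
            opts[code] = payload.decode("ascii")
        elif code == OPT_LEASE_TIME:
            if length != 4:
                raise ValueError("lease time must be 4 bytes")
            opts[code] = struct.unpack("!I", payload)[0]
        else:
            opts[code] = payload         # unknown option: keep raw bytes
    else:
        raise ValueError("missing END option")
    return opts


def decodes_cleanly(blob: bytes) -> bool:
    """True if blob parses without error (used to probe malformed input)."""
    try:
        decode_options(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    wire = encode_options(EXAMPLE_LEASE)
    print(wire.hex())
    print(decode_options(wire))
```

Every length is checked before it is used, because a malformed options field from an untrusted DHCP server is exactly the kind of input an embedded client parser tends to trust blindly.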
DHCP servers are essential in most networks, and are not exclusive to what is normally understood as a computer network: networks not traditionally thought of as computer networks use them too, such as cellular networks, to assign IP addresses to cellular devices, and even satellite networks.
Both DHCP and DNS servers require few resources to run, so they are embedded everywhere, most notably in CPEs (Customer-Premises Equipment, AKA the ISP or Wi-Fi router). This is why a user almost never has to set up IP addresses on each device or configure DNS servers. The CPE usually comes preconfigured and can be configured remotely by the ISP using protocols specifically designed for that purpose (such as TR-069), which also rely on DNS.
DNS filtering
If you didn't already, now you know that DNS is what makes Internet addresses (names) possible, and how devices get their DNS server information without user intervention.
DNS is how you reach any site you want to visit. DNS is also how you reach any site you don't want to visit, for example those that host ads, malware, scams or trackers, or that collect your personal data for various reasons. One way of blocking this unwanted content is with a firewall, sophisticated even by today's standards, that stops the connections to unwanted resources from going through.
But what if you could prevent your device from making those connections in the first place? — that's what DNS filtering does.
Remember we mentioned before that every DNS server can also be a DNS client? This is because DNS is designed as a hierarchy: servers forward requests to other servers and store (cache) the answers for the time-to-live the zone owner sets, so the next hundred requests a device sends, which often happen within a minute or two, don't have to be resolved from the top of the hierarchy again. Most CPEs set themselves as the sole DNS server configured on their clients. This gives every home network with a cheap, underpowered ISP-provided Wi-Fi router its own local DNS cache and dramatically speeds up DNS resolution even on mediocre equipment.
DNS filtering works at one of these midpoints: instead of returning the address of a malicious or undesired host to the client, the server returns an invalid or unroutable address, or falsely responds that the name does not exist (NXDOMAIN). As a consequence the DNS client doesn't waste resources, and therefore energy and battery, trying to contact a server only to have the whole application hang until the request times out because the firewall blocked it, as happens with the other method. DNS filtering is also known as a DNS firewall (the response policy zone, or RPZ, feature of resolvers such as BIND implements exactly this). Note that a device doing its own encrypted DNS, for instance DoH configured in a browser, never reaches this midpoint and so bypasses the filter entirely.
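The filtering decision itself, as an added example in Python (this is not the resolver VitaNetworks runs and not code from the page): it parses a wire-format query, matches the queried name and each of its parent domains against a blocklist, and either tells the caller to forward the query upstream or returns a synthetic NXDOMAIN or sinkhole (0.0.0.0) response. The blocklist, the sample queries and the 60-second sinkhole TTL are assumptions for illustration; the parent-domain match is the same rule list-based blocking in the next section relies on.

```python
"""Minimal DNS filtering on raw wire-format messages (added example).

Not the resolver VitaNetworks runs; the blocklist and queries are constructed.
A real deployment does this inside a recursive resolver (e.g. via RPZ).
"""
import struct
from typing import Optional, Tuple

# Constructed blocklist. A name is blocked if it, or any parent domain of it,
# is listed, so "cdn.ads.example" matches "ads.example".
BLOCKLIST = {"ads.example", "tracker.example.net"}

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NXDOMAIN = 3
SINKHOLE_RDATA = bytes(4)           # 0.0.0.0: unroutable, the connect fails at once
SINKHOLE_TTL = 60                   # assumed; keep short so unblocking takes effect fast


def parse_question(packet: bytes) -> Tuple[int, int, str, int, int, int]:
    """Parse the header and single question of a DNS query.

    Returns (txid, flags, qname, qtype, qclass, end_of_question_offset).
    Rejects responses, multi-question messages, compression pointers and
    truncated names instead of guessing.
    """
    if len(packet) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, i = [], 12
    while True:
        if i >= len(packet):
            raise ValueError("truncated name")
        n = packet[i]
        i += 1
        if n == 0:
            break
        if n > 63:                  # 0xC0.. are compression pointers, 64..191 invalid
            raise ValueError("bad label length")
        if i + n > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[i:i + n].decode("ascii").lower())
        i += n
    if i + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[i:i + 4])
    return txid, flags, ".".join(labels), qtype, qclass, i + 4


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname or any of its parent domains is on the blocklist."""
    parts = qname.lower().rstrip(".").split(".")
    return any(".".join(parts[k:]) in blocklist for k in range(len(parts)))


def filter_query(packet: bytes, mode: str = "nxdomain",
                 blocklist=BLOCKLIST) -> Optional[bytes]:
    """Return a synthetic response for a blocked name, or None to forward upstream."""
    txid, qflags, qname, qtype, qclass, qend = parse_question(packet)
    if not is_blocked(qname, blocklist):
        return None                 # allowed: resolve from cache or upstream as usual
    question = packet[12:qend]
    # QR=1, RD copied from the query, RA=1; RCODE added below where needed
    rflags = 0x8000 | (qflags & 0x0100) | 0x0080
    if mode == "nxdomain":
        header = struct.pack("!6H", txid, rflags | RCODE_NXDOMAIN, 1, 0, 0, 0)
        return header + question
    if mode == "sinkhole" and qtype == QTYPE_A and qclass == QCLASS_IN:
        # one answer RR whose name is a pointer (0xC00C) to the question name
        rr = (b"\xc0\x0c"
              + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, SINKHOLE_TTL, 4)
              + SINKHOLE_RDATA)
        header = struct.pack("!6H", txid, rflags, 1, 1, 0, 0)
        return header + question + rr
    # sinkhole mode for anything but A/IN: NOERROR with an empty answer (NODATA)
    header = struct.pack("!6H", txid, rflags, 1, 0, 0, 0)
    return header + question


def build_query(txid: int, qname: str, qtype: int = QTYPE_A) -> bytes:
    """Build a standard recursive query (constructed test input)."""
    out = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)


if __name__ == "__main__":
    for name in ("cdn.ads.example", "wiki.example"):
        resp = filter_query(build_query(0x1234, name))
        print(name, "BLOCKED (NXDOMAIN)" if resp else "forward upstream")
```

NXDOMAIN is the cheaper answer for the client (nothing to connect to), while a sinkhole address keeps applications that insist on an A record from retrying; either way the response carries the query's transaction ID and echoes the question, which is what the client checks before accepting it.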
What is blocked
DNS filtering can selectively block by category or by targeted domain, using crowd-sourced lists with low false-positive rates. VitaNetworks' intranet DNS is filtered to block advertisements, some phishing and malware, Microsoft's and Apple's update servers (which also blocks security patches, so those devices must be updated by another route), Meta Inc. (Facebook, WhatsApp Messenger, Instagram, etc.), Adobe Inc., which most people think of as a software company but which is a massive marketing and invasive data-collection network, and some others.
What is not blocked
Some things we don't block might make you raise an eyebrow. Adult sites? Yes, they're allowed. Religious sites? Yes, they're allowed. Sites about drugs and paraphernalia? To some extent (use, not manufacture), yes, they're allowed.
This is because we're not trying to be your moral compass. If you're old enough to visit these sites, you should know what's best for you. We're not going to block them to keep minors out either, because we believe it is their parents' or guardians' responsibility not to block them but to educate them to make the right choices for themselves, when the time is appropriate. What we do block is sites known to compromise users' privacy and to use their visitors' private information to find other users whose privacy is then invaded without their knowledge; sites that will damage an individual, be it financial damage such as ransomware or property damage such as viruses or compromise of automation systems; and sites that abuse the user's device or connection in some way, like loading numerous ads into a computer's memory, running scripts that use the user's computing power to mine cryptocurrencies, or automatically loading video ads with disregard for the user's data allowance for a given period.