By Cliff Potts, CSO, and Editor-in-Chief of WPS News

Baybay City, Leyte, Philippines — April 14, 2026

Start Simple: What DNS Is Supposed to Do

When a user types a web address, the Domain Name System (DNS) translates that name into a numerical address so the connection can happen. That is its intended role: translation, not judgment (Mockapetris, 1987).

DNS was designed to function as a neutral directory. It does not decide what content is acceptable. It does not evaluate intent. It simply answers the question: “Where is this located?” (Mockapetris, 1987; Cloudflare, n.d.).

That neutrality matters, because DNS happens before anything else. If DNS does not resolve a name, the connection never begins.

Where the Shift Happens

In practice, DNS no longer always behaves as a neutral directory.

Modern DNS services can:

  • Block domains
  • Redirect users
  • Filter categories of content
  • Apply policy decisions at the resolution stage (Cisco, n.d.)

At that point, DNS is no longer just translating. It is deciding.

The system shifts from:

  • “Here is where it is”

to:

  • “Here is what you are allowed to reach”

This is not a technical error. It is a structural change.

The First Gate Problem

Because DNS happens before the connection, control at this layer becomes upstream of everything else.

If a domain does not resolve:

  • The site is effectively invisible
  • The user never reaches it
  • No further safeguards or freedoms apply

That makes DNS the first gate in the system.

Not the loudest gate. Not the most visible.

But the earliest one.

And early control is the most efficient form of control.

The “Safer DNS” Argument

A common response to concerns about DNS is to recommend services such as Cisco/OpenDNS.

These services provide:

  • Malware blocking
  • Content filtering
  • Parental controls
  • Network-wide enforcement (Cisco, n.d.)

All of that is accurate.

All of that is useful in specific contexts.

And none of it addresses the issue being raised here.

What Cisco/OpenDNS Actually Does

Cisco/OpenDNS is a centralized DNS resolver that applies policy decisions at the resolution layer (Cisco, n.d.).

It decides:

  • Which domains resolve
  • Which domains do not
  • How categories of content are handled

This is valuable for:

  • Families managing access for children
  • Schools enforcing acceptable use
  • Enterprises reducing risk exposure

But it operates by introducing control at the DNS layer.

Where It Misses the Point

The issue is not whether DNS can be made safer.

The issue is that DNS has become a point where control can be applied at scale.

Recommending a centralized DNS provider does not solve that problem.

It changes who exercises that control.

(See also: DeNardis, 2014)

This is the core misunderstanding.

The discussion is not about choosing a better tool.

It is about recognizing what the tool has become.

Centralization and Chokepoints

When large numbers of users rely on a small number of DNS providers, resolution becomes concentrated.

That concentration creates a chokepoint.

Not necessarily through overt censorship.

But through the ability to:

  • Shape access
  • Apply policy quietly
  • Influence visibility upstream (DeNardis, 2014; Mueller, 2017)

The risk is not hypothetical.

DNS has already been used globally for:

  • Domain blocking
  • Traffic redirection
  • Policy enforcement at the network level (DeNardis, 2014)

The Structural Difference

There are two different approaches to this problem.

One approach says:

  • Choose a trusted authority to filter DNS
  • Improve safety through centralized control

The other approach says:

  • Reduce the amount of control any single authority has
  • Preserve DNS as neutral infrastructure

These approaches are not compatible.

They solve different problems.

Why This Matters

If DNS remains a layer where a small number of actors can decide how names resolve—or whether they resolve at all—then it remains a structural gate.

It does not need to block loudly.

It does not need to announce itself.

It only needs to sit upstream, quietly determining what resolves and what does not.

That is enough.

The Bottom Line

This discussion is not about whether a DNS service is useful.

Many are.

This discussion is about what DNS becomes when control is concentrated at that layer.

You do not solve that problem by selecting a different controller.

You solve it by recognizing that the layer itself has become a point of control.

And deciding whether that is acceptable.

For more social commentary, please see Occupy 2.5 at https://Occupy25.com

If you read this and it matters, help me keep it going: https://www.patreon.com/cw/WPSNews

References

Cisco. (n.d.). OpenDNS home internet security. https://www.opendns.com/home-internet-security/

Cloudflare. (n.d.). What is DNS?. https://www.cloudflare.com/learning/dns/what-is-dns/

DeNardis, L. (2014). The global war for internet governance. Yale University Press.

Mockapetris, P. (1987). Domain names – Concepts and facilities (RFC 1034). Internet Engineering Task Force. https://doi.org/10.17487/RFC1034

Mueller, M. (2017). Will the internet fragment? Sovereignty, globalization and cyberspace. Polity Press.

Discover more from WPS News

Subscribe to get the latest posts sent to your email.