How to Improve WiFi Speed Without Buying New Access Points

How to Improve WiFi Speed Without Buying New Access Points A Purple Technical Briefing — Approximately 10 Minutes --- INTRODUCTION AND CONTEXT (approx. 1 minute) --- Welcome to the Purple Technical Briefing series. I'm your host, and today we're tackling one of the most common conversations I have with IT directors and CTOs at enterprise venues — the WiFi capacity problem. You've got a hotel, a retail estate, a conference centre, or a stadium. Your guests and staff are complaining about slow WiFi. Your first instinct — and frankly, the instinct your infrastructure vendor is banking on — is to buy more access points. New hardware, bigger deployment, bigger invoice. But here's the thing. In the majority of cases I've reviewed, the problem isn't the access points at all. The problem is what's running through them. And that's a software problem, which means it's a software solution. Today I'm going to walk you through exactly how DNS filtering and software-layer optimisation can reclaim thirty percent or more of your existing bandwidth — without touching a single piece of hardware. We'll cover the technical architecture, real-world deployment scenarios, and the business case you can take to your CFO. Let's get into it. --- TECHNICAL DEEP-DIVE (approx. 5 minutes) --- First, let's establish the core problem. When you look at what's actually consuming bandwidth on a typical enterprise guest WiFi network, the breakdown is genuinely surprising to most people. Advertising networks and third-party trackers — the background telemetry that every app on every device is constantly sending — account for somewhere between twenty-five and forty percent of DNS query volume on a typical guest network. These aren't requests your guests are consciously making. They're automatic. Every time someone opens a news app, a social media platform, or a retail app on their phone, that app is firing off dozens of DNS lookups to advertising servers, analytics platforms, and tracking pixels. None of that traffic is delivering value to your guests. All of it is consuming your uplink capacity. On top of that, you've got malware and botnet traffic. Compromised devices — and on a large guest network, you will have compromised devices — are constantly attempting to phone home to command-and-control servers. That traffic is not only wasting bandwidth, it's a compliance and security liability. So before a single byte of legitimate traffic — a video call, a webpage, a payment transaction — even gets to your uplink, you've already burned through a third to a half of your available capacity on noise. Now, DNS filtering operates at the resolution layer. Every internet request starts with a DNS query — a lookup that translates a domain name into an IP address. DNS filtering intercepts that query before it ever reaches your uplink. If the domain resolves to an advertising network, a known malware host, or a policy-restricted category, the query is blocked at the DNS layer. The device gets a null response. No data is transferred. No bandwidth is consumed. This is fundamentally different from a firewall or a proxy. A firewall inspects packets after they've already arrived. A proxy intercepts traffic mid-stream. DNS filtering stops the request before it starts — which is why the bandwidth reclamation is so significant. You're not cleaning up traffic that's already arrived; you're preventing it from being requested in the first place. From an architecture standpoint, deployment is straightforward. You configure your DHCP server to point client devices to your DNS filtering resolver rather than your ISP's default DNS. That's typically a two-line change in your DHCP configuration. The filtering rules are maintained centrally — either in the cloud or on-premise depending on your compliance requirements — and applied uniformly across all connected devices regardless of which access point they're associated with. This is a critical point for multi-site operators. A retail chain with two hundred stores, or a hotel group with fifty properties, can deploy a consistent DNS filtering policy across the entire estate from a single management console. No on-site engineering visits. No per-site configuration. Policy changes propagate in minutes. Now, there's an important technical consideration here that I want to flag for the architects in the room. The emergence of DNS over HTTPS — DoH — creates a challenge for traditional DNS filtering. When a device uses DoH, it encrypts its DNS queries and sends them directly to a specific resolver — typically one operated by a browser vendor — bypassing your network-level DNS entirely. This means your filtering rules are circumvented. The solution is to enforce DoH interception at the network level. This involves identifying DoH traffic — which runs on port 443 to known resolver IP ranges — and either blocking it or redirecting it to your own DoH-capable filtering resolver. This is a more advanced configuration, but it's essential for maintaining filtering efficacy on modern networks where Chrome, Firefox, and iOS are increasingly defaulting to encrypted DNS. Purple has published a detailed guide on the implications of DNS over HTTPS for public WiFi filtering, which I'd recommend reading alongside this briefing. Beyond DNS filtering, there are several complementary software-layer optimisations worth implementing in parallel. Band steering is one of the most impactful. Most modern access points support both 2.4 gigahertz and 5 gigahertz bands. The 5 gigahertz band offers significantly higher throughput but shorter range. Without active band steering, devices will often associate with the 2.4 gigahertz band by default — particularly older devices and IoT hardware — creating congestion on a band that's already crowded with legacy traffic. Enabling band steering in your wireless controller pushes capable devices to 5 gigahertz, freeing up 2.4 gigahertz for devices that genuinely need it. SSID consolidation is another quick win. Every SSID you broadcast consumes airtime through beacon frames — management traffic that every device in range has to process. A venue running eight or ten SSIDs for different departments, contractors, and guest tiers is burning a measurable percentage of airtime on management overhead. Consolidating to three or four SSIDs — guest, staff, IoT, and management — and using VLAN tagging for segmentation rather than separate SSIDs can recover that airtime immediately. QoS — Quality of Service — policy enforcement is the third lever. Without QoS, a single guest streaming 4K video can saturate a radio cell, degrading the experience for every other device on that access point. Implementing per-client rate limiting and traffic prioritisation — elevating VoIP and POS transaction traffic above bulk streaming — ensures that business-critical traffic is protected even under peak load. Finally, channel planning and transmit power optimisation. These are often set-and-forget during initial deployment and never revisited. As the RF environment changes — new buildings, new interference sources, changes in device density — your channel assignments may be creating co-channel interference that significantly degrades throughput. Running a passive RF survey and reoptimising channel assignments is a zero-cost intervention that can yield substantial throughput improvements. --- IMPLEMENTATION RECOMMENDATIONS AND PITFALLS (approx. 2 minutes) --- Let me give you a practical deployment sequence for a mid-size venue — say, a two-hundred-room hotel or a regional retail distribution centre. Start with a baseline measurement. Before you change anything, instrument your network to capture DNS query volume by category, per-client bandwidth consumption, and uplink utilisation by time of day. This gives you the before state for your ROI calculation. Most enterprise WiFi analytics platforms will surface this data natively — Purple's analytics platform, for instance, provides device-level visibility that makes this baseline exercise straightforward. Step two: deploy DNS filtering in monitoring mode. Most enterprise DNS filtering solutions support a passive mode where queries are logged and categorised but not blocked. Run this for forty-eight to seventy-two hours to understand your traffic composition before you enforce any policy. This prevents false positives from disrupting legitimate traffic on day one. Step three: enable blocking in phases. Start with the highest-confidence categories — known malware domains, botnet command-and-control, and advertising networks. These are low-risk blocks with high bandwidth impact. Review the logs daily for the first week to catch any unexpected blocks. Step four: layer in QoS and band steering. Once DNS filtering is stable, implement per-client rate limiting and band steering. Test these changes during off-peak hours and validate that POS terminals, VoIP handsets, and other business-critical devices are performing correctly. Step five: document and measure. After thirty days, pull your bandwidth utilisation metrics and compare against your baseline. In most deployments, you'll see a twenty to forty percent reduction in uplink utilisation. That's your ROI figure. Now, the pitfalls. The most common one I see is over-blocking. If you enable aggressive content filtering categories without reviewing the logs first, you will block legitimate services. Cloud storage, business SaaS applications, and even some payment processing domains can appear in broad category blocks. Always start conservative and expand. The second pitfall is ignoring DoH bypass. If you deploy DNS filtering without addressing DoH, you'll see your filtering efficacy drop over time as more devices default to encrypted DNS. Address this at the network policy level from day one. The third pitfall is failing to segment IoT traffic. IoT devices — smart TVs, building management systems, digital signage — often generate significant DNS traffic to manufacturer telemetry servers. If you're not segmenting IoT onto a separate VLAN with its own filtering policy, you may inadvertently block device functionality when you tighten your filtering rules. --- RAPID-FIRE Q AND A (approx. 1 minute) --- Let me run through the questions I get most often. "Will DNS filtering affect guest experience?" In practice, guests never notice. The domains being blocked are background telemetry, not content they're actively requesting. If anything, their experience improves because there's more bandwidth available for the things they're actually trying to do. "Does this require changes to our access points?" No. DNS filtering is configured at the DHCP and DNS resolver layer. Your access points are untouched. "Is this GDPR compliant?" DNS filtering logs domain queries, not content. You're not performing deep packet inspection. Provided you have appropriate data retention policies and your privacy notice covers network monitoring — which it should regardless — DNS filtering is fully compatible with GDPR. For public sector and healthcare deployments, it's often a compliance requirement rather than a choice. "What about PCI DSS?" DNS filtering actually strengthens your PCI DSS posture by preventing cardholder data environments from communicating with known malicious domains. It's a positive control, not a risk. --- SUMMARY AND NEXT STEPS (approx. 1 minute) --- To bring this together: the majority of enterprise WiFi performance problems are not hardware problems. They're software problems — specifically, the absence of intelligent traffic management at the DNS layer. By deploying DNS filtering, you can reclaim thirty percent or more of your existing bandwidth, extend the operational life of your current access point infrastructure by two to four years, and simultaneously improve your security and compliance posture. The deployment timeline is measured in hours, not months. The capital expenditure is a fraction of a hardware refresh. The practical next steps are straightforward. Run a DNS traffic audit on your network this week — most enterprise platforms will give you this data without any additional tooling. Identify your top bandwidth-consuming domain categories. Then evaluate a DNS filtering solution against those categories. If you're operating a guest WiFi network at scale — hospitality, retail, events, public sector — Purple's platform integrates DNS filtering with guest WiFi management and analytics in a single deployment. That means you get the bandwidth reclamation, the compliance controls, and the guest data insights from one platform rather than three. Thanks for listening to the Purple Technical Briefing. Full implementation guidance, architecture diagrams, and worked examples are available in the accompanying written guide. Until next time.