Passer au contenu principal
Français

Comment améliorer la vitesse du WiFi sans acheter de nouveaux points d'accès

Ce guide explique comment les établissements d'entreprise peuvent récupérer plus de 30 % de leur bande passante WiFi sans acheter de nouveaux points d'accès. En mettant en œuvre le DNS filtering, le band steering et les politiques QoS, les équipes IT peuvent prolonger la durée de vie du matériel, réduire les CapEx et améliorer les performances et la sécurité du réseau.

📖 4 min de lecture📝 758 mots🔧 2 exemples concrets3 questions d'entraînement📚 8 définitions clés

Écouter ce guide

Voir la transcription du podcast
How to Improve WiFi Speed Without Buying New Access Points A Purple Technical Briefing — Approximately 10 Minutes --- INTRODUCTION AND CONTEXT (approx. 1 minute) --- Welcome to the Purple Technical Briefing series. I'm your host, and today we're tackling one of the most common conversations I have with IT directors and CTOs at enterprise venues — the WiFi capacity problem. You've got a hotel, a retail estate, a conference centre, or a stadium. Your guests and staff are complaining about slow WiFi. Your first instinct — and frankly, the instinct your infrastructure vendor is banking on — is to buy more access points. New hardware, bigger deployment, bigger invoice. But here's the thing. In the majority of cases I've reviewed, the problem isn't the access points at all. The problem is what's running through them. And that's a software problem, which means it's a software solution. Today I'm going to walk you through exactly how DNS filtering and software-layer optimisation can reclaim thirty percent or more of your existing bandwidth — without touching a single piece of hardware. We'll cover the technical architecture, real-world deployment scenarios, and the business case you can take to your CFO. Let's get into it. --- TECHNICAL DEEP-DIVE (approx. 5 minutes) --- First, let's establish the core problem. When you look at what's actually consuming bandwidth on a typical enterprise guest WiFi network, the breakdown is genuinely surprising to most people. Advertising networks and third-party trackers — the background telemetry that every app on every device is constantly sending — account for somewhere between twenty-five and forty percent of DNS query volume on a typical guest network. These aren't requests your guests are consciously making. They're automatic. Every time someone opens a news app, a social media platform, or a retail app on their phone, that app is firing off dozens of DNS lookups to advertising servers, analytics platforms, and tracking pixels. None of that traffic is delivering value to your guests. All of it is consuming your uplink capacity. On top of that, you've got malware and botnet traffic. Compromised devices — and on a large guest network, you will have compromised devices — are constantly attempting to phone home to command-and-control servers. That traffic is not only wasting bandwidth, it's a compliance and security liability. So before a single byte of legitimate traffic — a video call, a webpage, a payment transaction — even gets to your uplink, you've already burned through a third to a half of your available capacity on noise. Now, DNS filtering operates at the resolution layer. Every internet request starts with a DNS query — a lookup that translates a domain name into an IP address. DNS filtering intercepts that query before it ever reaches your uplink. If the domain resolves to an advertising network, a known malware host, or a policy-restricted category, the query is blocked at the DNS layer. The device gets a null response. No data is transferred. No bandwidth is consumed. This is fundamentally different from a firewall or a proxy. A firewall inspects packets after they've already arrived. A proxy intercepts traffic mid-stream. DNS filtering stops the request before it starts — which is why the bandwidth reclamation is so significant. You're not cleaning up traffic that's already arrived; you're preventing it from being requested in the first place. From an architecture standpoint, deployment is straightforward. You configure your DHCP server to point client devices to your DNS filtering resolver rather than your ISP's default DNS. That's typically a two-line change in your DHCP configuration. The filtering rules are maintained centrally — either in the cloud or on-premise depending on your compliance requirements — and applied uniformly across all connected devices regardless of which access point they're associated with. This is a critical point for multi-site operators. A retail chain with two hundred stores, or a hotel group with fifty properties, can deploy a consistent DNS filtering policy across the entire estate from a single management console. No on-site engineering visits. No per-site configuration. Policy changes propagate in minutes. Now, there's an important technical consideration here that I want to flag for the architects in the room. The emergence of DNS over HTTPS — DoH — creates a challenge for traditional DNS filtering. When a device uses DoH, it encrypts its DNS queries and sends them directly to a specific resolver — typically one operated by a browser vendor — bypassing your network-level DNS entirely. This means your filtering rules are circumvented. The solution is to enforce DoH interception at the network level. This involves identifying DoH traffic — which runs on port 443 to known resolver IP ranges — and either blocking it or redirecting it to your own DoH-capable filtering resolver. This is a more advanced configuration, but it's essential for maintaining filtering efficacy on modern networks where Chrome, Firefox, and iOS are increasingly defaulting to encrypted DNS. Purple has published a detailed guide on the implications of DNS over HTTPS for public WiFi filtering, which I'd recommend reading alongside this briefing. Beyond DNS filtering, there are several complementary software-layer optimisations worth implementing in parallel. Band steering is one of the most impactful. Most modern access points support both 2.4 gigahertz and 5 gigahertz bands. The 5 gigahertz band offers significantly higher throughput but shorter range. Without active band steering, devices will often associate with the 2.4 gigahertz band by default — particularly older devices and IoT hardware — creating congestion on a band that's already crowded with legacy traffic. Enabling band steering in your wireless controller pushes capable devices to 5 gigahertz, freeing up 2.4 gigahertz for devices that genuinely need it. SSID consolidation is another quick win. Every SSID you broadcast consumes airtime through beacon frames — management traffic that every device in range has to process. A venue running eight or ten SSIDs for different departments, contractors, and guest tiers is burning a measurable percentage of airtime on management overhead. Consolidating to three or four SSIDs — guest, staff, IoT, and management — and using VLAN tagging for segmentation rather than separate SSIDs can recover that airtime immediately. QoS — Quality of Service — policy enforcement is the third lever. Without QoS, a single guest streaming 4K video can saturate a radio cell, degrading the experience for every other device on that access point. Implementing per-client rate limiting and traffic prioritisation — elevating VoIP and POS transaction traffic above bulk streaming — ensures that business-critical traffic is protected even under peak load. Finally, channel planning and transmit power optimisation. These are often set-and-forget during initial deployment and never revisited. As the RF environment changes — new buildings, new interference sources, changes in device density — your channel assignments may be creating co-channel interference that significantly degrades throughput. Running a passive RF survey and reoptimising channel assignments is a zero-cost intervention that can yield substantial throughput improvements. --- IMPLEMENTATION RECOMMENDATIONS AND PITFALLS (approx. 2 minutes) --- Let me give you a practical deployment sequence for a mid-size venue — say, a two-hundred-room hotel or a regional retail distribution centre. Start with a baseline measurement. Before you change anything, instrument your network to capture DNS query volume by category, per-client bandwidth consumption, and uplink utilisation by time of day. This gives you the before state for your ROI calculation. Most enterprise WiFi analytics platforms will surface this data natively — Purple's analytics platform, for instance, provides device-level visibility that makes this baseline exercise straightforward. Step two: deploy DNS filtering in monitoring mode. Most enterprise DNS filtering solutions support a passive mode where queries are logged and categorised but not blocked. Run this for forty-eight to seventy-two hours to understand your traffic composition before you enforce any policy. This prevents false positives from disrupting legitimate traffic on day one. Step three: enable blocking in phases. Start with the highest-confidence categories — known malware domains, botnet command-and-control, and advertising networks. These are low-risk blocks with high bandwidth impact. Review the logs daily for the first week to catch any unexpected blocks. Step four: layer in QoS and band steering. Once DNS filtering is stable, implement per-client rate limiting and band steering. Test these changes during off-peak hours and validate that POS terminals, VoIP handsets, and other business-critical devices are performing correctly. Step five: document and measure. After thirty days, pull your bandwidth utilisation metrics and compare against your baseline. In most deployments, you'll see a twenty to forty percent reduction in uplink utilisation. That's your ROI figure. Now, the pitfalls. The most common one I see is over-blocking. If you enable aggressive content filtering categories without reviewing the logs first, you will block legitimate services. Cloud storage, business SaaS applications, and even some payment processing domains can appear in broad category blocks. Always start conservative and expand. The second pitfall is ignoring DoH bypass. If you deploy DNS filtering without addressing DoH, you'll see your filtering efficacy drop over time as more devices default to encrypted DNS. Address this at the network policy level from day one. The third pitfall is failing to segment IoT traffic. IoT devices — smart TVs, building management systems, digital signage — often generate significant DNS traffic to manufacturer telemetry servers. If you're not segmenting IoT onto a separate VLAN with its own filtering policy, you may inadvertently block device functionality when you tighten your filtering rules. --- RAPID-FIRE Q AND A (approx. 1 minute) --- Let me run through the questions I get most often. "Will DNS filtering affect guest experience?" In practice, guests never notice. The domains being blocked are background telemetry, not content they're actively requesting. If anything, their experience improves because there's more bandwidth available for the things they're actually trying to do. "Does this require changes to our access points?" No. DNS filtering is configured at the DHCP and DNS resolver layer. Your access points are untouched. "Is this GDPR compliant?" DNS filtering logs domain queries, not content. You're not performing deep packet inspection. Provided you have appropriate data retention policies and your privacy notice covers network monitoring — which it should regardless — DNS filtering is fully compatible with GDPR. For public sector and healthcare deployments, it's often a compliance requirement rather than a choice. "What about PCI DSS?" DNS filtering actually strengthens your PCI DSS posture by preventing cardholder data environments from communicating with known malicious domains. It's a positive control, not a risk. --- SUMMARY AND NEXT STEPS (approx. 1 minute) --- To bring this together: the majority of enterprise WiFi performance problems are not hardware problems. They're software problems — specifically, the absence of intelligent traffic management at the DNS layer. By deploying DNS filtering, you can reclaim thirty percent or more of your existing bandwidth, extend the operational life of your current access point infrastructure by two to four years, and simultaneously improve your security and compliance posture. The deployment timeline is measured in hours, not months. The capital expenditure is a fraction of a hardware refresh. The practical next steps are straightforward. Run a DNS traffic audit on your network this week — most enterprise platforms will give you this data without any additional tooling. Identify your top bandwidth-consuming domain categories. Then evaluate a DNS filtering solution against those categories. If you're operating a guest WiFi network at scale — hospitality, retail, events, public sector — Purple's platform integrates DNS filtering with guest WiFi management and analytics in a single deployment. That means you get the bandwidth reclamation, the compliance controls, and the guest data insights from one platform rather than three. Thanks for listening to the Purple Technical Briefing. Full implementation guidance, architecture diagrams, and worked examples are available in the accompanying written guide. Until next time.

header_image.png

Résumé Exécutif

Pour les directeurs IT et les CTO gérant des réseaux d'établissements à grande échelle, la réponse par défaut à l'épuisement de la bande passante est souvent un coûteux renouvellement matériel. Cependant, jusqu'à 40 % de la bande passante du réseau invité est généralement consommée par la télémétrie d'arrière-plan sans valeur ajoutée, les traqueurs publicitaires et le trafic malveillant. En mettant en œuvre une optimisation au niveau logiciel — spécifiquement le DNS filtering, le band steering intelligent et l'application des politiques QoS — les établissements peuvent récupérer plus de 30 % de la bande passante existante sans déployer un seul nouveau point d'accès.

Ce guide détaille comment mettre en œuvre ces optimisations pour prolonger la durée de vie du matériel actuel, réduire les CapEx et améliorer l'expérience utilisateur dans les environnements Hôtellerie , Commerce de détail , Santé et Transport .

Approfondissement Technique

La Consommation de Bande Passante : Télémétrie et Traqueurs

Lors de l'examen du profil de trafic d'un réseau Guest WiFi typique, le volume de trafic non initié par l'utilisateur est significatif. Les réseaux publicitaires et les traqueurs tiers représentent 25 % à 40 % du volume des requêtes DNS. Chaque lancement d'application déclenche des dizaines de recherches en arrière-plan vers des plateformes d'analyse et des pixels de suivi, dont aucune n'apporte de valeur à l'invité mais toutes consomment de la capacité de liaison montante.

De plus, les appareils compromis sur le réseau génèrent du trafic de malware et de botnet, tentant constamment de contacter des serveurs de commande et de contrôle. Cela gaspille de la bande passante et introduit de graves risques de conformité et de sécurité.

dns_bandwidth_breakdown.png

La Solution de DNS Filtering

Le DNS filtering opère au niveau de la couche de résolution. Il intercepte les requêtes DNS avant qu'elles n'atteignent la liaison montante. Si un domaine se résout en un réseau publicitaire, un hôte de malware connu ou une catégorie restreinte par la politique, la requête est bloquée, renvoyant une réponse nulle à l'appareil. Aucune donnée n'est transférée ; aucune bande passante n'est consommée.

Contrairement aux firewalls qui inspectent les paquets après leur arrivée ou aux proxies qui interceptent en cours de flux, le DNS filtering empêche l'initiation de la requête. Cet avantage architectural le rend très efficace pour la récupération de bande passante.

Gérer le DNS over HTTPS (DoH)

Une considération technique critique est l'essor du DNS over HTTPS (DoH). Le DoH chiffre les requêtes DNS, contournant le DNS au niveau du réseau et les règles de filtrage traditionnelles. Pour maintenir l'efficacité du filtrage, les réseaux doivent appliquer l'interception DoH en identifiant le trafic DoH (généralement sur le port 443 vers des résolveurs connus) et en le redirigeant vers un résolveur de filtrage compatible DoH. Pour plus de détails, consultez notre guide sur DNS Over HTTPS (DoH) : Implications pour le filtrage du WiFi public (ou la version portugaise : DNS Over HTTPS (DoH): Implicações para a Filtragem de WiFi Público ).

architecture_overview.png

Guide d'Implémentation

Le déploiement de l'optimisation au niveau logiciel est simple et peut être géré de manière centralisée pour les opérateurs multi-sites, en utilisant des plateformes comme WiFi Analytics pour surveiller l'impact.

  1. Mesure de Référence : Instrumentez le réseau pour capturer le volume de requêtes DNS par catégorie et la consommation de bande passante par client. Cela établit la base pour les calculs de ROI.
  2. Mode de Surveillance : Déployez le DNS filtering en mode de surveillance passive pendant 48 à 72 heures pour comprendre la composition du trafic sans bloquer, évitant ainsi les faux positifs.
  3. Blocage Progressif : Activez le blocage pour les catégories à haute confiance en premier (par exemple, malware connus, botnets, réseaux publicitaires). Examinez les journaux quotidiennement pour ajuster les politiques.
  4. Optimisations Complémentaires :
    • Band Steering : Poussez les appareils compatibles vers la bande 5GHz pour libérer la bande 2.4GHz congestionnée.
    • Consolidation des SSID : Réduisez la charge de gestion en consolidant les SSID et en utilisant le marquage VLAN pour la segmentation.
    • Application de la QoS : Mettez en œuvre une limitation de débit par client pour protéger le trafic critique pour l'entreprise (par exemple, VoIP, POS) du streaming de masse.
  5. Documenter et Mesurer : Après 30 jours, comparez l'utilisation de la bande passante par rapport à la référence pour quantifier le ROI.

Bonnes Pratiques

  • Segmenter le Trafic IoT : Les appareils IoT génèrent souvent une télémétrie significative. Placez-les sur un VLAN séparé avec des politiques de filtrage adaptées pour éviter de rompre la fonctionnalité lors du resserrement des règles.
  • Éviter le Sur-Blocage : Commencez par des politiques de blocage conservatrices et étendez-les progressivement en fonction des examens des journaux pour éviter de perturber les applications SaaS légitimes de l'entreprise.
  • Audits RF Réguliers : Réoptimisez périodiquement les attributions de canaux et la puissance de transmission pour atténuer les interférences de co-canal à mesure que l'environnement physique change.

Dépannage et Atténuation des Risques

  • Services Légitimes Bloqués : Si les utilisateurs signalent des applications défectueuses, vérifiez les journaux DNS pour les blocages de catégories larges affectant les domaines requis (par exemple, stockage cloud, passerelles de paiement) et mettez-les sur liste blanche.
  • Efficacité du Filtrage en Baisse : Si la consommation de bande passante augmente à nouveau, vérifiez que les politiques de contournement DoH interceptent et redirigent activement les requêtes DNS chiffrées.
  • Problèmes de Connectivité des Appareils Anciens : Si les appareils plus anciens ont du mal à se connecter après l'activation du band steering, assurez-vous que la bande 2.4GHz est toujours correctement provisionnée et envisagez d'ajuster l'agressivité du steering.

ROI et Impact Commercial

L'optimisation logicielle offre un ROI immédiat. Alors qu'une mise à niveau matérielle peut coûter entre 50 000 et 200 000 £ et prendre des mois à déployer, le filtrage DNS et les modifications de configuration coûtent une fraction de ce montant et se déploient en quelques heures. Les sites constatent généralement une réduction de 30 à 40 % de l'utilisation de la liaison montante, prolongeant la durée de vie des points d'accès existants de 2 à 4 ans tout en renforçant simultanément la conformité au GDPR et au PCI DSS.

roi_comparison_chart.png

Écoutez notre exposé technique complet :

Définitions clés

DNS Filtering

The process of blocking access to certain domains at the DNS resolution stage, preventing the connection before data is transferred.

Used to reclaim bandwidth by stopping ad, tracker, and malware traffic before it consumes uplink capacity.

Band Steering

A wireless network feature that encourages dual-band capable clients to connect to the less congested 5GHz band instead of the 2.4GHz band.

Crucial for optimizing airtime and improving throughput in dense environments.

DNS over HTTPS (DoH)

A protocol for performing remote Domain Name System resolution via the HTTPS protocol, encrypting the data.

Creates challenges for network administrators as it can bypass traditional, unencrypted DNS filtering controls.

SSID Consolidation

Reducing the number of broadcasted network names (SSIDs) to minimize management frame overhead.

Each SSID consumes airtime; fewer SSIDs mean more airtime available for actual data transmission.

Quality of Service (QoS)

Technologies that manage data traffic to reduce packet loss, latency, and jitter on the network.

Used to prioritize critical business traffic (like POS transactions) over guest streaming.

VLAN Tagging

The practice of inserting a VLAN ID into a packet header to identify which virtual LAN the packet belongs to.

Allows for logical segmentation of network traffic (e.g., Guest vs. Staff) without requiring separate physical networks or SSIDs.

Beacon Frames

Management frames in IEEE 802.11 based WLANs that contain information about the network.

Broadcasting too many SSIDs generates excessive beacon frames, consuming valuable airtime and slowing down the network.

Co-Channel Interference

Crosstalk from two different radio transmitters using the same frequency channel.

Mitigated by proper channel planning and transmit power optimization to ensure APs don't shout over each other.

Exemples concrets

A 200-room hotel is experiencing severe WiFi complaints during the evening peak. The infrastructure vendor recommends a £80,000 AP upgrade. How can software optimization address this?

  1. Deploy DNS filtering to block ad networks and malware, reclaiming ~30% of bandwidth. 2. Enable band steering to move capable devices to 5GHz. 3. Implement QoS to rate-limit video streaming to 5Mbps per client, prioritizing VoIP and operational traffic. 4. Consolidate from 8 SSIDs to 3 using VLAN tagging.
Commentaire de l'examinateur : This approach targets the root cause (traffic composition and RF management overhead) rather than the symptom. It defers the £80k CapEx while delivering immediate performance improvements.

A large retail chain with 500 stores needs to improve network performance for POS terminals while still offering Guest WiFi.

  1. Segment POS devices and Guest WiFi onto separate VLANs. 2. Apply aggressive DNS filtering on the Guest VLAN to block high-bandwidth non-essential traffic. 3. Configure strict QoS rules prioritizing the POS VLAN traffic over the Guest VLAN. 4. Manage policies centrally via a unified dashboard.
Commentaire de l'examinateur : Centralized management is crucial for retail scale. This ensures POS reliability (revenue protection) without sacrificing the Guest WiFi experience, avoiding per-store hardware upgrades.

Questions d'entraînement

Q1. A stadium network is experiencing severe congestion on the 2.4GHz band, while the 5GHz band is underutilized. What is the most immediate software-layer action to take?

Conseil : Consider how to force capable devices to use the better frequency.

Voir la réponse type

Enable and configure Band Steering on the wireless controller to actively push dual-band capable clients to the 5GHz band, freeing up 2.4GHz capacity for legacy devices.

Q2. After deploying DNS filtering, you notice that overall bandwidth consumption has only dropped by 5%, much lower than the expected 30%. What is the most likely technical reason for this?

Conseil : Think about modern browser default behaviors regarding DNS.

Voir la réponse type

Client devices are likely using DNS over HTTPS (DoH), bypassing the network's standard DNS resolver. The network must be configured to intercept DoH traffic and redirect it to the filtering resolver.

Q3. A hospital IT team wants to implement DNS filtering but is concerned about blocking critical medical telemetry from IoT devices. How should they architect the deployment?

Conseil : How can you apply different rules to different types of devices?

Voir la réponse type

Segment the IoT devices onto a dedicated VLAN. Apply a highly specific, permissive DNS filtering policy to the IoT VLAN that allows required telemetry, while applying the stricter ad/malware blocking policy to the Guest and Staff VLANs.