DNS security & parental control for internet service providers

White-label DNS security that stays in your network

KernoDNS is a DNS filtering and parental-control platform for internet service providers. It runs on your infrastructure — subscriber data never leaves your network.

In development. Built by network engineers from the ISP industry.

Your subscribers’ data is not our business model

The dominant DNS security model routes every query through the vendor’s cloud — someone else’s infrastructure sees every domain your subscribers visit. KernoDNS takes the opposite approach. Resolution, filtering policies and analytics all run inside the operator’s network. Our cloud ships threat-intelligence updates and nothing else; it never sees a single subscriber query.

  • Compliance by architecture — GDPR, NIS2, national regulators
  • Keeps working if the link to our cloud goes down
  • A data-protection conversation your legal team can actually finish
Operator network — KernoDNS cloud Nothing personal ever leaves. Operator network DNS resolution Filtering policies Analytics Subscriber data subscriber data stays inside updates in KernoDNS cloud Threat-intelligence updates No subscriber data No queries
Nothing personal ever leaves.

What it does

One platform, three audiences

For operators

  • A security and parental-control service under your own brand
  • A new revenue stream on infrastructure you already run
  • Regulatory blocklists and compliance reporting handled in one place

For subscribers

  • Network-level protection from malware and phishing — nothing to install
  • Parental controls with a clear reason for every block
  • A portal that shows what was blocked and why

For business & education

  • Content filtering for SMBs and schools, sold by the operator
  • Per-organization policy hierarchies
  • Compliance packs for education

See first. Block later.

Changing subscriber DNS is a sensitive move, and operators are right to be careful. KernoDNS is designed to start in observation mode: it shows what is actually happening in your DNS traffic — how much malware, phishing and botnet activity your subscribers run into — before a single query is blocked. Enforcement comes gradually, with a preview of how many subscribers each rule would affect. The platform deploys on your own VMs, inside your own perimeter.

Where the product is

KernoDNS is in development. There is no GA product to buy today, and we won’t pretend otherwise. What exists: the architecture, a working prototype of the traffic-analytics pipeline, and ongoing conversations with operators about their real constraints. If you run an ISP network and any of this resonates, our contact is in the footer.

Who’s building it

Built by ISP engineers, in Warsaw

KernoDNS is built by network engineers with 20+ years in the ISP industry — building and operating carrier-grade networks, CCIE-level engineering, based in Warsaw, EU. It comes from the operator side of the table: the same regulatory pressure, the same subscriber-data sensitivity, the same reasons to keep filtering in your own network.

FAQ

Questions operators ask

What is white-label DNS security?
DNS security filters malicious and unwanted domains at the network’s DNS layer — blocking malware, phishing and botnet callbacks before a subscriber ever reaches them. “White-label” means the internet provider offers it under its own brand: the subscriber portal, the block page and the reports all carry the operator’s name, not a third-party vendor’s.
Why run DNS filtering on-premise instead of in the cloud?
When filtering runs in a vendor’s cloud, every subscriber query leaves your network and someone else’s infrastructure sees where your subscribers go. Running it inside your own network keeps that data local — which matters for data-protection regulation, for independence from a vendor’s control plane, and for staying operational even if the link to any external service goes down.
Do subscribers need to install anything?
No. Protection happens at the network level, so there is nothing for subscribers to install — no app, no agent, no device configuration. Malware and phishing filtering and parental controls apply to the connection itself.
How does DNS filtering help with NIS2 and local regulations?
KernoDNS is designed with NIS2 and national requirements in mind — local CERT feeds, regulatory blocklists and reporting are handled in one place, and keeping subscriber data inside the operator’s network supports data-locality obligations. This is not legal advice, and no product guarantees compliance on its own; it gives your compliance team the architecture and records to work from.
How do ISPs make money on DNS security?
As a security and parental-control tier for subscribers, and as content filtering sold to business and education customers on the same platform. It runs on infrastructure the operator already owns, under a partner revenue model — a new line of revenue rather than a new cost center.
Where does the threat intelligence come from?
From a combination of commercial and open threat-intelligence sources, plus national CERT feeds where they are available. Our cloud delivers those updates into your network; it does not receive subscriber queries in return.
Can we try it?
KernoDNS is in development. We are working with a small number of operators as design partners while the product takes shape. If you run an ISP network and this is relevant to you, our contact is in the footer.