YinkoShield

Knowledge Center / engineering · 2025·06

Network context, DNS, and zero-rating

On common African networks, up to 52% of mobile-app launches encounter DNS timeouts. A secure transaction that never completes is as ineffective as an unprotected one. DNS Racer is the operational module we built to address that asymmetry.

The challenge

On many African mobile networks, DNS resolution is the silent failure point. Up to 52% of mobile-app launches see DNS timeouts or partial failures. The downstream effects look like security incidents — false fraud alerts, abandoned transactions, mid-flow session resets — but the cause is upstream of the security stack.

This is not an inconvenience. It directly undermines financial inclusion. A user on a rural network whose banking app cannot resolve hostnames is, for that moment, excluded from the financial system.

Why we built this inside the runtime

A secure transaction that never completes is as ineffective as an unprotected one. Our threat-detection logic should not penalise users for network conditions outside their control. The runtime that signs execution evidence is also where we can intervene at the network-resolution layer — without putting external infrastructure in the path.

DNS Racer ships as part of the YinkoShield SDK update and runs entirely inside your mobile application. No external infrastructure is required.

How it works

DNS Racer queries multiple resolvers in parallel:

  • Classic DNS
  • DNS-over-HTTPS (DoH)
  • DNS-over-TLS (DoT)
  • Operator-defined custom resolvers

It picks the first authenticated response, with SSL pinning and DNSSEC validation to block man-in-the-middle attempts. A dedicated DoH endpoint preserves zero-rating where the operator has established it with the carrier.
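The selection rule above, sketched as an added example (not YinkoShield SDK code): every resolver is queried at once, the first answer that authenticates wins even if an unauthenticated one arrived sooner, and the decision is returned as a record. All names here are hypothetical, the resolvers are simulated with constructed latencies and documentation-range addresses, and the `authenticated` flag stands in for the pinning and DNSSEC checks.

```python
import asyncio
from dataclasses import dataclass

@dataclass
class Answer:
    resolver: str
    address: str
    authenticated: bool  # stand-in for "pinning and DNSSEC validation passed"

def fake_resolver(name, delay, address=None, authenticated=True):
    """Constructed stand-in for one transport; address=None simulates a failure."""
    async def query(host):
        await asyncio.sleep(delay)
        if address is None:
            raise OSError(f"{name}: no answer for {host}")
        return Answer(name, address, authenticated)
    return name, query

async def race(host, resolvers, deadline=1.0):
    """Query all resolvers at once; accept the first answer that authenticates."""
    loop = asyncio.get_running_loop()
    names = {asyncio.ensure_future(query(host)): name for name, query in resolvers}
    pending, observed, winner = set(names), [], None
    end = loop.time() + deadline
    while pending and winner is None and loop.time() < end:
        done, pending = await asyncio.wait(
            pending, timeout=end - loop.time(), return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is not None:
                observed.append((names[task], "error"))
            elif not task.result().authenticated:
                # A fast answer that fails validation must never win the race.
                observed.append((names[task], "rejected-unauthenticated"))
            elif winner is None:
                winner = task.result()
                observed.append((names[task], "accepted"))
            else:
                observed.append((names[task], "valid-but-late"))
    for task in sorted(pending, key=names.get):  # stop the losers promptly
        task.cancel()
        observed.append((names[task], "cancelled"))
    await asyncio.gather(*pending, return_exceptions=True)
    # Decision record: what was observed and what was chosen, ready to be logged.
    record = {"host": host, "chosen": winner.resolver if winner else None,
              "observed": observed}
    return winner, record

def resolve(host, resolvers, deadline=1.0):
    """Synchronous wrapper so callers need no event loop of their own."""
    return asyncio.run(race(host, resolvers, deadline))
```

When no resolver authenticates before the deadline, `resolve` returns `None` with a record of every attempt, so the caller fails closed instead of using an unvalidated address.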

Adaptive to network and location

In urban networks with good connectivity, DNS Racer prioritises encrypted DNS for privacy. In rural or slow-network conditions, it falls back to faster local resolvers and caches more aggressively. The decision is made on the device, in real time.

Because DNS Racer is embedded in the application, it works identically on iOS, Android, and on the most resource-constrained low-end Android handsets we ship to.

The operational outcome

With DNS Racer enabled, users on unstable networks experience:

  • Faster DNS resolution.
  • Far fewer session timeouts.
  • Uninterrupted, secure access to banking features.

For the operator, that means higher transaction success rates, reduced support overhead, and stronger user trust. For the fraud team, it means fewer false-positive incidents driven by network flapping rather than adversarial behaviour.

Why this fits the witness layer

DNS Racer is the same shape as the rest of the substrate. It runs in the device, declares what it observed and what it chose, and emits its decision into the evidence record. The operator can verify that the network path was the one expected — and reason about it forensically when something looks unusual.

A reliable network is part of execution coherence. A signed record of how that reliability was achieved is part of the witness register.

What’s next

Over the next quarter we will publish field performance data from production deployments — transaction-success deltas, session-abandonment reductions, support-ticket impact — across the markets where DNS Racer is now in front of real users.

Existing customers — update to the latest SDK to enable DNS Racer out of the box. Operators evaluating: reach out for a briefing on deployment and zero-rating arrangements.