If the filter is enabled and a blocked site is looked up in DNS, the returned A record is spoofed to a Sky IP address in order to provide a "site blocked" page.
If the filter is disabled, the normal A record is returned.
How does the DNS server know which source IP addresses should get the spoofed result, and which source IP addresses should get the real IP address?
All I can think of is that the DNS server is being continually fed a list of IP addresses along with their chosen level of filtering. Then, when the source IP address requests an A record, the DNS server decides whether a spoofed result is needed or not. The trouble, of course, is that Sky IP addresses are dynamic. So every time a customer's IP address changes, the new IP address has to be fed into the DNS server along with the customer's chosen level of filtering.
I would be interested to know how this is done. My guess is that it works somewhat like OpenDNS, whereby a dynamic IP address update client runs and updates the system with the customer's username and current IP address. However, this dynamic IP address update client must be sitting on the Sky network somewhere since of course there is no update client running on the customer side. It's definitely not customer router based since several Sky routers have had no firmware update in two years or more.
The other way it could be done is that the DNS server hooks into a database which is continually updated every time a customer changes their IP address. The source IP address can be looked up to see if it should have a filtered result or not.
However this system was set up, it seems like it might have been an interesting technical challenge.
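The database-backed design speculated about above, modelled as an added example that is not part of the original post and does not describe how Sky actually does it: a lease table maps each current source IP to an account, and the resolver picks the spoofed or real A record from that account's filter level. All names, addresses, filter levels and the "unknown address gets the strictest level" default are assumptions made for the illustration.

```python
import ipaddress

# Every name, address and policy below is constructed for illustration.
BLOCK_PAGE_IP = "192.0.2.10"   # stands in for the ISP's "site blocked" host
REAL_RECORDS = {"blocked.example": "203.0.113.5", "news.example": "203.0.113.9"}
CATEGORY = {"blocked.example": "adult"}           # domain -> filter category
BLOCKED_BY_LEVEL = {"off": set(), "medium": {"adult"}, "strict": {"adult", "social"}}


class FilterDirectory:
    """Maps the current source IP of a session to the account's filter level."""

    def __init__(self):
        self.level_by_account = {}    # account -> chosen filter level
        self.lease_by_ip = {}         # source IP -> (account, lease expiry time)

    def set_level(self, account, level):
        self.level_by_account[account] = level

    def session_start(self, account, ip, now, lease_seconds):
        # Assumed hook: the address-assignment system calls this on every new lease.
        ip = str(ipaddress.ip_address(ip))
        # Drop any older lease held by this account, so its previous address
        # does not keep the old policy once it is handed to someone else.
        for old_ip, (acct, _) in list(self.lease_by_ip.items()):
            if acct == account:
                del self.lease_by_ip[old_ip]
        self.lease_by_ip[ip] = (account, now + lease_seconds)

    def level_for(self, ip, now, default="strict"):
        entry = self.lease_by_ip.get(str(ipaddress.ip_address(ip)))
        if entry is None or entry[1] <= now:
            return default            # unknown or expired lease: strictest level
        return self.level_by_account.get(entry[0], default)


def resolve_a(directory, source_ip, qname, now):
    """Return the A record a client at source_ip would receive for qname."""
    real = REAL_RECORDS.get(qname)
    if real is None:
        return None                   # a real resolver would answer NXDOMAIN
    level = directory.level_for(source_ip, now)
    if CATEGORY.get(qname) in BLOCKED_BY_LEVEL[level]:
        return BLOCK_PAGE_IP          # spoofed answer pointing at the block page
    return real
```

The case worth watching is address reuse: if the lease table lags behind reassignment, the next customer on that IP inherits the previous customer's filtering until the mapping is corrected.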