Quiz Entry - updated: 2026.07.05
How can an ISP interfere with DNS, and what are the two main countermeasures?
An ISP can block resolution / return poisoned records, or redirect third-party DNS queries to its own servers; you counter with custom resolvers and, more robustly, encrypted DNS.
The problems:
- ISP blocks DNS resolution: the default ISP DNS server refuses certain domains or answers with false IP records (DNS poisoning).
- DNS redirection: queries sent to third-party resolvers (e.g.
8.8.8.8or1.1.1.1) are redirected by the ISP to its own servers or blocked entirely.
The countermeasures:
- Alternative DNS servers: configure custom resolvers in the router or device (e.g. Cloudflare
1.1.1.1, Google8.8.8.8, Quad99.9.9.9). - Encrypted DNS: don't send DNS over plain UDP port 53 — use DoT, DoH, or DoQ to prevent manipulation and surveillance.
A tool like OONI Probe can detect this: a result of "Anomaly – DNS tampering" means the DNS answer was altered in transit.
Tip: Just switching to 1.1.1.1 isn't enough if the ISP redirects port-53 traffic — encrypted DNS is what actually defeats interception, not just choosing a different resolver.
Go deeper:
DNS over HTTPS (Wikipedia) — why encrypted DNS, not just a different resolver, defeats interception.