<div dir="ltr">Or why not just simply block outbound DNS traffic unless from one of your official sources? It's likely to break some things, yes, but it's a more upfront and honest policy.</div><div class="gmail_extra"><br><div class="gmail_quote">On 23 June 2015 at 15:25, Stuart Henderson <span dir="ltr">&lt;<a href="mailto:stu@spacehopper.org" target="_blank">stu@spacehopper.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 2015-06-23, Yuri Voinov &lt;<a href="mailto:yvoinov@gmail.com">yvoinov@gmail.com</a>&gt; wrote:<br>
> You have completely overlooked some providers in some countries that<br>
> censor the DNS/DNSSEC etc. etc. etc. What I am interested in is not<br>
> hacking but counteracting censorship, if everyone understands what I<br>
> mean.<br>
><br>
</span>> Please keep in mind, I'm talking about the interception of requests for<br>
<span class="">> name resolution in favor of a clean cache, which is used as a source of<br>
> reliable server through dnscrypt. So, my users can't get poisoned by<br>
> provider DNS answers.<br>
<br>
</span>Perhaps you should look at dnscrypt or similar instead? WCCP for DNS<br>
is more like a mechanism that a provider might want to use to help<br>
them poison answers...<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
_______________________________________________<br>
Unbound-users mailing list<br>
<a href="mailto:Unbound-users@unbound.net">Unbound-users@unbound.net</a><br>
<a href="http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users" rel="noreferrer" target="_blank">http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users</a><br>
</div></div></blockquote></div><br></div>