exactly.
intercept/inject? why. an ISP can just run its own standard DNS servers on 8.8.8.8 and 8.8.4.4 and point their customers to those - they own their routing space, they can just route to those locally....so anyone thinking they can avoid their ISP by choosing some other addresses are mistaken.... the only way to avoid is through encrypted lookups to a known/trusted/and signed endpoint etc
