Or why not just simply block outbound DNS traffic unless from one of your official sources? It's likely to break some things, yes, but it's a more upfront and honest policy.
On 23 June 2015 at 15:25, Stuart Henderson <[email protected]> wrote:
> On 2015-06-23, Yuri Voinov <[email protected]> wrote:
> > You have completely overlooked some providers in some countries that
> > censor the DNS/DNSSEC etc. etc. etc. I am interested in is not the purpose
> > of hacking, and to counteract censorship, if everyone understands what I
> > mean.
> >
> > Please keep in mind, I'm talking about the interception of requests for
> > name resolution in favor of a clean cache, which is used as a source of
> > reliable server through dnscrypt. So, my users can't get poisoned by
> > provider DNS answers.
>
> Perhaps you should look at dnscrypt or similar instead? WCCP for DNS
> is more like a mechanism that a provider might want to use to help
> them poison answers...
>
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
