First thing I did was check DNS records through several different proxies and found that 8.8.8.8 lies about the assigned IP address of certain hosts.
For example, 8.8.8.8 returns an address that doesn't exist in DNS records for the remote host; it clearly points to another host which appears to be hosted in the area.
In the past, all my systems behind a router used to resolve all hosts properly like this:
    SRC<----->8.8.8.8:53<----->DST
     \______________________________\
But apparently, this is what upstream does right now:
    SRC<------->\<-DROP->8.8.8.8:53
                            \
                               DNAT 1.2.3.4.5:53 <-----> DST_CACHE <-----> DST
                                  \_____________________________\
This is unacceptable to me because the contract with ISP clearly says "internet access" and NOT "internal cache access".
Anyway, it's possible to bypass this NAT through a tunnel, like this:
    \------------------------------------------------------------------------------------------------------\
      \------- DNSMASQ <----- SSL_TUNNEL -----> PROXY <-----> 8.8.8.8:53 <-----> DST
        \
    SRC\<-DROP->\8.8.8.8:53
Since the MAP from ISP is not exactly open to public I can only assume what it looks like, but I figure they aren't going to drop SSL packets anytime soon.
One could say the remote proxy cache is just as insecure as the ISP cache, but personally I don't care one bit as long as the resolvers don't lie about DNS records.
I see when the resolver is poisoned because I sometimes drop outgoing packets to an entire country for testing purposes.
It crossed my mind to suggest that Cisco's dnscrypt be included in the distribution as the default resolver, to address this issue.
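Added example, not the poster's code: a stdlib-only probe that checks for the kind of transparent DNAT shown in the diagrams above. It sends the same A query to the intended resolver and to a decoy address that runs no DNS server; any reply from the decoy can only come from something on the path answering in its place. DECOY_IP and the query name are assumptions (192.0.2.1 is a documentation-range placeholder; use an address you control).

```python
import secrets
import socket
import struct

def build_query(name, qid):
    """Plain A/IN query, recursion desired, no EDNS."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    """Advance past a domain name; a compression pointer (top two bits set) is two bytes and ends it."""
    while msg[off] and msg[off] < 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg, qid):
    """Return the A-record IPs in a response; reject a mismatched transaction id."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                      # skip the question section (name + type + class)
        off = _skip_name(msg, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def probe(resolver, name, timeout=2.0):
    """Send one UDP query; return its A records, or None if nothing answers."""
    qid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_a_records(data, qid)

if __name__ == "__main__":
    DECOY_IP = "192.0.2.1"   # assumption: an address you control that has no DNS listener
    print("8.8.8.8 answers:", probe("8.8.8.8", "example.com"))
    # a reply from an address that runs no DNS server proves an on-path responder
    print("decoy intercepted:", probe(DECOY_IP, "example.com") is not None)
```

Comparing the answer from 8.8.8.8 against the same query sent through the SSL tunnel gives the second signal the post describes: identical transaction, different address.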