On Mon, Jan 04, 2016 at 01:50:21PM +0100, Rick van Rein via Unbound-users <unbound-users at unbound.net> wrote a message of 9 lines which said: > What I am wondering is if the approach of recursive resolution, not > explicitly going through the CPE, suffices to avoid mangling. The > CPE *could* still force control over DNS traffic on account of > target port 53, and I am wondering if this happens. Yes. In China, for instance, it is quite common. Also, port 53 is sometimes blocked. In these cases, the only solution is to reach the upstream resolver through DNS-over-TLS (Unbound supports it) or your VPN.