is there any function to setup secure DNS lookups?
currently all our client DNS go via the univention (as is supposed)
the univention then resolves to 1.1.1.1 or whatever.
in a certain country that shall remain nameless, they are tracking the DNS packets and if they are “un acceptable” (google)
they are inserting DNS records to reroute to websites/domains serving viruses.
for example if you ping google.com, the ip address is always different on a rotation
and it returns sites such that looking them up on alienvault shows compromised domains.
and yep… i have grabbed packets going out of our firewall to next hop in the isp leased line, with returns from the isp, with this crap in it…
so the only solution would be a secure DNS