by mschuster91 2688 days ago
> China (and others) can also simply intercept all UDP traffic to port 53.

Which is why DNSSEC (to prevent MITM tampering) and DNS encryption technologies such as DNSCrypt or DNS-over-TLS/HTTPS become ever more important to be widely deployed.

2 comments

DNSSEC does little to prevent state-level intercept of DNS queries, since it's a server-to-server protocol that collapses down to a single, trivially-flipped header bit in the client/server transaction.
Doesn't really help though - even when you bypass China's DNS hijacking you still can't connect to the target IP.
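
Added example, not part of the thread: the "single header bit" mentioned in the first reply is the AD (Authenticated Data) flag in the DNS header. The sketch below parses that header and compares two constructed responses (name, ID and address are sample values) to show that a validated and an unvalidated answer, as seen by a non-validating stub, differ in exactly one unauthenticated bit.

```python
import struct

# DNS header flag masks (RFC 1035; AD and CD defined by RFC 4035)
QR, RD, RA = 0x8000, 0x0100, 0x0080
AD = 0x0020  # Authenticated Data: set by a validating recursive resolver
CD = 0x0010  # Checking Disabled

def build_response(flags):
    """Constructed sample: A record for example.com -> 192.0.2.1."""
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
    # Answer uses a compression pointer (0xc00c) back to the question name.
    answer = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

def parse_header(msg):
    """Decode the fixed 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
        "counts": (qd, an, ns, ar),
    }

def differing_bits(a, b):
    """Return (byte_offset, xor_mask) for every byte that differs."""
    if len(a) != len(b):
        raise ValueError("messages differ in length")
    return [(i, x ^ y) for i, (x, y) in enumerate(zip(a, b)) if x ^ y]

VALIDATED = build_response(QR | RD | RA | AD)   # resolver claims DNSSEC validation
UNVALIDATED = build_response(QR | RD | RA)      # same answer, no claim

if __name__ == "__main__":
    print(parse_header(VALIDATED))
    print(parse_header(UNVALIDATED))
    # No RRSIG travels to the stub here; the only difference is the AD bit.
    print(differing_bits(VALIDATED, UNVALIDATED))
```

RFC 4035 accordingly tells stub resolvers to rely on AD only when the channel to the recursive resolver is itself secured; otherwise the stub has to validate signatures locally.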