Unless you have trusted a CA from your ISP, they won't have a valid cert. They can divert the packets, but their response will be invalid (fail when the client checks the cert).
I addressed this in my response. You're right that redirection does little more than just blocking the traffic, on account of the certificate check, but if the attacker can force a fallback to regular DNS, that's a problem.
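To make the two points above concrete, here is an added example (my own code, not from either commenter) of a minimal DNS-over-HTTPS client built on the Python standard library. The hostname `doh.example`, the TEST-NET address `192.0.2.53` for the ISP's plaintext resolver, and the `simulated_*` transports are assumptions for illustration; the sample DNS answer is constructed by hand. The real transport uses `ssl.create_default_context()`, so a diverted connection that presents a certificate not chaining to a trusted CA raises `ssl.SSLCertVerificationError`. The `resolve()` function shows the policy decision the thread is about: fail closed when the DoH path fails, or fall back to plain UDP DNS, which hands the answer to whoever controls that path.

```python
"""Minimal DoH client (RFC 8484, application/dns-message) with an explicit fallback policy.

Added illustration, not the thread's own code. Assumed names: doh.example (resolver host),
192.0.2.53 (the ISP's plaintext resolver, a TEST-NET address); transports are injectable so the
policy can be exercised offline with simulated ones.
"""
import http.client
import socket
import ssl
import struct

DOH_HOST = "doh.example"          # assumption: hypothetical DoH resolver
DOH_PATH = "/dns-query"
PLAIN_DNS = ("192.0.2.53", 53)    # assumption: ISP-controlled plaintext resolver


class DohError(OSError):
    """Non-TLS failure on the DoH path (bad status, wrong content type)."""


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a single-question DNS query (RFC 1035 wire format); ID 0 as RFC 8484 suggests for DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qclass IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # two-byte pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg: bytes) -> list:
    """Extract IPv4 addresses from the answer section; raise on a non-zero RCODE."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if flags & 0x000F:
        raise DohError(f"DNS error, rcode={flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip qtype + qclass
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def doh_transport(query: bytes) -> bytes:
    """POST the query over TLS. The default context requires a certificate that chains to a
    trusted CA and matches DOH_HOST, so an ISP that diverts the packets but cannot present such
    a certificate triggers ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(DOH_HOST, context=ctx, timeout=5)
    conn.request("POST", DOH_PATH, body=query,
                 headers={"Content-Type": "application/dns-message",
                          "Accept": "application/dns-message"})
    resp = conn.getresponse()
    ctype = (resp.getheader("Content-Type") or "").split(";")[0].strip()
    if resp.status != 200 or ctype != "application/dns-message":
        raise DohError(f"unexpected DoH response: {resp.status} {ctype}")
    return resp.read()


def plain_dns_transport(query: bytes) -> bytes:
    """Plain UDP DNS: no authentication of the answer at all."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(query, PLAIN_DNS)
        return s.recv(4096)


def resolve(name: str, doh=doh_transport, plain=plain_dns_transport, allow_fallback: bool = False) -> list:
    """Resolve via DoH. With allow_fallback=False a TLS or transport failure propagates (fail closed);
    with allow_fallback=True the same failure silently routes the query to the plaintext resolver."""
    query = build_query(name)
    try:
        return parse_a_records(doh(query))
    except OSError:                      # covers ssl.SSLError, DohError, socket errors
        if not allow_fallback:
            raise
        return parse_a_records(plain(query))


# Constructed sample answer (not captured traffic): example.com A 192.0.2.1, TTL 300,
# answer name given as a compression pointer (0xC00C) back to the question name.
SAMPLE_ANSWER = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                 + b"\x07example\x03com\x00\x00\x01\x00\x01"
                 + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")


def simulated_isp_redirect(query: bytes) -> bytes:
    """Simulation of a diverted DoH connection: the cert check fails before any DNS data flows."""
    raise ssl.SSLCertVerificationError("certificate verify failed: self-signed certificate")


def simulated_plain_resolver(query: bytes) -> bytes:
    """Simulation of the ISP's plaintext resolver answering the fallback query."""
    return SAMPLE_ANSWER


if __name__ == "__main__":
    try:
        resolve("example.com", doh=simulated_isp_redirect, plain=simulated_plain_resolver)
    except OSError as exc:
        print("strict mode failed closed:", exc)
    print("fallback mode answered from plaintext path:",
          resolve("example.com", doh=simulated_isp_redirect, plain=simulated_plain_resolver,
                  allow_fallback=True))
```

Run as a script it shows both outcomes against the simulated transports; against a real resolver, replace `DOH_HOST` and call `resolve()` with the default transports. The important line is the `except OSError` branch: catching the certificate error and continuing on the plaintext path is exactly the "forced fallback" the reply warns about, and it is usually a one-line configuration choice in real clients.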