[josephcsible]

> DNSSEC protects against that for well-configured domains

This isn't effective against DNS-level censorship, though. A DNSSEC validation error is just as effective as a fake NXDOMAIN or bogus IP at keeping me from visiting the correct site.

[jeroenhd]

It works in the sense that at least you can know your ISP is messing with your DNS. If they mess with DNS, they might as well just block an IP (range), so a DNS alternative probably won't bypass most censorship. You're better off with a decent VPN at that point.

[tptacek]

Are you wondering whether your ISP is messing with your DNS? Let me help you with that: if you're in North America, your ISP is messing with your DNS.

[josephcsible]

I temporarily agree with this, but once TLS ECH gets widely deployed then I won't. I can see an ISP blocking a single domain, but not all of Cloudflare just because it's hosted there.