I am running a recursive resolver locally. When it resolves a name, "upstream" means the root servers, not some DNS cache such as my ISP offers. A recursive resolver chases the name down the DNS tree to the authoritative server.
To block that, you have to either tamper with the root servers, or get control of the authoritative servers.
> To block that, you have to either tamper with the root servers, or get control of the authoritative servers.
I don't think so. The ISP can just reply to the DNS packets itself, without sending them to the root servers. Your local recursive resolver will think the responses are from other DNS servers, but in fact they would all be from your ISP.
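The point made in the reply above, as an added example that is not part of either post: the checks a resolver can apply to a plain UDP DNS reply (source address, port, transaction ID, echoed question) all use values visible to whoever carries the packets, so they filter out blind guesses but not an answer written on the path. The addresses, port, ID and names below are constructed.

```python
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, name, qtype=1):
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # iterative query
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_reply(txid, name, addr, qtype=1):
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR=1, AA=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    rdata = bytes(map(int, addr.split(".")))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + rr

def accepts(pending, src, dst_port, packet):
    """Everything a resolver can verify on an unauthenticated UDP reply."""
    if len(packet) < 12:
        return False
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if not flags & 0x8000:                       # must be a response
        return False
    if src != pending["server"] or dst_port != pending["sport"]:
        return False                             # address/port tuple must match
    if txid != pending["txid"] or qdcount != 1:  # 16-bit ID must match
        return False
    question = pending["query"][12:]
    return packet[12:12 + len(question)] == question  # question must be echoed

def demo():
    # Constructed outstanding query from the local resolver to an upstream server.
    pending = {"server": ("192.0.2.53", 53), "sport": 40000, "txid": 0x1A2B}
    pending["query"] = build_query(pending["txid"], "example.com")
    genuine = build_reply(0x1A2B, "example.com", "192.0.2.10")
    # Written by a party on the path: it saw the query, so every field matches.
    on_path = build_reply(0x1A2B, "example.com", "203.0.113.99")
    # Written without seeing the query: the ID has to be guessed.
    blind = build_reply(0x0001, "example.com", "203.0.113.99")
    return tuple(accepts(pending, pending["server"], 40000, p)
                 for p in (genuine, on_path, blind))

if __name__ == "__main__":
    print(demo())
```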