[ptk]

Do you have examples of ISPs that do this?

[KevinGlass]

In the US, Comcast does this on all business copper connections. They call it "Secure Edge". It frequently breaks DNS, VPNs, some voip, torrents (or any P2P connections), and probably other stuff. It's enabled by default on all new accounts and will randomly be at the account level.

To disable it you have to call them and ask.

[tptacek]

Worth noting that an ISP that does this --- literally intercepting all port 53 traffic, TCP and UDP --- can just strip DNSSEC, too.

[buro9]

In the UK most ISPs do this, it's their primary mechanism for enforcing any legal blocks against websites.