A simple workaround for nefarious vendors is to ignore your DHCP-provided resolver address and just punch through to their own resolver. Maybe over SSL is they're really sneaky.

You need to firewall addresses ( tricky ), or connect to a LAN-only Wifi, or don't connect at all.