Sonic has been doing that for a year. All they're doing is applying a blacklist at their DNS servers. Unlike OpenDNS and Google, they don't divert DNS no-finds to ads. It is annoying, though, that they don't clearly identify who's displaying that message and why.
Sonic has an alternative DNS server without this feature (at 75.101.19.196 or 75.101.19.228), which is useful if you're testing things that need to see phishing sites.
While OpenDNS does do the redirect thing (it can be turned off), Google have never done that and even state quite expressly that they don't in the Google DNS FAQ:
Google Public DNS has never hijacked NXDOMAIN [1], OpenDNS no longer does [2].
The problem with what Sonic is doing is that they are blocking legit sites [3], not providing a way to click and bypass the block, and not informing customers why the site is getting blocked or by whom.
It is a stupid feature. All the major browsers (Chrome, Firefox, IE, and Safari) have malware and phishing blocking; most use the Google Safe Browsing API [4], which is a much more reliable blacklist than what Sonic seems to be using. With browser-side blocking, users are able to bypass the block if they really need to get to the site; they also know who is doing the blocking (the browser) and why it is blocked.
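The resolver-side behaviour argued over above (an honest NXDOMAIN, a hijacked NXDOMAIN that returns an address anyway, or a blacklisted name answered with a block-page address) can be checked from the client side. The script below is an added example, not code from any commenter, Sonic, OpenDNS or Google: it builds a minimal A query, parses the wire-format reply, and classifies it. The helper names, the constructed replies and the documentation-range addresses (198.51.100.7, 203.0.113.5) are assumptions for illustration; a real block-page address has to be learned from the ISP's own block page before it can be matched.

```python
"""Classify raw DNS replies to spot NXDOMAIN hijacking or block-page sinkholing.
Added example (stdlib only); all names and sample data below are constructed."""
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal recursive A/IN query for qname (no EDNS)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode and the A answers as (name, dotted-quad) pairs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = _read_name(msg, off)
        off += 4                              # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


def classify(resp: dict, expect_nxdomain: bool, block_page_ips=frozenset()) -> str:
    """Label a parsed reply. expect_nxdomain=True means the probed name is one
    we know does not exist (e.g. a random label under a zone we control)."""
    ips = {ip for _, ip in resp["answers"]}
    if resp["rcode"] == RCODE_NXDOMAIN and not ips:
        return "nxdomain"                     # honest negative answer
    if resp["rcode"] == RCODE_NOERROR and ips & set(block_page_ips):
        return "sinkholed"                    # answered with a known block-page address
    if resp["rcode"] == RCODE_NOERROR and expect_nxdomain and ips:
        return "nxdomain-hijacked"            # resolver invented an address
    if resp["rcode"] == RCODE_NOERROR and ips:
        return "resolved"
    return "other"


def make_response(query: bytes, rcode: int, ips) -> bytes:
    """Constructed reply for the given query (test data, not a real resolver)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    rrs = b""
    for ip in ips:                            # name is a pointer to the question name
        rdata = bytes(int(o) for o in ip.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + rdata
    return header + query[12:] + rrs


def probe_resolver(resolver_ip: str, qname: str, timeout: float = 2.0) -> dict:
    """Send one query over UDP/53 to a resolver you are entitled to test and parse
    the reply (not exercised offline; hypothetical helper)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["txid"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    return resp


if __name__ == "__main__":
    q = build_query("nonexistent-probe.example.com")
    print(classify(parse_response(make_response(q, RCODE_NXDOMAIN, [])), True))
    print(classify(parse_response(make_response(q, RCODE_NOERROR, ["198.51.100.7"])), True))
```

Running the same probe against two resolvers (one known to be honest, one under test) and comparing the labels is the quickest way to tell whether a resolver is rewriting negative answers or substituting a block page, which is exactly the difference between "my browser blocked this" and "someone upstream blocked this" that the comments above complain is not visible to the user.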
Moreover, we give users two very powerful differences neither of the other options you mentioned do, along with achieving a philosophical model that better maps to the way security should be deployed on the Internet.
1) The ability to granularly control the policy down to the device or user.
2) The ability to bypass blocked sites with credentials.
This is because we push policy to the edge. Security enforcement must be done at the edge to be done properly; doing it in the core (like an ISP or IX) is the wrong place to enforce security policy because it forces a one-size-fits-all approach that is inappropriate for Internet users.
Replying just to point out that OpenDNS do DNSCurve, which is different to DNSSEC in that it is encrypted end to end. Even so, DNSCurve would allow OpenDNS to view queries and implement a blacklist, because they are an endpoint and have to process requests, which wasn't apparent to me when I glossed over DNSCurve first but is obvious now.
The forum post referenced in the email was posted on March 14th, meaning that this has been going on for a while. Have they done anything in the meantime to improve the usability of this or present DNSSEC-enabled services that do not have this man-in-the-middle action going on?
Done right, this can be a really good service: malware that takes advantage of cutting-edge exploits (combined with computers that get updated slowly if at all) can be hard to block if it isn't being cut off at its source, and a company proactively protecting its customers can be a very good thing. However, to do that right requires a few important steps:
1. Notifying the customer of what is happening. This is a huge fail since they give their customers no notice of what company is actually doing it.
2. Instructions to report false positives. They're not even saying who they are, so there's clearly no easy way to report false positives.
3. A commitment to only blocking active exploits. They shouldn't be censors, they should only be blocking things that can actually cause damage. The fact that they're blocking political and financial sites due to social engineering is clearly problematic.
4. Finally, they should add a way to get around the block. This is unfortunately a difficult thing to do with DNS based blocking and I'd be willing to cut them some slack on this if they could make up for it by rigid standards of damage and a fast false positive response.
When my team managed the blocklist that mbam uses we had to deal with this kind of stuff, but overall it worked really well and as time went on more features were added to the product to make sure customers had control. This type of service can be done right, but when it's not I feel it can do far more harm than good as people abandon security because of the perceived inconvenience that's really just a shitty product.
I've been a Sonic subscriber for a few years now and I'm configured to use the affected DNS servers, but I've never encountered a block and I don't really see the problem (aside from not branding the block page).