You can't filter out the bad guys
What are you going to do, not give address space to Somali pirates or the Taliban?
With ipv6 its even harder due to the lack of scarcity.
You can't stop people with physical access, the the Russians can set up their own DNS servers and pass all local DNS traffic to them for "proxying" before forwarding out to the US or European parts of the internet.
You can have secure, or you can have insecure, but you can't have "secure but only for the good guys." -Schneier