Why do bad DNS names and failed connections to servers not get SSL intercepted?