@dma_pf here are some tests you might want to do to see if your isp is intercepting your dns..
so query a specific authoritative NS for a record - say www.google.com to one of the actual google ns.. You should see aa in the response field showing that it was an authoritative response..
aa.jpg
Notice when I just ask some other NS for www.google.com I do not see the aa in the flags.. This means was not an authoritative response.. This points to dns being intercepted if you don't see the aa when doing a directed query to specific authoritative name server.
Another simple test to see if all dns is being intercepted is just do a query to some IP you know for sure isn't actually running dns.
So for example 1.2.3.4 sure and the hell is not providing dns.. But if its being redirected - sure looks like it is. So a quick test to see if all dns is being redirected is to just do a directed query to some IP you know for sure is not providing dns services - if you get a response, then your dns is being intercepted.
redirect.jpg
another sign of interception is when you query an authoritative ns for a record it is authoritative for.. You would get back the full TTL.. Notice I got a 300 back when I asked ns1.google.com for www.google.com, but when I asked another ns I got back some odd ttl.. That was something lower than the actual ttl - since it was from cache and not from the actual authoritative NS..
Another possible hint of dns shenanigans is odd response times. Lets say 1.2.3.4 was actually some dns I could talk too.. But look at the response time I got back, 0 (since my redirection is local).. But if through some vpn while a query to maybe 1.2.3.4 might take 40ms, if your seeing much lower response time than what would be normal - that points to dns interception as well.
There are many clues to look for to see if your isp or vpn is messing with your dns..
