> What's the best way to tell if they're intercepting queries
Set up a simple DNS resolver in an external VM (use a service like DO where you can pay by the hour, and the test will cost you at most tens of pennies), configure it with a DNS zone that the rest of the Internet does not know about (thisdoesnotreallyexist.net). Then if you try to query for that domain from that server but get an NXDOMAIN response your query was probably intercepted (of course test from other locations too, to make sure the problem isn't a mistake in the new resolver's config).
Or you could configure the test resolver to give different answers for an existing domain, of course, and check for which addresses you get back instead of checking for address or error - that would essentially be the same test.
Or, he says, thinking of the obvious after explaining the more long-winded, if you have a DNS server in your control, simply turn on the relevant logging options and run a query against it and see if your query turns up in its logs.
This assumes they are intercepting and NATing all standard DNS requests (usually on UDP & TCP port 53), rather than just DNS traffic going to a list of known alternative DNS services. If they are doing the latter then there are tests you can do that rely on timing and TTL settings (get their server to cache a result, change the name->address mapping, then ask 8.8.8.8 or similar and see what answer you get).
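The first test described above, written out as a small stand-alone script (an added example, not code from the commenter). It assumes you already run a resolver on an external VM that is authoritative for a zone only you know about, and that you know the address it answers for a test name; the resolver IP `198.51.100.10`, the name `test.thisdoesnotreallyexist.net` and the expected answer are placeholders you replace with your own. It builds a plain UDP port-53 query with the standard library, sends it straight to your resolver, and classifies the reply: an NXDOMAIN or a different address means something between you and the VM answered instead of the VM.

```python
"""Check whether a network path intercepts plain port-53 DNS queries.

Assumed setup (placeholders, not the original post's values): an external VM
running a resolver that is authoritative for a zone nobody else knows about,
and a known A record in that zone.
"""
import os
import socket
import struct
from typing import Dict, Optional, Tuple

DNS_PORT = 53
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Build a standard recursive A query for `name`; returns (txid, packet)."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(pkt: bytes) -> Dict:
    """Extract the transaction id, rcode and any IN A answers from a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "addrs": addrs}


def classify(resp: Dict, expected_txid: int, expected_addr: str) -> str:
    """Say what the reply tells us about the path to the test resolver."""
    if resp["txid"] != expected_txid:
        return "txid mismatch: reply is not for our query"
    if resp["rcode"] == 3:
        return "NXDOMAIN for a name only our resolver knows: query was likely intercepted"
    if resp["rcode"] != 0:
        return "unexpected rcode %s" % RCODE_NAMES.get(resp["rcode"], resp["rcode"])
    if expected_addr in resp["addrs"]:
        return "expected answer: query reached our resolver"
    return "different answer %s: query was likely intercepted" % resp["addrs"]


def run_test(resolver_ip: str, name: str, expected_addr: str, timeout: float = 3.0) -> str:
    """Send the query directly to the external resolver and classify the reply."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver_ip, DNS_PORT))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout: no reply (resolver unreachable or port 53 blocked)"
    return classify(parse_response(data), txid, expected_addr)


if __name__ == "__main__":
    # Placeholder values: your VM's address, your test name, and its configured answer.
    print(run_test("198.51.100.10", "test.thisdoesnotreallyexist.net", "198.51.100.10"))
```

Run it once from the network you suspect and once from somewhere else (the VM itself, a phone on mobile data); if only the suspect network yields NXDOMAIN or a foreign address, the resolver config is not the problem. As the commenter notes, this only catches interception of all port-53 traffic; a box that only redirects queries aimed at well-known public resolvers will leave a query to your own VM untouched.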