The answer to above question used to be difficult. You had to be an expert to find out the answer. And unfortunately, this is not something that average internet users care about.

Playing with dnstraceroute tool (see project on GitHub), I noticed it is a common practice among service providers to divert outbound DNS traffic to their local DNS servers. So If you thought you are using Google’s Public DNS Server or Verisign‘s, there is a good chance that your DNS traffic is in fact being served by ISP’s local resolver.

Following is a couple of examples, going through my favorite VPN Tunnel service provider:

% ./dnstraceroute.py -q -s 8.8.8.8 yahoo.com
1   google-public-dns-a.google.com (8.8.8.8) 159 ms

% ./dnstraceroute.py -q -s 4.2.2.1 yahoo.com
1   a.resolvers.level3.net (4.2.2.1) 127 ms

I assume I should be more than one hop away from all DNS servers in the world.

So I thought maybe they have a list of well-known public DNS servers and doing a routing trick based on destination IP addresses.

Then I tried tracing to various random IP addresses (not DNS servers), but the results were the same, which is really interesting. The next idea was that they are basically redirecting all UDP/53 traffic. So I changed the port number to test this hypothesis:

% ./dnstraceroute.py -q -p 55 -s 4.2.2.1 yahoo.com
1   a.resolvers.level3.net (4.2.2.1) 133 ms

Wow! The trick is even more sophisticated than a simple IP address or port based policy. In fact, every DNS request, aside from the destination IP address or port number is redirected. So there should be a Layer 7 inspection or DPI in place, which is a clever (and scary) idea.

This is perhaps done to filter out suspicious DNS requests.


You can’t blame your service provider for hijacking your DNS traffic or running DPI on their network these days. In fact most of them use DPI to some extent for various reasons. But if they are inspecting my DNS traffic up to layer 7, they can also see everything else, unless it is encrypted.

If you are really concerned about your DNS traffic being intercepted (you should be) or want to decouple your DNS traffic from Web traffic, I highly recommend using DNSCrypt with your trusted DNS resolver.

That is perhaps a simple Unbound DNS resolver which you installed and secured on a virtual server somewhere over the internet. Public DNSCrypt servers? That’s another mistake you better not make. If you insist on using a public DNS server, you may want to use DNSDiag tools to see how much you can trust your ISP.