On Fri, Sep 29, 2017 at 02:56:12PM +0200, Baptiste Jonglez <baptiste.jonglez@imag.fr> wrote a message of 56 lines which said:
What I mean by "traffic interception" is that DNS queries from the probe to a third-party DNS server do not reach the server, but are intercepted and answered by a middle-box instead.
Many interceptors (for instance the GFC) do so only when the request matches some criteria. "Intercepting" is not all-or-nothing.
It seems that the "DNS Root Instances" map could be used for that purpose, because DNS traffic interception shows up as if the probe was contacting an "Unknown" root instance.
There are many rogue root instances (with anycast, it can be difficult to be sure of talking to a real root) so a strange instance is not always DNS interception.
I also looked for DNS-related tags on probes, but could not find anything useful.
A system tag "clean DNS" would certainly be useful but, as the two examples above show, it is difficult to define precisely.