There are some authoritative DNS services that will return information about the resolver used to contact them. They can help prove interception. (But they can’t prove a negative with complete certainty, since an improbably clever interceptor could lie!)
They can return:
- The resolver’s IP address.
- The optional EDNS Client Subnet extension sent by some resolvers to some authoritative servers, which normally identifies the subnet the resolver received the query from.
Note that large resolvers will use different IP addresses to contact authoritative servers, not the resolver’s public IP address. (They can also use a different IP version.) For example, Cloudflare’s public resolver will use IPs assigned to Cloudflare. Google Public DNS lists the ranges they use in their FAQ. Quad9 will usually, but not always, use IP addresses assigned to PCH.
For example, Akamai runs this:
$ dig whoami.ds.akahelp.net txt
o-o.myaddr.l.google.com. PowerDNS runs several things. I run
If you run, say,
dig whoami.ds.akahelp.net txt @<Google Public DNS address>
and it reports that it got the query from somewhere outside Google’s published ranges, or without an ECS extension, it was likely intercepted.
You can also sometimes detect more subtle differences between different implementations. (Most obviously whether DNSSEC is used or not.)
Edit: You can also try to query the authoritative servers for those zones directly.
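The check described in the comment above, written out as an added example (it is not code from the comment’s author or from any of the named DNS operators): parse the TXT answer a whoami-style service returns, then compare the address the authoritative server saw against the ranges the resolver operator publishes, and complain if EDNS Client Subnet is missing when the resolver is known to send it. The TXT layout (`"ns" "<ip>"` and `"ecs" "<prefix>/<len>/<scope>"`) is an assumption about how such a service answers, the published ranges are constructed RFC 5737/3849 documentation space rather than any operator’s real list, and the sample answers are constructed.

```python
import ipaddress
import shlex
from typing import List, Optional, Tuple

# Constructed stand-in for the egress ranges a resolver operator publishes
# (documentation address space, not a real operator's list).
PUBLISHED_EGRESS_RANGES = ["203.0.113.0/24", "2001:db8:53::/48"]

# Constructed sample answers in `dig ... txt +short` form. The "ns"/"ecs"
# layout is an assumed whoami-service format, not a guaranteed one.
CLEAN_ANSWER = '"ns" "203.0.113.7"\n"ecs" "198.51.100.0/24/0"\n'
INTERCEPTED_ANSWER = '"ns" "192.0.2.44"\n'          # wrong source, no ECS
FULL_RECORD_ANSWER = 'whoami.example.net. 0 IN TXT "ns" "2001:db8:53::1"\n'


def parse_whoami_txt(dig_output: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (resolver_ip_seen_by_authoritative, ecs_client_prefix_or_None).

    Accepts either `+short` output or full records; only the TXT strings
    after the record type matter.
    """
    resolver_ip = None
    ecs = None
    for line in dig_output.splitlines():
        fields = shlex.split(line)          # drops the quotes around TXT strings
        if "TXT" in fields:                 # full record form: keep RDATA only
            fields = fields[fields.index("TXT") + 1:]
        if len(fields) != 2:
            continue
        key, value = fields
        if key == "ns":
            resolver_ip = value
        elif key == "ecs":
            # "<prefix>/<source len>/<scope len>" -> keep prefix and source length
            prefix, plen = value.split("/")[:2]
            ecs = f"{prefix}/{plen}"
    return resolver_ip, ecs


def check_for_interception(resolver_ip: Optional[str], ecs: Optional[str],
                           published_ranges: List[str],
                           expect_ecs: bool) -> Tuple[bool, str]:
    """Return (looks_intercepted, reason).

    A False verdict only means the evidence is consistent with the expected
    resolver; an interceptor that relays through the real resolver would pass.
    """
    if resolver_ip is None:
        return True, "no 'ns' record: the answer did not come from the whoami service"
    addr = ipaddress.ip_address(resolver_ip)
    # `addr in net` is False (not an error) when the IP versions differ.
    nets = [ipaddress.ip_network(r) for r in published_ranges]
    if not any(addr in net for net in nets):
        return True, f"authoritative server saw {addr}, outside the published ranges"
    if expect_ecs and ecs is None:
        return True, "resolver normally sends EDNS Client Subnet but none arrived"
    if ecs is not None:
        ipaddress.ip_network(ecs, strict=False)   # validate the reported subnet
    return False, "consistent with the expected resolver"


def verdict(dig_output: str, published_ranges: List[str],
            expect_ecs: bool) -> Tuple[bool, str]:
    """Convenience wrapper: parse the answer, then apply the check."""
    return check_for_interception(*parse_whoami_txt(dig_output),
                                  published_ranges, expect_ecs)


if __name__ == "__main__":
    for label, answer in [("clean", CLEAN_ANSWER),
                          ("intercepted", INTERCEPTED_ANSWER),
                          ("v6", FULL_RECORD_ANSWER)]:
        flagged, why = verdict(answer, PUBLISHED_EGRESS_RANGES, expect_ecs=True)
        print(f"{label}: {'INTERCEPTED?' if flagged else 'ok'} ({why})")
```

Set `expect_ecs=False` for a resolver that does not send ECS to that authoritative server, otherwise a legitimate answer is flagged; and, as the comment notes, a clean verdict is evidence, not proof.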