How I know it? Easy. I have tree hosts: my own laptop, liz a VPS in Germany with IP 18.104.22.168 and abbie a VPS in USA.
# I don't even have a DNS server installed on this host (liz) $ ssh firstname.lastname@example.org tcpdump 'port 52'
And now I run from my laptop (the one that is conected to my ISP, Vodafone):
$laptop> dig +short @22.214.171.124 goatse.com 126.96.36.199 188.8.131.52
And I get two results. How is this even possible to get results if I'm making the query to my own server and I don't even have a DNS server installed? Simple, checking out the console where I'm running tcpdump I see that any request package has arrived on my VPS. Cool. It means that someone else is giving me an answer but.... who? I don't know. Probably the DNS servers of Vodafone.
I do the same test with the VPS in the USA, and lets see what happens:
$abbie> dig +short @184.108.40.206 goatse.com ;; connection timed out; no servers could be reached
Oh. That makes more sense. And from the console where I'm running TCPDUMP we can see the request made to my server:
22:04:40.093864 IP XXX.XXX.XXXX.XXX.52702 > 220.127.116.11.domain: 34396+ A? goatse.com. (28)
So, again. WHYYYYYY VODAFONE!?? WHYYYY?! I mean, I thought we have a relationship where I pay you, and you give me access to the Internet. What I could not imagine was that you where hijacking my DNS packets and modifying them at your wish :S