Ping is not reliable for testing end to end.
Any router/hop/firewall between you and the root servers can reply to your ICMP ping.
If you read up on how recursive resolvers work, you would find out that this is close to impossible.
They not only work with root hints and nameserver records (ns), but there are also keys involved for checking validity for the records served.
You're a bit familiar with the dig command now, I presume.
Have a look below at all the queries unbound makes for just resolving the www.instagram.com domain.
The "Below my good logs" part:
VPN and Tor are the only ones that can encrypt all traffic.
With that, they won't be able to sniff DNS or SNI.
EDIT: Have a look at how those keys are managed/created:
Some call them "The Elders of The Internet"
EDIT2: Oh, that's from "The IT Crowd" TV series: