#DNS trivia, especially for those have ever used the "It was DNS" meme. What is wrong with this (real) dig response and what is the likely cause? AI probably won't help you.
John Kristoffdig @1.1.1.1 foobar.gov +norecurse +nocmd +noquestion +noauthority +nostats
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1808
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
Hiding dig's version number (+nocmd) while asking what's wrong. At least you didn't use +short.
Querying a recursive DNS service with +norec.
1.1.1.1 is a restrictive recursive DNS service that doesn't allow cache snooping so you should probably not be seeing a NOERROR response. Probably you should see SERVFAIL.
1.1.1.1 supports Extended DNS Errors, which can be sent to any EDNS query. Even old versions of dig will dump the raw bytes of an unknown EDNS option code. But your response doesn't have any EDE options.
The fact that you didn't get a SERVFAIL response with an EDE option stating that a cache snooping query was being rejected ("no local cache to fulfill non recursion (RD=0) request" being the specific EDE text string that the 1.1.1.1 implementation generates) is suspicious and I agree with the other commenters suggesting that this is not the real 1.1.1.1.
@jtk If you added +nsid to the dig and didn't see a Cloudflare-style NSID response (of the form "<X>m<Y>" where X and Y are numbers, e.g. "509m215") I think that would be overwhelming proof that you're not talking to the real Cloudflare 1.1.1.1 service.
On a new enough dig you could also add +https to see either the real response, or how badly the local network admin wants to break off-site DNS resolution.
Robert Edmonds