As seen in this previous thread: https://forum.defcon.org/showthread.php?t=9805, Nxdomain wildcarding (when the DNS resolver returns a valid name when it should return an error) can produce strange results on the network, such as making you think someone is trying to MITM your SSL connections...

This is just one of the reasons why we developed our network measurement tool, The ICSI Netalyzr, http://netalyzr.icsi.berkeley.edu.

Among the many things it checks for is port filtering, hidden proxies, latency, buffering, DNS wildcarding, DNS Man-in-the-middling, DNS port randomization, and a bunch of others.

It does require Java (and benefits from JavaScript).