Reply to comment:

Stéphane Bortzmeyer
In a country like Iran, there is also the risk that the server you talk with is not the one you want (route hijacking, Turkish-style: https://ripe68.ripe.net/presentations/158-bortzmeyer-google-dns-turkey.pdf https://ripe68.ripe.net/archives/video/177/ ). Google Public DNS has zero defense (not even a public ID) and others have poor defenses (the server ID can be forged), so you have to rely on latency measurements to detect it. In the future, resolver authentication will probably be a MUST.
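
The latency check mentioned in the comment above can be sketched as follows. This is an added example, not part of the original comment: it flags a resolver whose best round-trip time is lower than the speed of light in fibre allows to the nearest genuine site. The function names, the coordinates and the RTT samples are all constructed assumptions; where the real service instances are located is something you must supply yourself.

```python
import math

FIBER_KM_PER_MS = 200.0  # light in fibre covers roughly 200 km per millisecond

def great_circle_km(a, b):
    """Haversine distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def rtt_floor_ms(vantage, sites):
    """Smallest round trip physics allows to the nearest genuine site."""
    return min(2 * great_circle_km(vantage, s) / FIBER_KM_PER_MS for s in sites)

def assess(samples_ms, vantage, sites, baseline_ms=None, tolerance=0.5):
    """Classify measured DNS query RTTs for one resolver address.

    too-fast   : answers arrive sooner than any genuine site could reply,
                 so something closer is answering for that address
    shifted    : best RTT moved more than `tolerance` (fraction) away from
                 the recorded baseline, e.g. after a routing change
    consistent : nothing unusual in the timing
    """
    if not samples_ms:
        return "no-data"
    best = min(samples_ms)  # the minimum filters out queueing jitter
    if best < rtt_floor_ms(vantage, sites):
        return "too-fast"
    if baseline_ms is not None and abs(best - baseline_ms) > tolerance * baseline_ms:
        return "shifted"
    return "consistent"

# Constructed sample data: one vantage point, one assumed genuine site.
VANTAGE = (39.93, 32.86)
LEGIT_SITES = [(50.11, 8.68)]

if __name__ == "__main__":
    print(round(rtt_floor_ms(VANTAGE, LEGIT_SITES), 1), "ms physical floor")
    print(assess([4.1, 3.8, 5.0], VANTAGE, LEGIT_SITES, baseline_ms=47.0))
    print(assess([48.2, 51.0, 47.5], VANTAGE, LEGIT_SITES, baseline_ms=47.0))
```

A "too-fast" result is a reason to investigate rather than proof of hijacking, since an anycast operator may have deployed a new instance closer than the sites you listed.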