I thought the point was that they queried many available DNS servers, not that they did so from as many different locations as possible. Even if they only have a dozen sources in a given country, can't they still query all the DNS servers they know of from there?
> We used all RIPE Atlas probes (~9000 probes) to send DNS queries to 8.8.8.8. Each probe issued several queries, a single query covered one of the features described above (e.g. DNSSEC validation, IPv6 only-domain reachability, NXDOMAIN redirection, …).
My understanding was that they did the same queries from as many network locations as possible, and looked for unexpected results.
Querying more known public dns IPs would provide better confidence that a given probe was attached to a network that hijacked DNS, but still wouldn't tell you very much about the internet in a country with a low probe count.
