by dsl 4925 days ago
I'm not sure I fully understand your question.

A "standalone" site can get the IP address of the user's DNS server by doing an AJAX request to http://[random].ip.yourdomain.com/. Your DNS server responds to requests for *.ip.yourdomain.com with the IP of your webserver and stores the requesting IP address in a database using [random] as its key. Finally, a script on your website fetches the IP from the database when it gets the request and prints it out wrapped in a cute little JSON wrapper. You can see an example of this at http://entropy.dns-oarc.net/test/


Clever, but it seems to me that might only coarsely reveal some global service my DNS server falls back to, NOT the server my local machine consults first.

Is this technique, including running your own authoritative DNS server and remembering every unique lookup, commonly used to geolocalize individual web visitors? Or do servers more often just look up the originating IP? My conjecture is that the latter dominates.

You said originally "there's no way for a site to know what DNS servers I use." I proved that is false.

Is it used to geolocate users? No. Is it used to route traffic in most major CDNs? Yes. The two are completely different use cases.

I think this is getting way out of scope for HN. If you are still curious how this stuff works I can email you directly if you'd like.

OK, a typical website acting alone can't know what DNS servers my local machine is configured to contact, and furthermore doesn't use such DNS sensing to geo-localize its content (the claim I was responding to).

But, with the technique you've described, a website coordinating with a DNS server can probe to learn one of the DNS servers that gets consulted (directly or indirectly) by my machine. Got it. Neat and useful trick.
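
The correlation described in the first comment of this thread, as an added example that is not part of any poster's comment or of any site's real code: the authoritative DNS side parses the query name and stores the querying address under the random label, and the web side returns it as JSON. The function names, the in-memory dict standing in for the database, and the documentation-range IP addresses are assumptions made for illustration.

```python
import json
import struct

ZONE = ("ip", "yourdomain", "com")  # placeholder zone taken from the comment
seen = {}                           # token -> resolver IP (stands in for the database)

def parse_qname(packet):
    """Return the lower-cased labels of the first question in a DNS query."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("not a DNS query")
    labels, pos = [], 12            # the question starts after the 12-byte header
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("compressed, oversized or truncated label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    if pos >= len(packet):
        raise ValueError("unterminated name")
    return labels

def on_dns_query(packet, source_ip):
    """Authoritative side: remember who asked for <token>.ip.yourdomain.com.

    source_ip is whichever resolver actually reached this server, which may be
    an upstream forwarder rather than the one configured on the visitor's machine.
    """
    labels = parse_qname(packet)
    if len(labels) == len(ZONE) + 1 and tuple(labels[1:]) == ZONE:
        seen[labels[0]] = source_ip
        return True
    return False

def on_http_request(host_header):
    """Web side: read the token from the Host header and answer with JSON."""
    token = host_header.split(":")[0].lower().split(".")[0]
    return json.dumps({"token": token, "resolver": seen.get(token)})

def build_query(name, txid=0x1234):
    """Build a minimal A/IN query packet (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    # Constructed scenario: the resolver at 192.0.2.53 looks the name up first,
    # then the browser requests the same host name over HTTP.
    on_dns_query(build_query("a1b2c3.ip.yourdomain.com"), "192.0.2.53")
    print(on_http_request("a1b2c3.ip.yourdomain.com"))
```
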