Is there anyway to see my REAL DNS server

Question

Is there anyway to see my REAL DNS server?

and I'm not referring to 127.0.0.53 or the router (192.168.0.1), but the real external server in bash?

I'm talking about the ISP DNS, or VPN DNS servers...

Answer 1

Your local system only knows about its own resolver configuration.

If you want to see the DNS server your router is using, you need to look at your router's DNS configuration (and similarly for any upstream VPN servers).

There's some discussion of this same question over on superuser.com.

Answer 2

127.0.0.53 hints at systemd-resolved (see Why does /etc/resolv.conf point at 127.0.0.53?); you can see what nameservers it currently uses with systemd-resolve --status (or resolvectl status), it shows something like:

Link 3 (eno1)
      Current Scopes: DNS        
DefaultRoute setting: yes        
                 ...        
  Current DNS Server: 8.8.8.8
         DNS Servers: 8.8.4.4
          DNS Domain: ...  

Now, if those point at an external router on your premises, probably because it does NAT and acts as a DHCP server and gives its own address as the nameserver, then you'll need to find out from the router's own configuration or status information where it relays the queries.

Eventually of course the requests go to one of the nameservers of the site being accessed. None of that has anything to do with Bash or other shells, though.

Answer 3

Assuming you are on Linux using systemd-resolved. To verify the information displayed by systemd-resolve --status and see what is actually going out from your machine you could set up one shell to run a packet capture using sudo tcpdump -i any udp port 53 -nn while testing DNS queries from another shell.

You may need to install the tcpdump tool which should be available in your repo.

The difference of a query passing over your router as opposed to VPN would look like this:

nslookup google.com
19:12:26.749153 IP 127.0.0.1.53404 > 127.0.0.53.53: 24079+ A? google.com. (28)
19:12:26.749310 IP 192.168.0.108.57422 > 192.168.0.1.53: 34613+ [1au] A? google.com. (39)
19:12:26.754334 IP 192.168.0.1.53 > 192.168.0.108.57422: 34613 1/0/1 A 216.58.211.14 (55)
19:12:26.754483 IP 127.0.0.53.53 > 127.0.0.1.53404: 24079 1/0/0 A 216.58.211.14 (44)
19:12:26.754839 IP 127.0.0.1.48040 > 127.0.0.53.53: 54901+ AAAA? google.com. (28)
19:12:26.755037 IP 192.168.0.108.57637 > 192.168.0.1.53: 64355+ [1au] AAAA? google.com. (39)
19:12:26.760094 IP 192.168.0.1.53 > 192.168.0.108.57637: 64355 1/0/1 AAAA 2a00:1450:400f:80d::200e (67)
19:12:26.760356 IP 127.0.0.53.53 > 127.0.0.1.48040: 54901 1/0/0 AAAA 2a00:1450:400f:80d::200e (56)
nslookup companyname.com
19:12:48.423115 IP 127.0.0.1.46052 > 127.0.0.53.53: 3203+ A? companyname.com. (40)
19:12:48.423377 IP <vpndns-IP>.46258 > <vpn-IP>: 19523+ [1au] A? companyname.com. (51)
19:12:48.463179 IP <my-vpn-IP> > <vpndns-IP>.46258: 19523 1/0/1 A <reply-IP> (67)
19:12:48.463461 IP 127.0.0.53.53 > 127.0.0.1.46052: 3203 1/0/0 A <reply-IP> (56)
19:12:48.463977 IP 127.0.0.1.35173 > 127.0.0.53.53: 30803+ AAAA? companyname.com. (40)
19:12:48.464224 IP <vpndns-IP>.44227 > <vpn-IP>: 41970+ [1au] AAAA? companyname.com. (51)
19:12:48.503799 IP <my-vpn-IP> > <vpndns-IP>.44227: 41970 0/1/1 (103)
19:12:48.504027 IP 127.0.0.53.53 > 127.0.0.1.35173: 30803 0/0/0 (40)

You see my local 192.168 address talking to the 192.168.0.1 router for looking up google. For a query to the company domain going over the VPN you instead see my VPN IP talking to the company DNS IP (masked). This is a split DNS configuration.

The same thing could probably be done on your router too if you have cli access to it which would get you one step further in that direction. But when checking your VPN is the main concern looking on your local machine should be enough.