Does a DNS request to identify the DNS server that provided the reply

network-plane/whichdns

whichdns

When you do a DNS request, which DNS server is used? This tool will tell you. It does a DNS request while capturing network packets using native AF_PACKET sockets and gets the DNS server that replied.

Warning: Requires root access since it captures network packets while doing the DNS requests.

Usage/Examples

Get DNS server (default domain: example.com)

sudo ./whichdns

Get DNS server for specific domain

sudo ./whichdns --domain google.com

Return only the DNS server IP for use in scripts

sudo ./whichdns --iponly --domain google.com

Enable debug output

sudo ./whichdns --debug --domain google.com

Show version

./whichdns version

Show help

./whichdns --help

How to build

No external dependencies required - uses only native Linux AF_PACKET sockets.

Build

go build

Requirements

  • Linux (AF_PACKET sockets are Linux-specific)
  • Root privileges (for raw socket access)
  • Go 1.19+ (for AF_PACKET support)

Example output

Default interface: eno1
[████████████████████████████████████████] 100.00%
DNS server IP: 1.1.1.1

With --iponly flag (script-friendly)

$ sudo ./whichdns --iponly --domain google.com
1.1.1.1

Version command

$ ./whichdns version
Version: 1.0.3

Technical Implementation

This tool uses native Linux AF_PACKET raw sockets to capture Ethernet frames directly from the network interface. Unlike traditional packet capture libraries, it performs all packet parsing and filtering in userspace using pure Go code.

CLI Framework

Built with Cobra - a modern CLI framework for Go that provides:

  • Long flag support only (no short flags)
  • Subcommands (version, help)
  • Automatic help generation
  • Clean command structure

Why AF_PACKET?

  • Zero external dependencies - No libpcap, CGO, or system libraries required
  • Smaller binaries - No vendored C libraries
  • Better portability - Only requires Linux kernel support
  • Full control - Custom packet dissection and filtering logic

How it works:

  1. Creates raw AF_PACKET socket bound to the default network interface
  2. Performs DNS lookups to generate network traffic
  3. Captures Ethernet frames containing DNS responses
  4. Parses Ethernet → IP → UDP → DNS packets in userspace
  5. Extracts the responding DNS server IP address

Requirements: Linux with AF_PACKET support (kernel 2.2+), root privileges for raw socket access.
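
The userspace parsing in steps 3 to 5 (Ethernet → IP → UDP → DNS, then take the responder's address), as an added example that is not whichdns's own code. The function names, the question-name match used to ignore other processes' DNS traffic, and the constructed sample frame are assumptions; only untagged IPv4 frames are handled.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

// dnsResponder returns the source IP of an IPv4/UDP DNS response about wantName.
func dnsResponder(frame []byte, wantName string) (net.IP, bool) {
	be := binary.BigEndian
	if len(frame) < 14+20 || be.Uint16(frame[12:]) != 0x0800 { // EtherType IPv4
		return nil, false
	}
	ip := frame[14:]
	ihl := int(ip[0]&0x0f) * 4 // header length varies with IP options
	if ip[0]>>4 != 4 || ihl < 20 || len(ip) < ihl+8+12 || ip[9] != 17 || be.Uint16(ip[6:])&0x3fff != 0 {
		return nil, false // not IPv4/UDP, too short, or a fragment (MF or offset set)
	}
	dns := ip[ihl+8:] // skip the 8-byte UDP header
	if be.Uint16(ip[ihl:]) != 53 || dns[2]&0x80 == 0 {
		return nil, false // source port is not 53, or QR bit says "query"
	}
	name := "" // first question name: plain length-prefixed labels
	for q := dns[12:]; len(q) > 0 && q[0] != 0; q = q[1+int(q[0]):] {
		if q[0] > 63 || int(q[0])+1 >= len(q) {
			return nil, false // compression pointer or truncated name
		}
		name += string(q[1:1+int(q[0])]) + "."
	}
	if !strings.EqualFold(name, wantName+".") {
		return nil, false // answer to some other process's lookup
	}
	return net.IP(append([]byte(nil), ip[12:16]...)), true // copy out of the buffer
}

func sampleFrame(src net.IP, name string) []byte {
	f := make([]byte, 14+20+8+12) // constructed response frame, not a capture
	f[12], f[14], f[23], f[35], f[44] = 0x08, 0x45, 17, 53, 0x81
	copy(f[26:30], src.To4())
	for _, l := range strings.Split(name, ".") {
		f = append(append(f, byte(len(l))), l...)
	}
	return append(f, 0)
}

func main() { fmt.Println(dnsResponder(sampleFrame(net.IPv4(192, 0, 2, 53), "example.com"), "example.com")) }
```

In a capture loop, each buffer read from the AF_PACKET socket would be passed to `dnsResponder` until it reports a match or a timeout expires.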

Contributing

Contributions are always welcome! All contributions are required to follow the Google Go Style Guide: https://google.github.io/styleguide/go/

Vulnerability Reporting

Please report any security vulnerabilities to the project using issues or directly to the owner.

Code of Conduct

This project follows the Go project code of conduct; please refer to https://go.dev/conduct for more details.

Roadmap

  • Add --iponly option to return just the DNS server IP for scripting
  • Replace libpcap with native AF_PACKET sockets
  • Add support for other packet capture methods (BPF, etc.)

License

I will always follow the Linux Kernel License as primary; if you require any other OPEN license, please let me know and I will try to accommodate it.
