How whoer Detects Your DNS Resolver

· 1 min read · 157 Words · -Views -Comments

While registering for Spotify I came across whoer and noticed it can detect your DNS server. Curious how that works, I looked into it—here’s the gist.

https://static.1991421.cn/2022/2022-08-07-164940.jpeg

  1. The whoer page triggers a CSS request like https://sdvtq1659862.ed.whrq.net/css/null.css?_=1659862263203.

    The subdomain is randomized and the file doesn’t exist.

  2. Since the DNS answer won’t be cached locally, the resolver walks up the hierarchy and ultimately queries the authoritative DNS for whrq.net. That DNS server records the randomized subdomain and the source DNS IP for the query.

  3. whoer’s backend correlates the recorded subdomain (e.g., sdvtq1659862) with the user’s session. The client then issues a request containing that token, and the server returns the detected DNS info.

    https://static.1991421.cn/2022/2022-08-07-165455.jpeg

In short, whoer leverages the DNS resolution path to learn your DNS server’s address. Because DNS queries only include the domain, randomized subdomains provide per-user correlation.

Other fields are obtained similarly: OS/browser from the User-Agent, ISP from your IP address.

Done—that’s the core idea.

Authors
Developer, digital product enthusiast, tinkerer, sharer, open source lover