Now, your question and the followups are just intriguing me, but I don't get the impression you understand the nature of DNS and its determination to replicate consistent address/name resolution.
If you believe there is any value in getting name lookups from one server over another and of well known servers, not really, such as if you had to get the addresses of the StackExchange name servers and whether you query google's free DNS or your ISP's DNS, more than likely its gonna be the same info and probably just as fast whenever a change is made. Trying to differentiate between one free telephone directory assistance over another free telephone directory assistance when both have up the second info... doesn't really matter until you need really high speed and high volume lookups and bombarding anyone's DNS server unexpectedly will just get your source ip filtered, throttled down, whatever.
when I'm trying to mask my source, don't be afraid to admit it if that is your objective, time to consider at ToR client along with a ton of other stuff that can do the same.
Even further dude, and based on the fact you ain't being clear about what you're trying to do, but if I had to perform lookups while offline or didn't want to use DNS servers,then dig out a copy of ipofflineinfo.exe out of Nirsoft or find an archived version since I don't see it there at the moment cause it carries a pretty large but not comprehensive IP address DB encapsulated in the binary and can be configured to poll when connected or at intervals to update the way a submarine can surface before disappearing again.
then, you put those entries into your host files, don't ask me where that is cause it depends on which OS you don't to share you're using.
But finding the DNS server is possible if you want to use a sniffer, it is just as un-ncessary as wondering what city your capital one customer service is sitting in at the moment since no matter which DNS server you reach, you're gonna get the same answers until you start asking for inside domain info like a zone transfer, usually considered part of larger security probe and prelude to a network penetration,,, "hacking" that is a fun conversation we'd have on a different server instead of this one.
Your original question, the answer is yes, it can be done, in about four nslookupcommands that are inside every NSlookup help file, DNS is one of the oldest Inernet protocols and the older they are the less secure they are, you'll never be rid of spam cause the messaging protocols that enable it are too widely installed to replace effectively without creating new socioeconomic classes of email users.
So, share more details about what you're trying to accomplish, or get to Wikipedia cause this thread is becoming that basic. You seem like a decent guy, you contribute to the community and have a good rep, why you gotta be so protective so suddenly is just hard to help.
//Since you never came back with clarifying info, then I'll make some general presumptions and render the following nslookup magic to find other peoples DNS servers. You have to be connected to make this work, trying to do so without is counterproductive. ReReading your original request makes me wonder if you were trying to hint you wanted to copy a DNS's server catalog of addresses which is a zone transer and is possible but not as likely as it used to be (considered a security weakness to transfer catalogs) or if you actually just wanted to copy the entire root zone of all DNS in the world, which isn't as impossible as most people think and hope but that a whole nother discussion //
This is for all the new DNS and NSLookup Curious in the world
*C:\WINDOWS\system32>*nslookup Starts an interactive NSLookup shell in Windows, most NSLOOKUP commands are ubiquitous across different operating systems
Default Server: resolver1.opendns.com shows my current DNS server name Address: 208.67.222.222 shows my current DNS server name
set d=2 Set debugLevel 2 / veryverbose and more than usual output / helpful for instructional reasons by displaying under the cover stuff
> server 8.8.8.8 Changing my preferred DNS server from opendns.com to Google's free DNS server also at 4.4.4.4
Got answer: HEADER: opcode = QUERY, id = 2, rcode = NOERROR header flags: response, want recursion, recursion avail. questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS: 8.8.8.8.in-addr.arpa, type = PTR, class = IN ANSWERS: -> 8.8.8.8.in-addr.arpa name = google-public-dns-a.google.com ttl = 79942 (22 hours 12 mins 22 secs)
Default Server: google-public-dns-a.google.com Address: 8.8.8.8
set type=ns Type is used to focus return data for a type of service/server listed in the queried domain, NS is the DNS server publicly listed as the DNS, MX is the external mail server which is to recieve email, etc
stackexchange.com We've already set our DNS server to googles, set our type to return listed DNS Name Servers, if we enter any properly formatted domain, it is sent as a DNS "query" lookup request to 8.8.8.8 Server: google-public-dns-a.google.com Address: 8.8.8.8
Got answer: HEADER: opcode = QUERY, id = 3, rcode = NOERROR header flags: response, want recursion, recursion avail. questions = 1, answers = 3, authority records = 0, additional = 0
QUESTIONS: stackexchange.com, type = NS, class = IN ANSWERS: -> stackexchange.com nameserver = ns2.serverfault.com ttl = 236 (3 mins 56 secs) -> stackexchange.com nameserver = ns3.serverfault.com ttl = 236 (3 mins 56 secs) -> stackexchange.com nameserver = ns1.serverfault.com ttl = 236 (3 mins 56 secs)
Non-authoritative answer:
stackexchange.com nameserver = ns2.serverfault.com ttl = 236 (3 mins 56 secs) stackexchange.com nameserver = ns3.serverfault.com ttl = 236 (3 mins 56 secs) stackexchange.com nameserver = ns1.serverfault.com ttl = 236 (3 mins 56 secs)
And the output is StackExchange's DNS servers are ns1, ns2 and ns3.serverfault.com The term "lookup" is an official word when describing DNS servers. Those ns1-ns3 aren't necessarily the actual DNS servers inside the serverfault.com network but the address to send queries, more than likely they're IP filters and load balancers responsible for handling the query and behind the scenes without the users interaction, the "magic sauce" we take for granted just like turning on the faucet.
Not all DNS servers are "open", meaning trying to query Comcasts DNS servers or a corporations DNS server from outside the network will likely be prohibited to protect system resources and attacks.
DNS is one of the oldest IP protocols and usually the older the protocol, the likelihood it has a history of being attacked and a key mechanism of attack. The original question hinted maybe you wanted to do this anonymously while getting current accurate info, I'm not criticizing or moralizing and whatever your reasons for remaining covert are yours. But know what I described will leave traces in the DNS servers log and any ISP in the chain between servers to the detail they log and retain those logs. It is possible to do this covertly but you'll have to share some context for an effective answer.
Google, keeps all traffic, all traffic never flushing it