Find out which DNS server answered your query

See this https://stackoverflow.com/questions/38021/how-do-i-find-the-authoritative-name-server-for-a-domain-name

in short, nslookup set the query type to SOA

single line:

 nslookup -querytype=soa google.de
 nslookup -d2 -type=ANY google.de
 nslookup -d2 -type=ANY google.de 8.8.8.8

look for: primary name server

command line> nslookup
> set querytype=soa
> google.de
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
google.de
    primary name server = ns2.google.com 
    responsible mail addr = dns-admin.google.com
    serial  = 160093636
    refresh = 900 (15 mins)
    retry   = 900 (15 mins)
    expire  = 1800 (30 mins)
    default TTL = 60 (1 min)

>

EDIT:

I'm told that the SOA record may not be the best method. That it may not even be set correctly. So, the NS record would have been a better choice:

Where is the nameserver server for the domain...

  nslookup  -type=NS google.de

Or with a lot of debug info to find the nameserver

  nslookup -d2 -type=NS google.de

I want to know what exact server in the end had the answer. Is that possible?

This is not achievable. You will not find the specific authoritative server that was consulted named anywhere in the payload of a DNS reply. There are CHAOS queries that exist for the purpose of identifying the specific recursive server that replied to you, but no such equivalent for extracting the name of the exact authoritative server that a recursor obtained the data from.

The StackOverflow Q&A that Phillip linked to provides instructions for how to identify the list of NS records that were present in the authority section of a recursive DNS response. This is the full list of servers though, not the specific server. Even were that sufficient for your uses, this information is considered optional by the DNS standards and it is increasingly rare to see it in recursive responses in order to reduce the payload size of internally sourced reflection attacks.

If you know the name of the zone, you can request the full list of NS records via an explicit request for them. This requires knowing that you are at the apex of the zone; a request for example.com NS records will return the desired response but www.example.com will not, unless www was delegated to another set of servers. In this case, you have no choice but to work backwards iteratively until you discover the apex of the zone.

Long story short, there is no reliable short path (i.e. single query) to getting information about all upstream authority from a recursive server, and there is no way to learn the specific authoritative server that responded to a query without also controlling the authoritative server and creating unique data on each server. (if you do this, please create a unique zone for that purpose so that it does not interfere with your more sensitive production zone transfers)


When you use dig in the default reply you will have the IP of the answering nameserver, which should be the recursive nameserver configured in your system (/etc/resolv.conf typically).