Why Does dig ANY Not Return Any Records?

By Simon Frey Last updated:
show table of contents

If you’ve used dig domain.com ANY lately to see all DNS records for a domain, you’ve probably noticed it doesn’t work anymore. Instead of A, MX, NS, TXT records, you get a single weird line mentioning “RFC8482”. Here’s why and what to do instead.

TLDR;

dig ANY is dead. RFC 8482 retired it to stop DDoS amplification. Loop over the numeric RR types in parallel instead. Command to do this with dig on linux at the end of the article

dig ANY return nothing for most nameservers

$ dig cloudflare.com ANY +short

A few years ago the same command dumped every record type the server had, but now not a single record is returned

Why does ANY not return all records anymore?

It was actively retired/disabled as of three reason

  1. DDoS amplification. Small ANY query in, huge response out. Attackers spoof a victim’s IP, flood open resolvers with ANY queries, and the resolvers blast amplified responses at the victim. Killing ANY killed one of the most popular reflection vectors on the internet.
  2. It never really worked anyway. RFC 1035 defined ANY as “a request for some or all records the server has available.” Servers were never required to return everything, they just often did. This was not a reliably behavior anyways.
  3. It is expensive Modern DNS providers split records across distributed backends, so returning “everything” is expensive and exposes infrastructure details.

In 2019, RFC 8482 standardized what big providers were already doing: tell the client to query specific types.

Script to replace dig ANY

Query each record type individually. Loop over the IANA type numbers directly:

seq 1 265 \
  | xargs -P 16 -I{} sh -c '
      out=$(dig +noall +answer example.com "TYPE{}")
      if [ -n "$out" ]; then
        name=$(echo "$out" | awk "{print \$4; exit}")
        printf "=== %s (TYPE{}) ===\n%s\n" "$name" "$out"
      fi
    '

Replace example.com with your domain.

seq 1 265 covers every assigned RR type number (IANA’s range ends at 264 as of April 2026).
dig TYPE{} uses numeric syntax that works even for newer types like SVCB (64) and HTTPS (65).
xargs -P 16 runs 16 queries in parallel, so the sweep finishes in seconds.
The [ -n "$out" ] check skips empty responses, so you only see types that actually have records.

To never miss an article subscribe to my newsletter
No ads. One click unsubscribe.