{"id":1352,"date":"2026-05-22T11:15:32","date_gmt":"2026-05-22T09:15:32","guid":{"rendered":"https:\/\/simon-frey.com\/blog\/?p=1352"},"modified":"2026-05-22T11:15:34","modified_gmt":"2026-05-22T09:15:34","slug":"why-does-dig-any-not-return-any-records","status":"publish","type":"post","link":"https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/","title":{"rendered":"Why Does dig ANY Not Return Any Records?"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">If you&#8217;ve used <code>dig domain.com ANY<\/code> lately to see all DNS records for a domain, you&#8217;ve probably noticed it doesn&#8217;t work anymore. Instead of A, MX, NS, TXT records, you get a single weird line mentioning &#8220;RFC8482&#8221;. Here&#8217;s why and what to do instead.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">TLDR;<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><code>dig ANY<\/code> is dead. RFC 8482 retired it to stop DDoS amplification. Loop over the numeric RR types in parallel instead. The command to do this with dig on Linux is at the end of the article.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><code>dig ANY<\/code> returns nothing for most nameservers<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>$ dig cloudflare.com ANY +short<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">A few years ago the same command dumped every record type the server had, but now not a single record is returned.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why does <code>ANY<\/code> not return all records anymore?<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">It was actively retired\/disabled for three reasons:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>DDoS amplification.<\/strong> Small <code>ANY<\/code> query in, huge response out. Attackers spoof a victim&#8217;s IP, flood open resolvers with <code>ANY<\/code> queries, and the resolvers blast amplified responses at the victim. 
Killing <code>ANY<\/code> killed one of the most popular reflection vectors on the internet.<\/li>\n\n\n\n<li><strong>It never really worked anyway.<\/strong> RFC 1035 defined <code>ANY<\/code> as &#8220;a request for some or all records the server has available.&#8221; Servers were never required to return everything; they just often did. This was not reliable behavior anyway.<\/li>\n\n\n\n<li><strong>It is expensive.<\/strong> Modern DNS providers split records across distributed backends, so returning &#8220;everything&#8221; is expensive and exposes infrastructure details.<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">In 2019, <a href=\"https:\/\/www.rfc-editor.org\/info\/rfc8482\/\">RFC 8482<\/a> standardized what big providers were already doing: tell the client to query specific types.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Script to replace dig ANY<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Query each record type individually. Loop over the IANA type numbers directly:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>seq 1 265 \\\n  | xargs -P 16 -I{} sh -c '\n      out=$(dig +noall +answer example.com \"TYPE{}\")\n      if &#91; -n \"$out\" ]; then\n        name=$(echo \"$out\" | awk \"{print \\$4; exit}\")\n        printf \"=== %s (TYPE{}) ===\\n%s\\n\" \"$name\" \"$out\"\n      fi\n    '<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Replace <code>example.com<\/code> with your domain.<\/strong> <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>seq 1 265<\/code> covers every assigned RR type number (IANA&#8217;s range ends at 264 as of April 2026). <br><code>dig TYPE{}<\/code> uses numeric syntax that works even for newer types like SVCB (64) and HTTPS (65). <br><code>xargs -P 16<\/code> runs 16 queries in parallel, so the sweep finishes in seconds. 
<br>The <code>[ -n \"$out\" ]<\/code> check skips empty responses, so you only see types that actually have records.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you&#8217;ve used dig domain.com ANY lately to see all DNS records for a domain, you&#8217;ve probably noticed it doesn&#8217;t work anymore. Instead of A, MX, NS, TXT records, you get a single weird line&hellip;<\/p>\n<p><a href=\"https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/\" class=\"more-link\">Read more<span class=\"screen-reader-text\"> of Why Does dig ANY Not Return Any Records?<\/span><span aria-hidden=\"true\"> &rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[232,377],"tags":[],"class_list":["post-1352","post","type-post","status-publish","format-standard","hentry","category-devops","category-pentesting"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Why Does dig ANY Not Return Any Records? - Blog by Simon Frey<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Simon Frey\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Why Does dig ANY Not Return Any Records? 
- Blog by Simon Frey","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/","twitter_misc":{"Written by":"Simon Frey","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/#article","isPartOf":{"@id":"https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/"},"author":{"name":"Simon Frey","@id":"https:\/\/simon-frey.com\/blog\/#\/schema\/person\/34753982b648415636ee7a079f3e19a3"},"headline":"Why Does dig ANY Not Return Any Records?","datePublished":"2026-05-22T09:15:32+00:00","dateModified":"2026-05-22T09:15:34+00:00","mainEntityOfPage":{"@id":"https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/"},"wordCount":314,"publisher":{"@id":"https:\/\/simon-frey.com\/blog\/#\/schema\/person\/34753982b648415636ee7a079f3e19a3"},"articleSection":["DevOps","pentesting"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/","url":"https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/","name":"Why Does dig ANY Not Return Any Records? 
- Blog by Simon Frey","isPartOf":{"@id":"https:\/\/simon-frey.com\/blog\/#website"},"datePublished":"2026-05-22T09:15:32+00:00","dateModified":"2026-05-22T09:15:34+00:00","breadcrumb":{"@id":"https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/simon-frey.com\/blog\/why-does-dig-any-not-return-any-records\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/simon-frey.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Why Does dig ANY Not Return Any Records?"}]},{"@type":"WebSite","@id":"https:\/\/simon-frey.com\/blog\/#website","url":"https:\/\/simon-frey.com\/blog\/","name":"Blog by Simon Frey","description":"","publisher":{"@id":"https:\/\/simon-frey.com\/blog\/#\/schema\/person\/34753982b648415636ee7a079f3e19a3"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/simon-frey.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/simon-frey.com\/blog\/#\/schema\/person\/34753982b648415636ee7a079f3e19a3","name":"Simon 
Frey","logo":{"@id":"https:\/\/simon-frey.com\/blog\/#\/schema\/person\/image\/"},"sameAs":["https:\/\/simon-frey.com","https:\/\/www.linkedin.com\/in\/simonfrey\/","https:\/\/x.com\/eu_frey"]}]}},"_links":{"self":[{"href":"https:\/\/simon-frey.com\/blog\/wp-json\/wp\/v2\/posts\/1352","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/simon-frey.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/simon-frey.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/simon-frey.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/simon-frey.com\/blog\/wp-json\/wp\/v2\/comments?post=1352"}],"version-history":[{"count":1,"href":"https:\/\/simon-frey.com\/blog\/wp-json\/wp\/v2\/posts\/1352\/revisions"}],"predecessor-version":[{"id":1353,"href":"https:\/\/simon-frey.com\/blog\/wp-json\/wp\/v2\/posts\/1352\/revisions\/1353"}],"wp:attachment":[{"href":"https:\/\/simon-frey.com\/blog\/wp-json\/wp\/v2\/media?parent=1352"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/simon-frey.com\/blog\/wp-json\/wp\/v2\/categories?post=1352"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/simon-frey.com\/blog\/wp-json\/wp\/v2\/tags?post=1352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}