If you’ve used dig domain.com ANY lately to see all DNS records for a domain, you’ve probably noticed it doesn’t work anymore. Instead of A, MX, NS, TXT records, you get a single weird line mentioning “RFC8482”. Here’s why and what to do instead.

TL;DR: dig ANY is dead. RFC 8482 retired it to stop DDoS amplification. Loop over the numeric RR types in parallel instead. The command to do this with dig on Linux is at the end of the article.

dig ANY returns nothing for most nameservers

    $ dig cloudflare.com ANY +short

A few years ago the same command dumped every record type the server had, but now not a single record is returned.

Why does ANY not return all records anymore?

It was actively retired/disabled for three reasons:

DDoS amplification. A small ANY query goes in, a huge response comes out. Attackers spoof a victim’s IP, flood open resolvers with ANY queries, and the resolvers blast the amplified responses at the victim. Killing ANY killed one of the most popular reflection vectors on the internet.

It never…
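The per-type loop the TL;DR refers to, as an added example rather than the article’s own script: it asks dig for each record type separately, runs the queries in the background, and merges the answers. It assumes dig is installed; the default type list, the numeric TYPEn range helper and the 3-second timeout are my choices, not the article’s.

```shell
#!/bin/sh
# Replacement for "dig domain ANY": one dig per RR type, run in parallel, merged afterwards.
# Added example, not from the article. Type list and timeout are assumptions.

# Default types to ask for. Any RR code can also be given as TYPEn (see numeric_rr_types).
RR_TYPES="A AAAA CNAME MX NS TXT SOA SRV CAA DNSKEY DS HINFO"

# Print TYPEn names for the numeric range lo..hi; dig accepts TYPE65 even if it does not
# know the mnemonic, which is what "loop over the numeric RR types" means in practice.
numeric_rr_types() {
  i=$1
  while [ "$i" -le "$2" ]; do
    printf 'TYPE%s\n' "$i"
    i=$((i + 1))
  done
}

# Prefix every answer line on stdin with its record type so merged output stays readable.
# A NODATA answer produces no lines, which is how "no record of this type" shows up.
label_answers() {
  rrtype=$1
  while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '%s\t%s\n' "$rrtype" "$line"
    fi
  done
}

# Query every type in RR_TYPES for one domain. Each dig runs as a background job and
# writes to its own file; wait collects them and the output keeps RR_TYPES order.
query_all_types() {
  domain=$1
  server=${2:-}   # optional resolver IP; empty means use /etc/resolv.conf
  tmp=$(mktemp -d) || return 1
  for t in $RR_TYPES; do
    ( dig ${server:+@"$server"} "$domain" "$t" +short +time=3 +tries=1 2>/dev/null \
        | label_answers "$t" > "$tmp/$t" ) &
  done
  wait
  for t in $RR_TYPES; do cat "$tmp/$t"; done
  rm -rf "$tmp"
}

# Usage: ./anyrr.sh example.com [resolver]
# For a brute-force sweep of codes 1..64 instead of the mnemonic list:
#   RR_TYPES="$(numeric_rr_types 1 64)" ./anyrr.sh example.com 1.1.1.1
if [ -n "${1:-}" ]; then
  query_all_types "$1" "${2:-}"
fi
```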