Running dig ANY target.com on a home internet connection usually results in a timeout. However, if you append @8.8.8.8 to query Google DNS directly, it works instantly.
Your ISP isn't broken. They block ANY queries by default to prevent a specific type of cyberattack called a DNS Amplification DDoS.
The Mechanics of the Attack
DNS queries normally use UDP, which means there is no handshake. Because there is no handshake, an attacker can easily fake (spoof) their IP address to look like a victim's IP.
The ANY tag tells a DNS server to return every single record it has (A, MX, TXT, etc.). This creates a massive payload discrepancy:
- Request: ~50 bytes
- Response: ~1000+ bytes
If an attacker sends millions of these tiny ANY requests using the victim's spoofed IP to open DNS servers, those servers will blast massive responses at the victim. The victim's bandwidth gets flooded, knocking them offline.
Why Your ISP Blocks It (But Google Doesn't)
Your ISP blocks ANY requests at the router level because normal web browsing never uses them. It is a simple way to stop their network from being used in DDoS attacks.
Google (8.8.8.8) and Cloudflare (1.1.1.1) allow them because they have massive global scrubbing networks to filter out spoofed traffic. They also use "TCP Fallback." If a response gets too big, they force the connection to switch to TCP. Since TCP requires a real handshake, spoofing becomes impossible.
The Fix for Recon
When doing CTFs, Hack The Box, or bug bounties, home internet security configurations will regularly block your traffic.
Skip your ISP's local resolver and query a public server directly:
dig @8.8.8.8 ANY target.com +short
Top comments (0)