FortiGate
pciurea
Staff & Editor
Article Id 388656
Description

This article explains why FortiOS DNS services respond with NOTIMP (Not Implemented) to DNS queries of type ANY (QTYPE=255) when the FortiGate is acting as a DNS server.

This behavior is intentional, in line with modern DNS best practices, and serves both security and performance goals.

Scope

FortiOS with the FortiGate acting as a DNS server. The behavior described here applies to both IPv4 and IPv6 DNS queries.

Solution

What is a DNS ANY query?

A DNS query of type ANY (QTYPE=255) asks for all record types (A, AAAA, MX, TXT, etc.) associated with a domain name. Although it was originally intended for diagnostics, an ANY query is unreliable in practice: a server answers with whatever records it happens to have on hand, not necessarily every record for the name, so applications cannot depend on it. Because a small ANY query can produce a large response, it is also a favorite trigger for DNS reflection/amplification attacks, and modern guidance treats it as a query type to be minimized or refused.

 

FortiOS Behavior.

When FortiOS, acting as a DNS server, receives a DNS query of type ANY, it responds with RCODE 4, NOTIMP (Not Implemented). This tells the client that the server does not support that kind of query; the response carries no answer records.
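The quickest check is `dig @<fortigate-ip> example.com ANY`, which should print `status: NOTIMP` in the header line. The following is an added example, not code from the original article or from Fortinet, that builds the same ANY query by hand, sends it over UDP, and reads the RCODE out of the reply so the check can be scripted. The server address `192.0.2.1`, the transaction IDs, and the sample replies are all constructed for illustration; the sample replies are built locally so the parsing can be exercised without a device.

```python
"""Build a DNS ANY query, send it, and classify the RCODE of the reply.

Added example (not from the original article or from Fortinet). The server
address and the sample replies below are constructed for illustration.
"""
import socket
import struct
from typing import Optional

# RFC 1035 values
QTYPE_A = 1
QTYPE_ANY = 255          # "*" in RFC 1035: a request for all records
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
RCODE_NOTIMP = 4

FLAG_QR = 0x8000   # packet is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 labels: length byte + label, ending in 0x00."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234) -> bytes:
    """Build a single-question DNS query (QR=0, RD=1) for `name` with the given QTYPE."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    return header + question


def parse_rcode(reply: bytes, expected_txid: Optional[int] = None) -> int:
    """Return the RCODE (low 4 bits of the flags word) of a DNS reply.

    Rejects packets that are too short, that are not responses (QR=0), or whose
    transaction ID does not match the query that was sent.
    """
    if len(reply) < 12:
        raise ValueError("reply shorter than the 12-byte DNS header")
    txid, flags = struct.unpack("!HH", reply[:4])
    if not flags & FLAG_QR:
        raise ValueError("packet is a query, not a response")
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    return flags & 0x000F


def query_rcode_name(server: str, name: str, qtype: int = QTYPE_ANY,
                     timeout: float = 2.0) -> str:
    """Send one UDP query to `server` and return the reply's RCODE name.

    Against a FortiGate acting as DNS server, QTYPE_ANY is expected to yield "NOTIMP".
    """
    txid = 0x4D2F  # fixed here for reproducibility; use a random ID in production code
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    rcode = parse_rcode(reply, expected_txid=txid)
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def fake_reply(query: bytes, rcode: int) -> bytes:
    """Constructed reply: echo the query's ID and question, set QR/RA and the RCODE.

    Used only to exercise parse_rcode offline. No answer records are included,
    which is what a NOTIMP reply looks like on the wire.
    """
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (rcode & 0x000F)
    return struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0) + query[12:]


# Constructed sample exchange (not captured from a real device).
SAMPLE_ANY_QUERY = build_query("example.com", QTYPE_ANY)
SAMPLE_NOTIMP_REPLY = fake_reply(SAMPLE_ANY_QUERY, RCODE_NOTIMP)  # what FortiOS returns for ANY
SAMPLE_A_QUERY = build_query("example.com", QTYPE_A)
SAMPLE_NOERROR_REPLY = fake_reply(SAMPLE_A_QUERY, 0)               # a normal answer header


if __name__ == "__main__":
    print("ANY ->", RCODE_NAMES[parse_rcode(SAMPLE_NOTIMP_REPLY, 0x1234)])
    print("A   ->", RCODE_NAMES[parse_rcode(SAMPLE_NOERROR_REPLY, 0x1234)])
    # Live check against a FortiGate DNS server (placeholder address):
    # print(query_rcode_name("192.0.2.1", "example.com"))
```

`parse_rcode` deliberately verifies the QR bit and the transaction ID before trusting the RCODE, so a stray or spoofed packet on the socket is not mistaken for the server's answer. Run `query_rcode_name` against the FortiGate with `QTYPE_ANY` and then with `QTYPE_A` to confirm that only the ANY query is refused and normal resolution is unaffected.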

 

Why FortiOS responds with NOTIMP.

This behavior is intentional and aligns with:

  • RFC 8482: allows a server to decline a conventional ANY answer and return minimal data instead (for example a single RRset or a synthesized HINFO record). FortiOS goes one step further and refuses the query type outright with NOTIMP; for the client the practical effect is the same, in that an ANY query cannot be relied on to enumerate a name's records.
  • RFC 1035: defines the DNS protocol and lists ANY (QTYPE 255, written "*") as a valid query type, but does not require a server to answer it. RFC 1035 also defines RCODE 4 (NOTIMP) precisely for the case where the name server does not support the requested kind of query, so the FortiOS response is protocol-conformant.
  • DNS security best practices: ANY queries are commonly used for reconnaissance and as the trigger in reflection/amplification attacks, because a small query with a spoofed source address can elicit a large response toward a victim. RFC 5358 (BCP 140) covers preventing name servers from being used as reflectors.
  • Operational efficiency: refusing ANY avoids assembling and sending large responses that provide no benefit for normal name resolution, which always needs a specific record type (A, AAAA, MX, and so on).
