The DNS ‘ANY’ query was not designed to reveal all of the records in the zone file for a specific domain. What the ANY query does is ask the DNS server to provide all records for the specific hostname you type. For example, if you make an ANY query for “example.com”, it will most likely return all SOA, NS, A, MX, SPF, TXT (etc.) records specifically for “example.com”. It essentially saves you from having to query all of those record types individually. It won’t reveal other A records the domain might have, such as ftp.example.com, because you didn’t ask for ftp.example.com; you asked for all records for example.com. Again, it is very specific.
If what you’re trying to accomplish is to retrieve an entire copy of a zone file from a DNS server (to reveal ftp.example.com, www.example.com and so forth), you need to use “AXFR”, which is a request for a complete Zone Transfer. However, don’t get your hopes up with AXFR either. The IP address of the requesting server or computer needs to be specifically allowed at the authoritative DNS server before it will give you all of that information. This is intentional and by design, for security reasons. If you had a confidential hostname of “secretserver.example.com” that you didn’t want the entire world to know about, only those you gave it to, DNS won’t voluntarily give this information out. HOWEVER, it is important to keep in mind that DNS will always provide an answer when asked a question, because that is what it is designed to do. So if someone ran a dictionary against example.com, they would eventually find it, but it would take some work.
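The difference between ANY and AXFR described above comes down to a single field in the DNS question (QTYPE 255 versus QTYPE 252) plus the fact that AXFR runs over TCP, and the “allow-transfer” restriction shows up as an RCODE of REFUSED in the first reply. The following is an added example, not code from the original post: it builds both queries in wire format with only the Python standard library, classifies an AXFR reply so that you can audit whether a name server you operate leaks its zone, and runs the classification against two constructed sample replies (hand-built bytes, not captured from any real server). The server name passed to axfr_check is a placeholder you supply.

```python
"""Build DNS ANY / AXFR queries and classify an AXFR reply.

Added example (not the original post's code). Standard library only.
The sample replies at the bottom are constructed by hand, not captured.
"""
import socket
import struct

QTYPE_AXFR = 252   # RFC 1035: full zone transfer, must be asked over TCP
QTYPE_ANY = 255    # RFC 1035: every record for one exact owner name
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """12-byte header + one question. Flags are 0 (no RD): an AXFR is sent
    straight to the authoritative server, not through a recursive resolver."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(msg: bytes) -> dict:
    """Extract the header fields that decide whether a transfer was allowed."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": RCODE_NAMES.get(rcode, str(rcode)), "answers": an}


def classify_axfr(msg: bytes) -> str:
    """REFUSED/NOTAUTH means allow-transfer is restricting the zone, as the
    post describes; NOERROR with answer records means the zone is open."""
    r = parse_response(msg)
    if r["rcode"] in ("REFUSED", "NOTAUTH"):
        return "transfer denied (%s): allow-transfer is doing its job" % r["rcode"]
    if r["rcode"] == "NOERROR" and r["answers"] > 0:
        return "OPEN ZONE TRANSFER: %d records in first message; restrict allow-transfer" % r["answers"]
    return "inconclusive (%s, %d answers)" % (r["rcode"], r["answers"])


def axfr_check(server: str, zone: str, timeout: float = 5.0) -> str:
    """Send one AXFR over TCP (two-byte length prefix, RFC 1035 section 4.2.2)
    to a name server you operate and classify the first reply message."""
    q = build_query(zone, QTYPE_AXFR)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        (length,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return classify_axfr(data)


# Constructed sample replies (assumed, not captured). Both echo the question;
# only the header counts and RCODE are inspected, so RR bodies are omitted.
_QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
# flags 0x8005: QR set, RCODE 5 (REFUSED) -- what a restricted server returns
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QUESTION
# flags 0x8400: QR + AA, RCODE 0, ANCOUNT 3 -- an open transfer starting
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0) + _QUESTION

if __name__ == "__main__":
    print("ANY  query tail:", build_query("example.com", QTYPE_ANY)[-4:].hex())
    print("AXFR query tail:", build_query("example.com", QTYPE_AXFR)[-4:].hex())
    print(classify_axfr(SAMPLE_REFUSED))
    print(classify_axfr(SAMPLE_OPEN))
    # print(axfr_check("ns1.example.com", "example.com"))  # placeholder server
```

The equivalent one-liner for a live check of your own zone is dig @ns1.example.com example.com AXFR, and the fix for an “OPEN ZONE TRANSFER” result in BIND is an allow-transfer clause that lists only the secondaries (or a TSIG key) rather than any. One caveat on the ANY half of the post: since RFC 8482 many servers deliberately return a minimal answer to ANY, so even the “all records for this one name” behaviour is no longer guaranteed.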