Obfuscating SOA information in RPZ

Mark Andrews marka at isc.org
Mon Dec 2 22:56:27 UTC 2019

You need BIND 9.14.0 or later.  

5177.   [func]          Add the ability to specify in named.conf whether a
                        response-policy zone's SOA record should be added
                        to the additional section (add-soa yes/no). [GL #865]

That said, the RPZ SOA is “unrelated” to the query, so it doesn’t belong in the
authority section, as there is no automated way to process it.  Additionally,
the server is permitted to put anything it thinks may be useful in the additional

RFC 1034, 4.3.2. Algorithm

   6. Using local data only, attempt to add other RRs which may be
      useful to the additional section of the query.  Exit.

Also why is the machine getting a rpz modified response in the first place?


> On 30 Nov 2019, at 00:16, Ict Security <ict.security.job at gmail.com> wrote:
> Dear guys,
> we use RPZ zone in Bind 9 to protect some users against possible
> malware and to force Google safe search, changing resolution to
> Google's safe IP address server.
> We have an industrial machine which, for some reason, is "complaining"
> about the SOA information, visible in the additional info of the DNS
> query.
> Is it possible to obfuscate/remove the SOA information for a specific RPZ zone?
> Thank you so much,
> Frank

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
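The named.conf setting the changelog entry above refers to, as an added illustration (this is not configuration from the original thread or from ISC's documentation; the zone name `rpz.example.local` and file name are hypothetical placeholders). The per-zone `add-soa no` turns off the RPZ SOA in the additional section for that one zone, which is what the original question asked for; the trailing `add-soa no` after the zone list would apply it to every zone in the response-policy statement instead. Both forms require BIND 9.14.0 or later, as the reply states.

```conf
options {
    // ... other options ...

    response-policy {
        // Hypothetical RPZ zone name. Without "add-soa no" the default (yes)
        // puts this zone's SOA into the additional section of every rewritten
        // answer so operators can see which policy zone triggered the rewrite.
        zone "rpz.example.local" add-soa no;
    };
    // To suppress the SOA for all zones in the statement instead, use:
    // response-policy { zone "rpz.example.local"; } add-soa no;
};

zone "rpz.example.local" {
    type primary;                   // "master" in older named.conf syntax
    file "rpz.example.local.db";    // hypothetical zone file path
};
```

After a `rndc reconfig`, a query for a name the RPZ rewrites can be checked with `dig @<resolver> <name> +noall +additional`: with `add-soa yes` (the default) the additional section carries the RPZ zone's SOA, with `add-soa no` it is empty. Note that turning it off removes the only in-band indication that the answer was rewritten by policy, so keep `log yes` on the zone (or the `rpz` logging category) if you still need to audit which answers were modified.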
