Obfuscating SOA information in RPZ
Mark Andrews
marka at isc.org
Mon Dec 2 22:56:27 UTC 2019
You need BIND 9.14.0 or later.
5177. [func] Add the ability to specify in named.conf whether a
response-policy zone's SOA record should be added
to the additional section (add-soa yes/no). [GL #865]
That said, the rpz SOA is “unrelated” to the query, so it doesn’t belong in the
authority section, as there is no automated way to process it. Additionally,
the server is permitted to put anything it thinks may be useful in the additional
section.
RFC 1034, 4.3.2. Algorithm
6. Using local data only, attempt to add other RRs which may be
useful to the additional section of the query. Exit.
Also why is the machine getting a rpz modified response in the first place?
Mark
> On 30 Nov 2019, at 00:16, Ict Security <ict.security.job at gmail.com> wrote:
>
> Dear guys,
>
> we use RPZ zone in Bind 9 to protect some users against possible
> malware and to force Google safe search changing resolution to
> Google's safe IP address server.
>
> We have an industrial machine which, for some reason, is "complaining"
> about the SOA information, visible in the additional info of the DNS
> query.
>
> Is it possible to obfuscate/remove the SOA information for a specific RPZ zone?
>
> Thank you so much,
> Frank
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
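What the add-soa knob Mark mentions looks like in practice, as an added configuration example that is not from the thread or from ISC: the zone name rpz.example, the file path, the server address and the SafeSearch CNAME rewrite are assumptions about how a setup like Frank's might be built.

```conf
# named.conf fragment (example). The RPZ is an ordinary local zone; the
# response-policy statement is what makes named consult it on every lookup.
options {
    response-policy {
        zone "rpz.example" policy given;
    }
    # BIND 9.14+: do not copy the RPZ's SOA into the additional section of
    # rewritten answers. It can also be set per zone:
    #   zone "rpz.example" policy given add-soa no;
    add-soa no;
};

zone "rpz.example" {
    type master;
    file "rpz.example.db";
    allow-query { localhost; };   # policy data is for the resolver, not clients
    allow-transfer { none; };
};

# rpz.example.db (example zone file). The SafeSearch rewrite the original
# post describes, expressed as an RPZ CNAME action; the SOA here is the record
# that add-soa no now keeps out of client responses.
#
#   $TTL 300
#   @               SOA   localhost. hostmaster.rpz.example. 1 3600 900 604800 300
#                   NS    localhost.
#   www.google.com  CNAME forcesafesearch.google.com.
#
# Check from the affected machine's network (assumed resolver 192.0.2.53):
#   dig @192.0.2.53 www.google.com A +noall +answer +additional
# With the default add-soa yes the additional section carries
# "rpz.example. 300 IN SOA ..."; with add-soa no it is absent.
```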