Mikrotik split-dns: they did it

Less than 10 years have passed since the RoS developers added (in stable 6.47) a feature that lets you redirect DNS requests according to specific rules. Where you previously had to contrive Layer-7 rules in the firewall, this is now done simply and elegantly:

/ip dns static
add forward-to=192.168.88.3 regexp=".*\.test1\.localdomain" type=FWD
add forward-to=192.168.88.56 regexp=".*\.test2\.localdomain" type=FWD

My joy knows no bounds!

What does this threaten us with?

At the very least, we get rid of strange NAT constructions like this one:


/ip firewall layer7-protocol
add comment="DNS Nat contoso.com" name=contoso.com regexp="\x07contoso\x03com"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=udp to-addresses=192.0.2.15
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=tcp to-addresses=192.0.2.15
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=udp
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=tcp
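
The two kinds of regexp shown above match different things: the Layer-7 pattern is applied to the raw DNS payload, where names are length-prefixed labels, while the static FWD pattern is written against the dotted name. The Python below is an added example, not code from the original article, for checking which names each pattern would catch before deploying it; the helper names are hypothetical, Python's `re` is assumed to behave like the router's regex engine for these simple patterns, and the static rule is modelled both as an unanchored search and as a whole-name match because the page does not say which applies.

```python
import re

def qname_wire(name: str) -> bytes:
    """Encode a dotted name as a DNS QNAME: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dns_query(name: str, qtype: int = 1) -> bytes:
    """Minimal query: 12-byte header (ID 0x1234, RD set, 1 question) + question."""
    header = bytes.fromhex("123401000001000000000000")
    return header + qname_wire(name) + qtype.to_bytes(2, "big") + b"\x00\x01"

# Patterns copied from the page.
L7_CONTOSO = re.compile(rb"\x07contoso\x03com")
FWD_TEST1 = re.compile(r".*\.test1\.localdomain")

def l7_hits(name: str) -> bool:
    # Layer-7 matching searches the raw payload, so it sees wire-format labels.
    return L7_CONTOSO.search(dns_query(name)) is not None

def fwd_hits(name: str, anchored: bool) -> bool:
    # Assumption: the static regexp is tested against the lowercased dotted name.
    # anchored=False models a substring search, True models a whole-name match.
    n = name.lower().rstrip(".")
    m = FWD_TEST1.fullmatch(n) if anchored else FWD_TEST1.search(n)
    return m is not None

if __name__ == "__main__":
    # Constructed sample names, not taken from the page.
    for n in ["contoso.com", "www.contoso.com", "contoso.com.example.net", "mycontoso.com"]:
        print(f"L7  {n:28} {l7_hits(n)}")
    for n in ["host.test1.localdomain", "test1.localdomain",
              "host.test1.localdomain.example.net"]:
        print(f"FWD {n:36} search={fwd_hits(n, False)} full={fwd_hits(n, True)}")
```

Two things worth noticing in the output: the FWD pattern as written never matches the bare zone name `test1.localdomain`, and any unanchored pattern also catches longer names that merely contain the zone, so adding a trailing `$` is worth considering if only the internal zone should be forwarded.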

And that is not all: you can now register several forwarders, which helps with DNS failover.
Intelligent DNS handling lets you start introducing IPv6 into the company network. I had not done this before, the reason being that I needed to resolve a number of DNS names to local addresses, and in IPv6 this could not be done without major workarounds.

Source: www.habr.com