Mikrotik split-dns: they did it

Less than 10 years later, the RoS developers (in stable 6.47) added functionality that lets you forward DNS queries according to special rules. Where you previously had to fiddle with Layer-7 rules in the firewall, this is now done simply and elegantly:

/ip dns static
add forward-to=192.168.88.3 regexp=".*\.test1\.localdomain" type=FWD
add forward-to=192.168.88.56 regexp=".*\.test2\.localdomain" type=FWD

My joy knows no bounds!
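
The rule selection above, modelled in Python as an added example (not part of the original post and not RouterOS code): it applies the page's two regexps, in rule order, to constructed names and reports where routing depends on whether the pattern is anchored. Python's `re` stands in for the router's matcher, `DEFAULT` is a placeholder, and which anchoring the device applies is an assumption to verify on the device itself.

```python
import re

# The two FWD rules from the page, as (pattern, upstream), in rule order.
RULES = [
    (r".*\.test1\.localdomain", "192.168.88.3"),
    (r".*\.test2\.localdomain", "192.168.88.56"),
]
DEFAULT = "default-upstream"  # placeholder for the router's normal resolvers


def route(name, rules=RULES, anchored=True):
    """Return the upstream chosen by the first rule that matches `name`.

    anchored=True  -> the pattern must cover the whole name (fullmatch)
    anchored=False -> the pattern may match anywhere in the name (search)
    Which of the two the resolver applies is an assumption to verify.
    """
    name = name.rstrip(".").lower()  # DNS names are case-insensitive
    for pattern, upstream in rules:
        rx = re.compile(pattern)
        hit = rx.fullmatch(name) if anchored else rx.search(name)
        if hit:
            return upstream
    return DEFAULT


def audit(names, rules=RULES):
    """Names whose routing changes with the anchoring semantics."""
    return [n for n in names
            if route(n, rules, True) != route(n, rules, False)]


# Constructed sample names (not from the original post).
SAMPLES = [
    "host.test1.localdomain",
    "a.b.test2.localdomain",
    "test1.localdomain",               # zone apex: no leading label and dot
    "host.test1.localdomain.example",  # zone name embedded in a longer name
    "www.example.org",
]

if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n:32} anchored={route(n):16} "
              f"unanchored={route(n, anchored=False)}")
    print("depends on anchoring:", audit(SAMPLES))
```

With these patterns the zone apex `test1.localdomain` is never forwarded, because the regexp requires a dot before `test1`; a name that only contains the zone is forwarded to the internal server only under unanchored matching.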

What does this mean for us?

At a minimum, we get rid of strange NAT constructions like this one:


/ip firewall layer7-protocol
add comment="DNS Nat contoso.com" name=contoso.com regexp="\x07contoso\x03com"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=udp to-addresses=192.0.2.15
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=tcp to-addresses=192.0.2.15
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=udp
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=tcp

And that is not all: you can now register several forwarders, which will help with DNS failover.
Smart DNS handling will make it possible to start introducing IPv6 in the company network. I had not done this before, because I need to resolve many DNS names to local addresses, and in IPv6 that could not be done without major kludges.

source: www.habr.com