Mikrotik split-dns: they did it

Less than 10 years passed before the RoS developers (in stable 6.47) added functionality that lets you redirect DNS requests according to special rules. Where previously you had to contort yourself with Layer-7 rules in the firewall, it is now done simply and elegantly:

/ip dns static
add forward-to=192.168.88.3 regexp=".*\.test1\.localdomain" type=FWD
add forward-to=192.168.88.56 regexp=".*\.test2\.localdomain" type=FWD

My joy knows no bounds!

What does this mean for us?

At a minimum, we get rid of strange NAT constructs like this one:


/ip firewall layer7-protocol
add comment="DNS Nat contoso.com" name=contoso.com regexp="\x07contoso\x03com"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=udp to-addresses=192.0.2.15
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=tcp to-addresses=192.0.2.15
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=udp
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=tcp

And that is not all: you can now register several forwarders, which helps with DNS failover.
Intelligent DNS processing will make it possible to start introducing IPv6 into the company network. I had not done this before, because I needed to resolve a number of DNS names to local addresses, and with IPv6 that could not be done without rather large kludges.
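
The Layer-7 rule above uses \x07 and \x03 because a DNS query carries each label prefixed by its length byte, so the pattern is matched against the wire encoding of the name. The Python sketch below is an added example, not part of the original article; it models the match as a plain byte search over the query payload (an assumption) and uses constructed sample names to show which queries such a pattern selects.

```python
import re
import struct

# Layer-7 pattern copied from the page's rule, expressed as bytes on the wire.
L7_PATTERN = re.compile(rb"\x07contoso\x03com")

def encode_qname(name: str) -> bytes:
    """Encode a host name as DNS wire-format labels: <len><label>...<0>."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"invalid label length in {name!r}")
        out.append(len(raw))      # one length byte precedes every label
        out += raw
    out.append(0)                 # root label terminates the name
    return bytes(out)

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query payload: header plus one question."""
    # Flags 0x0100 = recursion desired; QDCOUNT = 1, other counts = 0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN

def l7_would_mark(name: str) -> bool:
    """True if the pattern occurs anywhere in the query payload (assumed model)."""
    return L7_PATTERN.search(build_query(name)) is not None

# Constructed sample names, chosen to exercise the label boundaries.
SAMPLES = [
    "contoso.com",              # the intended zone
    "www.contoso.com",          # subdomain: labels still appear in sequence
    "xcontoso.com",             # first label has length 8, not 7
    "contoso.community",        # second label has length 9, not 3
    "contoso.com.example.net",  # same two labels, but under another zone
]

def check_samples() -> dict:
    """Map each sample name to whether the page's pattern would select it."""
    return {name: l7_would_mark(name) for name in SAMPLES}

if __name__ == "__main__":
    for name, hit in check_samples().items():
        print(f"{name:28} {'marked' if hit else 'not marked'}")
```

Because the pattern does not include the terminating \x00, a name that merely contains the contoso and com labels in sequence is also selected under this model, which is worth checking when auditing rules of this kind.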

Source: www.habr.com