Mikrotik split-dns: they did it

Less than 10 years have passed since the RoS developers (in stable 6.47) added functionality that lets you forward DNS requests according to specific rules. Where you previously had to resort to Layer-7 rules in the firewall, it is now done simply and elegantly:

/ip dns static
add forward-to=192.168.88.3 regexp=".*\.test1\.localdomain" type=FWD
add forward-to=192.168.88.56 regexp=".*\.test2\.localdomain" type=FWD

My joy knows no bounds!

What does this mean for us?

At the very least, we get rid of strange NAT constructions like this:
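
The two FWD entries above, modelled in Python as an added example (not code from the original post): it shows which forwarder each query name would be sent to, including two edge cases of the pattern as written, the zone apex and a foreign name that merely contains the zone. It assumes first-match-wins ordering and unanchored regexp matching; the anchored patterns and the sample names are constructed for illustration.

```python
import re

# The two FWD entries from the page, in list order: (regexp, forward-to).
PAGE_RULES = [
    (r".*\.test1\.localdomain", "192.168.88.3"),
    (r".*\.test2\.localdomain", "192.168.88.56"),
]

# Hypothetical tightened variants: anchored at both ends, zone apex included.
ANCHORED_RULES = [
    (r"^(.*\.)?test1\.localdomain$", "192.168.88.3"),
    (r"^(.*\.)?test2\.localdomain$", "192.168.88.56"),
]


def pick_forwarder(qname, rules):
    """Return the forward-to address of the first rule matching qname, or None.

    Assumption: first match wins and the pattern is applied as an unanchored
    search, so '^' and '$' must be written explicitly to pin it to the name.
    """
    name = qname.rstrip(".")
    for pattern, forward_to in rules:
        if re.search(pattern, name):
            return forward_to
    return None  # falls through to the router's ordinary upstream servers


def audit(rules, names):
    """Map each query name to the forwarder the rule set would select."""
    return {n: pick_forwarder(n, rules) for n in names}


# Constructed sample query names covering the edge cases.
SAMPLE_NAMES = [
    "srv1.test1.localdomain",            # intended: internal zone 1
    "db.test2.localdomain",              # intended: internal zone 2
    "test1.localdomain",                 # zone apex, no leading label
    "x.test1.localdomain.example.net",   # foreign name containing the zone
    "www.example.org",                   # unrelated name
]

if __name__ == "__main__":
    for label, rules in (("page rules", PAGE_RULES), ("anchored", ANCHORED_RULES)):
        print(label)
        for name, target in audit(rules, SAMPLE_NAMES).items():
            print(f"  {name:36} -> {target or 'default upstream'}")
```
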


/ip firewall layer7-protocol
add comment="DNS Nat contoso.com" name=contoso.com regexp="\x07contoso\x03com"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=udp to-addresses=192.0.2.15
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=tcp to-addresses=192.0.2.15
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=udp
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=tcp

And that is not all: you can now register several forwarders, which helps in building DNS failover.
Smart DNS processing will let you start introducing IPv6 into the corporate network. Previously I did not do this, because I needed to resolve some DNS names to local addresses, and in IPv6 that could not be done without rather large workarounds.

Source: www.habr.com