Mikrotik split-dns: they did it

Less than 10 years later, the RoS developers (in stable 6.47) added a feature that lets you forward DNS queries according to specific rules. Where previously you had to get by with Layer-7 rules in the firewall, now it is done simply and elegantly:

/ip dns static
add forward-to=192.168.88.3 regexp=".*\.test1\.localdomain" type=FWD
add forward-to=192.168.88.56 regexp=".*\.test2\.localdomain" type=FWD

My happiness knows no bounds!

What does this give us?

At the very least, we get rid of strange NAT constructions like this one:

/ip firewall layer7-protocol
add comment="DNS Nat contoso.com" name=contoso.com regexp="\x07contoso\x03com"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=udp to-addresses=192.0.2.15
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=tcp to-addresses=192.0.2.15
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=udp
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=tcp

And that is not all: now you can register several forwarders, which helps to build DNS failover.
Smart DNS forwarding makes it possible to start rolling out IPv6 on the corporate network. I had not done this before, because I need to resolve several DNS names to local addresses, and with IPv6 that cannot be done without major crutches.
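As an added example (not from the original article), here is the same split-DNS approach with two forwarders per zone for failover, plus anchored regexps so that a rule only matches names that actually end in its zone rather than any name containing it. It assumes RouterOS evaluates the regexp as a POSIX regex against the lowercased query name, so ^ and $ anchor the match; the zone names and addresses are made up.

```routeros
# Assumed zones: corp.example served by two internal resolvers (failover),
# lab.example served by a single lab resolver. Addresses are placeholders.
/ip dns static
add type=FWD regexp="^(.*\.)?corp\.example$" forward-to=192.168.88.3,192.168.88.4 comment="corp.example -> internal DNS, primary and secondary"
add type=FWD regexp="^(.*\.)?lab\.example$" forward-to=192.168.88.56 comment="lab.example -> lab resolver"

# Check that only the intended FWD rules exist and that the regexps are anchored
/ip dns static print detail where type=FWD

# Clear the cache and confirm that a fresh lookup for the zone lands in the cache
/ip dns cache flush
/ip dns cache print where name~"corp\.example$"
```

Without the anchors, a pattern such as ".*\.corp\.example" would also match a name like "host.corp.example.attacker.test", which is why the anchored form is preferable.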

Source: www.habr.com