Mikrotik split-DNS: they did it

Less than 10 years have passed, and the RoS developers (in 6.47 stable) have added functionality that lets you redirect DNS requests according to special rules. Where previously you had to resort to workarounds with Layer-7 rules in the firewall, this is now done simply and elegantly:

/ip dns static
add forward-to=192.168.88.3 regexp=".*\.test1\.localdomain" type=FWD
add forward-to=192.168.88.56 regexp=".*\.test2\.localdomain" type=FWD

My joy knows no bounds!

What does this mean for us?

At a minimum, we get rid of strange NAT constructs like this:


/ip firewall layer7-protocol
add comment="DNS Nat contoso.com" name=contoso.com regexp="\x07contoso\x03com"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=udp to-addresses=192.0.2.15
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=tcp to-addresses=192.0.2.15
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=udp
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=tcp

And that's not all: you can now register several forwarding servers, which will help you set up DNS failover.
Intelligent DNS processing will make it possible to start introducing IPv6 in the company network. I had not done this before; the reason was that I needed to resolve a number of DNS names to local addresses, and in IPv6 this could not be done without fairly large crutches.
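
The old Layer-7 pattern reads `\x07contoso\x03com` because DNS puts each label on the wire prefixed by its length byte. The following added example (not from the original article) builds queries for constructed names and compares a byte-exact, unanchored search for that pattern with a label-wise zone check; Python's `re` stands in for the router's matcher as an assumption, and `in_zone`, `mismatches` and the sample names are hypothetical.

```python
import re
import struct

def encode_qname(name: str) -> bytes:
    """Encode a domain name as length-prefixed DNS labels (RFC 1035, 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # the root label terminates the name

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN

# Pattern taken from the layer7-protocol rule shown on the page.
L7_PAGE = re.compile(rb"\x07contoso\x03com")

def l7_match(name: str) -> bool:
    """Assumption: the matcher does an unanchored, byte-exact payload search."""
    return L7_PAGE.search(build_query(name)) is not None

def in_zone(name: str, zone: str = "contoso.com") -> bool:
    """Label-wise, case-insensitive suffix check: what the rule is meant to say."""
    labels = name.rstrip(".").lower().split(".")
    zone_labels = zone.lower().split(".")
    return labels[-len(zone_labels):] == zone_labels

def mismatches(names):
    """Names where the packet-level pattern and the zone check disagree."""
    return [n for n in names if l7_match(n) != in_zone(n)]

# Constructed sample names, not taken from the page.
SAMPLES = ["contoso.com", "dc1.contoso.com", "notcontoso.com",
           "contoso.com.example.net", "DC1.Contoso.COM"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n:26} l7={l7_match(n)!s:5} in_zone={in_zone(n)}")
    print("disagree:", mismatches(SAMPLES))
```

The names on which the two checks disagree are the cases to test against a real rule set before relying on packet-level matching for split DNS.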

Source: www.habr.com