Mikrotik split DNS: they did it

Not even 10 years later, the RoS developers (in stable 6.47) added functionality that lets you redirect DNS requests based on specific rules. Where previously you had to work around it with Layer-7 rules in the firewall, now it is done simply and elegantly:

/ip dns static
add forward-to=192.168.88.3 regexp=".*\.test1\.localdomain" type=FWD
add forward-to=192.168.88.56 regexp=".*\.test2\.localdomain" type=FWD

My joy knows no bounds!

What does this mean for us?

At the very least, we get rid of strange NAT constructions like this one:

/ip firewall layer7-protocol
add comment="DNS Nat contoso.com" name=contoso.com regexp="\x07contoso\x03com"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=udp to-addresses=192.0.2.15
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=tcp to-addresses=192.0.2.15
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=udp
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=tcp

And that is not all: you can now register several forwarders, which helps build DNS failover.
Smart DNS handling will make it possible to start introducing IPv6 into the corporate network. I had not done this before, because I need to resolve some DNS names to local addresses, and with IPv6 that could not be done without some fairly heavy crutches.
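As an added illustration (not from the post or from MikroTik), the Python below evaluates a rule table shaped like the `/ip dns static ... type=FWD` entries above against constructed query names, comparing the post's loose `.*\.test1\.localdomain` pattern with an anchored variant. It assumes unanchored search semantics, the conservative reading for an audit; check how your RouterOS version matches `regexp` before relying on either form.

```python
import re

# Constructed rule tables: (regexp, forward-to), mirroring the post's two
# FWD entries. LOOSE_RULES copies the post's patterns; ANCHORED_RULES only
# matches the zone apex and its subdomains.
LOOSE_RULES = [
    (r".*\.test1\.localdomain", "192.168.88.3"),
    (r".*\.test2\.localdomain", "192.168.88.56"),
]
ANCHORED_RULES = [
    (r"^(.*\.)?test1\.localdomain$", "192.168.88.3"),
    (r"^(.*\.)?test2\.localdomain$", "192.168.88.56"),
]


def pick_forwarder(rules, qname, default="upstream"):
    """Return the forwarder selected by the first matching rule, else default.

    The query name is lowercased and stripped of a trailing dot, which is the
    canonical form a resolver compares. Assumes unanchored search semantics
    (re.search), so a pattern may match in the middle of a longer name.
    """
    name = qname.rstrip(".").lower()
    for pattern, target in rules:
        if re.search(pattern, name):
            return target
    return default


def audit(rules, names):
    """Map each query name to its chosen forwarder, so a reviewer can see
    which names a rule table would steer to an internal resolver."""
    return {n: pick_forwarder(rules, n) for n in names}


if __name__ == "__main__":
    # Constructed sample queries: internal hosts, the zone apex, an external
    # name, and an external name that embeds the internal zone as a prefix.
    samples = [
        "host.test1.localdomain",
        "test1.localdomain",
        "www.example.com",
        "host.test1.localdomain.example.net",
    ]
    for label, rules in (("loose", LOOSE_RULES), ("anchored", ANCHORED_RULES)):
        for name, target in audit(rules, samples).items():
            print(f"{label:8} {name:40} -> {target}")
```

The loose table sends the embedded-prefix name to the internal resolver and misses the bare zone apex; the anchored table does neither.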

source: www.habr.com