Mikrotik split-DNS: they did it

Less than 10 years later, the RoS (RouterOS) developers added, in 6.47 stable, functionality that lets you forward DNS queries according to specific rules. Where previously you had to work around this with Layer-7 rules in the firewall, now it is done simply and elegantly:

/ip dns static
add forward-to=192.168.88.3 regexp=".*\.test1\.localdomain" type=FWD
add forward-to=192.168.88.56 regexp=".*\.test2\.localdomain" type=FWD

My joy knows no bounds!

What does this mean for us?

At the very least, we get rid of strange NAT constructions like this:


/ip firewall layer7-protocol
add comment="DNS Nat contoso.com" name=contoso.com regexp="\x07contoso\x03com"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=udp to-addresses=192.0.2.15
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=tcp to-addresses=192.0.2.15
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=udp
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=tcp
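
The Layer-7 rule above matches on the DNS wire format, where every label is prefixed by its length (7 for "contoso", 3 for "com"). The following is an added example, not code from the original post: Python's `re` stands in for the router's matcher, the sample names are constructed, and it checks what the old byte pattern and the new FWD regexp actually cover.

```python
import re
import struct

# Layer-7 byte pattern copied from the page's old firewall rule.
L7_PATTERN = re.compile(rb"\x07contoso\x03com")
# Forwarding pattern copied from the page's new /ip dns static rule.
# Python's re is a stand-in here, not the RouterOS regexp engine.
FWD_PATTERN = re.compile(r".*\.test1\.localdomain")


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as RFC 1035 length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # zero-length root label terminates the name


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def l7_matches(name: str) -> bool:
    """True if the Layer-7 byte pattern occurs anywhere in the payload."""
    return L7_PATTERN.search(build_query(name)) is not None


def fwd_matches(name: str) -> bool:
    """True if the FWD regexp matches the queried name."""
    # Assumption: whole-name comparison; the page does not state anchoring.
    return FWD_PATTERN.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed sample names, not taken from the page.
    for n in ("contoso.com", "dc1.contoso.com", "notcontoso.com",
              "contoso.com.example.net"):
        print(f"L7  {n:28} {l7_matches(n)}")
    for n in ("host.test1.localdomain", "test1.localdomain",
              "host.test2.localdomain"):
        print(f"FWD {n:28} {fwd_matches(n)}")
```

The byte pattern carries no terminating root label, so a query for contoso.com.example.net is redirected as well. The FWD regexp requires a dot before `test1`, so the bare zone name test1.localdomain is not forwarded by that rule.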

And that is not all: you can now register several forwarders, which helps with DNS failover.
Smart DNS processing makes it possible to start rolling out IPv6 on the corporate network. I had not done this before, because I needed to resolve a number of DNS names to local addresses, and in IPv6 this could not be done without major kludges.

Source: mapenzi.com