Mikrotik split-DNS: they finally did it

Less than 10 years later, the RoS developers (in stable 6.47) added functionality that lets DNS queries be forwarded according to custom rules. Where you previously had to resort to Layer-7 rules in the firewall, it is now done simply and elegantly:

/ip dns static
add forward-to=192.168.88.3 regexp=".*\.test1\.localdomain" type=FWD
add forward-to=192.168.88.56 regexp=".*\.test2\.localdomain" type=FWD

My happiness knows no bounds!

What does this mean for us?

At the very least, we get rid of bizarre NAT constructions like this one:

/ip firewall layer7-protocol
add comment="DNS Nat contoso.com" name=contoso.com regexp="\x07contoso\x03com"
/ip firewall mangle
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="mark dns contoso.com" dst-address-type=local dst-port=53 in-interface-list=DNSMASQ layer7-protocol=contoso.com new-packet-mark=dns-contoso.com passthrough=yes protocol=tcp
/ip firewall nat
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=udp to-addresses=192.0.2.15
add action=dst-nat chain=dstnat comment="DST-NAT dns contoso.com" dst-port=53 in-interface-list=DNSMASQ packet-mark=dns-contoso.com protocol=tcp to-addresses=192.0.2.15
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=udp
add action=masquerade chain=srcnat comment="mask dns contoso.com" dst-port=53 packet-mark=dns-contoso.com protocol=tcp

And that's not all: you can now register several forwarders, which helps when switching DNS servers.
Intelligent DNS handling makes it possible to start rolling out IPv6 in the company network. I hadn't done that before, because I needed to resolve a number of DNS names to local addresses, and with IPv6 that couldn't be done without some very big crutches.
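The two approaches above match the query name in different representations: the old layer7-protocol rule inspects the DNS wire format, where each label is prefixed by its length byte (which is why the pattern reads \x07contoso\x03com rather than "contoso.com"), while the new static FWD rules match a regexp against the textual name. The following Python script is an added example, not code from the post or from MikroTik; it encodes names into wire format to show what the Layer-7 pattern actually matches, and models the FWD rule lookup. It assumes the FWD regexp is applied unanchored to the lowercased query name (an assumption to verify against the RouterOS documentation for your version), and the rule list and query names are constructed for illustration.

```python
import re

# Constructed rule list mirroring the two "/ip dns static ... type=FWD" entries
# from the post: (regexp, forwarder address), evaluated in order.
FWD_RULES = [
    (r".*\.test1\.localdomain", "192.168.88.3"),
    (r".*\.test2\.localdomain", "192.168.88.56"),
]

# The Layer-7 pattern from the old NAT construction, as a bytes regex.
L7_CONTOSO = rb"\x07contoso\x03com"


def encode_qname(name: str) -> bytes:
    """Encode a DNS name in wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def layer7_matches(name: str, pattern: bytes = L7_CONTOSO) -> bool:
    """Apply a layer7-protocol style pattern to the wire-format query name.

    Because the length bytes are part of the pattern, "contoso.company" and
    "notcontoso.com" do not match even though both contain the text "contoso".
    """
    return re.search(pattern, encode_qname(name)) is not None


def pick_forwarder(name: str, rules=FWD_RULES, anchored: bool = False):
    """Return the forwarder of the first FWD rule whose regexp matches the name.

    anchored=False models unanchored matching (assumed RouterOS behaviour);
    anchored=True wraps each regexp in ^(?:...)$ to show the stricter form that
    stops a name like host.test1.localdomain.example.com from being forwarded
    to the internal resolver.
    """
    qname = name.rstrip(".").lower()  # DNS names are case-insensitive
    for pattern, forwarder in rules:
        regex = f"^(?:{pattern})$" if anchored else pattern
        if re.search(regex, qname):
            return forwarder
    return None


if __name__ == "__main__":
    for n in ("www.contoso.com", "contoso.company", "notcontoso.com"):
        print(f"L7 {n:20s} -> {layer7_matches(n)}")
    for n in ("srv.test1.localdomain", "test1.localdomain",
              "srv.test1.localdomain.example.com", "db.test2.localdomain"):
        print(f"FWD {n:35s} -> {pick_forwarder(n)} "
              f"(anchored: {pick_forwarder(n, anchored=True)})")
```

Two things the run makes visible: the apex name test1.localdomain is not covered by the pattern .*\.test1\.localdomain at all (a leading dot is required), and an unanchored pattern also forwards names that merely start with a matching suffix, so anchoring the regexp, or adding an explicit rule for the apex, is worth considering when you write the FWD rules.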

Source: www.habr.com